Edit tour

Windows Analysis Report
UiF5hKi5o7.exe

Overview

General Information

Sample name:	UiF5hKi5o7.exe (renamed file extension from none to exe, renamed because original name is a hash value)
Original sample name:	D14972C18F26FD101DF4502B6D1DA4C36EA30679AE0E9BD12D6148E99F3C5652
Analysis ID:	1546646
MD5:	e54e6d6f9a6e2abac7563407294cb9ee
SHA1:	cb0853fd275bd4fc1354742fb2bb8b98095b39fa
SHA256:	d14972c18f26fd101df4502b6d1da4c36ea30679ae0e9bd12d6148e99f3c5652
Infos:

Detection

Score:	52
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

AI detected suspicious sample

Found pyInstaller with non standard icon

Machine Learning detection for sample

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query CPU information (cpuid)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Extensive use of GetProcAddress (often used to hide API calls)

Found dropped PE file which has not been started or loaded

Found evasive API chain checking for process token information

Found potential string decryption / allocating functions

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

UiF5hKi5o7.exe (PID: 5516 cmdline: "C:\Users\user\Desktop\UiF5hKi5o7.exe" MD5: E54E6D6F9A6E2ABAC7563407294CB9EE)

conhost.exe (PID: 4764 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

UiF5hKi5o7.exe (PID: 6364 cmdline: "C:\Users\user\Desktop\UiF5hKi5o7.exe" MD5: E54E6D6F9A6E2ABAC7563407294CB9EE)

cleanup

Suricata Signatures

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-01T11:19:24.625945+0100	2022930	1	A Network Trojan was detected	4.175.87.197	443	192.168.2.5	64384	TCP
2024-11-01T11:20:02.498429+0100	2022930	1	A Network Trojan was detected	4.175.87.197	443	192.168.2.5	64593	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 83.4% probability

Machine Learning detection for sample

Source: UiF5hKi5o7.exe

Joe Sandbox ML: detected

Source: UiF5hKi5o7.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:	Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASMOpenSSL 1.1.1m 14 Dec 2021built on: Sun Dec 19 14:27:21 2021 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-1_1"not available source: libcrypto-1_1.dll.1.dr
Source:	Binary string: d:\a01\_work\4\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: UiF5hKi5o7.exe, 00000001.00000003.2222800542.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000004.00000002.2247348346.00007FF8BFBA1000.00000002.00000001.01000000.00000006.sdmp, VCRUNTIME140.dll.1.dr
Source:	Binary string: C:\A\35\b\bin\amd64\unicodedata.pdb source: UiF5hKi5o7.exe, 00000001.00000003.2228333608.000001AFE2088000.00000004.00000020.00020000.00000000.sdmp, unicodedata.pyd.1.dr
Source:	Binary string: C:\A\39\b\libcrypto-1_1.pdb source: libcrypto-1_1.dll.1.dr
Source:	Binary string: C:\A\35\b\bin\amd64\_socket.pdb source: UiF5hKi5o7.exe, 00000001.00000003.2224157401.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, _socket.pyd.1.dr
Source:	Binary string: C:\A\35\b\bin\amd64\_decimal.pdb## source: _decimal.pyd.1.dr
Source:	Binary string: C:\A\35\b\bin\amd64\_lzma.pdb source: UiF5hKi5o7.exe, 00000001.00000003.2223955958.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, _lzma.pyd.1.dr
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM source: libcrypto-1_1.dll.1.dr
Source:	Binary string: C:\A\35\b\bin\amd64\_lzma.pdbMM source: UiF5hKi5o7.exe, 00000001.00000003.2223955958.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, _lzma.pyd.1.dr
Source:	Binary string: C:\A\35\b\bin\amd64\_decimal.pdb source: _decimal.pyd.1.dr
Source:	Binary string: C:\A\35\b\bin\amd64\_hashlib.pdb source: UiF5hKi5o7.exe, 00000001.00000003.2223547985.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, _hashlib.pyd.1.dr
Source:	Binary string: C:\A\35\b\bin\amd64\python310.pdb source: UiF5hKi5o7.exe, 00000004.00000002.2246833194.00007FF8A8E1E000.00000002.00000001.01000000.00000005.sdmp, python310.dll.1.dr
Source:	Binary string: C:\A\35\b\bin\amd64\select.pdb source: UiF5hKi5o7.exe, 00000001.00000003.2228136199.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, select.pyd.1.dr
Source:	Binary string: C:\A\35\b\bin\amd64\_bz2.pdb source: UiF5hKi5o7.exe, 00000001.00000003.2222960947.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, _bz2.pyd.1.dr

Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	Code function: 1_2_00007FF772628080 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,	1_2_00007FF772628080
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	Code function: 1_2_00007FF772617BB0 FindFirstFileExW,FindClose,	1_2_00007FF772617BB0
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	Code function: 1_2_00007FF772628080 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,	1_2_00007FF772628080
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	Code function: 1_2_00007FF772632044 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	1_2_00007FF772632044

Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.175.87.197:443 -> 192.168.2.5:64384
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.175.87.197:443 -> 192.168.2.5:64593

Source: UiF5hKi5o7.exe, 00000001.00000003.2222960947.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2228136199.000001AFE208E000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2223280999.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2224157401.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2224982798.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2226385108.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2228136199.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2228333608.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2224982798.000001AFE208C000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2223955958.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2223547985.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, unicodedata.pyd.1.dr, _lzma.pyd.1.dr, _decimal.pyd.1.dr, _hashlib.pyd.1.dr, _socket.pyd.1.dr, libcrypto-1_1.dll.1.dr, python310.dll.1.dr, select.pyd.1.dr, _bz2.pyd.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: UiF5hKi5o7.exe, 00000001.00000003.2224982798.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2224982798.000001AFE208C000.00000004.00000020.00020000.00000000.sdmp, libcrypto-1_1.dll.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: UiF5hKi5o7.exe, 00000001.00000003.2222960947.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2223280999.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2224157401.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2224982798.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2226385108.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2228136199.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2228333608.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2224982798.000001AFE208C000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2223955958.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2223547985.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, unicodedata.pyd.1.dr, _lzma.pyd.1.dr, _decimal.pyd.1.dr, _hashlib.pyd.1.dr, _socket.pyd.1.dr, libcrypto-1_1.dll.1.dr, python310.dll.1.dr, select.pyd.1.dr, _bz2.pyd.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: UiF5hKi5o7.exe, 00000001.00000003.2222960947.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2223280999.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2224157401.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2226385108.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2228136199.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2228333608.000001AFE2088000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2228333608.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2223955958.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2223547985.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, unicodedata.pyd.1.dr, _lzma.pyd.1.dr, _decimal.pyd.1.dr, _hashlib.pyd.1.dr, _socket.pyd.1.dr, python310.dll.1.dr, select.pyd.1.dr, _bz2.pyd.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: UiF5hKi5o7.exe, 00000001.00000003.2222960947.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2228136199.000001AFE208E000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2223280999.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2224157401.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2226385108.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2228136199.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2228333608.000001AFE2088000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2223955958.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2223547985.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, unicodedata.pyd.1.dr, _lzma.pyd.1.dr, _decimal.pyd.1.dr, _hashlib.pyd.1.dr, _socket.pyd.1.dr, python310.dll.1.dr, select.pyd.1.dr, _bz2.pyd.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: UiF5hKi5o7.exe, 00000001.00000003.2224982798.000001AFE208C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digi
Source: UiF5hKi5o7.exe, 00000001.00000003.2224982798.000001AFE208C000.00000004.00000020.00020000.00000000.sdmp, libcrypto-1_1.dll.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: UiF5hKi5o7.exe, 00000001.00000003.2222960947.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2228136199.000001AFE208E000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2223280999.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2224157401.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2224982798.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2226385108.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2228136199.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2228333608.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2224982798.000001AFE208C000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2223955958.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2223547985.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, unicodedata.pyd.1.dr, _lzma.pyd.1.dr, _decimal.pyd.1.dr, _hashlib.pyd.1.dr, _socket.pyd.1.dr, libcrypto-1_1.dll.1.dr, python310.dll.1.dr, select.pyd.1.dr, _bz2.pyd.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: UiF5hKi5o7.exe, 00000001.00000003.2222960947.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2223280999.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2224157401.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2226385108.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2228136199.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2228333608.000001AFE2088000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2228333608.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2223955958.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2223547985.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, unicodedata.pyd.1.dr, _lzma.pyd.1.dr, _decimal.pyd.1.dr, _hashlib.pyd.1.dr, _socket.pyd.1.dr, python310.dll.1.dr, select.pyd.1.dr, _bz2.pyd.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: UiF5hKi5o7.exe, 00000001.00000003.2222960947.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2228136199.000001AFE208E000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2223280999.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2224157401.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2226385108.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2228136199.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2228333608.000001AFE2088000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2223955958.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2223547985.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, unicodedata.pyd.1.dr, _lzma.pyd.1.dr, _decimal.pyd.1.dr, _hashlib.pyd.1.dr, _socket.pyd.1.dr, python310.dll.1.dr, select.pyd.1.dr, _bz2.pyd.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: UiF5hKi5o7.exe, 00000001.00000003.2224982798.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2224982798.000001AFE208C000.00000004.00000020.00020000.00000000.sdmp, libcrypto-1_1.dll.1.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: UiF5hKi5o7.exe, 00000001.00000003.2223955958.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl0
Source: UiF5hKi5o7.exe, 00000001.00000003.2222960947.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2223280999.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2224157401.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2224982798.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2226385108.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2228136199.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2228333608.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2224982798.000001AFE208C000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2223955958.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2223547985.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, unicodedata.pyd.1.dr, _lzma.pyd.1.dr, _decimal.pyd.1.dr, _hashlib.pyd.1.dr, _socket.pyd.1.dr, libcrypto-1_1.dll.1.dr, python310.dll.1.dr, select.pyd.1.dr, _bz2.pyd.1.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: UiF5hKi5o7.exe, 00000001.00000003.2222960947.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2228136199.000001AFE208E000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2223280999.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2224157401.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2224982798.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2226385108.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2228136199.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2228333608.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2224982798.000001AFE208C000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2223955958.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2223547985.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, unicodedata.pyd.1.dr, _lzma.pyd.1.dr, _decimal.pyd.1.dr, _hashlib.pyd.1.dr, _socket.pyd.1.dr, libcrypto-1_1.dll.1.dr, python310.dll.1.dr, select.pyd.1.dr, _bz2.pyd.1.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: UiF5hKi5o7.exe, 00000001.00000003.2222960947.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2223280999.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2224157401.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2226385108.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2228136199.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2228333608.000001AFE2088000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2228333608.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2223955958.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2223547985.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, unicodedata.pyd.1.dr, _lzma.pyd.1.dr, _decimal.pyd.1.dr, _hashlib.pyd.1.dr, _socket.pyd.1.dr, python310.dll.1.dr, select.pyd.1.dr, _bz2.pyd.1.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: UiF5hKi5o7.exe, 00000001.00000003.2224982798.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2224982798.000001AFE208C000.00000004.00000020.00020000.00000000.sdmp, libcrypto-1_1.dll.1.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: UiF5hKi5o7.exe, 00000001.00000003.2222960947.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2223280999.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2224157401.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2224982798.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2226385108.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2228136199.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2228333608.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2224982798.000001AFE208C000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2223955958.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2223547985.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, unicodedata.pyd.1.dr, _lzma.pyd.1.dr, _decimal.pyd.1.dr, _hashlib.pyd.1.dr, _socket.pyd.1.dr, libcrypto-1_1.dll.1.dr, python310.dll.1.dr, select.pyd.1.dr, _bz2.pyd.1.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: UiF5hKi5o7.exe, 00000001.00000003.2222960947.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2223280999.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2224157401.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2226385108.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2228136199.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2228333608.000001AFE2088000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2228333608.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2223955958.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2223547985.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, unicodedata.pyd.1.dr, _lzma.pyd.1.dr, _decimal.pyd.1.dr, _hashlib.pyd.1.dr, _socket.pyd.1.dr, python310.dll.1.dr, select.pyd.1.dr, _bz2.pyd.1.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: UiF5hKi5o7.exe, 00000001.00000003.2222960947.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2228136199.000001AFE208E000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2223280999.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2224157401.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2226385108.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2228136199.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2228333608.000001AFE2088000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2223955958.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2223547985.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, unicodedata.pyd.1.dr, _lzma.pyd.1.dr, _decimal.pyd.1.dr, _hashlib.pyd.1.dr, _socket.pyd.1.dr, python310.dll.1.dr, select.pyd.1.dr, _bz2.pyd.1.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: UiF5hKi5o7.exe, 00000001.00000003.2222960947.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2228136199.000001AFE208E000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2223280999.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2224157401.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2224982798.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2226385108.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2228136199.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2228333608.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2224982798.000001AFE208C000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2223955958.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2223547985.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, unicodedata.pyd.1.dr, _lzma.pyd.1.dr, _decimal.pyd.1.dr, _hashlib.pyd.1.dr, _socket.pyd.1.dr, libcrypto-1_1.dll.1.dr, python310.dll.1.dr, select.pyd.1.dr, _bz2.pyd.1.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: UiF5hKi5o7.exe, 00000001.00000003.2224982798.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2224982798.000001AFE208C000.00000004.00000020.00020000.00000000.sdmp, libcrypto-1_1.dll.1.dr	String found in binary or memory: http://ocsp.digicert.com0N
Source: UiF5hKi5o7.exe, 00000001.00000003.2222960947.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2223280999.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2224157401.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2224982798.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2226385108.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2228136199.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2228333608.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2224982798.000001AFE208C000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2223955958.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2223547985.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, unicodedata.pyd.1.dr, _lzma.pyd.1.dr, _decimal.pyd.1.dr, _hashlib.pyd.1.dr, _socket.pyd.1.dr, libcrypto-1_1.dll.1.dr, python310.dll.1.dr, select.pyd.1.dr, _bz2.pyd.1.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: UiF5hKi5o7.exe, 00000001.00000003.2222960947.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2223280999.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2224157401.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2224982798.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2226385108.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2228136199.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2228333608.000001AFE2088000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2228333608.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2224982798.000001AFE208C000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2223955958.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2223547985.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, unicodedata.pyd.1.dr, _lzma.pyd.1.dr, _decimal.pyd.1.dr, _hashlib.pyd.1.dr, _socket.pyd.1.dr, libcrypto-1_1.dll.1.dr, python310.dll.1.dr, select.pyd.1.dr, _bz2.pyd.1.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: UiF5hKi5o7.exe, 00000004.00000003.2234325231.000002294585C000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000004.00000003.2239835637.000002294585D000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000004.00000003.2232628185.0000022945852000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000004.00000003.2233510649.0000022945852000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000004.00000003.2234043245.00000229457E6000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000004.00000003.2233121913.0000022945852000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000004.00000003.2230956092.0000022945855000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000004.00000003.2233736541.00000229457D5000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000004.00000002.2245337210.000002294585D000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000004.00000003.2231541657.0000022945855000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000004.00000003.2233712095.0000022945858000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000004.00000003.2231283061.0000022945855000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000004.00000003.2232290616.0000022945832000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy
Source: UiF5hKi5o7.exe, 00000004.00000002.2245359860.0000022947158000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688
Source: UiF5hKi5o7.exe, 00000004.00000003.2232290616.0000022945832000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py
Source: UiF5hKi5o7.exe, 00000004.00000003.2234325231.000002294585C000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000004.00000003.2239835637.000002294585D000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000004.00000003.2232628185.0000022945852000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000004.00000003.2233510649.0000022945852000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000004.00000003.2234043245.00000229457E6000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000004.00000003.2233121913.0000022945852000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000004.00000003.2230956092.0000022945855000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000004.00000003.2233736541.00000229457D5000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000004.00000002.2245337210.000002294585D000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000004.00000003.2231541657.0000022945855000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000004.00000003.2233712095.0000022945858000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000004.00000003.2231283061.0000022945855000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000004.00000003.2232290616.0000022945832000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader
Source: UiF5hKi5o7.exe, 00000004.00000003.2234325231.000002294585C000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000004.00000003.2239835637.000002294585D000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000004.00000003.2232628185.0000022945852000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000004.00000003.2233510649.0000022945852000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000004.00000003.2234043245.00000229457E6000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000004.00000003.2233121913.0000022945852000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000004.00000003.2230956092.0000022945855000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000004.00000003.2233736541.00000229457D5000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000004.00000002.2245337210.000002294585D000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000004.00000003.2231541657.0000022945855000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000004.00000003.2233712095.0000022945858000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000004.00000003.2231283061.0000022945855000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000004.00000003.2232290616.0000022945832000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#
Source: UiF5hKi5o7.exe, 00000004.00000002.2246833194.00007FF8A8E1E000.00000002.00000001.01000000.00000005.sdmp, python310.dll.1.dr	String found in binary or memory: https://python.org/dev/peps/pep-0263/
Source: UiF5hKi5o7.exe, 00000001.00000003.2222960947.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2228136199.000001AFE208E000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2223280999.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2224157401.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2224982798.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2226385108.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2228136199.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2228333608.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2224982798.000001AFE208C000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2223955958.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2223547985.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, unicodedata.pyd.1.dr, _lzma.pyd.1.dr, _decimal.pyd.1.dr, _hashlib.pyd.1.dr, _socket.pyd.1.dr, libcrypto-1_1.dll.1.dr, python310.dll.1.dr, select.pyd.1.dr, _bz2.pyd.1.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: libcrypto-1_1.dll.1.dr	String found in binary or memory: https://www.openssl.org/H
Source: UiF5hKi5o7.exe, 00000001.00000003.2224391384.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, base_library.zip.1.dr	String found in binary or memory: https://www.python.org/dev/peps/pep-0205/
Source: UiF5hKi5o7.exe, 00000004.00000002.2245359860.00000229470D0000.00000004.00001000.00020000.00000000.sdmp, base_library.zip.1.dr	String found in binary or memory: https://www.python.org/download/releases/2.3/mro/.

Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	Code function: 1_2_00007FF772616B80	1_2_00007FF772616B80
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	Code function: 1_2_00007FF77263741C	1_2_00007FF77263741C
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	Code function: 1_2_00007FF7726364D0	1_2_00007FF7726364D0
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	Code function: 1_2_00007FF772628080	1_2_00007FF772628080
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	Code function: 1_2_00007FF772631098	1_2_00007FF772631098
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	Code function: 1_2_00007FF772621404	1_2_00007FF772621404
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	Code function: 1_2_00007FF772631098	1_2_00007FF772631098
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	Code function: 1_2_00007FF7726223DC	1_2_00007FF7726223DC
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	Code function: 1_2_00007FF7726343E0	1_2_00007FF7726343E0
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	Code function: 1_2_00007FF7726184D0	1_2_00007FF7726184D0
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	Code function: 1_2_00007FF77263A158	1_2_00007FF77263A158
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	Code function: 1_2_00007FF772621200	1_2_00007FF772621200
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	Code function: 1_2_00007FF772628080	1_2_00007FF772628080
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	Code function: 1_2_00007FF77262328C	1_2_00007FF77262328C
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	Code function: 1_2_00007FF77262E24C	1_2_00007FF77262E24C
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	Code function: 1_2_00007FF772623AC8	1_2_00007FF772623AC8
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	Code function: 1_2_00007FF772622774	1_2_00007FF772622774
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	Code function: 1_2_00007FF77263674C	1_2_00007FF77263674C
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	Code function: 1_2_00007FF772621814	1_2_00007FF772621814
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	Code function: 1_2_00007FF772620FF4	1_2_00007FF772620FF4
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	Code function: 1_2_00007FF77263487C	1_2_00007FF77263487C
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	Code function: 1_2_00007FF772632044	1_2_00007FF772632044
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	Code function: 1_2_00007FF772628904	1_2_00007FF772628904
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	Code function: 1_2_00007FF7726260F0	1_2_00007FF7726260F0
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	Code function: 1_2_00007FF77262ED60	1_2_00007FF77262ED60
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	Code function: 1_2_00007FF772621610	1_2_00007FF772621610
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	Code function: 1_2_00007FF772620DF0	1_2_00007FF772620DF0
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	Code function: 1_2_00007FF77262A660	1_2_00007FF77262A660
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	Code function: 1_2_00007FF77262E6E0	1_2_00007FF77262E6E0
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	Code function: 1_2_00007FF772627ECC	1_2_00007FF772627ECC
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	Code function: 1_2_00007FF772636ED0	1_2_00007FF772636ED0
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	Code function: 1_2_00007FF7726236C4	1_2_00007FF7726236C4
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	Code function: 4_2_00007FF8BFB97508	4_2_00007FF8BFB97508

Source: C:\Users\user\Desktop\UiF5hKi5o7.exe

Code function: String function: 00007FF772611F60 appears 52 times

Source: unicodedata.pyd.1.dr

Static PE information: Resource name: RT_VERSION type: COM executable for DOS

Source: UiF5hKi5o7.exe, 00000001.00000003.2222960947.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_bz2.pyd. vs UiF5hKi5o7.exe
Source: UiF5hKi5o7.exe, 00000001.00000003.2223280999.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_decimal.pyd. vs UiF5hKi5o7.exe
Source: UiF5hKi5o7.exe, 00000001.00000003.2224157401.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_socket.pyd. vs UiF5hKi5o7.exe
Source: UiF5hKi5o7.exe, 00000001.00000003.2222800542.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamevcruntime140.dllT vs UiF5hKi5o7.exe
Source: UiF5hKi5o7.exe, 00000001.00000003.2228136199.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameselect.pyd. vs UiF5hKi5o7.exe
Source: UiF5hKi5o7.exe, 00000001.00000003.2228333608.000001AFE2088000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameunicodedata.pyd. vs UiF5hKi5o7.exe
Source: UiF5hKi5o7.exe, 00000001.00000003.2228333608.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameunicodedata.pyd. vs UiF5hKi5o7.exe
Source: UiF5hKi5o7.exe, 00000001.00000003.2223955958.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_lzma.pyd. vs UiF5hKi5o7.exe
Source: UiF5hKi5o7.exe, 00000001.00000003.2223547985.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_hashlib.pyd. vs UiF5hKi5o7.exe
Source: UiF5hKi5o7.exe	Binary or memory string: OriginalFilename vs UiF5hKi5o7.exe
Source: UiF5hKi5o7.exe, 00000004.00000002.2247277820.00007FF8A8F37000.00000002.00000001.01000000.00000005.sdmp	Binary or memory string: OriginalFilenamepython310.dll. vs UiF5hKi5o7.exe
Source: UiF5hKi5o7.exe, 00000004.00000002.2247392718.00007FF8BFBA7000.00000002.00000001.01000000.00000006.sdmp	Binary or memory string: OriginalFilenamevcruntime140.dllT vs UiF5hKi5o7.exe

Source: classification engine

Classification label: mal52.winEXE@4/11@0/0

Source: C:\Users\user\Desktop\UiF5hKi5o7.exe

Code function: 1_2_00007FF7726177F0 GetLastError,FormatMessageW,WideCharToMultiByte,

1_2_00007FF7726177F0

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4764:120:WilError_03

Source: C:\Users\user\Desktop\UiF5hKi5o7.exe

File created: C:\Users\user\AppData\Local\Temp\_MEI55162

Jump to behavior

Source: UiF5hKi5o7.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\UiF5hKi5o7.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\UiF5hKi5o7.exe

File read: C:\Users\user\Desktop\UiF5hKi5o7.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\UiF5hKi5o7.exe "C:\Users\user\Desktop\UiF5hKi5o7.exe"
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	Process created: C:\Users\user\Desktop\UiF5hKi5o7.exe "C:\Users\user\Desktop\UiF5hKi5o7.exe"
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	Process created: C:\Users\user\Desktop\UiF5hKi5o7.exe "C:\Users\user\Desktop\UiF5hKi5o7.exe"	Jump to behavior

Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	Section loaded: kernel.appcore.dll	Jump to behavior

Source: C:\Users\user\Desktop\UiF5hKi5o7.exe

File opened: C:\Users\user\Desktop\pyvenv.cfg

Jump to behavior

Source: UiF5hKi5o7.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: UiF5hKi5o7.exe

Static file information: File size 5462278 > 1048576

Source: UiF5hKi5o7.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: UiF5hKi5o7.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: UiF5hKi5o7.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: UiF5hKi5o7.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: UiF5hKi5o7.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: UiF5hKi5o7.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: UiF5hKi5o7.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: UiF5hKi5o7.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASMOpenSSL 1.1.1m 14 Dec 2021built on: Sun Dec 19 14:27:21 2021 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-1_1"not available source: libcrypto-1_1.dll.1.dr
Source:	Binary string: d:\a01\_work\4\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: UiF5hKi5o7.exe, 00000001.00000003.2222800542.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000004.00000002.2247348346.00007FF8BFBA1000.00000002.00000001.01000000.00000006.sdmp, VCRUNTIME140.dll.1.dr
Source:	Binary string: C:\A\35\b\bin\amd64\unicodedata.pdb source: UiF5hKi5o7.exe, 00000001.00000003.2228333608.000001AFE2088000.00000004.00000020.00020000.00000000.sdmp, unicodedata.pyd.1.dr
Source:	Binary string: C:\A\39\b\libcrypto-1_1.pdb source: libcrypto-1_1.dll.1.dr
Source:	Binary string: C:\A\35\b\bin\amd64\_socket.pdb source: UiF5hKi5o7.exe, 00000001.00000003.2224157401.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, _socket.pyd.1.dr
Source:	Binary string: C:\A\35\b\bin\amd64\_decimal.pdb## source: _decimal.pyd.1.dr
Source:	Binary string: C:\A\35\b\bin\amd64\_lzma.pdb source: UiF5hKi5o7.exe, 00000001.00000003.2223955958.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, _lzma.pyd.1.dr
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM source: libcrypto-1_1.dll.1.dr
Source:	Binary string: C:\A\35\b\bin\amd64\_lzma.pdbMM source: UiF5hKi5o7.exe, 00000001.00000003.2223955958.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, _lzma.pyd.1.dr
Source:	Binary string: C:\A\35\b\bin\amd64\_decimal.pdb source: _decimal.pyd.1.dr
Source:	Binary string: C:\A\35\b\bin\amd64\_hashlib.pdb source: UiF5hKi5o7.exe, 00000001.00000003.2223547985.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, _hashlib.pyd.1.dr
Source:	Binary string: C:\A\35\b\bin\amd64\python310.pdb source: UiF5hKi5o7.exe, 00000004.00000002.2246833194.00007FF8A8E1E000.00000002.00000001.01000000.00000005.sdmp, python310.dll.1.dr
Source:	Binary string: C:\A\35\b\bin\amd64\select.pdb source: UiF5hKi5o7.exe, 00000001.00000003.2228136199.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, select.pyd.1.dr
Source:	Binary string: C:\A\35\b\bin\amd64\_bz2.pdb source: UiF5hKi5o7.exe, 00000001.00000003.2222960947.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, _bz2.pyd.1.dr

Source: UiF5hKi5o7.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: UiF5hKi5o7.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: UiF5hKi5o7.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: UiF5hKi5o7.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: UiF5hKi5o7.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: UiF5hKi5o7.exe	Static PE information: section name: _RDATA
Source: VCRUNTIME140.dll.1.dr	Static PE information: section name: _RDATA
Source: libcrypto-1_1.dll.1.dr	Static PE information: section name: .00cfg
Source: python310.dll.1.dr	Static PE information: section name: PyRuntim

Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	Code function: 1_2_00007FF772655078 push rcx; ret		1_2_00007FF772655079
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	Code function: 1_2_00007FF772655048 push rcx; retn 0000h		1_2_00007FF772655049

Persistence and Installation Behavior

Found pyInstaller with non standard icon

Source: C:\Users\user\Desktop\UiF5hKi5o7.exe

Process created: "C:\Users\user\Desktop\UiF5hKi5o7.exe"

Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI55162\python310.dll	Jump to dropped file
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI55162\VCRUNTIME140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI55162\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI55162\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI55162\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI55162\_socket.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI55162\libcrypto-1_1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI55162\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI55162\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI55162\select.pyd	Jump to dropped file

Source: C:\Users\user\Desktop\UiF5hKi5o7.exe

Code function: 1_2_00007FF7726143E0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

1_2_00007FF7726143E0

Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI55162\python310.dll	Jump to dropped file
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI55162\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI55162\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI55162\_socket.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI55162\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI55162\libcrypto-1_1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI55162\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI55162\select.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI55162\_bz2.pyd	Jump to dropped file

Source: C:\Users\user\Desktop\UiF5hKi5o7.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_1-17334

Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	Code function: 1_2_00007FF772628080 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,	1_2_00007FF772628080
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	Code function: 1_2_00007FF772617BB0 FindFirstFileExW,FindClose,	1_2_00007FF772617BB0
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	Code function: 1_2_00007FF772628080 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,	1_2_00007FF772628080
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	Code function: 1_2_00007FF772632044 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	1_2_00007FF772632044

Source: C:\Users\user\Desktop\UiF5hKi5o7.exe

Code function: 1_2_00007FF77261BADC IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

1_2_00007FF77261BADC

Source: C:\Users\user\Desktop\UiF5hKi5o7.exe

Code function: 1_2_00007FF772633C50 GetProcessHeap,

1_2_00007FF772633C50

Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	Code function: 1_2_00007FF77261BC84 SetUnhandledExceptionFilter,	1_2_00007FF77261BC84
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	Code function: 1_2_00007FF77261B230 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_00007FF77261B230
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	Code function: 1_2_00007FF77261BADC IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_00007FF77261BADC
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	Code function: 1_2_00007FF77262AE08 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_00007FF77262AE08
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	Code function: 4_2_00007FF8BFBA004C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	4_2_00007FF8BFBA004C

Source: C:\Users\user\Desktop\UiF5hKi5o7.exe

Process created: C:\Users\user\Desktop\UiF5hKi5o7.exe "C:\Users\user\Desktop\UiF5hKi5o7.exe"

Jump to behavior

Source: C:\Users\user\Desktop\UiF5hKi5o7.exe

Code function: 1_2_00007FF772639FA0 cpuid

1_2_00007FF772639FA0

Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI55162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI55162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI55162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI55162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI55162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI55162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI55162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI55162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI55162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI55162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI55162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI55162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI55162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI55162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI55162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI55162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI55162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI55162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI55162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI55162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI55162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI55162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI55162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI55162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI55162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI55162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI55162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI55162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	Queries volume information: C:\Users\user\Desktop\UiF5hKi5o7.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI55162 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI55162 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI55162 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI55162 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI55162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI55162\libcrypto-1_1.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI55162\select.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI55162\unicodedata.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI55162\_bz2.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI55162\_decimal.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI55162\_socket.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	Queries volume information: C:\Users\user\Desktop\UiF5hKi5o7.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	Queries volume information: C:\Users\user\Desktop\UiF5hKi5o7.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	Queries volume information: C:\Users\user\Desktop\UiF5hKi5o7.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI55162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI55162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI55162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI55162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI55162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI55162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI55162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI55162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI55162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI55162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI55162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI55162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI55162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI55162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	Queries volume information: C:\Users\user\Desktop\UiF5hKi5o7.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	Queries volume information: C:\Users\user\Desktop\UiF5hKi5o7.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI55162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI55162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI55162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	Queries volume information: C:\Users\user\Desktop\UiF5hKi5o7.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI55162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI55162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	Queries volume information: C:\Users\user\Desktop\UiF5hKi5o7.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI55162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI55162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	Queries volume information: C:\Users\user\Desktop\UiF5hKi5o7.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI55162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI55162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI55162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI55162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI55162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI55162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI55162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI55162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI55162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI55162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	Queries volume information: C:\Users\user\Desktop\UiF5hKi5o7.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	Queries volume information: C:\Users\user\Desktop\UiF5hKi5o7.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	Queries volume information: C:\Users\user\Desktop\UiF5hKi5o7.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	Queries volume information: C:\Users\user\Desktop\UiF5hKi5o7.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI55162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI55162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI55162 VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\UiF5hKi5o7.exe

Code function: 1_2_00007FF77261B9C0 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

1_2_00007FF77261B9C0

Source: C:\Users\user\Desktop\UiF5hKi5o7.exe

Code function: 1_2_00007FF7726364D0 _get_daylight,_get_daylight,_get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation,

1_2_00007FF7726364D0

Source: C:\Users\user\Desktop\UiF5hKi5o7.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	11 Process Injection	11 Process Injection	OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	2 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	2 Obfuscated Files or Information	NTDS	23 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
UiF5hKi5o7.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner
C:\Users\user\AppData\Local\Temp\_MEI55162\VCRUNTIME140.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI55162\_bz2.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI55162\_decimal.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI55162\_hashlib.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI55162\_lzma.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI55162\_socket.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI55162\libcrypto-1_1.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI55162\python310.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI55162\select.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI55162\unicodedata.pyd	0%	ReversingLabs

Source	Detection	Scanner	Label	Link
https://www.openssl.org/H	0%	URL Reputation	safe

Name	Source	Malicious	Antivirus Detection	Reputation
https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688	UiF5hKi5o7.exe, 00000004.00000002.2245359860.0000022947158000.00000004.00001000.00020000.00000000.sdmp	false		unknown
https://www.python.org/dev/peps/pep-0205/	UiF5hKi5o7.exe, 00000001.00000003.2224391384.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, base_library.zip.1.dr	false		unknown
https://python.org/dev/peps/pep-0263/	UiF5hKi5o7.exe, 00000004.00000002.2246833194.00007FF8A8E1E000.00000002.00000001.01000000.00000005.sdmp, python310.dll.1.dr	false		unknown
https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#	UiF5hKi5o7.exe, 00000004.00000003.2234325231.000002294585C000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000004.00000003.2239835637.000002294585D000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000004.00000003.2232628185.0000022945852000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000004.00000003.2233510649.0000022945852000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000004.00000003.2234043245.00000229457E6000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000004.00000003.2233121913.0000022945852000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000004.00000003.2230956092.0000022945855000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000004.00000003.2233736541.00000229457D5000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000004.00000002.2245337210.000002294585D000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000004.00000003.2231541657.0000022945855000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000004.00000003.2233712095.0000022945858000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000004.00000003.2231283061.0000022945855000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000004.00000003.2232290616.0000022945832000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py	UiF5hKi5o7.exe, 00000004.00000003.2232290616.0000022945832000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://crl3.digi	UiF5hKi5o7.exe, 00000001.00000003.2224982798.000001AFE208C000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://www.python.org/download/releases/2.3/mro/.	UiF5hKi5o7.exe, 00000004.00000002.2245359860.00000229470D0000.00000004.00001000.00020000.00000000.sdmp, base_library.zip.1.dr	false		unknown
https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy	UiF5hKi5o7.exe, 00000004.00000003.2234325231.000002294585C000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000004.00000003.2239835637.000002294585D000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000004.00000003.2232628185.0000022945852000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000004.00000003.2233510649.0000022945852000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000004.00000003.2234043245.00000229457E6000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000004.00000003.2233121913.0000022945852000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000004.00000003.2230956092.0000022945855000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000004.00000003.2233736541.00000229457D5000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000004.00000002.2245337210.000002294585D000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000004.00000003.2231541657.0000022945855000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000004.00000003.2233712095.0000022945858000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000004.00000003.2231283061.0000022945855000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000004.00000003.2232290616.0000022945832000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader	UiF5hKi5o7.exe, 00000004.00000003.2234325231.000002294585C000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000004.00000003.2239835637.000002294585D000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000004.00000003.2232628185.0000022945852000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000004.00000003.2233510649.0000022945852000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000004.00000003.2234043245.00000229457E6000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000004.00000003.2233121913.0000022945852000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000004.00000003.2230956092.0000022945855000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000004.00000003.2233736541.00000229457D5000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000004.00000002.2245337210.000002294585D000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000004.00000003.2231541657.0000022945855000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000004.00000003.2233712095.0000022945858000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000004.00000003.2231283061.0000022945855000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000004.00000003.2232290616.0000022945832000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://www.openssl.org/H	libcrypto-1_1.dll.1.dr	false	URL Reputation: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1546646
Start date and time:	2024-11-01 11:18:14 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 32s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	UiF5hKi5o7.exe (renamed file extension from none to exe, renamed because original name is a hash value)
Original Sample Name:	D14972C18F26FD101DF4502B6D1DA4C36EA30679AE0E9BD12D6148E99F3C5652
Detection:	MAL
Classification:	mal52.winEXE@4/11@0/0
EGA Information:	Successful, ratio: 50%
HCA Information:	Failed

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 20.190.160.17, 40.126.32.76, 40.126.32.136, 40.126.32.133, 40.126.32.140, 20.190.160.20, 40.126.32.74, 40.126.32.72, 52.182.143.212
Excluded domains from analysis (whitelisted): prdv4a.aadg.msidentity.com, otelrules.azureedge.net, slscr.update.microsoft.com, www.tm.v4.a.prd.aadg.trafficmanager.net, ctldl.windowsupdate.com, login.msa.msidentity.com, fe3cr.delivery.mp.microsoft.com, ocsp.digicert.com, onedsblobprdcus15.centralus.cloudapp.azure.com, login.live.com, blobcollector.events.data.trafficmanager.net, umwatson.events.data.microsoft.com, www.tm.lg.prod.aadmsa.trafficmanager.net
Execution Graph export aborted for target UiF5hKi5o7.exe, PID 6364 because there are no executed function
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: UiF5hKi5o7.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\_MEI55162\VCRUNTIME140.dll	X4KSeQkYJT.exe	Get hash	malicious	Unknown	Browse
	https://on-combine-data.s3.us-west-2.amazonaws.com/dealer-data/Share+Point/NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe	Get hash	malicious	Unknown	Browse
	main.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.FileRepMalware.22561.28030.exe	Get hash	malicious	Python Stealer, Exela Stealer	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	SolaraV4.exe	Get hash	malicious	Blank Grabber	Browse
	SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win64.Remsim.gen.13211.29605.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win64.Remsim.gen.13211.29605.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.BScope.Trojan.Wacatac.4653.13746.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.BScope.Trojan.Wacatac.4653.13746.exe	Get hash	malicious	Unknown	Browse
C:\Users\user\AppData\Local\Temp\_MEI55162\_bz2.pyd	X4KSeQkYJT.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.MacOS.ReverseShell-C.28203.22681.exe	Get hash	malicious	Python Stealer, Creal Stealer	Browse
	auto.exe	Get hash	malicious	Unknown	Browse
	auto.exe	Get hash	malicious	Discord Token Stealer	Browse
	log.exe	Get hash	malicious	Unknown	Browse
	rcm.exe	Get hash	malicious	Unknown	Browse
	KuponcuBaba.exe	Get hash	malicious	Unknown	Browse
	qv81R5O5Cd.exe	Get hash	malicious	BazaLoader, Njrat	Browse
	laZagne.exe	Get hash	malicious	LaZagne, Mimikatz	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\_MEI55162\VCRUNTIME140.dll

Download File

Process:	C:\Users\user\Desktop\UiF5hKi5o7.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	97168
Entropy (8bit):	6.424686954579329
Encrypted:	false
SSDEEP:	1536:yKHLG4SsAzAvadZw+1Hcx8uIYNUzU6Ha4aecbK/zJZ0/b:yKrfZ+jPYNz6Ha4aecbK/FZK
MD5:	A87575E7CF8967E481241F13940EE4F7
SHA1:	879098B8A353A39E16C79E6479195D43CE98629E
SHA-256:	DED5ADAA94341E6C62AEA03845762591666381DCA30EB7C17261DD154121B83E
SHA-512:	E112F267AE4C9A592D0DD2A19B50187EB13E25F23DED74C2E6CCDE458BCDAEE99F4E3E0A00BAF0E3362167AE7B7FE4F96ECBCD265CC584C1C3A4D1AC316E92F0
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: X4KSeQkYJT.exe, Detection: malicious, Browse Filename: , Detection: malicious, Browse Filename: main.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.FileRepMalware.22561.28030.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: SolaraV4.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win64.Remsim.gen.13211.29605.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win64.Remsim.gen.13211.29605.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.BScope.Trojan.Wacatac.4653.13746.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.BScope.Trojan.Wacatac.4653.13746.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......*..qn.."n.."n.."...#l.."g.."e.."n.."B.."<..#c.."<..#~.."<..#q.."<..#o.."<.g"o.."<..#o.."Richn.."................PE..d...Y.-a.........." .........`......p.....................................................`A.........................................B..4....J...............p..X....X...#..........h,..T............................,..8............................................text............................... ..`.rdata...@.......B..................@..@.data...@....`.......@..............@....pdata..X....p.......D..............@..@_RDATA...............P..............@..@.rsrc................R..............@..@.reloc...............V..............@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI55162\_bz2.pyd

Download File

Process:	C:\Users\user\Desktop\UiF5hKi5o7.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	80784
Entropy (8bit):	6.45456109441925
Encrypted:	false
SSDEEP:	1536:hwz7h8B7BjhJCZePYgl/5S8Gh2Nv0DFIGtVQ7Sygj:hwz18BrJCJglhlGINv0RIGtVQej
MD5:	BCF0D58A4C415072DAE95DB0C5CC7DB3
SHA1:	8CE298B7729C3771391A0DECD82AB4AE8028C057
SHA-256:	D7FAF016EF85FDBB6636F74FC17AFC245530B1676EC56FC2CC756FE41CD7BF5A
SHA-512:	C54D76E50F49249C4E80FC6CE03A5FDEC0A79D2FF0880C2FC57D43227A1388869E8F7C3F133EF8760441964DA0BF3FC23EF8D3C3E72CE1659D40E8912CB3E9BC
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: X4KSeQkYJT.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.MacOS.ReverseShell-C.28203.22681.exe, Detection: malicious, Browse Filename: auto.exe, Detection: malicious, Browse Filename: auto.exe, Detection: malicious, Browse Filename: log.exe, Detection: malicious, Browse Filename: rcm.exe, Detection: malicious, Browse Filename: KuponcuBaba.exe, Detection: malicious, Browse Filename: qv81R5O5Cd.exe, Detection: malicious, Browse Filename: laZagne.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........>E.mE.mE.mL.=mO.m...lG.m#.SmF.m...lI.m...lM.m...lA.m...lF.m...lG.mE.m..m...lM.m...lD.m..QmD.m...lD.mRichE.m........PE..d....y.a.........." .........^...............................................P......S7....`.........................................@...H............0....... ..,............@......`...T...............................8............................................text...U........................... ..`.rdata...>.......@..................@..@.data...............................@....pdata..,.... ......................@..@.rsrc........0......................@..@.reloc.......@......................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI55162\_decimal.pyd

Download File

Process:	C:\Users\user\Desktop\UiF5hKi5o7.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	250768
Entropy (8bit):	6.527857952800466
Encrypted:	false
SSDEEP:	6144:MJFPEV3nLF0eMMCtGzohEgCmUQjYK9qWMa3pLW1AtSrYB4BRWr8k:cPgXLF035tVZCRBQC06nWr8k
MD5:	D976C5F77A6370CF6F28A5714BF49AE3
SHA1:	79273EB123A68BA5CB91FF37EE0A82CEE880C2CC
SHA-256:	FE2BCCB2E204A736ED86A8D16EFFEAFE83B30B44F809349E172142665DE8458A
SHA-512:	57DF90F9FAF31F81F245A39A14C0784A3FACE4F76F00430DE8CFF2E86B55FA3269CD595119FD093E03709DEBF0888618917CAE5EA5E68F43A8E928861CAA01C5
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......t!=.0@S.0@S.0@S.98..>@S.b5R.2@S.b5V.<@S.b5W.8@S.b5P.4@S..5R.3@S..2R.2@S.0@R..@S..5P.1@S..5^.?@S..5S.1@S..5..1@S..5Q.1@S.Rich0@S.................PE..d....y.a.........." .....\|...:......l...............................................-.....`..........................................T..P....T...................'..............<... ...T...............................8............................................text....{.......\|.................. ..`.rdata..............................@..@.data....)...p...$...X..............@....pdata...'.......(...\|..............@..@.rsrc...............................@..@.reloc..<...........................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI55162\_hashlib.pyd

Download File

Process:	C:\Users\user\Desktop\UiF5hKi5o7.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	60304
Entropy (8bit):	6.093275200649072
Encrypted:	false
SSDEEP:	768:JV/wp93dN0yIITgu/w521DxBjWO/Z1bbr1IG5ItYiSyvJhKy:GNdeyIaVww1TjWMr1IG5It7Syf
MD5:	F63DA7F9A4E64148255E9D3885E7A008
SHA1:	756DC192E7B2932DF147C48F05EC5E38E9AA06E6
SHA-256:	FA0BB4BF93A6739CE5ADE6A7A69272BBC1227D09C7AFC1C027D6CEA41141BCC6
SHA-512:	23D06DEF20C3668613392A02832777B27AD5353E1DC246316043B606890445D195A1066FCA65300A5D429319AA2AE2505F9FA3A5AB0F97ABA2717B64AAA07E8D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......bGq.&&..&&..&&../^.."&..tS..$&..tS..-&..tS...&..tS..%&..S..$&...T..$&...Q..%&..&&..&..S..'&..S..'&..S..'&..S..'&..Rich&&..........................PE..d....y.a.........." .....P...~.......<...................................................`.............................................P......................................T....k..T............................k..8............`...............................text....N.......P.................. ..`.rdata...O...`...P...T..............@..@.data...H...........................@....pdata..............................@..@.rsrc...............................@..@.reloc..T...........................@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI55162\_lzma.pyd

Download File

Process:	C:\Users\user\Desktop\UiF5hKi5o7.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	154000
Entropy (8bit):	6.8078458773005055
Encrypted:	false
SSDEEP:	3072:GD6xBrqs+vs0H0q8bnpbVZbXsAIPznfo9mNoK5vSpxpRIGe1y2:GD63rcRLCV+7wYOK50P2
MD5:	BA3797D77B4B1F3B089A73C39277B343
SHA1:	364A052731CFE40994C6FEF4C51519F7546CD0B1
SHA-256:	F904B02720B6498634FC045E3CC2A21C04505C6BE81626FE99BDB7C12CC26DC6
SHA-512:	5688AE25405AE8C5491898C678402C7A62EC966A8EC77891D9FD397805A5CFCF02D7AE8E2AA27377D65E6CE05B34A7FFDEDF3942A091741AF0D5BCE41628BF7D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........l............................................Z......3.............Z......Z......Z......Z......Rich............PE..d....y.a.........." .....^...........2....................................................`.............................................L...,...x....`.......@.......:.......p..D...H{..T............................{..8............p...............................text....].......^.................. ..`.rdata.......p.......b..............@..@.data........0......................@....pdata.......@......................@..@.rsrc........`......................@..@.reloc..D....p.......8..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI55162\_socket.pyd

Download File

Process:	C:\Users\user\Desktop\UiF5hKi5o7.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	75152
Entropy (8bit):	6.147254943521508
Encrypted:	false
SSDEEP:	1536:z1XB7kEDATyhAZ9/s+S+pxyXc/+lf7PdIGQwP7Syr:ZXB4EDXhAZ9/sT+px8c/Sz1IGQwP9
MD5:	79C2FF05157EF4BA0A940D1C427C404E
SHA1:	17DA75D598DEAA480CDD43E282398E860763297B
SHA-256:	F3E0E2F3E70AB142E7CE1A4D551C5623A3317FB398D359E3BD8E26D21847F707
SHA-512:	F91FC9C65818E74DDC08BBE1CCEA49F5F60D6979BC27E1CDB2EF40C2C8A957BD3BE7AEA5036394ABAB52D51895290D245FD5C9F84CC3CC554597AE6F85C149E1
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........w...............nk......c.......c.......c.......c......xc..........t....d......xc......xc......xc......xc......Rich....................PE..d....y.a.........." .....l.......... &.......................................P......v7....`.............................................P............0....... ..<............@..........T..............................8............................................text...Fj.......l.................. ..`.rdata..Ts.......t...p..............@..@.data...............................@....pdata..<.... ......................@..@.rsrc........0......................@..@.reloc.......@......................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI55162\base_library.zip

Download File

Process:	C:\Users\user\Desktop\UiF5hKi5o7.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=store
Category:	dropped
Size (bytes):	879571
Entropy (8bit):	5.683502245340345
Encrypted:	false
SSDEEP:	12288:8VghgApCWymC6Shc1tBA4a2YcsduVwOsfJEw4W0SaMNc:8VghoVmrLa2PLVwOsfJEw4vMNc
MD5:	1C7BFA4919E119BA94287BEBF03555B7
SHA1:	815C8ADB9115A2F97E31502C149BE857DE74F27D
SHA-256:	23980D83F8AF04F1E5AF8BB3F82E71E76D5730622B39831847BA5E725256B8B0
SHA-512:	A5B7690E9201D8F5B2062AC2C5F967777FAB34D7156B0AEEE34A9701F6814759277BDC2F1890DE67CA1B3C16EA689D7A64924C5A7F3BDB3D8712126BFF116408
Malicious:	false
Preview:	PK..........!.0.~E............_collections_abc.pyco....................................@.......d.Z.d.d.l.m.Z.m.Z...d.d.l.Z.e.e.e.....Z.e.d...Z.d.d...Z.e.e...Z.[.g.d...Z.d.Z.e.e.d.....Z.e.e.e.......Z.e.e.i.........Z.e.e.i.........Z.e.e.i.........Z.e.e.g.....Z.e.e.e.g.......Z.e.e.e.d.......Z.e.e.e.d.d.>.......Z.e.e.e.......Z.e.e.d.....Z e.e.d.....Z!e.e.e"......Z#e.i.......Z$e.i.......Z%e.i.......Z&e.e.j'..Z(e.d.d.......Z)d.d...Ze..Ze.e..Z+e.,....[d.d...Z-e-..Z-e.e-..Z.[-d.d...Z/G.d.d...d.e.d...Z0G.d.d...d.e.d...Z1G.d.d...d.e1..Z2e2.3e+....G.d.d...d.e.d...Z4G.d.d ..d e4..Z5G.d!d"..d"e5..Z6e6.3e.....G.d#d$..d$e.d...Z7G.d%d&..d&e7..Z8e8.3e.....e8.3e.....e8.3e.....e8.3e.....e8.3e.....e8.3e.....e8.3e.....e8.3e.....e8.3e.....e8.3e.....e8.3e ....e8.3e!....e8.3e#....G.d'd(..d(e7..Z9G.d)d..de8..Z:e:.3e)....G.d+d,..d,e.d...Z;G.d-d...d.e.d...Z<G.d/d0..d0e;e7e<..Z=G.d1d2..d2e...Z>d3d4..Z?d5d6..Z@d7d8..ZAG.d9d:..d:e.d...ZBG.d;d<..d<e=..ZCeC.3eD....G.d=d>..d>eC..ZEeE.3e.....G.d?d@..d@e=..ZFeF

C:\Users\user\AppData\Local\Temp\_MEI55162\libcrypto-1_1.dll

Download File

Process:	C:\Users\user\Desktop\UiF5hKi5o7.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	3438840
Entropy (8bit):	6.094542623790425
Encrypted:	false
SSDEEP:	49152:DTKuk2HvIU6iwpOjPWBdwQN+5X2uyWsrV4+OGyu1BYGx6KCIrA9NPe0Cs5Z1CPwE:Pg+Hb5Wt+2BoBIcU0CsD1CPwDv3uFfJZ
MD5:	63C756D74C729D6D24DA2B8EF596A391
SHA1:	7610BB1CBF7A7FDB2246BE55D8601AF5F1E28A00
SHA-256:	17D0F4C13C213D261427EE186545B13EF0C67A99FE7AD12CD4D7C9EC83034AC8
SHA-512:	D9CF045BB1B6379DD44F49405CB34ACF8570AED88B684D0AB83AF571D43A0D8DF46D43460D3229098BD767DD6E0EF1D8D48BC90B9040A43B5469CEF7177416A2
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...................0.........................3........^....^.....^....^.\...^....Rich............................PE..d....A.a.........." ......$...................................................5.......4...`..........................................h/..h...:4.@....p4.\|....`2.h....\4.......4..O..,.,.8...........................p.,.8............04..............................text.....$.......$................. ..`.rdata........$.......$.............@..@.data...!z....1..,....1.............@....pdata..8....`2.......1.............@..@.idata..^#...04..$....3.............@..@.00cfg..c....`4.......3.............@..@.rsrc...\|....p4.......3.............@..@.reloc...x....4..z....3.............@..B................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI55162\python310.dll

Download File

Process:	C:\Users\user\Desktop\UiF5hKi5o7.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	4453776
Entropy (8bit):	6.4554098557218
Encrypted:	false
SSDEEP:	49152:wplyWz2QcN6iPdzYjz0AMs9Kt2KnX0OCpFLoFnAcECdNCsugztL0DD9fIysVHkDx:sximj29G5H+ywH+MWqlgdMW
MD5:	C6C37B848273E2509A7B25ABE8BF2410
SHA1:	B27CFBD31336DA1E9B1F90E8F649A27154411D03
SHA-256:	B7A7F3707BEAB109B66DE3E340E3022DD83C3A18F444FEB9E982C29CF23C29B8
SHA-512:	222AD791304963A4B8C1C6055E02C0C4C47FCE2BB404BD4F89C022FF9706E29CA6FA36C72350FBF296C8A0E3E48E3756F969C003DD1EB056CD026EFE0B7EBA40
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........U...4...4...4...A...4...[n..4...A...4...A...4...A...4...L...4..zF...4...4...5...A..i4...A...4...Al..4...A...4..Rich.4..................PE..d....y.a.........." .....j#..^!.....l.........................................E......ND...`...........................................<.....X.=.\|....pD......PB.......C.......D..t....$.T...........................0.$.8.............#.(............................text...>h#......j#................. ..`.rdata...+....#..,...n#.............@..@.data.........=.......=.............@....pdata.......PB......DA.............@..@PyRuntim`....`D......RC.............@....rsrc........pD......VC.............@..@.reloc...t....D..v...`C.............@..B................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI55162\select.pyd

Download File

Process:	C:\Users\user\Desktop\UiF5hKi5o7.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	26000
Entropy (8bit):	6.339693503329678
Encrypted:	false
SSDEEP:	384:NUTqPjk/7e12hwheCPHqqYBsVRXPdIG7GxIYiSy1pCQFC67hEQ:iTgUC2hwh7HqbYVPdIG7GmYiSyvD7hF
MD5:	431464C4813ED60FBF15A8BF77B0E0CE
SHA1:	9825F6A8898E38C7A7DDC6F0D4B017449FB54794
SHA-256:	1F56DF23A36132F1E5BE4484582C73081516BEE67C25EF79BEEE01180C04C7F0
SHA-512:	53175384699A7BB3B93467065992753B73D8F3A09E95E301A1A0386C6A1224FA9ED8FA42C99C1FFBCFA6377B6129E3DB96E23750E7F23B4130AF77D14AC504A0
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......... ...N...N...N......N...O...N...K...N...J...N...M...N.t.O...N...O...N...O...N.t.C...N.t.N...N.t.....N.t.L...N.Rich..N.................PE..d....y.a.........." .........0............................................................`.........................................`@..L....@..x....p.......`.......F..........H....2..T............................2..8............0...............................text............................... ..`.rdata.......0......................@..@.data........P.......4..............@....pdata.......`.......6..............@..@.rsrc........p.......:..............@..@.reloc..H............D..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI55162\unicodedata.pyd

Download File

Process:	C:\Users\user\Desktop\UiF5hKi5o7.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1118608
Entropy (8bit):	5.375765997910847
Encrypted:	false
SSDEEP:	12288:ArlBMmuZ63NNQCb5Pfhnzr0ql8L8kdM7IRG5eeme6VZyrIBHdQLhfFE+uOVg:mlBuqZV0m81MMREtV6Vo4uYOVg
MD5:	D1182BA27939104010B6313C466D49FF
SHA1:	7870134F41BA5333294C927DBD77D3F740AC87E7
SHA-256:	1AC171F51CC87F268617B4A635B2331D5991D987D32BB206DD4E38033449C052
SHA-512:	EF26A2C8B0094792E10CEABBF4D11724A9368D96F888240581A15D7A551754C1484F6B2ED1B963A73B686495C7952D9CB940021028D4F230B0B47D0794607D0F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......\|.$z8OJ)8OJ)8OJ)17.)>OJ)j:K(:OJ)j:O(4OJ)j:N(0OJ)j:I(;OJ).:K(;OJ).=K(:OJ)8OK)iOJ).:G(9OJ).:J(9OJ).:.)9OJ).:H(9OJ)Rich8OJ)........................PE..d....y.a.........." .....B..........`*.......................................@......5.....`.............................................X...(........ .......................0......0L..T............................L..8............`..x............................text....A.......B.................. ..`.rdata......`.......F..............@..@.data...............................@....pdata..............................@..@.rsrc........ ......................@..@.reloc.......0......................@..B................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32+ executable (console) x86-64, for MS Windows
Entropy (8bit):	7.984672345389008
TrID:	Win64 Executable Console (202006/5) 77.37% InstallShield setup (43055/19) 16.49% Win64 Executable (generic) (12005/4) 4.60% Generic Win/DOS Executable (2004/3) 0.77% DOS Executable Generic (2002/1) 0.77%
File name:	UiF5hKi5o7.exe
File size:	5'462'278 bytes
MD5:	e54e6d6f9a6e2abac7563407294cb9ee
SHA1:	cb0853fd275bd4fc1354742fb2bb8b98095b39fa
SHA256:	d14972c18f26fd101df4502b6d1da4c36ea30679ae0e9bd12d6148e99f3c5652
SHA512:	8f2c911ae0cf1aca5220ae7a17b954f37018f4ee45099179bbe520103893404251ac341247f0cf162986d17a065d4c59beaf68fd966c9a37badaa7fe88a659ac
SSDEEP:	98304:daB8yIFqR4awNNdtehF4423GjQ/ggIDyWbP6Hz08M7kOZJ7tzhVT:daBiFqRmvds44njQthsiHzy7kOZJ7tzh
TLSH:	21463341B39008F9E83B527E8452C525D6B67C615366C28B07F8C7B73F536E2AE7EA40
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........o4N..Z...Z...Z..vY...Z..v_.y.Z..v^...Z.\|r....Z.\|r_...Z.\|r^...Z.\|rY...Z..v[...Z...[...Z..s^...Z..sX...Z.Rich..Z................

File Icon


Icon Hash:	2e1e7c4c4c61e979

Static PE Info

General

Entrypoint:	0x14000b750
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x651F2180 [Thu Oct 5 20:50:08 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	2
File Version Major:	5
File Version Minor:	2
Subsystem Version Major:	5
Subsystem Version Minor:	2
Import Hash:	380d2cbec5e800eecb6612f15b9ac012

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007F0BD8B189BCh
dec eax
add esp, 28h
jmp 00007F0BD8B185BFh
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
dec eax
sub esp, 28h
call 00007F0BD8B18F04h
test eax, eax
je 00007F0BD8B18773h
dec eax
mov eax, dword ptr [00000030h]
dec eax
mov ecx, dword ptr [eax+08h]
jmp 00007F0BD8B18757h
dec eax
cmp ecx, eax
je 00007F0BD8B18766h
xor eax, eax
dec eax
cmpxchg dword ptr [00034D1Ch], ecx
jne 00007F0BD8B18740h
xor al, al
dec eax
add esp, 28h
ret
mov al, 01h
jmp 00007F0BD8B18749h
int3
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
movzx eax, byte ptr [00034D07h]
test ecx, ecx
mov ebx, 00000001h
cmove eax, ebx
mov byte ptr [00034CF7h], al
call 00007F0BD8B18D03h
call 00007F0BD8B19E32h
test al, al
jne 00007F0BD8B18756h
xor al, al
jmp 00007F0BD8B18766h
call 00007F0BD8B27AC1h
test al, al
jne 00007F0BD8B1875Bh
xor ecx, ecx
call 00007F0BD8B19E42h
jmp 00007F0BD8B1873Ch
mov al, bl
dec eax
add esp, 20h
pop ebx
ret
int3
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
cmp byte ptr [00034CBCh], 00000000h
mov ebx, ecx
jne 00007F0BD8B187B9h
cmp ecx, 01h
jnbe 00007F0BD8B187BCh
call 00007F0BD8B18E6Ah
test eax, eax
je 00007F0BD8B1877Ah

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3ccfc	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x46000	0xef8c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x42000	0x22ec	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x55000	0x758	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x3a200	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x3a0c0	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2b000	0x378	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x29e00	0x29e00	4560a34980afcc6c96a0e1538e10dcd9	False	0.5518540111940299	zlib compressed data	6.498392514737246	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x2b000	0x12922	0x12a00	2c78f2e40293d0591db0378f28624dd2	False	0.5167654152684564	data	5.840225867607813	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3e000	0x3338	0xe00	38f62c5805a3d737d7c4520a894b61ae	False	0.1328125	Matlab v4 mat-file (little endian) f\324\377\3772\242\337-\231+, text, rows 4294967295, columns 0	1.8272739996700293	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x42000	0x22ec	0x2400	f4f2fe5d7c81c6dcaac1f618fb2ee585	False	0.4762369791666667	data	5.3405110610033875	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
_RDATA	0x45000	0x15c	0x200	171e51bf695b9b302bcee9e943d7cc0c	False	0.388671875	data	2.791276042982855	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x46000	0xef8c	0xf000	dab73f09c5e5ae20da7ffd060277f4e9	False	0.8010091145833333	data	7.350140723239741	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x55000	0x758	0x800	85a4012cedcf8819905028c517f9e06b	False	0.54638671875	data	5.23959939901847	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x46208	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	0.56636460554371
RT_ICON	0x470b0	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	0.7287906137184116
RT_ICON	0x47958	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	0.7471098265895953
RT_ICON	0x47ec0	0x909b	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9971636186822983
RT_ICON	0x50f5c	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	0.38309128630705397
RT_ICON	0x53504	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	0.4826454033771107
RT_ICON	0x545ac	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	0.699468085106383
RT_GROUP_ICON	0x54a14	0x68	data	0.7019230769230769
RT_MANIFEST	0x54a7c	0x50d	XML 1.0 document, ASCII text	0.4694508894044857

Imports

DLL	Import
USER32.dll	GetWindowThreadProcessId, ShowWindow
KERNEL32.dll	GetModuleFileNameW, CreateSymbolicLinkW, GetProcAddress, GetCommandLineW, GetEnvironmentVariableW, SetEnvironmentVariableW, ExpandEnvironmentStringsW, CreateDirectoryW, GetTempPathW, WaitForSingleObject, Sleep, GetExitCodeProcess, CreateProcessW, SetDllDirectoryW, FreeLibrary, LoadLibraryExW, SetConsoleCtrlHandler, FindClose, FindFirstFileExW, CloseHandle, GetCurrentProcess, GetCurrentProcessId, LocalFree, FormatMessageW, MultiByteToWideChar, WideCharToMultiByte, GetConsoleWindow, GetTimeZoneInformation, GetLastError, HeapSize, WriteConsoleW, GetStartupInfoW, TlsSetValue, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetModuleHandleW, RtlUnwindEx, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, SetEndOfFile, TlsFree, EncodePointer, RaiseException, RtlPcToFileHeader, GetCommandLineA, CreateFileW, GetDriveTypeW, GetFileInformationByHandle, GetFileType, PeekNamedPipe, SystemTimeToTzSpecificLocalTime, FileTimeToSystemTime, GetFullPathNameW, RemoveDirectoryW, FindNextFileW, SetStdHandle, DeleteFileW, ReadFile, GetStdHandle, WriteFile, ExitProcess, GetModuleHandleExW, HeapFree, GetConsoleMode, ReadConsoleW, SetFilePointerEx, GetConsoleOutputCP, GetFileSizeEx, HeapAlloc, FlsAlloc, FlsGetValue, FlsSetValue, FlsFree, CompareStringW, LCMapStringW, GetCurrentDirectoryW, FlushFileBuffers, HeapReAlloc, GetFileAttributesExW, GetStringTypeW, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetProcessHeap
ADVAPI32.dll	ConvertSidToStringSidW, GetTokenInformation, OpenProcessToken, ConvertStringSecurityDescriptorToSecurityDescriptorW

Network Behavior

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 1, 2024 11:19:22.412256002 CET	53	51130	1.1.1.1	192.168.2.5

Target ID:	1
Start time:	06:19:23
Start date:	01/11/2024
Path:	C:\Users\user\Desktop\UiF5hKi5o7.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\UiF5hKi5o7.exe"
Imagebase:	0x7ff772610000
File size:	5'462'278 bytes
MD5 hash:	E54E6D6F9A6E2ABAC7563407294CB9EE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	06:19:23
Start date:	01/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	06:19:23
Start date:	01/11/2024
Path:	C:\Users\user\Desktop\UiF5hKi5o7.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\UiF5hKi5o7.exe"
Imagebase:	0x7ff772610000
File size:	5'462'278 bytes
MD5 hash:	E54E6D6F9A6E2ABAC7563407294CB9EE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	11.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	15.4%
Total number of Nodes:	2000
Total number of Limit Nodes:	34

Executed Functions

Function 00007FF7726364D0 Relevance: 14.3, APIs: 6, Strings: 2, Instructions: 334
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_get_daylight.LIBCMT ref: 00007FF772636515

Part of subcall function 00007FF772635E68: _invalid_parameter_noinfo.LIBCMT ref: 00007FF772635E7C

Part of subcall function 00007FF77262B13C: RtlFreeHeap.NTDLL(?,?,?,00007FF7726334F2,?,?,?,00007FF77263352F,?,?,00000000,00007FF7726339F5,?,?,00000000,00007FF772633927), ref: 00007FF77262B152
Part of subcall function 00007FF77262B13C: GetLastError.KERNEL32(?,?,?,00007FF7726334F2,?,?,?,00007FF77263352F,?,?,00000000,00007FF7726339F5,?,?,00000000,00007FF772633927), ref: 00007FF77262B15C

Part of subcall function 00007FF77262B0F4: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FF77262B0D3,?,?,?,?,?,00007FF772622AF0), ref: 00007FF77262B0FD
Part of subcall function 00007FF77262B0F4: GetCurrentProcess.KERNEL32(?,?,?,?,00007FF77262B0D3,?,?,?,?,?,00007FF772622AF0), ref: 00007FF77262B122

_get_daylight.LIBCMT ref: 00007FF772636504

Part of subcall function 00007FF772635EC8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF772635EDC

_get_daylight.LIBCMT ref: 00007FF77263677A
_get_daylight.LIBCMT ref: 00007FF77263678B
_get_daylight.LIBCMT ref: 00007FF77263679C
GetTimeZoneInformation.KERNELBASE(?,?,?,?,?,?,?,?,?,00000000,?,00007FF7726369DC), ref: 00007FF7726367C3

Strings

Eastern Standard Time, xrefs: 00007FF772636869
Eastern Summer Time, xrefs: 00007FF772636881

Memory Dump Source

Source File: 00000001.00000002.2248053225.00007FF772611000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF772610000, based on PE: true

Associated: 00000001.00000002.2248031395.00007FF772610000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248090145.00007FF77263B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF77264E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF772650000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248161354.00007FF772652000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff772610000_UiF5hKi5o7.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo$CurrentErrorFeatureFreeHeapInformationLastPresentProcessProcessorTimeZone
String ID: Eastern Standard Time$Eastern Summer Time
API String ID: 4070488512-239921721
Opcode ID: e4fcdda70528d111a94e6187a193c53f750ddbf87f1d0e9bbf468a5a64d13a2e
Instruction ID: 0fc04d027aeb82c63f042585d02bad07d82200a62b736a36c70e797f9961d67d
Opcode Fuzzy Hash: e4fcdda70528d111a94e6187a193c53f750ddbf87f1d0e9bbf468a5a64d13a2e
Instruction Fuzzy Hash: 24D1A363A3C24245E710BF2298901BAA692EB44794FC1513BDA6DC7E86DFBCE441CF64

Function 00007FF772616B80 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 141
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTempPathW.KERNEL32(00000000,00000000,00000000,00000000,?,00007FF77261154F), ref: 00007FF772616C17
GetCurrentProcessId.KERNEL32 ref: 00007FF772616C1D

Part of subcall function 00007FF772616D90: GetEnvironmentVariableW.KERNEL32(00007FF772612B1C), ref: 00007FF772616DCA
Part of subcall function 00007FF772616D90: ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF772616DE7

Part of subcall function 00007FF772628020: _invalid_parameter_noinfo.LIBCMT ref: 00007FF772628039

SetEnvironmentVariableW.KERNEL32 ref: 00007FF772616CD1

Strings

LOADER: Failed to set the TMP environment variable., xrefs: 00007FF772616BFA
_MEI%d, xrefs: 00007FF772616C25
TMP, xrefs: 00007FF772616BE0
TMP, xrefs: 00007FF772616BBA, 00007FF772616C79, 00007FF772616D07

Memory Dump Source

Source File: 00000001.00000002.2248053225.00007FF772611000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF772610000, based on PE: true

Associated: 00000001.00000002.2248031395.00007FF772610000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248090145.00007FF77263B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF77264E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF772650000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248161354.00007FF772652000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff772610000_UiF5hKi5o7.jbxd

Similarity

API ID: Environment$Variable$CurrentExpandPathProcessStringsTemp_invalid_parameter_noinfo
String ID: LOADER: Failed to set the TMP environment variable.$TMP$TMP$_MEI%d
API String ID: 1556224225-1116378104
Opcode ID: be57af591ebd5ef04cd6d0e77894d8857e47ad694bebd0a6f081fcddcfe9fc4a
Instruction ID: 20517c24c6866948c0ce5556bc3a852eee6b8ff886eb716dfcb908f1cb2d4611
Opcode Fuzzy Hash: be57af591ebd5ef04cd6d0e77894d8857e47ad694bebd0a6f081fcddcfe9fc4a
Instruction Fuzzy Hash: 0E514F17B3D25251FA24B72299152BBD2939F45BC0FC44436ED2EC7E96DDACF501CA20

Function 00007FF77263741C Relevance: 13.8, APIs: 9, Instructions: 276
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF772637150: _invalid_parameter_noinfo.LIBCMT ref: 00007FF772637191
Part of subcall function 00007FF772637150: _invalid_parameter_noinfo.LIBCMT ref: 00007FF77263720F
Part of subcall function 00007FF772637150: _invalid_parameter_noinfo.LIBCMT ref: 00007FF772637260

CreateFileW.KERNELBASE ref: 00007FF772637522
CreateFileW.KERNEL32 ref: 00007FF772637572
GetLastError.KERNEL32 ref: 00007FF7726375A2
GetFileType.KERNELBASE ref: 00007FF7726375B7
GetLastError.KERNEL32 ref: 00007FF7726375C1
CloseHandle.KERNEL32 ref: 00007FF7726375F4
CloseHandle.KERNEL32 ref: 00007FF772637757
CreateFileW.KERNEL32 ref: 00007FF77263778C
GetLastError.KERNEL32 ref: 00007FF77263779B

Memory Dump Source

Source File: 00000001.00000002.2248053225.00007FF772611000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF772610000, based on PE: true

Associated: 00000001.00000002.2248031395.00007FF772610000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248090145.00007FF77263B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF77264E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF772650000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248161354.00007FF772652000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff772610000_UiF5hKi5o7.jbxd

Similarity

API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type
String ID:
API String ID: 1617910340-0
Opcode ID: 6b5cfb35888fc956fe8d47a7c44be9f993c906b474aae4ca8ca64600ca20d147
Instruction ID: 4d25c5e7c39d6ea14c333a9668f12a3e13c889f31c57c7791a2d5c0b6e16d117
Opcode Fuzzy Hash: 6b5cfb35888fc956fe8d47a7c44be9f993c906b474aae4ca8ca64600ca20d147
Instruction Fuzzy Hash: E7C1D333B38A4185EB11EF64C4905AE7762E74ABA8B501236DE2E97B95CF78E051CB10

Function 00007FF77263674C Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 143
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_get_daylight.LIBCMT ref: 00007FF77263677A

Part of subcall function 00007FF772635EC8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF772635EDC

_get_daylight.LIBCMT ref: 00007FF77263678B

Part of subcall function 00007FF772635E68: _invalid_parameter_noinfo.LIBCMT ref: 00007FF772635E7C

_get_daylight.LIBCMT ref: 00007FF77263679C

Part of subcall function 00007FF772635E98: _invalid_parameter_noinfo.LIBCMT ref: 00007FF772635EAC

Part of subcall function 00007FF77262B13C: RtlFreeHeap.NTDLL(?,?,?,00007FF7726334F2,?,?,?,00007FF77263352F,?,?,00000000,00007FF7726339F5,?,?,00000000,00007FF772633927), ref: 00007FF77262B152
Part of subcall function 00007FF77262B13C: GetLastError.KERNEL32(?,?,?,00007FF7726334F2,?,?,?,00007FF77263352F,?,?,00000000,00007FF7726339F5,?,?,00000000,00007FF772633927), ref: 00007FF77262B15C

GetTimeZoneInformation.KERNELBASE(?,?,?,?,?,?,?,?,?,00000000,?,00007FF7726369DC), ref: 00007FF7726367C3

Strings

Eastern Standard Time, xrefs: 00007FF772636869
Eastern Summer Time, xrefs: 00007FF772636881

Memory Dump Source

Source File: 00000001.00000002.2248053225.00007FF772611000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF772610000, based on PE: true

Associated: 00000001.00000002.2248031395.00007FF772610000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248090145.00007FF77263B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF77264E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF772650000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248161354.00007FF772652000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff772610000_UiF5hKi5o7.jbxd

Similarity

API ID: _get_daylight_invalid_parameter_noinfo$ErrorFreeHeapInformationLastTimeZone
String ID: Eastern Standard Time$Eastern Summer Time
API String ID: 3458911817-239921721
Opcode ID: 6d998e9ab7433d443c26072edc04c990136b6352f2181554ab72cd749afbed9d
Instruction ID: 2f63946328e168d2e7783bb31cb66af5c6282fc84c0ee065a79b9f49d3cb3b32
Opcode Fuzzy Hash: 6d998e9ab7433d443c26072edc04c990136b6352f2181554ab72cd749afbed9d
Instruction Fuzzy Hash: 74514273A3C64245E710EF21948056AA762BB48744F815137DA6DC3E96DF7CE440CF64

Function 00007FF772631098 Relevance: 2.0, APIs: 1, Instructions: 461COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2248053225.00007FF772611000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF772610000, based on PE: true

Associated: 00000001.00000002.2248031395.00007FF772610000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248090145.00007FF77263B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF77264E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF772650000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248161354.00007FF772652000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff772610000_UiF5hKi5o7.jbxd

Similarity

API ID: CurrentFeaturePresentProcessProcessor
String ID:
API String ID: 1010374628-0
Opcode ID: 1ff2dbd24b049d570d9a80da9b89c9b9c8298d246fde8bb7cf94dd17c3f6424a
Instruction ID: 0f076eab50c5423d054f6786e51069ba84ef0dc0e6005d53b13495f92d7b2102
Opcode Fuzzy Hash: 1ff2dbd24b049d570d9a80da9b89c9b9c8298d246fde8bb7cf94dd17c3f6424a
Instruction Fuzzy Hash: F802AD63B3D64241EE51BB1294006BBA2D6AF45BA0FC45536DD7DC6BC2EEBCE441CB20

Function 00007FF772611710 Relevance: 24.6, APIs: 1, Strings: 13, Instructions: 148
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

fopen, xrefs: 00007FF772611797
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF7726118F5
Failed to extract %s: failed to write data chunk!, xrefs: 00007FF7726118E5
fread, xrefs: 00007FF7726118FC
fseek, xrefs: 00007FF77261180D
malloc, xrefs: 00007FF77261186D
Failed to create symbolic link %s!, xrefs: 00007FF772611753
fwrite, xrefs: 00007FF7726118EC
pyi_arch_extract2fs was called before temporary directory was initialized!, xrefs: 00007FF772611726
Failed to extract %s: failed to allocate temporary buffer!, xrefs: 00007FF772611866
Failed to extract %s: failed to open archive file!, xrefs: 00007FF7726117D9
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF772611806
Failed to extract %s: failed to open target file!, xrefs: 00007FF772611790

Memory Dump Source

Source File: 00000001.00000002.2248053225.00007FF772611000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF772610000, based on PE: true

Associated: 00000001.00000002.2248031395.00007FF772610000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248090145.00007FF77263B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF77264E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF772650000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248161354.00007FF772652000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff772610000_UiF5hKi5o7.jbxd

Similarity

API ID:
String ID: Failed to create symbolic link %s!$Failed to extract %s: failed to allocate temporary buffer!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to open target file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$Failed to extract %s: failed to write data chunk!$fopen$fread$fseek$fwrite$malloc$pyi_arch_extract2fs was called before temporary directory was initialized!
API String ID: 0-3833288071
Opcode ID: bf262973b9ce6ca29cdde4ebd959a4152bc68f08237c31756dcb1e861480abb2
Instruction ID: 7d4a19ae3333267b99c9888e23cffa85b409267a5e3194fc38d20a7995e9984c
Opcode Fuzzy Hash: bf262973b9ce6ca29cdde4ebd959a4152bc68f08237c31756dcb1e861480abb2
Instruction Fuzzy Hash: D85164A3B3C64685EA10BB11D44016BA3A2EF45794FC45972DE2C87F96DFACF144CB20

Function 00007FF772611000 Relevance: 21.3, APIs: 1, Strings: 11, Instructions: 327
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF772613090: GetModuleFileNameW.KERNEL32(?,00007FF772612AEF), ref: 00007FF7726130C1

SetDllDirectoryW.KERNEL32 ref: 00007FF772612D30

Part of subcall function 00007FF772616D90: GetEnvironmentVariableW.KERNEL32(00007FF772612B1C), ref: 00007FF772616DCA
Part of subcall function 00007FF772616D90: ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF772616DE7

Strings

hide-late, xrefs: 00007FF772612E16, 00007FF772612EDC
hide-early, xrefs: 00007FF772612C85
MEI, xrefs: 00007FF772612C18
Cannot side-load external archive %s (code %d)!, xrefs: 00007FF772612C5D
_MEIPASS2, xrefs: 00007FF772612B10, 00007FF772612B70, 00007FF772612E99, 00007FF772612EB5
minimize-late, xrefs: 00007FF772612E30, 00007FF772612EF6
Cannot open PyInstaller archive from executable (%s) or external archive (%s), xrefs: 00007FF772612BBA
pyi-hide-console, xrefs: 00007FF772612C6E
Failed to convert DLL search path!, xrefs: 00007FF772612D18
minimize-early, xrefs: 00007FF772612C9F
_PYI_ONEDIR_MODE, xrefs: 00007FF772612B30, 00007FF772612B5B

Memory Dump Source

Source File: 00000001.00000002.2248053225.00007FF772611000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF772610000, based on PE: true

Associated: 00000001.00000002.2248031395.00007FF772610000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248090145.00007FF77263B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF77264E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF772650000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248161354.00007FF772652000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff772610000_UiF5hKi5o7.jbxd

Similarity

API ID: Environment$DirectoryExpandFileModuleNameStringsVariable
String ID: Cannot open PyInstaller archive from executable (%s) or external archive (%s)$Cannot side-load external archive %s (code %d)!$Failed to convert DLL search path!$MEI$_MEIPASS2$_PYI_ONEDIR_MODE$hide-early$hide-late$minimize-early$minimize-late$pyi-hide-console
API String ID: 2344891160-1364127678
Opcode ID: 914b51dba19ec1e79a9dadd87bbe8d0af0707f8dcbfb55c8e395647a02bf7781
Instruction ID: e11da39a367a34b2c7d8d6bf563b8ef6cdbf7e0521328678058fb7f1377c6a86
Opcode Fuzzy Hash: 914b51dba19ec1e79a9dadd87bbe8d0af0707f8dcbfb55c8e395647a02bf7781
Instruction Fuzzy Hash: 34D16113B3C65282FA65BB2595511BBD293AF44784FC00833E92DC6ED6EFACF505CA60

Function 00007FF772617C90 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 91
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(0000000100000001,00007FF77261331C,00007FF772616B41,?,00007FF772616F56,?,00007FF772611785), ref: 00007FF772617CD0
OpenProcessToken.ADVAPI32(?,00007FF772616F56,?,00007FF772611785), ref: 00007FF772617CE1
GetTokenInformation.KERNELBASE(?,00007FF772616F56(TokenIntegrityLevel),?,00007FF772611785), ref: 00007FF772617D03
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00007FF772611785), ref: 00007FF772617D0D
GetTokenInformation.KERNELBASE(?,TokenIntegrityLevel,?,00007FF772611785), ref: 00007FF772617D4A
ConvertSidToStringSidW.ADVAPI32 ref: 00007FF772617D5C
CloseHandle.KERNEL32(?,00007FF772616F56,?,00007FF772611785), ref: 00007FF772617D74
LocalFree.KERNEL32(?,00007FF772616F56,?,00007FF772611785), ref: 00007FF772617DA6
ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32 ref: 00007FF772617DCD
CreateDirectoryW.KERNELBASE(?,00007FF772616F56,?,00007FF772611785), ref: 00007FF772617DDE

Strings

S-1-3-4, xrefs: 00007FF772617D7F
D:(A;;FA;;;%s), xrefs: 00007FF772617D89

Memory Dump Source

Source File: 00000001.00000002.2248053225.00007FF772611000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF772610000, based on PE: true

Associated: 00000001.00000002.2248031395.00007FF772610000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248090145.00007FF77263B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF77264E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF772650000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248161354.00007FF772652000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff772610000_UiF5hKi5o7.jbxd

Similarity

API ID: Token$ConvertDescriptorInformationProcessSecurityString$CloseCreateCurrentDirectoryErrorFreeHandleLastLocalOpen
String ID: D:(A;;FA;;;%s)$S-1-3-4
API String ID: 4998090-2855260032
Opcode ID: 4e4956c6d4438b247f3c2c53cd05ecc1b9598041c42e1c0afa8546fb2f13f484
Instruction ID: f092757435c534602c36f09810d4b983175152ae11a22d4dfb32e1ffc629e161
Opcode Fuzzy Hash: 4e4956c6d4438b247f3c2c53cd05ecc1b9598041c42e1c0afa8546fb2f13f484
Instruction Fuzzy Hash: 1A416432A3C68642E750AF20E4446BBB362FB84754F840632EA6D87ED5DF7CE544CB10

Function 00007FF772611A40 Relevance: 19.4, APIs: 2, Strings: 9, Instructions: 135
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF7726174E0: _fread_nolock.LIBCMT ref: 00007FF77261758A

_fread_nolock.LIBCMT ref: 00007FF772611AF4

Strings

malloc, xrefs: 00007FF772611B7D
MEI, xrefs: 00007FF772611A82
Could not read full TOC!, xrefs: 00007FF772611BA9
Could not allocate buffer for TOC!, xrefs: 00007FF772611B76
Failed to read cookie!, xrefs: 00007FF772611AFF
Error on file., xrefs: 00007FF772611BD6
Failed to seek to cookie position!, xrefs: 00007FF772611ACC
fread, xrefs: 00007FF772611B06, 00007FF772611BB0
fseek, xrefs: 00007FF772611AD3

Memory Dump Source

Source File: 00000001.00000002.2248053225.00007FF772611000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF772610000, based on PE: true

Associated: 00000001.00000002.2248031395.00007FF772610000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248090145.00007FF77263B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF77264E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF772650000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248161354.00007FF772652000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff772610000_UiF5hKi5o7.jbxd

Similarity

API ID: _fread_nolock
String ID: Could not allocate buffer for TOC!$Could not read full TOC!$Error on file.$Failed to read cookie!$Failed to seek to cookie position!$MEI$fread$fseek$malloc
API String ID: 840049012-1384898525
Opcode ID: 2ac47deee739ae8f43c8400badaca2549d9c52214ea501ad61e546da5d8b0c11
Instruction ID: 2883d9936ec507139caf53e8cb87cc2fd16842cc738da24c7a719a8fc807aca4
Opcode Fuzzy Hash: 2ac47deee739ae8f43c8400badaca2549d9c52214ea501ad61e546da5d8b0c11
Instruction Fuzzy Hash: A25191B3B39642C6EB14EB24D44017AB3A2EF48B84B955437DA2CC7B95DEBCE440CB54

Function 00007FF7726172B0 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 90
processsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF772617FE0: MultiByteToWideChar.KERNEL32 ref: 00007FF77261801A

SetConsoleCtrlHandler.KERNEL32(00000000,00007FF772612F21), ref: 00007FF7726172FF
GetStartupInfoW.KERNEL32 ref: 00007FF77261731E

Part of subcall function 00007FF77262AC44: _invalid_parameter_noinfo.LIBCMT ref: 00007FF77262AC58

Part of subcall function 00007FF772628864: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7726288CB

GetCommandLineW.KERNEL32 ref: 00007FF7726173BE
CreateProcessW.KERNELBASE ref: 00007FF772617400
WaitForSingleObject.KERNEL32 ref: 00007FF772617414
GetExitCodeProcess.KERNELBASE ref: 00007FF772617424

Strings

Error creating child process!, xrefs: 00007FF772617430
CreateProcessW, xrefs: 00007FF772617437

Memory Dump Source

Source File: 00000001.00000002.2248053225.00007FF772611000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF772610000, based on PE: true

Associated: 00000001.00000002.2248031395.00007FF772610000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248090145.00007FF77263B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF77264E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF772650000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248161354.00007FF772652000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff772610000_UiF5hKi5o7.jbxd

Similarity

API ID: Process_invalid_parameter_noinfo$ByteCharCodeCommandConsoleCreateCtrlExitHandlerInfoLineMultiObjectSingleStartupWaitWide
String ID: CreateProcessW$Error creating child process!
API String ID: 2895956056-3524285272
Opcode ID: 8ef23c2de96b7e92f1531e934cb8a88ecc92767a1d2dd44473a1e0f604d778cb
Instruction ID: 814e816ee33704752fb5f12bbc5ead63486640ee3bef9b6860f1dd128ecf8379
Opcode Fuzzy Hash: 8ef23c2de96b7e92f1531e934cb8a88ecc92767a1d2dd44473a1e0f604d778cb
Instruction Fuzzy Hash: 18412532A2878185DA20AB24E5552ABF391FB94364F901736E5BD87AD5DFBCD044CF10

Function 00007FF772611050 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 156
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

malloc, xrefs: 00007FF7726110F8, 00007FF772611126
Failed to extract %s: failed to allocate temporary output buffer!, xrefs: 00007FF77261111F
Failed to extract %s: inflateInit() failed with return code %d!, xrefs: 00007FF7726110B4
Failed to extract %s: decompression resulted in return code %d!, xrefs: 00007FF772611249
1.2.13, xrefs: 00007FF77261107E
Failed to extract %s: failed to allocate temporary input buffer!, xrefs: 00007FF7726110F1

Memory Dump Source

Source File: 00000001.00000002.2248053225.00007FF772611000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF772610000, based on PE: true

Associated: 00000001.00000002.2248031395.00007FF772610000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248090145.00007FF77263B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF77264E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF772650000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248161354.00007FF772652000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff772610000_UiF5hKi5o7.jbxd

Similarity

API ID:
String ID: 1.2.13$Failed to extract %s: decompression resulted in return code %d!$Failed to extract %s: failed to allocate temporary input buffer!$Failed to extract %s: failed to allocate temporary output buffer!$Failed to extract %s: inflateInit() failed with return code %d!$malloc
API String ID: 0-1655038675
Opcode ID: 556d67486e3193722e3a879e208e706c90b5b8be91e04e9cf34564f4be78012c
Instruction ID: f5e16a8d9e88c9700f11da0921c832a73b2c94d3ff271188b18fb2dbe0e2a910
Opcode Fuzzy Hash: 556d67486e3193722e3a879e208e706c90b5b8be91e04e9cf34564f4be78012c
Instruction Fuzzy Hash: F351D263B3868241E624BB11A4403BBA292BB45794F845532DD6DC7F85EEBCF545CF10

Function 00007FF77262F418 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(?,?,?,00007FF77262F7B2,?,?,-00000018,00007FF77262B547,?,?,?,00007FF77262B43E,?,?,?,00007FF772626612), ref: 00007FF77262F594
GetProcAddress.KERNEL32(?,?,?,00007FF77262F7B2,?,?,-00000018,00007FF77262B547,?,?,?,00007FF77262B43E,?,?,?,00007FF772626612), ref: 00007FF77262F5A0

Strings

api-ms-, xrefs: 00007FF77262F4DE
ext-ms-, xrefs: 00007FF77262F4F1

Memory Dump Source

Source File: 00000001.00000002.2248053225.00007FF772611000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF772610000, based on PE: true

Associated: 00000001.00000002.2248031395.00007FF772610000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248090145.00007FF77263B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF77264E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF772650000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248161354.00007FF772652000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff772610000_UiF5hKi5o7.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: api-ms-$ext-ms-
API String ID: 3013587201-537541572
Opcode ID: 85fd8e72ae8b763a3a2727328088619ef131e460ee903e8518073b42dfa075bd
Instruction ID: 70f0e8257fba360af78100541c1093f00faa1380b1a53207c1ebb83e963b9c57
Opcode Fuzzy Hash: 85fd8e72ae8b763a3a2727328088619ef131e460ee903e8518073b42dfa075bd
Instruction Fuzzy Hash: C641E263B3964241EA26AF16A800167A3D6BF04BE0F844536ED2DD7F85DFBCE405CA20

Function 00007FF77262C24C Relevance: 10.8, APIs: 7, Instructions: 290
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF77262C679

Memory Dump Source

Source File: 00000001.00000002.2248053225.00007FF772611000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF772610000, based on PE: true

Associated: 00000001.00000002.2248031395.00007FF772610000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248090145.00007FF77263B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF77264E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF772650000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248161354.00007FF772652000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff772610000_UiF5hKi5o7.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 19639ec9a806cf5fd7b7b21da6b32e82521a3d3d14dfc93c54a317619526b4ec
Instruction ID: d5b756e063d1eb5c354e28acb50e159db3a474cda5490863eb0a4c666a80c25d
Opcode Fuzzy Hash: 19639ec9a806cf5fd7b7b21da6b32e82521a3d3d14dfc93c54a317619526b4ec
Instruction Fuzzy Hash: 6DC10623A3C68281E6116B1494402BFB7D6FB91B80FD65133D96D87B91CEFCE455CB22

Function 00007FF77262D750 Relevance: 6.2, APIs: 4, Instructions: 218
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,?,00000000,00000000,00007FF77262D73B), ref: 00007FF77262D86C
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,?,00000000,00000000,00007FF77262D73B), ref: 00007FF77262D8F7

Memory Dump Source

Source File: 00000001.00000002.2248053225.00007FF772611000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF772610000, based on PE: true

Associated: 00000001.00000002.2248031395.00007FF772610000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248090145.00007FF77263B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF77264E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF772650000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248161354.00007FF772652000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff772610000_UiF5hKi5o7.jbxd

Similarity

API ID: ConsoleErrorLastMode
String ID:
API String ID: 953036326-0
Opcode ID: e59e23b9ae9df683a2448d6b8a7942b821cb815a1334738b3acbe0f9f44b8420
Instruction ID: b1ddd734c97933c8964eecdfa5c4efee0b1e0ffe3511167f912811d2e65fe205
Opcode Fuzzy Hash: e59e23b9ae9df683a2448d6b8a7942b821cb815a1334738b3acbe0f9f44b8420
Instruction Fuzzy Hash: F691D623F3865185F750AF2594402BEABE2BB44B88F944136DF5EA6E85CEBCD441CB21

Function 00007FF77262FE4C Relevance: 6.2, APIs: 4, Instructions: 162
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_get_daylight.LIBCMT ref: 00007FF77262FF3C
_get_daylight.LIBCMT ref: 00007FF77262FF4D
_get_daylight.LIBCMT ref: 00007FF77262FF5E
_isindst.LIBCMT ref: 00007FF772630029

Memory Dump Source

Source File: 00000001.00000002.2248053225.00007FF772611000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF772610000, based on PE: true

Associated: 00000001.00000002.2248031395.00007FF772610000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248090145.00007FF77263B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF77264E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF772650000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248161354.00007FF772652000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff772610000_UiF5hKi5o7.jbxd

Similarity

API ID: _get_daylight$_isindst
String ID:
API String ID: 4170891091-0
Opcode ID: 343253d67182dd2a72448d89f871ab81f98ff4614094d8d01b5f36bf0f0c1cee
Instruction ID: f1de8ad0526915968e0cc89474d516d7c88cdeb06f032887689a7dabce18ee79
Opcode Fuzzy Hash: 343253d67182dd2a72448d89f871ab81f98ff4614094d8d01b5f36bf0f0c1cee
Instruction Fuzzy Hash: 87513873F381914AEB14FF2489516BDA7A2EB04398F900236DE2D92ED6DB78A445CB10

Function 00007FF772625798 Relevance: 6.1, APIs: 4, Instructions: 90fileCOMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7726257C5
CreateFileW.KERNELBASE ref: 00007FF772625804
CloseHandle.KERNEL32 ref: 00007FF772625839

Memory Dump Source

Source File: 00000001.00000002.2248053225.00007FF772611000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF772610000, based on PE: true

Associated: 00000001.00000002.2248031395.00007FF772610000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248090145.00007FF77263B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF77264E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF772650000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248161354.00007FF772652000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff772610000_UiF5hKi5o7.jbxd

Similarity

API ID: CloseCreateFileHandle_invalid_parameter_noinfo
String ID:
API String ID: 1279662727-0
Opcode ID: c67f5ae938835fa2502d01562ae39f89bdff0bc4628c51358d722f7e5224c2c4
Instruction ID: 67c5f44be65285e6d277aa3b636e7db5c0b99751cd1129f2ea3347335ed1891e
Opcode Fuzzy Hash: c67f5ae938835fa2502d01562ae39f89bdff0bc4628c51358d722f7e5224c2c4
Instruction Fuzzy Hash: CF41B923D3878183E764AB21951037AB2A1FF54764F509336E66C43ED6DFBCA0A0CB21

Function 00007FF77261B5CC Relevance: 4.6, APIs: 3, Instructions: 102COMMON

Download Yara Rule

APIs

__scrt_initialize_crt.LIBCMT ref: 00007FF77261B5E0

Part of subcall function 00007FF77261B7AC: __scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF77261B7CE

__scrt_acquire_startup_lock.LIBCMT ref: 00007FF77261B5F5
__scrt_release_startup_lock.LIBCMT ref: 00007FF77261B663

Memory Dump Source

Source File: 00000001.00000002.2248053225.00007FF772611000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF772610000, based on PE: true

Associated: 00000001.00000002.2248031395.00007FF772610000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248090145.00007FF77263B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF77264E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF772650000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248161354.00007FF772652000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff772610000_UiF5hKi5o7.jbxd

Similarity

API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_initialize_crt__scrt_release_startup_lock
String ID:
API String ID: 3058843127-0
Opcode ID: 38199fdf601c02b5acd9ad8abd91950348f48aca3f3bf2bc3aa7cea76cfadc85
Instruction ID: 7136e502ec3a85c67dc321e8f639de0f2c94d590590dcb394e1350519c4d1260
Opcode Fuzzy Hash: 38199fdf601c02b5acd9ad8abd91950348f48aca3f3bf2bc3aa7cea76cfadc85
Instruction Fuzzy Hash: 11316A13B3C24281FA14BB2195513BBA293AF55784FD44836E62DC7AD7DEACB804CB71

Function 00007FF77262A1F0 Relevance: 4.5, APIs: 3, Instructions: 14COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,00007FF77262A1EC), ref: 00007FF77262A201
TerminateProcess.KERNEL32(?,?,?,00007FF77262A1EC), ref: 00007FF77262A20C
ExitProcess.KERNEL32 ref: 00007FF77262A21B

Memory Dump Source

Source File: 00000001.00000002.2248053225.00007FF772611000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF772610000, based on PE: true

Associated: 00000001.00000002.2248031395.00007FF772610000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248090145.00007FF77263B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF77264E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF772650000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248161354.00007FF772652000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff772610000_UiF5hKi5o7.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 05b912e5e96d4764905faa2e8471cd5f7ff91140ef6925b9dd4b21a42b261191
Instruction ID: cf1075be9068c2600589d6c804f803f7ef9f1c7cd348e83cfe720d9cced52b03
Opcode Fuzzy Hash: 05b912e5e96d4764905faa2e8471cd5f7ff91140ef6925b9dd4b21a42b261191
Instruction Fuzzy Hash: CDD06211B3974642EB543B7058D507A92535F45711B94143AD42E86B93CDEDD84DCA21

Function 00007FF77261F7AC Relevance: 3.2, APIs: 2, Instructions: 177COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF77261F7F0
_invalid_parameter_noinfo.LIBCMT ref: 00007FF77261F8E7

Memory Dump Source

Source File: 00000001.00000002.2248053225.00007FF772611000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF772610000, based on PE: true

Associated: 00000001.00000002.2248031395.00007FF772610000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248090145.00007FF77263B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF77264E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF772650000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248161354.00007FF772652000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff772610000_UiF5hKi5o7.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: bf695e5ebd070b16d3c9dc411202ca240fffd92a741aeee788228c76a8eaa1b2
Instruction ID: 51e61464b26062e8a4516369a6e743414cb0d4d6e72b3b2eabe43c4c0105c05e
Opcode Fuzzy Hash: bf695e5ebd070b16d3c9dc411202ca240fffd92a741aeee788228c76a8eaa1b2
Instruction Fuzzy Hash: C851C823B3974245E664B925940067BA292AF44B64F944F36DE7D86BC9CEBCF401CA21

Function 00007FF77262CC08 Relevance: 3.1, APIs: 2, Instructions: 71COMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32 ref: 00007FF77262CC81
GetFileType.KERNELBASE ref: 00007FF77262CC97

Memory Dump Source

Source File: 00000001.00000002.2248053225.00007FF772611000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF772610000, based on PE: true

Associated: 00000001.00000002.2248031395.00007FF772610000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248090145.00007FF77263B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF77264E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF772650000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248161354.00007FF772652000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff772610000_UiF5hKi5o7.jbxd

Similarity

API ID: FileHandleType
String ID:
API String ID: 3000768030-0
Opcode ID: 092bca7b1ce0229ec2977f61ae05433b611d0675e33fc3257f3191166c979508
Instruction ID: 2149772b7f1d8e2702f8eb69889681b82a962188386f5e842fa346f16f67d774
Opcode Fuzzy Hash: 092bca7b1ce0229ec2977f61ae05433b611d0675e33fc3257f3191166c979508
Instruction Fuzzy Hash: 8F31E623B38B45C1EB20AB14858003AAA91FB45BA0BA52337DB7E877F0CF78E451D711

Function 00007FF77262C924 Relevance: 3.0, APIs: 2, Instructions: 46COMMONLIBRARYCODE

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,?,?,?,00007FF77262C910,00000000,?,?,?,00007FF772611023,00007FF77262CA19), ref: 00007FF77262C970
GetLastError.KERNEL32(?,?,?,?,?,00007FF77262C910,00000000,?,?,?,00007FF772611023,00007FF77262CA19), ref: 00007FF77262C97A

Memory Dump Source

Source File: 00000001.00000002.2248053225.00007FF772611000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF772610000, based on PE: true

Associated: 00000001.00000002.2248031395.00007FF772610000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248090145.00007FF77263B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF77264E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF772650000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248161354.00007FF772652000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff772610000_UiF5hKi5o7.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: c3276691dfa54add8aab7b71501380a6f7a34088be54c00a230e3fc7dd6eaf3d
Instruction ID: 1af612bd14b39eebb704e39297689d1861373928fab0ce977c7851e9ee30e409
Opcode Fuzzy Hash: c3276691dfa54add8aab7b71501380a6f7a34088be54c00a230e3fc7dd6eaf3d
Instruction Fuzzy Hash: 7511CB63B38B4181DA10AB25A44416AF392AB44FF4F944332DEBD97BD9CEBCD051CB41

Function 00007FF7726282F0 Relevance: 3.0, APIs: 2, Instructions: 35timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF77262816D), ref: 00007FF772628313
SystemTimeToTzSpecificLocalTime.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF77262816D), ref: 00007FF772628329

Memory Dump Source

Source File: 00000001.00000002.2248053225.00007FF772611000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF772610000, based on PE: true

Associated: 00000001.00000002.2248031395.00007FF772610000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248090145.00007FF77263B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF77264E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF772650000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248161354.00007FF772652000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff772610000_UiF5hKi5o7.jbxd

Similarity

API ID: Time$System$FileLocalSpecific
String ID:
API String ID: 1707611234-0
Opcode ID: 8e0f84091da675c1e7d2761c5ab01bfa0fdefcc95389433c29e0bddc4b980661
Instruction ID: 14fd054cd54fd5606bc7600db53eb31c6170c13a0a8a4211a54a659dfe539b6d
Opcode Fuzzy Hash: 8e0f84091da675c1e7d2761c5ab01bfa0fdefcc95389433c29e0bddc4b980661
Instruction Fuzzy Hash: 1901702263C25286E7546B14A84123BF7A2FB41B21FA00237EAB9C19D4DBBDD014CF20

Function 00007FF77262B13C Relevance: 3.0, APIs: 2, Instructions: 19memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(?,?,?,00007FF7726334F2,?,?,?,00007FF77263352F,?,?,00000000,00007FF7726339F5,?,?,00000000,00007FF772633927), ref: 00007FF77262B152
GetLastError.KERNEL32(?,?,?,00007FF7726334F2,?,?,?,00007FF77263352F,?,?,00000000,00007FF7726339F5,?,?,00000000,00007FF772633927), ref: 00007FF77262B15C

Memory Dump Source

Source File: 00000001.00000002.2248053225.00007FF772611000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF772610000, based on PE: true

Associated: 00000001.00000002.2248031395.00007FF772610000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248090145.00007FF77263B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF77264E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF772650000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248161354.00007FF772652000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff772610000_UiF5hKi5o7.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: bd7fbdfdad6615661f21df08ff0b0c44ce39d2d9351f92f753fa45b11a1058ef
Instruction ID: 0b3b4b38e2c4c5907f7b2ccabdcd3363eb48c4ec86cca079fcae10fb828126a6
Opcode Fuzzy Hash: bd7fbdfdad6615661f21df08ff0b0c44ce39d2d9351f92f753fa45b11a1058ef
Instruction Fuzzy Hash: C3E04F52F3810682FF197BB2984513BA2939F48700FC04076C86DC7A52DEAC6451CA71

Function 00007FF772628058 Relevance: 3.0, APIs: 2, Instructions: 12COMMON

Download Yara Rule

APIs

RemoveDirectoryW.KERNELBASE ref: 00007FF77262805C
GetLastError.KERNEL32 ref: 00007FF772628066

Memory Dump Source

Source File: 00000001.00000002.2248053225.00007FF772611000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF772610000, based on PE: true

Associated: 00000001.00000002.2248031395.00007FF772610000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248090145.00007FF77263B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF77264E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF772650000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248161354.00007FF772652000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff772610000_UiF5hKi5o7.jbxd

Similarity

API ID: DirectoryErrorLastRemove
String ID:
API String ID: 377330604-0
Opcode ID: 297a737b59c0f26e839d53f0b452475f126c06b16928b64a19d60d2641cf8387
Instruction ID: afa2ce35ed22f5835f6fa15ccff9070767052c5c332a917b7e34fb6224648e6f
Opcode Fuzzy Hash: 297a737b59c0f26e839d53f0b452475f126c06b16928b64a19d60d2641cf8387
Instruction Fuzzy Hash: FCD0C912E3D54281E61437761C4513AA1D26F54B21FD00732C439C4AE1DDECA095C932

Function 00007FF7726288DC Relevance: 3.0, APIs: 2, Instructions: 12fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE ref: 00007FF7726288E0
GetLastError.KERNEL32 ref: 00007FF7726288EA

Memory Dump Source

Source File: 00000001.00000002.2248053225.00007FF772611000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF772610000, based on PE: true

Associated: 00000001.00000002.2248031395.00007FF772610000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248090145.00007FF77263B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF77264E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF772650000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248161354.00007FF772652000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff772610000_UiF5hKi5o7.jbxd

Similarity

API ID: DeleteErrorFileLast
String ID:
API String ID: 2018770650-0
Opcode ID: eb738eb08f60af69b1d540f13a17ed5422c5c541ba2047e2214e9b3371bf8c0d
Instruction ID: 2869c69ed5450a3b89831b987b7136ffb713869b433656e5b028914410530655
Opcode Fuzzy Hash: eb738eb08f60af69b1d540f13a17ed5422c5c541ba2047e2214e9b3371bf8c0d
Instruction Fuzzy Hash: 86D0C912E3D60281E61437751C4513BA0D22F64B21FD00632C439C1AD1DEDCA195C936

Function 00007FF77262B34C Relevance: 2.6, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?,?,?,00007FF77262B1C9,?,?,00000000,00007FF77262B27E), ref: 00007FF77262B3BA
GetLastError.KERNEL32(?,?,?,00007FF77262B1C9,?,?,00000000,00007FF77262B27E), ref: 00007FF77262B3C4

Memory Dump Source

Source File: 00000001.00000002.2248053225.00007FF772611000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF772610000, based on PE: true

Associated: 00000001.00000002.2248031395.00007FF772610000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248090145.00007FF77263B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF77264E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF772650000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248161354.00007FF772652000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff772610000_UiF5hKi5o7.jbxd

Similarity

API ID: CloseErrorHandleLast
String ID:
API String ID: 918212764-0
Opcode ID: b828a77dcfeb373352f2d8c7a82202e8f61f505456f082703e4500e335fd06b0
Instruction ID: d4fdbfea1f1249b3c9027afe641b0b4c1781fffb02b031e5c71eb79c293bfbf1
Opcode Fuzzy Hash: b828a77dcfeb373352f2d8c7a82202e8f61f505456f082703e4500e335fd06b0
Instruction Fuzzy Hash: 79219523F3864241EA947765954037E91C3AF98B90F844237DA3DC7AD9DEECE445CB22

Function 00007FF772616F70 Relevance: 1.6, APIs: 1, Instructions: 141COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF772617FE0: MultiByteToWideChar.KERNEL32 ref: 00007FF77261801A

_findclose.LIBCMT ref: 00007FF7726171C9

Memory Dump Source

Source File: 00000001.00000002.2248053225.00007FF772611000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF772610000, based on PE: true

Associated: 00000001.00000002.2248031395.00007FF772610000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248090145.00007FF77263B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF77264E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF772650000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248161354.00007FF772652000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff772610000_UiF5hKi5o7.jbxd

Similarity

API ID: ByteCharMultiWide_findclose
String ID:
API String ID: 2772937645-0
Opcode ID: 86f54e799fc14d6776d83f717cd7df32fbe217db3f0ce8ed81bc5264a9db9ec6
Instruction ID: 8dd07b72848ed5fb3491c0404fe801a460ec033a51a0c5d3aea8fbd814265177
Opcode Fuzzy Hash: 86f54e799fc14d6776d83f717cd7df32fbe217db3f0ce8ed81bc5264a9db9ec6
Instruction Fuzzy Hash: EA719153E28BC581E611DB2CC5052FEA360F7A8B4CF94E721DB9C52952EF68E2D9C710

Function 00007FF77262C69C Relevance: 1.6, APIs: 1, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF77262C6C4

Memory Dump Source

Source File: 00000001.00000002.2248053225.00007FF772611000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF772610000, based on PE: true

Associated: 00000001.00000002.2248031395.00007FF772610000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248090145.00007FF77263B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF77264E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF772650000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248161354.00007FF772652000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff772610000_UiF5hKi5o7.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: d99b9abc4b8df377e1f0915198cf517e373d90b56daa9aa54f162d9008e272c1
Instruction ID: 6cb6a3c64467646a9f7fe97840d31ba32def5a910c9a059f2638d1ed5d307843
Opcode Fuzzy Hash: d99b9abc4b8df377e1f0915198cf517e373d90b56daa9aa54f162d9008e272c1
Instruction Fuzzy Hash: 7A41C83393864183EA24AB15E54027AB3E2EB55750FA11133D6ADC3ED5CFACE502CF62

Function 00007FF7726174E0 Relevance: 1.6, APIs: 1, Instructions: 85COMMON

Download Yara Rule

APIs

_fread_nolock.LIBCMT ref: 00007FF77261758A

Memory Dump Source

Source File: 00000001.00000002.2248053225.00007FF772611000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF772610000, based on PE: true

Associated: 00000001.00000002.2248031395.00007FF772610000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248090145.00007FF77263B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF77264E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF772650000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248161354.00007FF772652000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff772610000_UiF5hKi5o7.jbxd

Similarity

API ID: _fread_nolock
String ID:
API String ID: 840049012-0
Opcode ID: 3563ccebc92143b4f049d558b8f52f84df90e0c4a2ad06dd2b5cf157c636f80a
Instruction ID: a272b4a459ea1dee2ab2f0813f95c3540e7c0009fe09a7a7c57c11e9ae751abc
Opcode Fuzzy Hash: 3563ccebc92143b4f049d558b8f52f84df90e0c4a2ad06dd2b5cf157c636f80a
Instruction Fuzzy Hash: EA217322B3829245FA15AA1265043BBE652BF45BD4FC84832EE1D87F86DFBCF441CA10

Function 00007FF77262C12C Relevance: 1.6, APIs: 1, Instructions: 79COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF77262C1B2

Memory Dump Source

Source File: 00000001.00000002.2248053225.00007FF772611000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF772610000, based on PE: true

Associated: 00000001.00000002.2248031395.00007FF772610000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248090145.00007FF77263B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF77264E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF772650000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248161354.00007FF772652000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff772610000_UiF5hKi5o7.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 5831f6cc4db2824f641be2b7722e7ce2439c7c37cfaa479adb27cb772694de6f
Instruction ID: 2990fe00ec6535c85b786d5d7eb3e13e3b77e0881b25fb40ca852e5a74bacdd0
Opcode Fuzzy Hash: 5831f6cc4db2824f641be2b7722e7ce2439c7c37cfaa479adb27cb772694de6f
Instruction Fuzzy Hash: AA318323A3861285E6117F55884237EA692AB54B52FD24237D93C87BD1CEFCE441CF72

Function 00007FF77262A121 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF77262A14F

Part of subcall function 00007FF77262A248: GetModuleHandleExW.KERNEL32 ref: 00007FF77262A26D
Part of subcall function 00007FF77262A248: GetProcAddress.KERNEL32 ref: 00007FF77262A283
Part of subcall function 00007FF77262A248: FreeLibrary.KERNEL32 ref: 00007FF77262A2AA

Memory Dump Source

Source File: 00000001.00000002.2248053225.00007FF772611000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF772610000, based on PE: true

Associated: 00000001.00000002.2248031395.00007FF772610000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248090145.00007FF77263B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF77264E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF772650000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248161354.00007FF772652000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff772610000_UiF5hKi5o7.jbxd

Similarity

API ID: HandleModule$AddressFreeLibraryProc
String ID:
API String ID: 3947729631-0
Opcode ID: 819e7aaa781c8a5e0f5c2a28287252285c8c38ccda9f693ebb8c6503ee73f1d7
Instruction ID: 2fd9a9802b6bd4f551708049b91020b1edc6c8018384ac86dece673075871cb4
Opcode Fuzzy Hash: 819e7aaa781c8a5e0f5c2a28287252285c8c38ccda9f693ebb8c6503ee73f1d7
Instruction Fuzzy Hash: B2218D36A2474289EB25AF64C4442ED77E1EB44338F944A36D72C86EC5DFB8D844CB51

Function 00007FF772626668 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7726265CD

Memory Dump Source

Source File: 00000001.00000002.2248053225.00007FF772611000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF772610000, based on PE: true

Associated: 00000001.00000002.2248031395.00007FF772610000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248090145.00007FF77263B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF77264E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF772650000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248161354.00007FF772652000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff772610000_UiF5hKi5o7.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 7624878a2af1481d619e4a3cb70b54330390797c8d08e01795187638a596a408
Instruction ID: 13dc8c91ed10a1f0df42a937a264acf63caea841dd5d5d579869817c27e8fcdc
Opcode Fuzzy Hash: 7624878a2af1481d619e4a3cb70b54330390797c8d08e01795187638a596a408
Instruction Fuzzy Hash: 8F116523A3C64181EA61BF11944127BE2D5BF85B80FD44036EB9D97E8ACEBCD400CF62

Function 00007FF772636E0C Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF772636E2F

Memory Dump Source

Source File: 00000001.00000002.2248053225.00007FF772611000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF772610000, based on PE: true

Associated: 00000001.00000002.2248031395.00007FF772610000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248090145.00007FF77263B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF77264E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF772650000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248161354.00007FF772652000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff772610000_UiF5hKi5o7.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 00d01c734ac26cfb90a0ff058a2250daf25875829242f4a308a5e0168494b067
Instruction ID: 1e313c998c4239aa6297e24a94a6e3f2d4bb2914359fd7e7109aa513ea5f4ea7
Opcode Fuzzy Hash: 00d01c734ac26cfb90a0ff058a2250daf25875829242f4a308a5e0168494b067
Instruction Fuzzy Hash: 1821A433A3C64186DB61AF18D44037AB6A2EB84B54F944235D66D87AD6DF7CD404CF50

Function 00007FF77261FA2C Relevance: 1.5, APIs: 1, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF77261FA80

Memory Dump Source

Source File: 00000001.00000002.2248053225.00007FF772611000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF772610000, based on PE: true

Associated: 00000001.00000002.2248031395.00007FF772610000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248090145.00007FF77263B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF77264E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF772650000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248161354.00007FF772652000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff772610000_UiF5hKi5o7.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 4fabe8843ae8e1237d46ca62601cadab040bf493176b279296c49385cc031cd0
Instruction ID: ce212235815fa4ea11347446eb542a30348b9b468d86b11eb54a5fb635cccc71
Opcode Fuzzy Hash: 4fabe8843ae8e1237d46ca62601cadab040bf493176b279296c49385cc031cd0
Instruction Fuzzy Hash: 6601862273878240E504AB52540016AE692BF85FE0F884A32DF7C93FE9CEBCE011CB10

Function 00007FF772627CE4 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF772627D22

Memory Dump Source

Source File: 00000001.00000002.2248053225.00007FF772611000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF772610000, based on PE: true

Associated: 00000001.00000002.2248031395.00007FF772610000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248090145.00007FF77263B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF77264E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF772650000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248161354.00007FF772652000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff772610000_UiF5hKi5o7.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 347882529515d01e963d4ad72e621cd89eb36dce10a6a01321c8ca8b0745b047
Instruction ID: 8a153fb2bd0993f099b8edec6223f1145bcbfcbc78befd81b65887c4fbac15a1
Opcode Fuzzy Hash: 347882529515d01e963d4ad72e621cd89eb36dce10a6a01321c8ca8b0745b047
Instruction Fuzzy Hash: 29018E12E3924341FE667A216941A7B92D2EF04390FD40937E93CC2ED6DEACE441CE72

Function 00007FF772628020 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF772628039

Memory Dump Source

Source File: 00000001.00000002.2248053225.00007FF772611000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF772610000, based on PE: true

Associated: 00000001.00000002.2248031395.00007FF772610000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248090145.00007FF77263B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF77264E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF772650000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248161354.00007FF772652000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff772610000_UiF5hKi5o7.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 2e9c2fed31ce209c663494d0f972e01238ccad08ce398cd5f1aacec40adad3eb
Instruction ID: 32b417e8a7514c1427001efb51430ad9b14b296c82f89f008584cc610f4da7d5
Opcode Fuzzy Hash: 2e9c2fed31ce209c663494d0f972e01238ccad08ce398cd5f1aacec40adad3eb
Instruction Fuzzy Hash: 0AE04F52A3824646FA563AA00982A7E91829F14700FC05032DD28C6683DD9C68449A33

Function 00007FF772617610 Relevance: 1.3, APIs: 1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2248053225.00007FF772611000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF772610000, based on PE: true

Associated: 00000001.00000002.2248031395.00007FF772610000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248090145.00007FF77263B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF77264E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF772650000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248161354.00007FF772652000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff772610000_UiF5hKi5o7.jbxd

Similarity

API ID: DirectoryErrorLastRemove
String ID:
API String ID: 377330604-0
Opcode ID: 053f510b52f7df2d75c0a03e14d6a8eb1a030f4260df6563830538c7266680a1
Instruction ID: 49931c4667595ab5a73bfd972d71603eba6d36fcd18d9e30f7e2b1e549dcd83b
Opcode Fuzzy Hash: 053f510b52f7df2d75c0a03e14d6a8eb1a030f4260df6563830538c7266680a1
Instruction Fuzzy Hash: DF41B617E3C6C581E611AB2495012BEA361FFA5744F90A733DF9D82593EF68B5C8CB20

Function 00007FF77262F3A0 Relevance: 1.3, APIs: 1, Instructions: 36memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32(?,?,00000000,00007FF77262BBD6,?,?,?,00007FF77262AD97,?,?,00000000,00007FF77262B032), ref: 00007FF77262F3F5

Memory Dump Source

Source File: 00000001.00000002.2248053225.00007FF772611000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF772610000, based on PE: true

Associated: 00000001.00000002.2248031395.00007FF772610000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248090145.00007FF77263B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF77264E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF772650000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248161354.00007FF772652000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff772610000_UiF5hKi5o7.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: 6868375eac3188523277080d0eb70b1da507264a8937f584fe917df63d68eb1e
Instruction ID: 56d8e8234759f7325952a0cb27b6277b39106ccb9a9940db931ce176b1811265
Opcode Fuzzy Hash: 6868375eac3188523277080d0eb70b1da507264a8937f584fe917df63d68eb1e
Instruction Fuzzy Hash: 5AF04942B3920641FE5976A295512BB92C26F58B50FC85436CD2EC6BC2DEECE581CA32

Function 00007FF77262DDEC Relevance: 1.3, APIs: 1, Instructions: 29memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32(?,?,?,00007FF772620294,?,?,?,00007FF7726217A6,?,?,?,?,?,00007FF77262380D), ref: 00007FF77262DE2A

Memory Dump Source

Source File: 00000001.00000002.2248053225.00007FF772611000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF772610000, based on PE: true

Associated: 00000001.00000002.2248031395.00007FF772610000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248090145.00007FF77263B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF77264E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF772650000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248161354.00007FF772652000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff772610000_UiF5hKi5o7.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: a8f0fa57666baf12ed64fd75c1b18540ade0a6450a17d9010f36fbe4a99d2898
Instruction ID: 76541901b0ae1b92e0981966402c66287423274e03c38183920207b8d19dd19e
Opcode Fuzzy Hash: a8f0fa57666baf12ed64fd75c1b18540ade0a6450a17d9010f36fbe4a99d2898
Instruction Fuzzy Hash: 74F05413B3C24640FE5436615841277A1D25F54760FC80272DE7DC5AC2DEECE441C972

Non-executed Functions

Function 00007FF7726143E0 Relevance: 233.1, APIs: 44, Strings: 89, Instructions: 363libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,?,00000000,00007FF7726125FE), ref: 00007FF7726143F0
GetProcAddress.KERNEL32(?,?,00000000,00007FF7726125FE), ref: 00007FF77261442A
GetProcAddress.KERNEL32(?,?,00000000,00007FF7726125FE), ref: 00007FF77261444F
GetProcAddress.KERNEL32(?,?,00000000,00007FF7726125FE), ref: 00007FF772614474
GetProcAddress.KERNEL32(?,?,00000000,00007FF7726125FE), ref: 00007FF77261449C
GetProcAddress.KERNEL32(?,?,00000000,00007FF7726125FE), ref: 00007FF7726144C4
GetProcAddress.KERNEL32(?,?,00000000,00007FF7726125FE), ref: 00007FF7726144EC
GetProcAddress.KERNEL32(?,?,00000000,00007FF7726125FE), ref: 00007FF772614514
GetProcAddress.KERNEL32(?,?,00000000,00007FF7726125FE), ref: 00007FF77261453C
GetProcAddress.KERNEL32(?,?,00000000,00007FF7726125FE), ref: 00007FF772614564

Strings

PyConfig_SetString, xrefs: 00007FF7726145AA
PyErr_Fetch, xrefs: 00007FF772614622
PyUnicode_FromFormat, xrefs: 00007FF772614A32
Py_IsInitialized, xrefs: 00007FF7726144BA
PyRun_SimpleStringFlags, xrefs: 00007FF77261491A
PyObject_Str, xrefs: 00007FF7726148CA
Failed to get address for PyUnicode_Decode, xrefs: 00007FF7726149FE
Failed to get address for Py_IsInitialized, xrefs: 00007FF7726144D6
Failed to get address for PyConfig_InitIsolatedConfig, xrefs: 00007FF77261454E
PySys_GetObject, xrefs: 00007FF77261496A
Py_PreInitialize, xrefs: 00007FF7726144E2
PyConfig_SetBytesString, xrefs: 00007FF772614582
PyMem_RawFree, xrefs: 00007FF7726147DA
PyList_Append, xrefs: 00007FF77261478A
Failed to get address for PyErr_NormalizeException, xrefs: 00007FF772614666
Failed to get address for PyEval_EvalCode, xrefs: 00007FF772614706
PyConfig_Read, xrefs: 00007FF77261455A
Failed to get address for PyUnicode_DecodeFSDefault, xrefs: 00007FF772614A26
PyImport_ExecCodeModule, xrefs: 00007FF77261473A
Failed to get address for PyObject_GetAttrString, xrefs: 00007FF772614896
PyUnicode_DecodeFSDefault, xrefs: 00007FF772614A0A
Failed to get address for PyUnicode_FromString, xrefs: 00007FF772614A76
Failed to get address for PyObject_Str, xrefs: 00007FF7726148E6
Failed to get address for PyMarshal_ReadObjectFromString, xrefs: 00007FF7726147CE
PyErr_Occurred, xrefs: 00007FF772614672
Failed to get address for PyErr_Restore, xrefs: 00007FF7726146DE
Failed to get address for PyConfig_SetBytesString, xrefs: 00007FF77261459E
Failed to get address for PyUnicode_Join, xrefs: 00007FF772614A9E
Failed to get address for PyImport_ExecCodeModule, xrefs: 00007FF772614756
Failed to get address for PyObject_SetAttrString, xrefs: 00007FF7726148BE
PyObject_GetAttrString, xrefs: 00007FF77261487A
Failed to get address for PyErr_Occurred, xrefs: 00007FF77261468E
Failed to get address for Py_InitializeFromConfig, xrefs: 00007FF7726144AE
PyConfig_Clear, xrefs: 00007FF77261450A
PyObject_SetAttrString, xrefs: 00007FF7726148A2
PyObject_CallFunctionObjArgs, xrefs: 00007FF772614852
Failed to get address for PyPreConfig_InitIsolatedConfig, xrefs: 00007FF77261490E
Failed to get address for PyStatus_Exception, xrefs: 00007FF77261495E
GetProcAddress, xrefs: 00007FF772614409
Failed to get address for PyImport_ImportModule, xrefs: 00007FF77261477E
PyObject_CallFunction, xrefs: 00007FF77261482A
Failed to get address for PyMem_RawFree, xrefs: 00007FF7726147F6
Py_ExitStatusException, xrefs: 00007FF772614445
Failed to get address for PyUnicode_FromFormat, xrefs: 00007FF772614A4E
Failed to get address for Py_Finalize, xrefs: 00007FF772614486
PySys_SetObject, xrefs: 00007FF772614992
Failed to get address for PyUnicode_Replace, xrefs: 00007FF772614AC6
PyEval_EvalCode, xrefs: 00007FF7726146EA
Failed to get address for PyConfig_SetString, xrefs: 00007FF7726145C6
PyModule_GetDict, xrefs: 00007FF772614802
Failed to get address for Py_DecodeLocale, xrefs: 00007FF77261443C
Py_InitializeFromConfig, xrefs: 00007FF772614492
PyUnicode_Decode, xrefs: 00007FF7726149E2
Failed to get address for PyConfig_Read, xrefs: 00007FF772614576
Failed to get address for PyObject_CallFunction, xrefs: 00007FF772614846
Py_DecodeLocale, xrefs: 00007FF772614420
PyStatus_Exception, xrefs: 00007FF772614942
PyConfig_SetWideStringList, xrefs: 00007FF7726145D2
Failed to get address for Py_ExitStatusException, xrefs: 00007FF772614461
Failed to get address for PyUnicode_AsUTF8, xrefs: 00007FF7726149D6
Failed to get address for PyConfig_SetWideStringList, xrefs: 00007FF7726145EE
Failed to get address for Py_PreInitialize, xrefs: 00007FF7726144FE
Failed to get address for PyImport_AddModule, xrefs: 00007FF77261472E
PyUnicode_Join, xrefs: 00007FF772614A82
PyUnicode_Replace, xrefs: 00007FF772614AAA
PyConfig_InitIsolatedConfig, xrefs: 00007FF772614532
PyMarshal_ReadObjectFromString, xrefs: 00007FF7726147B2
PyErr_Restore, xrefs: 00007FF7726146C2
PyUnicode_FromString, xrefs: 00007FF772614A5A
Failed to get address for PyConfig_Clear, xrefs: 00007FF772614526
PyImport_AddModule, xrefs: 00007FF772614712
PyErr_NormalizeException, xrefs: 00007FF77261464A
Py_Finalize, xrefs: 00007FF77261446A
PyUnicode_AsUTF8, xrefs: 00007FF7726149BA
Failed to get address for PyErr_Print, xrefs: 00007FF7726146B6
Failed to get address for PyRun_SimpleStringFlags, xrefs: 00007FF772614936
PyErr_Print, xrefs: 00007FF77261469A
Failed to get address for PyErr_Clear, xrefs: 00007FF772614616
PyPreConfig_InitIsolatedConfig, xrefs: 00007FF7726148F2
PyImport_ImportModule, xrefs: 00007FF772614762
PyErr_Clear, xrefs: 00007FF7726145FA
Failed to get address for PySys_SetObject, xrefs: 00007FF7726149AE
Failed to get address for PyErr_Fetch, xrefs: 00007FF77261463E
Failed to get address for PyObject_CallFunctionObjArgs, xrefs: 00007FF77261486E
Failed to get address for PyModule_GetDict, xrefs: 00007FF77261481E
Py_DecRef, xrefs: 00007FF7726143E6
Failed to get address for PySys_GetObject, xrefs: 00007FF772614986
Failed to get address for Py_DecRef, xrefs: 00007FF772614402
Failed to get address for PyList_Append, xrefs: 00007FF7726147A6

Memory Dump Source

Source File: 00000001.00000002.2248053225.00007FF772611000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF772610000, based on PE: true

Associated: 00000001.00000002.2248031395.00007FF772610000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248090145.00007FF77263B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF77264E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF772650000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248161354.00007FF772652000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff772610000_UiF5hKi5o7.jbxd

Similarity

API ID: AddressProc
String ID: Failed to get address for PyConfig_Clear$Failed to get address for PyConfig_InitIsolatedConfig$Failed to get address for PyConfig_Read$Failed to get address for PyConfig_SetBytesString$Failed to get address for PyConfig_SetString$Failed to get address for PyConfig_SetWideStringList$Failed to get address for PyErr_Clear$Failed to get address for PyErr_Fetch$Failed to get address for PyErr_NormalizeException$Failed to get address for PyErr_Occurred$Failed to get address for PyErr_Print$Failed to get address for PyErr_Restore$Failed to get address for PyEval_EvalCode$Failed to get address for PyImport_AddModule$Failed to get address for PyImport_ExecCodeModule$Failed to get address for PyImport_ImportModule$Failed to get address for PyList_Append$Failed to get address for PyMarshal_ReadObjectFromString$Failed to get address for PyMem_RawFree$Failed to get address for PyModule_GetDict$Failed to get address for PyObject_CallFunction$Failed to get address for PyObject_CallFunctionObjArgs$Failed to get address for PyObject_GetAttrString$Failed to get address for PyObject_SetAttrString$Failed to get address for PyObject_Str$Failed to get address for PyPreConfig_InitIsolatedConfig$Failed to get address for PyRun_SimpleStringFlags$Failed to get address for PyStatus_Exception$Failed to get address for PySys_GetObject$Failed to get address for PySys_SetObject$Failed to get address for PyUnicode_AsUTF8$Failed to get address for PyUnicode_Decode$Failed to get address for PyUnicode_DecodeFSDefault$Failed to get address for PyUnicode_FromFormat$Failed to get address for PyUnicode_FromString$Failed to get address for PyUnicode_Join$Failed to get address for PyUnicode_Replace$Failed to get address for Py_DecRef$Failed to get address for Py_DecodeLocale$Failed to get address for Py_ExitStatusException$Failed to get address for Py_Finalize$Failed to get address for Py_InitializeFromConfig$Failed to get address for Py_IsInitialized$Failed to get address for Py_PreInitialize$GetProcAddress$PyConfig_Clear$PyConfig_InitIsolatedConfig$PyConfig_Read$PyConfig_SetBytesString$PyConfig_SetString$PyConfig_SetWideStringList$PyErr_Clear$PyErr_Fetch$PyErr_NormalizeException$PyErr_Occurred$PyErr_Print$PyErr_Restore$PyEval_EvalCode$PyImport_AddModule$PyImport_ExecCodeModule$PyImport_ImportModule$PyList_Append$PyMarshal_ReadObjectFromString$PyMem_RawFree$PyModule_GetDict$PyObject_CallFunction$PyObject_CallFunctionObjArgs$PyObject_GetAttrString$PyObject_SetAttrString$PyObject_Str$PyPreConfig_InitIsolatedConfig$PyRun_SimpleStringFlags$PyStatus_Exception$PySys_GetObject$PySys_SetObject$PyUnicode_AsUTF8$PyUnicode_Decode$PyUnicode_DecodeFSDefault$PyUnicode_FromFormat$PyUnicode_FromString$PyUnicode_Join$PyUnicode_Replace$Py_DecRef$Py_DecodeLocale$Py_ExitStatusException$Py_Finalize$Py_InitializeFromConfig$Py_IsInitialized$Py_PreInitialize
API String ID: 190572456-4266016200
Opcode ID: ece4f3cf403fb028bc5f621de4105e28ef9936bcd080506c3e72f08851d14e59
Instruction ID: 0ff0fd15f8f420171480c11742216a87e227142f567cb2c6cf074689fa3f2858
Opcode Fuzzy Hash: ece4f3cf403fb028bc5f621de4105e28ef9936bcd080506c3e72f08851d14e59
Instruction Fuzzy Hash: 4D12DE67A3EB4380F915EB04A854176A3A3AF14780BC45437D87EC6A55FFFCB558CA20

Function 00007FF77263487C Relevance: 24.0, APIs: 9, Strings: 4, Instructions: 1226COMMON

Download Yara Rule

APIs

fegetenv.LIBCMT ref: 00007FF7726348CA
_invalid_parameter_noinfo.LIBCMT ref: 00007FF772634F36
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7726350AC
_invalid_parameter_noinfo.LIBCMT ref: 00007FF77263536A
_invalid_parameter_noinfo.LIBCMT ref: 00007FF77263558A
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7726357C7
memcpy_s.LIBCPMT ref: 00007FF7726358A2
memcpy_s.LIBCPMT ref: 00007FF77263594D
memcpy_s.LIBCPMT ref: 00007FF772635A1C

Strings

1#QNAN, xrefs: 00007FF7726349E3
1#SNAN, xrefs: 00007FF7726349DA
1#IND, xrefs: 00007FF7726349B7
1#INF, xrefs: 00007FF7726349F3

Memory Dump Source

Source File: 00000001.00000002.2248053225.00007FF772611000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF772610000, based on PE: true

Associated: 00000001.00000002.2248031395.00007FF772610000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248090145.00007FF77263B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF77264E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF772650000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248161354.00007FF772652000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff772610000_UiF5hKi5o7.jbxd

Similarity

API ID: _invalid_parameter_noinfo$memcpy_s$fegetenv
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 808467561-2761157908
Opcode ID: b4390931dbc09bef546870a63927247bfb1623a2f9b228062280c66f96c213bb
Instruction ID: 1b1a70b30713eee108b8633a2f69cf43be398d51bc815537efeaf44a713749f1
Opcode Fuzzy Hash: b4390931dbc09bef546870a63927247bfb1623a2f9b228062280c66f96c213bb
Instruction Fuzzy Hash: 00B2DA73A3C2828BE7259E64D4407FEB7A2FB54344F905136DA2D97E89DBB8A500CF50

Function 00007FF7726177F0 Relevance: 15.8, APIs: 3, Strings: 6, Instructions: 52windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(WideCharToMultiByte,00007FF772611FF4,?,?,00000000,00007FF772617A84), ref: 00007FF772617817
FormatMessageW.KERNEL32 ref: 00007FF772617846
WideCharToMultiByte.KERNEL32 ref: 00007FF77261789C

Part of subcall function 00007FF772611FC0: GetLastError.KERNEL32(?,?,00000000,00007FF772617A84,?,?,?,?,?,?,?,?,?,?,?,00007FF772611023), ref: 00007FF772611FE7

Strings

Failed to encode wchar_t as UTF-8., xrefs: 00007FF7726178A6
WideCharToMultiByte, xrefs: 00007FF7726177F0, 00007FF7726178AD
PyInstaller: pyi_win32_utils_to_utf8 failed., xrefs: 00007FF7726178B9
FormatMessageW, xrefs: 00007FF772617857
No error messages generated., xrefs: 00007FF772617850
PyInstaller: FormatMessageW failed., xrefs: 00007FF772617863

Memory Dump Source

Source File: 00000001.00000002.2248053225.00007FF772611000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF772610000, based on PE: true

Associated: 00000001.00000002.2248031395.00007FF772610000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248090145.00007FF77263B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF77264E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF772650000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248161354.00007FF772652000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff772610000_UiF5hKi5o7.jbxd

Similarity

API ID: ErrorLast$ByteCharFormatMessageMultiWide
String ID: Failed to encode wchar_t as UTF-8.$FormatMessageW$No error messages generated.$PyInstaller: FormatMessageW failed.$PyInstaller: pyi_win32_utils_to_utf8 failed.$WideCharToMultiByte
API String ID: 2383786077-2573406579
Opcode ID: 063a19e7e4e938bc7e9332b8f0eaf0cb0266979bb0a85abf393a2baae1b6ea9d
Instruction ID: 6ae62282b55b87a664c16a8c334e2cb99878483b5d4166917017bc02371d21de
Opcode Fuzzy Hash: 063a19e7e4e938bc7e9332b8f0eaf0cb0266979bb0a85abf393a2baae1b6ea9d
Instruction Fuzzy Hash: 84215662B3CA4281E750AB11E8502BBA366BB48344FC44536D66DC2A95DFBCE505CF20

Function 00007FF77261BADC Relevance: 10.6, APIs: 7, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF77261BAF8
RtlCaptureContext.KERNEL32 ref: 00007FF77261BB25
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF77261BB3F
RtlVirtualUnwind.KERNEL32 ref: 00007FF77261BB80
IsDebuggerPresent.KERNEL32 ref: 00007FF77261BBD4
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF77261BBF5
UnhandledExceptionFilter.KERNEL32 ref: 00007FF77261BC00

Memory Dump Source

Source File: 00000001.00000002.2248053225.00007FF772611000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF772610000, based on PE: true

Associated: 00000001.00000002.2248031395.00007FF772610000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248090145.00007FF77263B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF77264E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF772650000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248161354.00007FF772652000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff772610000_UiF5hKi5o7.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: cd294871893556a2dccf655154be2bf3df3767e75769f0a36af62d0025b7db43
Instruction ID: dc0fd8ed2b7e64ebd0130689e540c2a972cc6e30198f78e92096edea8efe4f83
Opcode Fuzzy Hash: cd294871893556a2dccf655154be2bf3df3767e75769f0a36af62d0025b7db43
Instruction Fuzzy Hash: 57311073729A8186EB60AF60E8403EEB365FB44744F84443ADA5D87B99DF78D548CB20

Function 00007FF77262AE08 Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF77262AE81
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF77262AE99
RtlVirtualUnwind.KERNEL32 ref: 00007FF77262AED4
IsDebuggerPresent.KERNEL32 ref: 00007FF77262AF0D
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF77262AF17
UnhandledExceptionFilter.KERNEL32 ref: 00007FF77262AF22

Memory Dump Source

Source File: 00000001.00000002.2248053225.00007FF772611000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF772610000, based on PE: true

Associated: 00000001.00000002.2248031395.00007FF772610000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248090145.00007FF77263B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF77264E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF772650000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248161354.00007FF772652000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff772610000_UiF5hKi5o7.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 5c909bc5f961fe557bd935f3351fe35852182fda8fef980a068ed3a21c5f954e
Instruction ID: 44c3a35d5d4707a8045506201209b6327d96e38b2a14787f751ff0f851737b20
Opcode Fuzzy Hash: 5c909bc5f961fe557bd935f3351fe35852182fda8fef980a068ed3a21c5f954e
Instruction Fuzzy Hash: 85318333638B8185D720DF25E8402AEB3A5FB88754F900136EA9D83B55DF7CD545CB10

Function 00007FF772632044 Relevance: 7.8, APIs: 5, Instructions: 282COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF772632090
FindFirstFileExW.KERNEL32 ref: 00007FF77263219A

Memory Dump Source

Source File: 00000001.00000002.2248053225.00007FF772611000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF772610000, based on PE: true

Associated: 00000001.00000002.2248031395.00007FF772610000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248090145.00007FF77263B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF77264E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF772650000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248161354.00007FF772652000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff772610000_UiF5hKi5o7.jbxd

Similarity

API ID: FileFindFirst_invalid_parameter_noinfo
String ID:
API String ID: 2227656907-0
Opcode ID: ac7b40576828fb79284637305c18dc54aad877062e0664899b88566ec7425f19
Instruction ID: 090be1543cf54910807072574d5ce489337a698d596359e78516aa6b8061fe0c
Opcode Fuzzy Hash: ac7b40576828fb79284637305c18dc54aad877062e0664899b88566ec7425f19
Instruction Fuzzy Hash: 0AB19B13B3C69242EA51AB1599041BBE353FB44BD4F845133DA6D87E96DEBCE841CB10

Function 00007FF7726343E0 Relevance: 4.8, APIs: 3, Instructions: 340COMMON

Download Yara Rule

APIs

memcpy_s.LIBCPMT ref: 00007FF772634446
memcpy_s.LIBCPMT ref: 00007FF772634471

Memory Dump Source

Source File: 00000001.00000002.2248053225.00007FF772611000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF772610000, based on PE: true

Associated: 00000001.00000002.2248031395.00007FF772610000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248090145.00007FF77263B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF77264E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF772650000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248161354.00007FF772652000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff772610000_UiF5hKi5o7.jbxd

Similarity

API ID: memcpy_s
String ID:
API String ID: 1502251526-0
Opcode ID: 723df14fe8405c9280d13974b9e0b256372cd2939c4def8ecbac686ef57d643c
Instruction ID: 3e1c606eba0650565448b18a4a15b9c45dcea4b6ad8678d9c8c25ba82bdcd015
Opcode Fuzzy Hash: 723df14fe8405c9280d13974b9e0b256372cd2939c4def8ecbac686ef57d643c
Instruction Fuzzy Hash: 5DC1E373B3D2C587D7249F1AA44466AF7A2F785B84F808136DB5A83B45DB7CE801CB40

Function 00007FF77263A158 Relevance: 3.2, APIs: 2, Instructions: 227COMMONLIBRARYCODE

Download Yara Rule

APIs

_clrfp.LIBCMT ref: 00007FF77263A3A7
RaiseException.KERNEL32 ref: 00007FF77263A3B8

Memory Dump Source

Source File: 00000001.00000002.2248053225.00007FF772611000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF772610000, based on PE: true

Associated: 00000001.00000002.2248031395.00007FF772610000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248090145.00007FF77263B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF77264E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF772650000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248161354.00007FF772652000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff772610000_UiF5hKi5o7.jbxd

Similarity

API ID: ExceptionRaise_clrfp
String ID:
API String ID: 15204871-0
Opcode ID: 14b0b223727ce09c818a2636dcd22f4f349b013c5bbbaf2d02418f2d406c5508
Instruction ID: e8ae47f02598492dbb1155dc596ce1861fb688e125ad09ae2ef81a3bbdabfce7
Opcode Fuzzy Hash: 14b0b223727ce09c818a2636dcd22f4f349b013c5bbbaf2d02418f2d406c5508
Instruction Fuzzy Hash: AAB19E73628B848BE715CF29C88636D77E1F744B48F188922DA6DC3BA5CB79D851CB10

Function 00007FF772617BB0 Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32 ref: 00007FF772617BE1
FindClose.KERNEL32 ref: 00007FF772617BF0

Memory Dump Source

Source File: 00000001.00000002.2248053225.00007FF772611000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF772610000, based on PE: true

Associated: 00000001.00000002.2248031395.00007FF772610000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248090145.00007FF77263B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF77264E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF772650000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248161354.00007FF772652000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff772610000_UiF5hKi5o7.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 5ef671962e715da3c8a8e416d99f93764277d8f402abbd57efef7bd2dac3d53b
Instruction ID: 4944770361966f80d86826fbc459055ce64fa5c1ce3c7f54a39e5117136363c2
Opcode Fuzzy Hash: 5ef671962e715da3c8a8e416d99f93764277d8f402abbd57efef7bd2dac3d53b
Instruction Fuzzy Hash: C1F0A23763C28186F7A09B60A484367B352EB44724F400636D57D42AD4DF7CE048CE10

Function 00007FF772623AC8 Relevance: 2.8, Strings: 2, Instructions: 350COMMON

Download Yara Rule

Strings

, xrefs: 00007FF772623C36
, xrefs: 00007FF772623E78

Memory Dump Source

Source File: 00000001.00000002.2248053225.00007FF772611000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF772610000, based on PE: true

Associated: 00000001.00000002.2248031395.00007FF772610000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248090145.00007FF77263B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF77264E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF772650000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248161354.00007FF772652000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff772610000_UiF5hKi5o7.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-227171996
Opcode ID: 5f0767ddc937569d83b1029b76995e48451a7ec732ae4a2b8629df9491cfb095
Instruction ID: 6372b3dce5d88579280cb44b3d91f7866c1bd5df20d7fdeb41218cb08a84065b
Opcode Fuzzy Hash: 5f0767ddc937569d83b1029b76995e48451a7ec732ae4a2b8629df9491cfb095
Instruction Fuzzy Hash: 8CE1F733A3864282E768AE25805013EB3E2FF45B44F945137DA6E87A90CF79D861CB52

Function 00007FF77262E6E0 Relevance: 2.6, Strings: 2, Instructions: 144COMMON

Download Yara Rule

Strings

gfff, xrefs: 00007FF77262E86A
e+000, xrefs: 00007FF77262E7ED

Memory Dump Source

Source File: 00000001.00000002.2248053225.00007FF772611000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF772610000, based on PE: true

Associated: 00000001.00000002.2248031395.00007FF772610000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248090145.00007FF77263B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF77264E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF772650000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248161354.00007FF772652000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff772610000_UiF5hKi5o7.jbxd

Similarity

API ID:
String ID: e+000$gfff
API String ID: 0-3030954782
Opcode ID: 34786c9ff5a1a3317b9d56e91dc6f7680ce2ce63c5fb23e1dfbeb465e7250596
Instruction ID: abb21a00c08876bdc98f23ada5d2ec2d6b5ef9a7972eff4f6f4528e80eaf149d
Opcode Fuzzy Hash: 34786c9ff5a1a3317b9d56e91dc6f7680ce2ce63c5fb23e1dfbeb465e7250596
Instruction Fuzzy Hash: F3513F67B382C545E7249A35980076AB7D2F744B94F888232CBB887FC5CEBDE445CB11

Function 00007FF77262E24C Relevance: 1.5, Strings: 1, Instructions: 254COMMON

Download Yara Rule

Strings

gfffffff, xrefs: 00007FF77262E58E

Memory Dump Source

Source File: 00000001.00000002.2248053225.00007FF772611000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF772610000, based on PE: true

Associated: 00000001.00000002.2248031395.00007FF772610000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248090145.00007FF77263B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF77264E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF772650000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248161354.00007FF772652000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff772610000_UiF5hKi5o7.jbxd

Similarity

API ID:
String ID: gfffffff
API String ID: 0-1523873471
Opcode ID: 8ac5862cb3248682a3be254f9b10f16ec2de46e882c07099e16768db122d88d1
Instruction ID: c316084e055e9fea7a0e3ade4e465f1d57a2a1247bc99b58b27a409dd2e88dd1
Opcode Fuzzy Hash: 8ac5862cb3248682a3be254f9b10f16ec2de46e882c07099e16768db122d88d1
Instruction Fuzzy Hash: 1AA18967B387C586EB21DF25A0107AEB7D6AB54780F448032DEAD87B81DE7DE401CB12

Function 00007FF772628904 Relevance: 1.4, Strings: 1, Instructions: 177COMMON

Download Yara Rule

Strings

TMP, xrefs: 00007FF772628923

Memory Dump Source

Source File: 00000001.00000002.2248053225.00007FF772611000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF772610000, based on PE: true

Associated: 00000001.00000002.2248031395.00007FF772610000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248090145.00007FF77263B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF77264E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF772650000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248161354.00007FF772652000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff772610000_UiF5hKi5o7.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: TMP
API String ID: 3215553584-3125297090
Opcode ID: 7f91ca7fa574998dcb546e47ec08620b83c190e5d2876444cf799c44a103b84f
Instruction ID: df49b8fdec37aed3a6efe1c72af9b5a8733fa1787cf074c88345cd8aa8735580
Opcode Fuzzy Hash: 7f91ca7fa574998dcb546e47ec08620b83c190e5d2876444cf799c44a103b84f
Instruction Fuzzy Hash: 3F51A313F3824241EA64B6265D0517BD2D2AF45F84F885036DE2DD3FD6EEBCE441CA26

Function 00007FF772633C50 Relevance: 1.3, APIs: 1, Instructions: 7memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00007FF772633C54

Memory Dump Source

Source File: 00000001.00000002.2248053225.00007FF772611000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF772610000, based on PE: true

Associated: 00000001.00000002.2248031395.00007FF772610000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248090145.00007FF77263B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF77264E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF772650000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248161354.00007FF772652000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff772610000_UiF5hKi5o7.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: aac3723c2b6a238aefd16b7154bc2a8422277b696578f47c41093f4a2a161188
Instruction ID: 8586df31c44b6429fbd06011cee509cb364432ca0622bc8e3a9a057726b09cb3
Opcode Fuzzy Hash: aac3723c2b6a238aefd16b7154bc2a8422277b696578f47c41093f4a2a161188
Instruction Fuzzy Hash: EBB09B11F3B605C1E74437115C4111562557F44700FD44076C01C81710DD6C10A58B10

Function 00007FF77262328C Relevance: .4, Instructions: 351COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2248053225.00007FF772611000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF772610000, based on PE: true

Associated: 00000001.00000002.2248031395.00007FF772610000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248090145.00007FF77263B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF77264E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF772650000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248161354.00007FF772652000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff772610000_UiF5hKi5o7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 322cb2c86716cdece9c726e9e2c975567fe12a8aa85f98836abd6a4efd61a654
Instruction ID: 10e24edf180a67c77293c71ed689e93e255c542b99dd982ba66ed01180e9a0e7
Opcode Fuzzy Hash: 322cb2c86716cdece9c726e9e2c975567fe12a8aa85f98836abd6a4efd61a654
Instruction Fuzzy Hash: 82E1F733A3864285E764AA28C15437EA7D3EB45B54F944133CE2D86BD4CFBDE851CB22

Function 00007FF7726236C4 Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2248053225.00007FF772611000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF772610000, based on PE: true

Associated: 00000001.00000002.2248031395.00007FF772610000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248090145.00007FF77263B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF77264E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF772650000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248161354.00007FF772652000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff772610000_UiF5hKi5o7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b05b78add0f2b40b7b087ea5cffa0dec983d100235567ed1e4da1ebc7fff721b
Instruction ID: 09ac7c5e5c61b6395023933e5bb82a9c269e90d5b6e7c357ff0b457d899ed377
Opcode Fuzzy Hash: b05b78add0f2b40b7b087ea5cffa0dec983d100235567ed1e4da1ebc7fff721b
Instruction Fuzzy Hash: 29D1E963E3864245EB28AE25805027FB7E2EB05B48F944137CE2D97E84DFBDD461CB12

Function 00007FF7726184D0 Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2248053225.00007FF772611000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF772610000, based on PE: true

Associated: 00000001.00000002.2248031395.00007FF772610000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248090145.00007FF77263B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF77264E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF772650000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248161354.00007FF772652000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff772610000_UiF5hKi5o7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f178bcea31f42b4bc64690478f9f96677cb58666e765d6cdeb9d82255686b749
Instruction ID: d372ee007f77625c444069f1fbf060350a08ba65dace4a50951f10db5cd60e1c
Opcode Fuzzy Hash: f178bcea31f42b4bc64690478f9f96677cb58666e765d6cdeb9d82255686b749
Instruction Fuzzy Hash: FCC1F8732241E04BE289EB29E85947A73E1F788349BD4413BEB8787785D63CF415EB20

Function 00007FF7726223DC Relevance: .2, Instructions: 250COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2248053225.00007FF772611000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF772610000, based on PE: true

Associated: 00000001.00000002.2248031395.00007FF772610000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248090145.00007FF77263B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF77264E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF772650000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248161354.00007FF772652000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff772610000_UiF5hKi5o7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6930fb774978e8bd2e23ea1159758c6b57f5e6197580d07e4b645cf5423f36d5
Instruction ID: bda94d45cc228b8db526da62ceaa1022ed7e2656ff95dfffbe4eb054c396ff1e
Opcode Fuzzy Hash: 6930fb774978e8bd2e23ea1159758c6b57f5e6197580d07e4b645cf5423f36d5
Instruction Fuzzy Hash: E6B1047353864287E7649F24C06023EBBE7E705B48F644136CA5D97B95CFB9D880CB62

Function 00007FF772622774 Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2248053225.00007FF772611000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF772610000, based on PE: true

Associated: 00000001.00000002.2248031395.00007FF772610000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248090145.00007FF77263B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF77264E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF772650000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248161354.00007FF772652000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff772610000_UiF5hKi5o7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7fa8dc11ed81710ce6b292fa711a018f65c6a2741825e179c54963bcefd4b70
Instruction ID: 57e588d81ae73fe316eb698eb6cbc3c0776ba5da381fc49b1693d22a43575c6e
Opcode Fuzzy Hash: a7fa8dc11ed81710ce6b292fa711a018f65c6a2741825e179c54963bcefd4b70
Instruction Fuzzy Hash: 9BB1BE7393868586E7649F29C04023EBBE3F745B48FA44136CA5E87B95CFB9D441CB22

Function 00007FF77262ED60 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2248053225.00007FF772611000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF772610000, based on PE: true

Associated: 00000001.00000002.2248031395.00007FF772610000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248090145.00007FF77263B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF77264E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF772650000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248161354.00007FF772652000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff772610000_UiF5hKi5o7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a1b3bde9e0c906050d36d4556dfde39456ce6978caf9c2efe7239a5fedb6bbf
Instruction ID: f6e6cf4a05ecf7c0c90c9fbecbf0228222d25b213bd52cd2a0ea28fadd100ab3
Opcode Fuzzy Hash: 3a1b3bde9e0c906050d36d4556dfde39456ce6978caf9c2efe7239a5fedb6bbf
Instruction Fuzzy Hash: D481D277A386C186E774DB19904036BA6D2FB45794F84423ADAAD83F95CE7DE400CF12

Function 00007FF772636ED0 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2248053225.00007FF772611000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF772610000, based on PE: true

Associated: 00000001.00000002.2248031395.00007FF772610000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248090145.00007FF77263B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF77264E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF772650000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248161354.00007FF772652000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff772610000_UiF5hKi5o7.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: eb0d7b43a1028ce40fdf7312490b9c01e59fcbcc0c8d1ac85de18c55be6dc943
Instruction ID: 1231396fb31ffce69ced8cbf56f734a600746381455e45d7dbd2e2d4a721392f
Opcode Fuzzy Hash: eb0d7b43a1028ce40fdf7312490b9c01e59fcbcc0c8d1ac85de18c55be6dc943
Instruction Fuzzy Hash: 6C61A863A3C19246FB65A928545027BD5C3AF42760F95423BD67DC6EC6DEFDE800CE20

Function 00007FF772621404 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2248053225.00007FF772611000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF772610000, based on PE: true

Associated: 00000001.00000002.2248031395.00007FF772610000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248090145.00007FF77263B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF77264E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF772650000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248161354.00007FF772652000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff772610000_UiF5hKi5o7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 245e9c4bc0e0b9f18a3364aab59be83cbd96958e997944c25b022b0bfdd10beb
Instruction ID: e3dd7bb6faa6a5cf0c4826ff8c4d1f544ab30276d40cf48684f5bbc2bfa742a0
Opcode Fuzzy Hash: 245e9c4bc0e0b9f18a3364aab59be83cbd96958e997944c25b022b0bfdd10beb
Instruction Fuzzy Hash: C551EAB3A3C65182E7249B28C44033A73E2EB44B58F645172CE5D97B95CB7AEC43CB91

Function 00007FF772621814 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2248053225.00007FF772611000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF772610000, based on PE: true

Associated: 00000001.00000002.2248031395.00007FF772610000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248090145.00007FF77263B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF77264E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF772650000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248161354.00007FF772652000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff772610000_UiF5hKi5o7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36cfbc186101e0a77f1890a1c7e808c8c6087910b00f1974ef122b20eb5bde20
Instruction ID: d7134bdb692e5122a422469e5b2b906fe765fb95aa0167a7700da68f8e449806
Opcode Fuzzy Hash: 36cfbc186101e0a77f1890a1c7e808c8c6087910b00f1974ef122b20eb5bde20
Instruction Fuzzy Hash: 1751F9B7E3C65182E7249B28C44023A73E2EB44B58F649172CE5C97B95CB7AE843CB51

Function 00007FF772620FF4 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2248053225.00007FF772611000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF772610000, based on PE: true

Associated: 00000001.00000002.2248031395.00007FF772610000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248090145.00007FF77263B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF77264E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF772650000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248161354.00007FF772652000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff772610000_UiF5hKi5o7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8186251b5f2d9343d3d72692f21d58eaac1bc924a39335db57a069b4ce12c81
Instruction ID: b3a09e7153412214aff2725f8d0cc022d0d18b02751ea83f8e687875f9c4e17a
Opcode Fuzzy Hash: c8186251b5f2d9343d3d72692f21d58eaac1bc924a39335db57a069b4ce12c81
Instruction Fuzzy Hash: DF51FA73A3C69181E7249B24C44423A73E2EB44F58F645172CE5C97B95CFBAE843CB51

Function 00007FF772621200 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2248053225.00007FF772611000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF772610000, based on PE: true

Associated: 00000001.00000002.2248031395.00007FF772610000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248090145.00007FF77263B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF77264E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF772650000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248161354.00007FF772652000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff772610000_UiF5hKi5o7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9412276bc5eb2fa85696182c8cfd52c2e9645a9302085a3d80f1ecd3ea1c0082
Instruction ID: c1140dc1406bbc666304faedf254b35a1407837066de195dd1be76fe17a5ed40
Opcode Fuzzy Hash: 9412276bc5eb2fa85696182c8cfd52c2e9645a9302085a3d80f1ecd3ea1c0082
Instruction Fuzzy Hash: A151E6B3A3D65181EB249B29C44023E73E2EB44B58F645072DE5C87B96CB79E843CF51

Function 00007FF772621610 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2248053225.00007FF772611000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF772610000, based on PE: true

Associated: 00000001.00000002.2248031395.00007FF772610000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248090145.00007FF77263B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF77264E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF772650000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248161354.00007FF772652000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff772610000_UiF5hKi5o7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a877b357e31cd599e68a74dbaf5c8661608319cea2a418fc02a8a2ced54dbdec
Instruction ID: 391273d2aea44435453b06887ddb85ad570201ac14829987e39d4a14213dd507
Opcode Fuzzy Hash: a877b357e31cd599e68a74dbaf5c8661608319cea2a418fc02a8a2ced54dbdec
Instruction Fuzzy Hash: 0D51F577A3C65182E7249B28C44022E73E2EB84B58F795172CE5C87B95CF7AE843CB51

Function 00007FF772620DF0 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2248053225.00007FF772611000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF772610000, based on PE: true

Associated: 00000001.00000002.2248031395.00007FF772610000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248090145.00007FF77263B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF77264E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF772650000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248161354.00007FF772652000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff772610000_UiF5hKi5o7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b95b690bf34b7a50a36fd66378ab931284c1144445f06a5a46fd3f94635bebb
Instruction ID: 492f7b515b02367f5b7628ee71205e6d459526084ef770ba832e2f43bb69e823
Opcode Fuzzy Hash: 0b95b690bf34b7a50a36fd66378ab931284c1144445f06a5a46fd3f94635bebb
Instruction Fuzzy Hash: 8A51CB3763465185E724AB19C04023E77E2EB54F58F644132CE9C97B94CF7AE883CB91

Function 00007FF7726260F0 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2248053225.00007FF772611000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF772610000, based on PE: true

Associated: 00000001.00000002.2248031395.00007FF772610000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248090145.00007FF77263B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF77264E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF772650000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248161354.00007FF772652000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff772610000_UiF5hKi5o7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e13b74b0b529d91a8ac9ee6727b9f2d590474870fceb05c3e17ea5803dfc50d
Instruction ID: 98492aa33a577ba3792c5529e06da7ba3a7c5703226db80e05bbaf0bb1ee1ebc
Opcode Fuzzy Hash: 7e13b74b0b529d91a8ac9ee6727b9f2d590474870fceb05c3e17ea5803dfc50d
Instruction Fuzzy Hash: 7E411A83C3A66A44FD91991C05086B696D29F127E0ED822BECCBDA7BD3CC4D3546C732

Function 00007FF77262A660 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2248053225.00007FF772611000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF772610000, based on PE: true

Associated: 00000001.00000002.2248031395.00007FF772610000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248090145.00007FF77263B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF77264E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF772650000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248161354.00007FF772652000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff772610000_UiF5hKi5o7.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: 2096fc0deaccd63eba972606d3676cbfca06e60653cd97219181f616f74d57e3
Instruction ID: a63da70e8cf6dd5626969766aebfd74895f22dcee87fc4c5342aa264d8591ace
Opcode Fuzzy Hash: 2096fc0deaccd63eba972606d3676cbfca06e60653cd97219181f616f74d57e3
Instruction Fuzzy Hash: C4411167734A9482EE14DF2AD92416AB3A2A748FD0B889033DE1DC7B58DEBCD581C710

Function 00007FF772627ECC Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2248053225.00007FF772611000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF772610000, based on PE: true

Associated: 00000001.00000002.2248031395.00007FF772610000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248090145.00007FF77263B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF77264E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF772650000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248161354.00007FF772652000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff772610000_UiF5hKi5o7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e58efc7a4840026da8c2ee224b25c6e4052394f130e4aebb15c57cb528e7ae9d
Instruction ID: 67b65637064004ea53ca5fd7b67c13d25b0427b04a26f7c4c9bd98ec376f799f
Opcode Fuzzy Hash: e58efc7a4840026da8c2ee224b25c6e4052394f130e4aebb15c57cb528e7ae9d
Instruction Fuzzy Hash: 1B310833B3DB4142E715EF21644012FA6D6AB85B90F544239EA6D93FD5DF7CD0018B10

Function 00007FF772639FA0 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2248053225.00007FF772611000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF772610000, based on PE: true

Associated: 00000001.00000002.2248031395.00007FF772610000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248090145.00007FF77263B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF77264E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF772650000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248161354.00007FF772652000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff772610000_UiF5hKi5o7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0754fbf4391b08832e62d9f9ec49176088946d616d14b97ca79cf869398b42df
Instruction ID: 0ed7e6eaaabb68961f8e11117523a5ab3d14272cf616ec47e5c8c72a5cadc597
Opcode Fuzzy Hash: 0754fbf4391b08832e62d9f9ec49176088946d616d14b97ca79cf869398b42df
Instruction Fuzzy Hash: 52F068B27382958ADB94DF29A41262A77D1F7083C4F80D4BAD59DC3F14D67C9450CF14

Function 00007FF77261BC84 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2248053225.00007FF772611000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF772610000, based on PE: true

Associated: 00000001.00000002.2248031395.00007FF772610000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248090145.00007FF77263B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF77264E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF772650000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248161354.00007FF772652000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff772610000_UiF5hKi5o7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76fa6bc1ba7292d5aca8c23be0546c73b69cb3dc5911c13ad77fb1461f7435d6
Instruction ID: d0ed3dc8db3f59bf8de7a5bbafe7106ff3ec3b5295fca2edf13867f75290272c
Opcode Fuzzy Hash: 76fa6bc1ba7292d5aca8c23be0546c73b69cb3dc5911c13ad77fb1461f7435d6
Instruction Fuzzy Hash: F9A00223A7CC0AD4E644AB50E858032B332FB54341BC00433D02DC19B1AFBCB401CF24

Function 00007FF772616120 Relevance: 164.8, APIs: 31, Strings: 63, Instructions: 263libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 00007FF772616137
GetProcAddress.KERNEL32 ref: 00007FF772616176
GetProcAddress.KERNEL32 ref: 00007FF77261619B
GetProcAddress.KERNEL32 ref: 00007FF7726161C0
GetProcAddress.KERNEL32 ref: 00007FF7726161E8
GetProcAddress.KERNEL32 ref: 00007FF772616210
GetProcAddress.KERNEL32 ref: 00007FF772616238
GetProcAddress.KERNEL32 ref: 00007FF772616260
GetProcAddress.KERNEL32 ref: 00007FF772616288

Strings

Failed to get address for Tcl_EvalEx, xrefs: 00007FF772616542
Failed to get address for Tcl_GetVar2, xrefs: 00007FF7726163DA
Tcl_FinalizeThread, xrefs: 00007FF772616206
Failed to get address for Tcl_Alloc, xrefs: 00007FF772616592
Tk_Init, xrefs: 00007FF7726165C6
Failed to get address for Tcl_SetVar2, xrefs: 00007FF772616402
Tcl_MutexLock, xrefs: 00007FF7726162A6
Failed to get address for Tcl_FindExecutable, xrefs: 00007FF7726161AD
Failed to get address for Tcl_ConditionWait, xrefs: 00007FF772616362
Tcl_EvalFile, xrefs: 00007FF7726164FE
Failed to get address for Tcl_Free, xrefs: 00007FF7726165BA
Failed to get address for Tcl_NewStringObj, xrefs: 00007FF77261647A
Failed to get address for Tk_GetNumMainWindows, xrefs: 00007FF77261660A
Tcl_Free, xrefs: 00007FF77261659E
Tcl_CreateObjCommand, xrefs: 00007FF77261640E
Tcl_DeleteInterp, xrefs: 00007FF77261622E
Failed to get address for Tcl_ConditionNotify, xrefs: 00007FF77261633A
Failed to get address for Tcl_EvalFile, xrefs: 00007FF77261651A
Failed to get address for Tcl_ThreadAlert, xrefs: 00007FF7726163B2
Failed to get address for Tcl_GetString, xrefs: 00007FF772616452
Tcl_GetVar2, xrefs: 00007FF7726163BE
GetProcAddress, xrefs: 00007FF772616150
Failed to get address for Tcl_MutexUnlock, xrefs: 00007FF7726162EA
Tcl_ConditionFinalize, xrefs: 00007FF7726162F6
Tcl_CreateThread, xrefs: 00007FF772616256
Tcl_CreateInterp, xrefs: 00007FF77261616C
Failed to get address for Tcl_Finalize, xrefs: 00007FF7726161FA
Tcl_EvalObjv, xrefs: 00007FF77261654E
Tcl_EvalEx, xrefs: 00007FF772616526
Tcl_ThreadAlert, xrefs: 00007FF772616396
Tcl_GetCurrentThread, xrefs: 00007FF77261627E
Tcl_MutexUnlock, xrefs: 00007FF7726162CE
Failed to get address for Tcl_MutexLock, xrefs: 00007FF7726162C2
Tk_GetNumMainWindows, xrefs: 00007FF7726165EE
Failed to get address for Tcl_DoOneEvent, xrefs: 00007FF7726161D2
Tcl_NewByteArrayObj, xrefs: 00007FF772616486
Failed to get address for Tcl_EvalObjv, xrefs: 00007FF77261656A
Failed to get address for Tcl_SetVar2Ex, xrefs: 00007FF7726164CA
Tcl_ConditionNotify, xrefs: 00007FF77261631E
Tcl_Init, xrefs: 00007FF772616130
Tcl_Finalize, xrefs: 00007FF7726161DE
Tcl_GetObjResult, xrefs: 00007FF7726164D6
Failed to get address for Tcl_ConditionFinalize, xrefs: 00007FF772616312
Tcl_Alloc, xrefs: 00007FF772616576
Failed to get address for Tcl_Init, xrefs: 00007FF772616149
Tcl_GetString, xrefs: 00007FF772616436
Failed to get address for Tcl_CreateThread, xrefs: 00007FF772616272
Tcl_FindExecutable, xrefs: 00007FF772616191
Tcl_SetVar2Ex, xrefs: 00007FF7726164AE
Failed to get address for Tcl_CreateObjCommand, xrefs: 00007FF77261642A
Failed to get address for Tk_Init, xrefs: 00007FF7726165E2
Failed to get address for Tcl_GetObjResult, xrefs: 00007FF7726164F2
Failed to get address for Tcl_NewByteArrayObj, xrefs: 00007FF7726164A2
Tcl_ThreadQueueEvent, xrefs: 00007FF77261636E
Tcl_ConditionWait, xrefs: 00007FF772616346
Tcl_SetVar2, xrefs: 00007FF7726163E6
Tcl_NewStringObj, xrefs: 00007FF77261645E
Failed to get address for Tcl_ThreadQueueEvent, xrefs: 00007FF77261638A
Tcl_DoOneEvent, xrefs: 00007FF7726161B6
Failed to get address for Tcl_FinalizeThread, xrefs: 00007FF772616222
Failed to get address for Tcl_DeleteInterp, xrefs: 00007FF77261624A
Failed to get address for Tcl_GetCurrentThread, xrefs: 00007FF77261629A
Failed to get address for Tcl_CreateInterp, xrefs: 00007FF772616188

Memory Dump Source

Source File: 00000001.00000002.2248053225.00007FF772611000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF772610000, based on PE: true

Associated: 00000001.00000002.2248031395.00007FF772610000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248090145.00007FF77263B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF77264E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF772650000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248161354.00007FF772652000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff772610000_UiF5hKi5o7.jbxd

Similarity

API ID: AddressProc
String ID: Failed to get address for Tcl_Alloc$Failed to get address for Tcl_ConditionFinalize$Failed to get address for Tcl_ConditionNotify$Failed to get address for Tcl_ConditionWait$Failed to get address for Tcl_CreateInterp$Failed to get address for Tcl_CreateObjCommand$Failed to get address for Tcl_CreateThread$Failed to get address for Tcl_DeleteInterp$Failed to get address for Tcl_DoOneEvent$Failed to get address for Tcl_EvalEx$Failed to get address for Tcl_EvalFile$Failed to get address for Tcl_EvalObjv$Failed to get address for Tcl_Finalize$Failed to get address for Tcl_FinalizeThread$Failed to get address for Tcl_FindExecutable$Failed to get address for Tcl_Free$Failed to get address for Tcl_GetCurrentThread$Failed to get address for Tcl_GetObjResult$Failed to get address for Tcl_GetString$Failed to get address for Tcl_GetVar2$Failed to get address for Tcl_Init$Failed to get address for Tcl_MutexLock$Failed to get address for Tcl_MutexUnlock$Failed to get address for Tcl_NewByteArrayObj$Failed to get address for Tcl_NewStringObj$Failed to get address for Tcl_SetVar2$Failed to get address for Tcl_SetVar2Ex$Failed to get address for Tcl_ThreadAlert$Failed to get address for Tcl_ThreadQueueEvent$Failed to get address for Tk_GetNumMainWindows$Failed to get address for Tk_Init$GetProcAddress$Tcl_Alloc$Tcl_ConditionFinalize$Tcl_ConditionNotify$Tcl_ConditionWait$Tcl_CreateInterp$Tcl_CreateObjCommand$Tcl_CreateThread$Tcl_DeleteInterp$Tcl_DoOneEvent$Tcl_EvalEx$Tcl_EvalFile$Tcl_EvalObjv$Tcl_Finalize$Tcl_FinalizeThread$Tcl_FindExecutable$Tcl_Free$Tcl_GetCurrentThread$Tcl_GetObjResult$Tcl_GetString$Tcl_GetVar2$Tcl_Init$Tcl_MutexLock$Tcl_MutexUnlock$Tcl_NewByteArrayObj$Tcl_NewStringObj$Tcl_SetVar2$Tcl_SetVar2Ex$Tcl_ThreadAlert$Tcl_ThreadQueueEvent$Tk_GetNumMainWindows$Tk_Init
API String ID: 190572456-2208601799
Opcode ID: 58f48e0339e39b57c848ce72b595bd14467f06102aa010257a61c7e5a99d3338
Instruction ID: 596ab3c1aca73385a430e4da0bbb3aafadfe2b917edef67ed783ae4b01f1f73b
Opcode Fuzzy Hash: 58f48e0339e39b57c848ce72b595bd14467f06102aa010257a61c7e5a99d3338
Instruction Fuzzy Hash: 05E1EC6AE3DB4390FA14BB08A840176A3A3AF05790BC45437C57D86B66EFFCB554CB20

Function 00007FF772617E20 Relevance: 22.9, APIs: 4, Strings: 9, Instructions: 113COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32 ref: 00007FF772617E5C

Part of subcall function 00007FF772611FC0: GetLastError.KERNEL32(?,?,00000000,00007FF772617A84,?,?,?,?,?,?,?,?,?,?,?,00007FF772611023), ref: 00007FF772611FE7

Strings

Failed to decode wchar_t from UTF-8, xrefs: 00007FF772617ED6
Out of memory., xrefs: 00007FF772617EA0, 00007FF772617F42
WideCharToMultiByte, xrefs: 00007FF772617F7C
Failed to get wchar_t buffer size., xrefs: 00007FF772617E69
win32_wcs_to_mbs, xrefs: 00007FF772617F3B
Failed to get ANSI buffer size., xrefs: 00007FF772617F1D
Failed to encode filename as ANSI., xrefs: 00007FF772617F75
MultiByteToWideChar, xrefs: 00007FF772617E70, 00007FF772617EDD
win32_utils_from_utf8, xrefs: 00007FF772617E99

Memory Dump Source

Source File: 00000001.00000002.2248053225.00007FF772611000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF772610000, based on PE: true

Associated: 00000001.00000002.2248031395.00007FF772610000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248090145.00007FF77263B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF77264E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF772650000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248161354.00007FF772652000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff772610000_UiF5hKi5o7.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide
String ID: Failed to decode wchar_t from UTF-8$Failed to encode filename as ANSI.$Failed to get ANSI buffer size.$Failed to get wchar_t buffer size.$MultiByteToWideChar$Out of memory.$WideCharToMultiByte$win32_utils_from_utf8$win32_wcs_to_mbs
API String ID: 203985260-1562484376
Opcode ID: a3dc191e6d3a7e30e6d3ca50687f8f113d99b437230db18f3ecdd854ec68b56a
Instruction ID: 60175e855f75b442a7a78727669389a6c407dd81f728ae039cfb960f7a13a5fd
Opcode Fuzzy Hash: a3dc191e6d3a7e30e6d3ca50687f8f113d99b437230db18f3ecdd854ec68b56a
Instruction Fuzzy Hash: B2418062B3CA4285E610BB15A84017BE2D7AF447D0F844536E96D87E96EFBCF501CB60

Function 00007FF7726112B0 Relevance: 17.6, APIs: 1, Strings: 9, Instructions: 136COMMON

Download Yara Rule

APIs

_fread_nolock.LIBCMT ref: 00007FF772611499

Strings

malloc, xrefs: 00007FF772611377
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF7726114BF
\, xrefs: 00007FF7726113F5
Failed to extract %s: failed to allocate data buffer (%u bytes)!, xrefs: 00007FF772611370
%s%c%s, xrefs: 00007FF7726113EE
Failed to extract %s: failed to open archive file!, xrefs: 00007FF7726112FE
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF77261132B
fread, xrefs: 00007FF7726114C6
fseek, xrefs: 00007FF772611332

Memory Dump Source

Source File: 00000001.00000002.2248053225.00007FF772611000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF772610000, based on PE: true

Associated: 00000001.00000002.2248031395.00007FF772610000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248090145.00007FF77263B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF77264E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF772650000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248161354.00007FF772652000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff772610000_UiF5hKi5o7.jbxd

Similarity

API ID: _fread_nolock
String ID: %s%c%s$Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$\$fread$fseek$malloc
API String ID: 840049012-2316137593
Opcode ID: 4c95dd0d34d37db03b0c7629831d949fcc18f1294afb2a9d06a67c8a76cf6a06
Instruction ID: 37f75f845922618817cd6c99bb314ad5a9fd5cdad307fadcd576bfc6b0525edc
Opcode Fuzzy Hash: 4c95dd0d34d37db03b0c7629831d949fcc18f1294afb2a9d06a67c8a76cf6a06
Instruction Fuzzy Hash: 28518663B3868245EA20B711A4512BBA356EF44784FC05833EA6DC7E8ADEBCF545CB10

Function 00007FF772626964 Relevance: 14.5, APIs: 3, Strings: 5, Instructions: 494COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7726269A7
_invalid_parameter_noinfo.LIBCMT ref: 00007FF772626D94
_invalid_parameter_noinfo.LIBCMT ref: 00007FF772627030

Strings

:, xrefs: 00007FF772626B60
f, xrefs: 00007FF772626AC9
p, xrefs: 00007FF772626A59
p, xrefs: 00007FF772626AD1
-, xrefs: 00007FF772626A3D

Memory Dump Source

Source File: 00000001.00000002.2248053225.00007FF772611000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF772610000, based on PE: true

Associated: 00000001.00000002.2248031395.00007FF772610000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248090145.00007FF77263B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF77264E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF772650000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248161354.00007FF772652000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff772610000_UiF5hKi5o7.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: -$:$f$p$p
API String ID: 3215553584-2013873522
Opcode ID: d4cdf2ad873fcc1a55b2f356b6780668518a34574565391aeb310e891ef93fd5
Instruction ID: 13c0b452683dad776b509f3e36a4b292cfafca8261ec9b1a161469ad5028d65a
Opcode Fuzzy Hash: d4cdf2ad873fcc1a55b2f356b6780668518a34574565391aeb310e891ef93fd5
Instruction Fuzzy Hash: 2112B363A3C14786FB20AA15D05467BE6D3EB40754FD4443BE6A986EC4DEBCE580CF22

Function 00007FF772620678 Relevance: 14.5, APIs: 3, Strings: 5, Instructions: 475COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7726206B8
_invalid_parameter_noinfo.LIBCMT ref: 00007FF772620A80
_invalid_parameter_noinfo.LIBCMT ref: 00007FF772620D1F

Strings

f, xrefs: 00007FF7726207BA
f, xrefs: 00007FF772620750
p, xrefs: 00007FF7726207C2
f, xrefs: 00007FF772620905
p, xrefs: 00007FF77262075D

Memory Dump Source

Source File: 00000001.00000002.2248053225.00007FF772611000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF772610000, based on PE: true

Associated: 00000001.00000002.2248031395.00007FF772610000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248090145.00007FF77263B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF77264E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF772650000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248161354.00007FF772652000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff772610000_UiF5hKi5o7.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: f$f$p$p$f
API String ID: 3215553584-1325933183
Opcode ID: c0a981aa494adbb3b7342c3752dce4118702a1c34e2079eb9dc52d78b32a8c41
Instruction ID: f74394175cb911872debf82f5078dd92d57ffab3643e815308cc68c828fcb2a0
Opcode Fuzzy Hash: c0a981aa494adbb3b7342c3752dce4118702a1c34e2079eb9dc52d78b32a8c41
Instruction Fuzzy Hash: DC128263A3C14385FB207A14A05427BF6E3EBA0754FD44136D6A986DC4DBBDE884CF62

Function 00007FF7726115A0 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 99COMMON

Download Yara Rule

Strings

malloc, xrefs: 00007FF772611640
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF7726116C2
Failed to extract %s: failed to allocate data buffer (%u bytes)!, xrefs: 00007FF772611639
Failed to extract %s: failed to open archive file!, xrefs: 00007FF7726115D3
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF772611609
fread, xrefs: 00007FF7726116C9
fseek, xrefs: 00007FF772611610

Memory Dump Source

Source File: 00000001.00000002.2248053225.00007FF772611000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF772610000, based on PE: true

Associated: 00000001.00000002.2248031395.00007FF772610000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248090145.00007FF77263B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF77264E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF772650000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248161354.00007FF772652000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff772610000_UiF5hKi5o7.jbxd

Similarity

API ID:
String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
API String ID: 0-3659356012
Opcode ID: 90ce6babe0c5ccd43897601d73f0a6ba32a96eb65b1f49866d0d65fb14adb7b9
Instruction ID: 1188d321481240f6a8fd923b544ee662094b8418a1529b5a83a8747170a8aea0
Opcode Fuzzy Hash: 90ce6babe0c5ccd43897601d73f0a6ba32a96eb65b1f49866d0d65fb14adb7b9
Instruction Fuzzy Hash: 5A317263B3864245EA24BB11A8001BBE3A2EB047D4FD45833DE6D87E56DEBDF541CB50

Function 00007FF77261E040 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 317COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00007FF77261E09D

Part of subcall function 00007FF77261EFB0: __GetUnwindTryBlock.LIBCMT ref: 00007FF77261EFF3
Part of subcall function 00007FF77261EFB0: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00007FF77261F018

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FF77261E175
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00007FF77261E3CA
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF77261E4D6

Strings

csm, xrefs: 00007FF77261E198
csm, xrefs: 00007FF77261E0B7
csm, xrefs: 00007FF77261E11E

Memory Dump Source

Source File: 00000001.00000002.2248053225.00007FF772611000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF772610000, based on PE: true

Associated: 00000001.00000002.2248031395.00007FF772610000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248090145.00007FF77263B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF77264E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF772650000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248161354.00007FF772652000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff772610000_UiF5hKi5o7.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: ed4df90f0730f50539a8535a21476c0a1de0d4e3aa9e3d66922077705c9def21
Instruction ID: 1e2799b3c08a0274c30488776ef96531bc1146cd0c37fd55185fe4379eba59f9
Opcode Fuzzy Hash: ed4df90f0730f50539a8535a21476c0a1de0d4e3aa9e3d66922077705c9def21
Instruction Fuzzy Hash: 29E17037B3878186EB24AF6594412AEB7A2FB49798F400936DE5D97B55CF78F080CB10

Function 00007FF772617940 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF772611023), ref: 00007FF7726179DF
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF772611023), ref: 00007FF772617A2F

Strings

Failed to encode wchar_t as UTF-8., xrefs: 00007FF772617A58
Out of memory., xrefs: 00007FF772617A61
WideCharToMultiByte, xrefs: 00007FF772617A78
Failed to get UTF-8 buffer size., xrefs: 00007FF772617A71
win32_utils_to_utf8, xrefs: 00007FF772617A68

Memory Dump Source

Source File: 00000001.00000002.2248053225.00007FF772611000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF772610000, based on PE: true

Associated: 00000001.00000002.2248031395.00007FF772610000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248090145.00007FF77263B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF77264E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF772650000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248161354.00007FF772652000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff772610000_UiF5hKi5o7.jbxd

Similarity

API ID: ByteCharMultiWide
String ID: Failed to encode wchar_t as UTF-8.$Failed to get UTF-8 buffer size.$Out of memory.$WideCharToMultiByte$win32_utils_to_utf8
API String ID: 626452242-27947307
Opcode ID: 283b9852074a23623f78ed3985db15c4f61d23f1de9df3a16f6eda00b8e02162
Instruction ID: 1aed322353b2c3ed622bd756e7ba3e4c86c7247ee4eb81cd6c2e3e3ec82b9753
Opcode Fuzzy Hash: 283b9852074a23623f78ed3985db15c4f61d23f1de9df3a16f6eda00b8e02162
Instruction Fuzzy Hash: E141A43363CB8281D621AF15E84016BE7A6FB84790F944436DAAD83F99DFBCE551CB10

Function 00007FF7726180F0 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 63COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(00000000,00007FF7726130F5), ref: 00007FF772618131

Part of subcall function 00007FF772611FC0: GetLastError.KERNEL32(?,?,00000000,00007FF772617A84,?,?,?,?,?,?,?,?,?,?,?,00007FF772611023), ref: 00007FF772611FE7

WideCharToMultiByte.KERNEL32(00000000,00007FF7726130F5), ref: 00007FF7726181A5

Strings

Failed to encode wchar_t as UTF-8., xrefs: 00007FF7726181AF
Out of memory., xrefs: 00007FF77261816B
WideCharToMultiByte, xrefs: 00007FF772618145, 00007FF7726181B6
Failed to get UTF-8 buffer size., xrefs: 00007FF77261813E
win32_utils_to_utf8, xrefs: 00007FF772618172

Memory Dump Source

Source File: 00000001.00000002.2248053225.00007FF772611000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF772610000, based on PE: true

Associated: 00000001.00000002.2248031395.00007FF772610000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248090145.00007FF77263B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF77264E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF772650000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248161354.00007FF772652000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff772610000_UiF5hKi5o7.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID: Failed to encode wchar_t as UTF-8.$Failed to get UTF-8 buffer size.$Out of memory.$WideCharToMultiByte$win32_utils_to_utf8
API String ID: 1717984340-27947307
Opcode ID: 1a6fdf0e1fc89b618f804e67e1824ecb1242a7be15b819eb949045da6c87acc4
Instruction ID: 8470bd92ce48835c57a7773a75e94931062c1d4cd9b055ec32c29b89f9188f78
Opcode Fuzzy Hash: 1a6fdf0e1fc89b618f804e67e1824ecb1242a7be15b819eb949045da6c87acc4
Instruction Fuzzy Hash: F9216F62B38B4385E710AF16A84116AB7A7BB44B80F944536DA6D83B55EFBCE501CB10

Function 00007FF7726167D0 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 136COMMON

Download Yara Rule

APIs

_fread_nolock.LIBCMT ref: 00007FF772616946

Part of subcall function 00007FF77261F780: _invalid_parameter_noinfo.LIBCMT ref: 00007FF77261F794

Part of subcall function 00007FF77261F754: _invalid_parameter_noinfo.LIBCMT ref: 00007FF77261F768

Strings

\, xrefs: 00007FF77261681C
PYINSTALLER_STRICT_UNPACK_MODE, xrefs: 00007FF772616862
ERROR: file already exists but should not: %s, xrefs: 00007FF7726168AC
%s%c%s, xrefs: 00007FF772616815
WARNING: file already exists but should not: %s, xrefs: 00007FF7726168C8

Memory Dump Source

Source File: 00000001.00000002.2248053225.00007FF772611000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF772610000, based on PE: true

Associated: 00000001.00000002.2248031395.00007FF772610000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248090145.00007FF77263B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF77264E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF772650000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248161354.00007FF772652000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff772610000_UiF5hKi5o7.jbxd

Similarity

API ID: _invalid_parameter_noinfo$_fread_nolock
String ID: %s%c%s$ERROR: file already exists but should not: %s$PYINSTALLER_STRICT_UNPACK_MODE$WARNING: file already exists but should not: %s$\
API String ID: 3231891352-3501660386
Opcode ID: 45c82e91027f4a79a680c82a92934e320928fddaa14633864d4e615379ae879d
Instruction ID: 7850547135b73835c8204fff9fb1b49769abd7978bebf097ee666278dacb3b02
Opcode Fuzzy Hash: 45c82e91027f4a79a680c82a92934e320928fddaa14633864d4e615379ae879d
Instruction Fuzzy Hash: 99516056B3D68241FA54BB11A5002BBD2929F45780F844836EA6DC6EDADEACF504CF70

Function 00007FF77261D2F8 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,?,00007FF77261D5AA,?,?,?,00007FF77261D29C,?,?,00000001,00007FF77261CEB9), ref: 00007FF77261D37D
GetLastError.KERNEL32(?,?,?,00007FF77261D5AA,?,?,?,00007FF77261D29C,?,?,00000001,00007FF77261CEB9), ref: 00007FF77261D38B
LoadLibraryExW.KERNEL32(?,?,?,00007FF77261D5AA,?,?,?,00007FF77261D29C,?,?,00000001,00007FF77261CEB9), ref: 00007FF77261D3B5
FreeLibrary.KERNEL32(?,?,?,00007FF77261D5AA,?,?,?,00007FF77261D29C,?,?,00000001,00007FF77261CEB9), ref: 00007FF77261D3FB
GetProcAddress.KERNEL32(?,?,?,00007FF77261D5AA,?,?,?,00007FF77261D29C,?,?,00000001,00007FF77261CEB9), ref: 00007FF77261D407

Strings

api-ms-, xrefs: 00007FF77261D39D

Memory Dump Source

Source File: 00000001.00000002.2248053225.00007FF772611000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF772610000, based on PE: true

Associated: 00000001.00000002.2248031395.00007FF772610000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248090145.00007FF77263B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF77264E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF772650000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248161354.00007FF772652000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff772610000_UiF5hKi5o7.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: 401bf44a21d796c7bc3e63b3c41fdd6ef2024785226a2e5070dcc91098cb9f6a
Instruction ID: e32399ee695f01f06f558bede020575cdab6a29640ce3bf58ff9e8972f08bb07
Opcode Fuzzy Hash: 401bf44a21d796c7bc3e63b3c41fdd6ef2024785226a2e5070dcc91098cb9f6a
Instruction Fuzzy Hash: 58319523B3A64281EE15BB02940056AA396BF45BA0F950936DE3DC6B81DFBCF445CB20

Function 00007FF772616650 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 88COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF772617FE0: MultiByteToWideChar.KERNEL32 ref: 00007FF77261801A

ExpandEnvironmentStringsW.KERNEL32(00000000,00007FF772616BD1,00000000,00000000,00000000,00000000,?,00007FF77261154F), ref: 00007FF7726166AF

Strings

LOADER: Failed to convert runtime-tmpdir to a wide string., xrefs: 00007FF772616686
LOADER: Failed to expand environment variables in the runtime-tmpdir., xrefs: 00007FF7726166C3
LOADER: Failed to obtain the absolute path of the runtime-tmpdir., xrefs: 00007FF77261670A

Memory Dump Source

Source File: 00000001.00000002.2248053225.00007FF772611000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF772610000, based on PE: true

Associated: 00000001.00000002.2248031395.00007FF772610000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248090145.00007FF77263B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF77264E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF772650000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248161354.00007FF772652000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff772610000_UiF5hKi5o7.jbxd

Similarity

API ID: ByteCharEnvironmentExpandMultiStringsWide
String ID: LOADER: Failed to convert runtime-tmpdir to a wide string.$LOADER: Failed to expand environment variables in the runtime-tmpdir.$LOADER: Failed to obtain the absolute path of the runtime-tmpdir.
API String ID: 2001182103-3498232454
Opcode ID: 5a9a66fd2af3f3c10d5c7f75e4296a5dff3031b550318f5ebae2e3d37a800bd5
Instruction ID: 7834a8cbac0264a767203dc1bf122a29fd7d63137d624692c17dab12d647434f
Opcode Fuzzy Hash: 5a9a66fd2af3f3c10d5c7f75e4296a5dff3031b550318f5ebae2e3d37a800bd5
Instruction Fuzzy Hash: 2C316857B3D78640FA25B721D5553BB9192AF88780FC44837DA6DC2E96EEACF104CE20

Function 00007FF772617FE0 Relevance: 10.6, APIs: 2, Strings: 5, Instructions: 68COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32 ref: 00007FF77261801A

Part of subcall function 00007FF772611FC0: GetLastError.KERNEL32(?,?,00000000,00007FF772617A84,?,?,?,?,?,?,?,?,?,?,?,00007FF772611023), ref: 00007FF772611FE7

MultiByteToWideChar.KERNEL32 ref: 00007FF7726180A0

Strings

Failed to decode wchar_t from UTF-8, xrefs: 00007FF7726180AA
Out of memory., xrefs: 00007FF772618062
Failed to get wchar_t buffer size., xrefs: 00007FF772618027
MultiByteToWideChar, xrefs: 00007FF77261802E, 00007FF7726180B1
win32_utils_from_utf8, xrefs: 00007FF772618069

Memory Dump Source

Source File: 00000001.00000002.2248053225.00007FF772611000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF772610000, based on PE: true

Associated: 00000001.00000002.2248031395.00007FF772610000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248090145.00007FF77263B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF77264E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF772650000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248161354.00007FF772652000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff772610000_UiF5hKi5o7.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID: Failed to decode wchar_t from UTF-8$Failed to get wchar_t buffer size.$MultiByteToWideChar$Out of memory.$win32_utils_from_utf8
API String ID: 1717984340-876015163
Opcode ID: 99d0c13c7fcb40935d26c9aca5e49299c1bd3538adca28ac103b13db73bad913
Instruction ID: 84eeec4a7bee9c1f9503e5168ccfdcc6cb040ffabd6700a9f4072fd48dc2b91b
Opcode Fuzzy Hash: 99d0c13c7fcb40935d26c9aca5e49299c1bd3538adca28ac103b13db73bad913
Instruction Fuzzy Hash: 83215422B3CA4281E650EB19F44016AE3A2EB857C4F984536DB6C83F69EF6CE551CB10

Function 00007FF77262B940 Relevance: 10.6, APIs: 7, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF77262B94F
FlsGetValue.KERNEL32 ref: 00007FF77262B964
FlsSetValue.KERNEL32 ref: 00007FF77262B985
FlsSetValue.KERNEL32 ref: 00007FF77262B9B2
FlsSetValue.KERNEL32 ref: 00007FF77262B9C3
FlsSetValue.KERNEL32 ref: 00007FF77262B9D4
SetLastError.KERNEL32 ref: 00007FF77262B9EF

Memory Dump Source

Source File: 00000001.00000002.2248053225.00007FF772611000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF772610000, based on PE: true

Associated: 00000001.00000002.2248031395.00007FF772610000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248090145.00007FF77263B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF77264E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF772650000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248161354.00007FF772652000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff772610000_UiF5hKi5o7.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 536890598da63789cafebb39ab7a1b9b197f7be4c8ab1447fe8c2ed6f16a9d87
Instruction ID: 37f245e7100e67b607a74e712f096af61ad5208b00b7df69807967a4679a0014
Opcode Fuzzy Hash: 536890598da63789cafebb39ab7a1b9b197f7be4c8ab1447fe8c2ed6f16a9d87
Instruction Fuzzy Hash: C7216D22E3C64242F9587721565123BE1C39F497A0F904737D87E97ED6DDECA400CE22

Function 00007FF77263871C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 00007FF77263874D
GetLastError.KERNEL32 ref: 00007FF772638759
CloseHandle.KERNEL32 ref: 00007FF772638771
CreateFileW.KERNEL32 ref: 00007FF77263879C
WriteConsoleW.KERNEL32 ref: 00007FF7726387BB

Strings

CONOUT$, xrefs: 00007FF77263877D

Memory Dump Source

Source File: 00000001.00000002.2248053225.00007FF772611000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF772610000, based on PE: true

Associated: 00000001.00000002.2248031395.00007FF772610000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248090145.00007FF77263B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF77264E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF772650000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248161354.00007FF772652000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff772610000_UiF5hKi5o7.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: 782d7be382e6ca21b379f32368c73bb8775f466e7ed2cdd0d278672f00c346f0
Instruction ID: 40cd43c9a79dc2c76273a6a555d6af845286dbd21ba553accf20b8926fd3c0d2
Opcode Fuzzy Hash: 782d7be382e6ca21b379f32368c73bb8775f466e7ed2cdd0d278672f00c346f0
Instruction Fuzzy Hash: 77119D26B3CA4186E3506B01E85432AB3A2FB58FE4F444235DA6DC7B95DFBCD544CB50

Function 00007FF77262BAB8 Relevance: 9.1, APIs: 6, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FF772627BC1,?,?,?,?,00007FF77262F407,?,?,00000000,00007FF77262BBD6,?,?,?), ref: 00007FF77262BAC7
FlsSetValue.KERNEL32(?,?,?,00007FF772627BC1,?,?,?,?,00007FF77262F407,?,?,00000000,00007FF77262BBD6,?,?,?), ref: 00007FF77262BAFD
FlsSetValue.KERNEL32(?,?,?,00007FF772627BC1,?,?,?,?,00007FF77262F407,?,?,00000000,00007FF77262BBD6,?,?,?), ref: 00007FF77262BB2A
FlsSetValue.KERNEL32(?,?,?,00007FF772627BC1,?,?,?,?,00007FF77262F407,?,?,00000000,00007FF77262BBD6,?,?,?), ref: 00007FF77262BB3B
FlsSetValue.KERNEL32(?,?,?,00007FF772627BC1,?,?,?,?,00007FF77262F407,?,?,00000000,00007FF77262BBD6,?,?,?), ref: 00007FF77262BB4C
SetLastError.KERNEL32(?,?,?,00007FF772627BC1,?,?,?,?,00007FF77262F407,?,?,00000000,00007FF77262BBD6,?,?,?), ref: 00007FF77262BB67

Memory Dump Source

Source File: 00000001.00000002.2248053225.00007FF772611000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF772610000, based on PE: true

Associated: 00000001.00000002.2248031395.00007FF772610000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248090145.00007FF77263B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF77264E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF772650000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248161354.00007FF772652000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff772610000_UiF5hKi5o7.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 23f6f2c62d004cfd5574e5c3f868082861320257ec1f712a364159cd7c87468a
Instruction ID: 650bb620273940e0dfe780474f3945e038f10fd81ae430da037f24558b4a0a87
Opcode Fuzzy Hash: 23f6f2c62d004cfd5574e5c3f868082861320257ec1f712a364159cd7c87468a
Instruction Fuzzy Hash: 87115B22A3C28242FA187731564127BE1C3DF487B0F944736D83E87ED6DEACA441CE22

Function 00007FF77261CCB8 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 144COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF77261CCE3
_IsNonwritableInCurrentImage.LIBCMT ref: 00007FF77261CD78
RtlUnwindEx.KERNEL32 ref: 00007FF77261CDC7

Strings

csm, xrefs: 00007FF77261CD5E
f, xrefs: 00007FF77261CCF6

Memory Dump Source

Source File: 00000001.00000002.2248053225.00007FF772611000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF772610000, based on PE: true

Associated: 00000001.00000002.2248031395.00007FF772610000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248090145.00007FF77263B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF77264E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF772650000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248161354.00007FF772652000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff772610000_UiF5hKi5o7.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm$f
API String ID: 2395640692-629598281
Opcode ID: 441ec2522eb67d11a7ea9a1300faeb4b4fa433f0a030fc2c64f19feb19168e88
Instruction ID: 9657ae973a8752aa4bb5b37f0267794782e6f08e08d4c078b5982cfbe9a909c6
Opcode Fuzzy Hash: 441ec2522eb67d11a7ea9a1300faeb4b4fa433f0a030fc2c64f19feb19168e88
Instruction Fuzzy Hash: E051A433B3960286D714EB15D404A2EB757FB44B94F908932DA6AC3B88DFB8F941CB51

Function 00007FF77262A248 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00007FF77262A26D
GetProcAddress.KERNEL32 ref: 00007FF77262A283
FreeLibrary.KERNEL32 ref: 00007FF77262A2AA

Strings

CorExitProcess, xrefs: 00007FF77262A27C
mscoree.dll, xrefs: 00007FF77262A264

Memory Dump Source

Source File: 00000001.00000002.2248053225.00007FF772611000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF772610000, based on PE: true

Associated: 00000001.00000002.2248031395.00007FF772610000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248090145.00007FF77263B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF77264E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF772650000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248161354.00007FF772652000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff772610000_UiF5hKi5o7.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 49a44557b6c7559572de52d78303139dcb5ac6347d4980437b0fa0186231bfbf
Instruction ID: 8bdb3f3e84b3c58a904394539bcf6c2c1e606ff4c138121095c114a8d522aade
Opcode Fuzzy Hash: 49a44557b6c7559572de52d78303139dcb5ac6347d4980437b0fa0186231bfbf
Instruction Fuzzy Hash: CAF0442263960642EA106B24A88477BB362FF857A1F940236C57D859E5CFADD549CB20

Function 00007FF772639DA0 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00007FF772639DC8
_set_statfp.LIBCMT ref: 00007FF772639DE3
_set_statfp.LIBCMT ref: 00007FF772639DFF
_set_statfp.LIBCMT ref: 00007FF772639E3B

Memory Dump Source

Source File: 00000001.00000002.2248053225.00007FF772611000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF772610000, based on PE: true

Associated: 00000001.00000002.2248031395.00007FF772610000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248090145.00007FF77263B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF77264E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF772650000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248161354.00007FF772652000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff772610000_UiF5hKi5o7.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: a62d4fcbb0970871e45180a1f834c32a3c4d190302dd8db61346826940fa499d
Instruction ID: 8b1da268690544b2ce3e64c1f040675fb3a851573872c3467d88885141adbbad
Opcode Fuzzy Hash: a62d4fcbb0970871e45180a1f834c32a3c4d190302dd8db61346826940fa499d
Instruction Fuzzy Hash: E3118F33E3DA0301F6543525E64637790826F58370FC41636EABE86BD7AEACAE41DD60

Function 00007FF77262BB80 Relevance: 7.6, APIs: 5, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,00007FF77262AD97,?,?,00000000,00007FF77262B032,?,?,?,?,?,00007FF772622AF0), ref: 00007FF77262BB9F
FlsSetValue.KERNEL32(?,?,?,00007FF77262AD97,?,?,00000000,00007FF77262B032,?,?,?,?,?,00007FF772622AF0), ref: 00007FF77262BBBE
FlsSetValue.KERNEL32(?,?,?,00007FF77262AD97,?,?,00000000,00007FF77262B032,?,?,?,?,?,00007FF772622AF0), ref: 00007FF77262BBE6
FlsSetValue.KERNEL32(?,?,?,00007FF77262AD97,?,?,00000000,00007FF77262B032,?,?,?,?,?,00007FF772622AF0), ref: 00007FF77262BBF7
FlsSetValue.KERNEL32(?,?,?,00007FF77262AD97,?,?,00000000,00007FF77262B032,?,?,?,?,?,00007FF772622AF0), ref: 00007FF77262BC08

Memory Dump Source

Source File: 00000001.00000002.2248053225.00007FF772611000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF772610000, based on PE: true

Associated: 00000001.00000002.2248031395.00007FF772610000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248090145.00007FF77263B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF77264E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF772650000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248161354.00007FF772652000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff772610000_UiF5hKi5o7.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 826f2a2bb5259ecdca222a4e952b5921e6103acacb5b4ea23dd563de8f2b1a04
Instruction ID: 431f262b93833ac008c057eb6d67c25874122c153ded59667ae2e33bc83c35f7
Opcode Fuzzy Hash: 826f2a2bb5259ecdca222a4e952b5921e6103acacb5b4ea23dd563de8f2b1a04
Instruction Fuzzy Hash: B9119022F3824241F9587731654127BE1C39F497A0F846336E83E86ED6DDACA441CA22

Function 00007FF77262BA14 Relevance: 7.6, APIs: 5, Instructions: 50COMMON

Download Yara Rule

APIs

FlsGetValue.KERNEL32 ref: 00007FF77262BA25
FlsSetValue.KERNEL32 ref: 00007FF77262BA44
FlsSetValue.KERNEL32 ref: 00007FF77262BA6C
FlsSetValue.KERNEL32 ref: 00007FF77262BA7D
FlsSetValue.KERNEL32 ref: 00007FF77262BA8E

Memory Dump Source

Source File: 00000001.00000002.2248053225.00007FF772611000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF772610000, based on PE: true

Associated: 00000001.00000002.2248031395.00007FF772610000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248090145.00007FF77263B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF77264E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF772650000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248161354.00007FF772652000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff772610000_UiF5hKi5o7.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 07fc115f0ab617edcc5ddaf63fb37d7a13bf2c82535a12df9d3141224ca85f6c
Instruction ID: 0c03cada3fd6bb12ed7c99fcc1cfe90a9b9523173aac0d167c243c85404320d0
Opcode Fuzzy Hash: 07fc115f0ab617edcc5ddaf63fb37d7a13bf2c82535a12df9d3141224ca85f6c
Instruction Fuzzy Hash: 08113622E7924742F9687631581227BA1C3CF49360E944736D83E8AAD2DDECB401CA72

Function 00007FF772626674 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7726266B0
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7726267DA
_invalid_parameter_noinfo.LIBCMT ref: 00007FF772626890

Strings

verbose, xrefs: 00007FF772626684

Memory Dump Source

Source File: 00000001.00000002.2248053225.00007FF772611000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF772610000, based on PE: true

Associated: 00000001.00000002.2248031395.00007FF772610000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248090145.00007FF77263B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF77264E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF772650000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248161354.00007FF772652000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff772610000_UiF5hKi5o7.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: verbose
API String ID: 3215553584-579935070
Opcode ID: fe1e8efda0cf6c93562b921e4ec050f1932563884317df94160744cb1de47bce
Instruction ID: 6e859f74ae1cc6a7443a412c039f6bd867a7bf80aacaf7f83b86b603fd3e16eb
Opcode Fuzzy Hash: fe1e8efda0cf6c93562b921e4ec050f1932563884317df94160744cb1de47bce
Instruction Fuzzy Hash: 6391D323A3864681F725AE25E45077EB7D2AB00B54FC4413BDA6D87BC4DEBCE441CB62

Function 00007FF772630708 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 219COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7726309E7

Part of subcall function 00007FF772636B24: _invalid_parameter_noinfo.LIBCMT ref: 00007FF772636B41

Strings

UTF-16LEUNICODE, xrefs: 00007FF772630985
UTF-8, xrefs: 00007FF772630966
ccs, xrefs: 00007FF772630922

Memory Dump Source

Source File: 00000001.00000002.2248053225.00007FF772611000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF772610000, based on PE: true

Associated: 00000001.00000002.2248031395.00007FF772610000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248090145.00007FF77263B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF77264E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF772650000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248161354.00007FF772652000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff772610000_UiF5hKi5o7.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: UTF-16LEUNICODE$UTF-8$ccs
API String ID: 3215553584-1196891531
Opcode ID: b2cc363805ca20447a25c8f81cd7393a480cab13a7b6463fd57a1b4c48298ff2
Instruction ID: aebfc29cb05eda0daff5bb8ab6206a1763868221a60b5fc061d5484e309ed4a5
Opcode Fuzzy Hash: b2cc363805ca20447a25c8f81cd7393a480cab13a7b6463fd57a1b4c48298ff2
Instruction Fuzzy Hash: 0E81B273D3D24385FA64BE25811027AA6A2EF10B44FD55033CA6DD3AC6CABCE509DF61

Function 00007FF77261E518 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 00007FF77261E564
_CallSETranslator.LIBVCRUNTIME ref: 00007FF77261E5B3

Strings

RCC, xrefs: 00007FF77261E581
MOC, xrefs: 00007FF77261E578

Memory Dump Source

Source File: 00000001.00000002.2248053225.00007FF772611000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF772610000, based on PE: true

Associated: 00000001.00000002.2248031395.00007FF772610000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248090145.00007FF77263B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF77264E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF772650000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248161354.00007FF772652000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff772610000_UiF5hKi5o7.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: e30b001a65ecbac323d64855d84c7dd7b86801db1d6a53d41dfb75bd32efedcc
Instruction ID: 61061877ae35aa08ed0f0cbcbeed25d12263717bb1bc618127a30b12efbde3ad
Opcode Fuzzy Hash: e30b001a65ecbac323d64855d84c7dd7b86801db1d6a53d41dfb75bd32efedcc
Instruction Fuzzy Hash: 1A619A3BA28B858AE710DF65D4403AEB7A1FB44B88F544626EF5D47B95DFB8E040CB10

Function 00007FF77261E874 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 145COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF77261E89C
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00007FF77261E984

Strings

csm, xrefs: 00007FF77261E8BE
csm, xrefs: 00007FF77261E9D6

Memory Dump Source

Source File: 00000001.00000002.2248053225.00007FF772611000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF772610000, based on PE: true

Associated: 00000001.00000002.2248031395.00007FF772610000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248090145.00007FF77263B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF77264E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF772650000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248161354.00007FF772652000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff772610000_UiF5hKi5o7.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: bdee17589bf75213b8a05d91e8f1b92ccfe5eb3b40fb346315327662de68e928
Instruction ID: 6bf78d46fe22729971cf06b1ab35b2a4d7aadcc6311ef279768cce2cf95d8d34
Opcode Fuzzy Hash: bdee17589bf75213b8a05d91e8f1b92ccfe5eb3b40fb346315327662de68e928
Instruction Fuzzy Hash: C4519237A382C287EA649B11904036AB6A2FB54B84F584537DAAC87ED5CFBCF450CB10

Function 00007FF772613090 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,00007FF772612AEF), ref: 00007FF7726130C1

Part of subcall function 00007FF772611FC0: GetLastError.KERNEL32(?,?,00000000,00007FF772617A84,?,?,?,?,?,?,?,?,?,?,?,00007FF772611023), ref: 00007FF772611FE7

Strings

GetModuleFileNameW, xrefs: 00007FF7726130D2
Failed to convert executable path to UTF-8., xrefs: 00007FF7726130FA
Failed to get executable path., xrefs: 00007FF7726130CB

Memory Dump Source

Source File: 00000001.00000002.2248053225.00007FF772611000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF772610000, based on PE: true

Associated: 00000001.00000002.2248031395.00007FF772610000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248090145.00007FF77263B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF77264E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF772650000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248161354.00007FF772652000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff772610000_UiF5hKi5o7.jbxd

Similarity

API ID: ErrorFileLastModuleName
String ID: Failed to convert executable path to UTF-8.$Failed to get executable path.$GetModuleFileNameW
API String ID: 2776309574-1977442011
Opcode ID: 49f1ecf3d94381de7c8fcc3105cc7b5bdb7d10445a3a2172c696d0a4c51e4e0e
Instruction ID: ce651e0b12194cfe69373884a95303fd5deb0d1db2840517a33b192a07dea226
Opcode Fuzzy Hash: 49f1ecf3d94381de7c8fcc3105cc7b5bdb7d10445a3a2172c696d0a4c51e4e0e
Instruction Fuzzy Hash: C8015252B3C64655FA60B710D8463B7A292AF4C784FC00833D86EC5A86EEACF158CE20

Function 00007FF77262CD90 Relevance: 6.3, APIs: 4, Instructions: 299fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 00007FF77262CE0F
WriteFile.KERNEL32 ref: 00007FF77262D0D7
WriteFile.KERNEL32 ref: 00007FF77262D11D
GetLastError.KERNEL32 ref: 00007FF77262D1D3

Memory Dump Source

Source File: 00000001.00000002.2248053225.00007FF772611000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF772610000, based on PE: true

Associated: 00000001.00000002.2248031395.00007FF772610000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248090145.00007FF77263B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF77264E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF772650000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248161354.00007FF772652000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff772610000_UiF5hKi5o7.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: 6eb07c62c7f2be5fe310762afd6a0bfddb871e62887f4110a816b6a1868fb288
Instruction ID: 0ef5e4a0f1b97d440bcf19685e8cfe065e773c2398f4ab401a1f91764eec212c
Opcode Fuzzy Hash: 6eb07c62c7f2be5fe310762afd6a0bfddb871e62887f4110a816b6a1868fb288
Instruction Fuzzy Hash: A1D1F033B38A8189E710DF65D4402AD77B2FB48798B904226CF6E97F99DE78D406CB50

Function 00007FF7726258EC Relevance: 6.1, APIs: 4, Instructions: 119pipeCOMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 00007FF77262591F
GetFileInformationByHandle.KERNEL32 ref: 00007FF772625981
GetLastError.KERNEL32 ref: 00007FF772625A12
PeekNamedPipe.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,00000000,?,00000000,?,00007FF772625824), ref: 00007FF772625A5E

Memory Dump Source

Source File: 00000001.00000002.2248053225.00007FF772611000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF772610000, based on PE: true

Associated: 00000001.00000002.2248031395.00007FF772610000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248090145.00007FF77263B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF77264E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF772650000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248161354.00007FF772652000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff772610000_UiF5hKi5o7.jbxd

Similarity

API ID: File$ErrorHandleInformationLastNamedPeekPipeType
String ID:
API String ID: 2780335769-0
Opcode ID: a644cbf01c450c3453b8346303d2a41b57d7119f4d028b80f2dbef41ef418b95
Instruction ID: 7fcca234c491ea9f42ad9591d834b7f3ac6e9383469a4239f8580b3b7339b71f
Opcode Fuzzy Hash: a644cbf01c450c3453b8346303d2a41b57d7119f4d028b80f2dbef41ef418b95
Instruction Fuzzy Hash: E651C323E3824185FB24EF70D49137E63E2BB44758F544536DE1997A49DF78D044CB21

Function 00007FF772617C30 Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetConsoleWindow.KERNEL32 ref: 00007FF772617C36
GetCurrentProcessId.KERNEL32 ref: 00007FF772617C49
GetWindowThreadProcessId.USER32 ref: 00007FF772617C59
ShowWindow.USER32 ref: 00007FF772617C71

Memory Dump Source

Source File: 00000001.00000002.2248053225.00007FF772611000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF772610000, based on PE: true

Associated: 00000001.00000002.2248031395.00007FF772610000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248090145.00007FF77263B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF77264E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF772650000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248161354.00007FF772652000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff772610000_UiF5hKi5o7.jbxd

Similarity

API ID: Window$Process$ConsoleCurrentShowThread
String ID:
API String ID: 242035731-0
Opcode ID: f142a766af94d23a34c50566ceeff269ea394bc3c7539ab27bbf2cb06ea8d491
Instruction ID: bd576fb9b0b676bea64dc10f0b648b457c1e1e5be12bc6c51979432563ced811
Opcode Fuzzy Hash: f142a766af94d23a34c50566ceeff269ea394bc3c7539ab27bbf2cb06ea8d491
Instruction Fuzzy Hash: B9F01222B3C746C2FA516B11A48413AA252FF48794F441032D96E87A55DF7CF455CB20

Function 00007FF772617AE0 Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetConsoleWindow.KERNEL32 ref: 00007FF772617AE6
GetCurrentProcessId.KERNEL32 ref: 00007FF772617AF9
GetWindowThreadProcessId.USER32 ref: 00007FF772617B09
ShowWindow.USER32 ref: 00007FF772617B1E

Memory Dump Source

Source File: 00000001.00000002.2248053225.00007FF772611000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF772610000, based on PE: true

Associated: 00000001.00000002.2248031395.00007FF772610000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248090145.00007FF77263B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF77264E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF772650000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248161354.00007FF772652000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff772610000_UiF5hKi5o7.jbxd

Similarity

API ID: Window$Process$ConsoleCurrentShowThread
String ID:
API String ID: 242035731-0
Opcode ID: 3b045ef48ad9d1fcfb93a413f8f0a976a15e26462fa612dd2a279bb063aa5ba7
Instruction ID: 43d0567b54d87984666920a0b8c1dbc7db389a0592395c7dfa2d1b2004e26302
Opcode Fuzzy Hash: 3b045ef48ad9d1fcfb93a413f8f0a976a15e26462fa612dd2a279bb063aa5ba7
Instruction Fuzzy Hash: C7F03722B3D74681EE556B26A48413AA2A2FF88790F481032D96E83A55DF7CF455CA20

Function 00007FF7726363EC Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 121COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF772631F30: _invalid_parameter_noinfo.LIBCMT ref: 00007FF772631F63

_get_daylight.LIBCMT ref: 00007FF772636504
_get_daylight.LIBCMT ref: 00007FF772636515

Strings

?, xrefs: 00007FF772636495

Memory Dump Source

Source File: 00000001.00000002.2248053225.00007FF772611000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF772610000, based on PE: true

Associated: 00000001.00000002.2248031395.00007FF772610000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248090145.00007FF77263B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF77264E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF772650000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248161354.00007FF772652000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff772610000_UiF5hKi5o7.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo
String ID: ?
API String ID: 1286766494-1684325040
Opcode ID: 5e4ebd1a5459c2e423b2534f2a9cbc7097c5d613e404f6a657933abeadd07c2a
Instruction ID: da69bfff6794991ca30fefc4fb50e6791e946011d0374634596cfa2f28511798
Opcode Fuzzy Hash: 5e4ebd1a5459c2e423b2534f2a9cbc7097c5d613e404f6a657933abeadd07c2a
Instruction Fuzzy Hash: CB41FB23A3C28141F7656B15944137B9692EB807A4F94423AEF6C87EDBDEBCD441CF14

Function 00007FF7726297D8 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 111COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF77262980A

Part of subcall function 00007FF77262B13C: RtlFreeHeap.NTDLL(?,?,?,00007FF7726334F2,?,?,?,00007FF77263352F,?,?,00000000,00007FF7726339F5,?,?,00000000,00007FF772633927), ref: 00007FF77262B152
Part of subcall function 00007FF77262B13C: GetLastError.KERNEL32(?,?,?,00007FF7726334F2,?,?,?,00007FF77263352F,?,?,00000000,00007FF7726339F5,?,?,00000000,00007FF772633927), ref: 00007FF77262B15C

GetModuleFileNameW.KERNEL32(?,?,?,?,?,00007FF77261B535), ref: 00007FF772629828

Strings

C:\Users\user\Desktop\UiF5hKi5o7.exe, xrefs: 00007FF772629816

Memory Dump Source

Source File: 00000001.00000002.2248053225.00007FF772611000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF772610000, based on PE: true

Associated: 00000001.00000002.2248031395.00007FF772610000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248090145.00007FF77263B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF77264E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF772650000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248161354.00007FF772652000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff772610000_UiF5hKi5o7.jbxd

Similarity

API ID: ErrorFileFreeHeapLastModuleName_invalid_parameter_noinfo
String ID: C:\Users\user\Desktop\UiF5hKi5o7.exe
API String ID: 3580290477-2226567000
Opcode ID: 4dbf1527d4e58d516c7ee72884490de61766f176bacbb8e5bffd339a416dd47e
Instruction ID: 6760be6dc69a1dce3353eb45f205975254ae1359a95ac1efbf6031760dc44886
Opcode Fuzzy Hash: 4dbf1527d4e58d516c7ee72884490de61766f176bacbb8e5bffd339a416dd47e
Instruction Fuzzy Hash: 9041A433A3971285EB15BF2294410BEA2D6EF84790BA44037E96D83F45EE7DD581CB21

Function 00007FF77262D428 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 00007FF77262D53F
GetLastError.KERNEL32 ref: 00007FF77262D561

Strings

U, xrefs: 00007FF77262D4EB

Memory Dump Source

Source File: 00000001.00000002.2248053225.00007FF772611000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF772610000, based on PE: true

Associated: 00000001.00000002.2248031395.00007FF772610000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248090145.00007FF77263B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF77264E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF772650000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248161354.00007FF772652000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff772610000_UiF5hKi5o7.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 2dd23d861f39fa8c48265a5b090f5e727a49fb98d456b98054fc3ae4b3cee164
Instruction ID: 076bfab05ae5abb859fc2348a6a8667ddae7c348c9eb8c299f2104c8d2ccb8bb
Opcode Fuzzy Hash: 2dd23d861f39fa8c48265a5b090f5e727a49fb98d456b98054fc3ae4b3cee164
Instruction Fuzzy Hash: 3A41A323B3964185DB20AF25E4443AAA7A5F798794F844032EE5D87B58DFBCE441CB50

Function 00007FF77262FA78 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32 ref: 00007FF77262FAB8
GetCurrentDirectoryW.KERNEL32 ref: 00007FF77262FB0A

Strings

:, xrefs: 00007FF77262FACE

Memory Dump Source

Source File: 00000001.00000002.2248053225.00007FF772611000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF772610000, based on PE: true

Associated: 00000001.00000002.2248031395.00007FF772610000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248090145.00007FF77263B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF77264E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF772650000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248161354.00007FF772652000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff772610000_UiF5hKi5o7.jbxd

Similarity

API ID: CurrentDirectory
String ID: :
API String ID: 1611563598-336475711
Opcode ID: c951c9f5a06786afa9f7a1c5b602e5650f2703f1cd8c2b6b9cec0e97c1d1868a
Instruction ID: 35cf7e4fa8dd087b30e721d98bc68fd336e266b75bc3c6e0f31cd6139e525d4a
Opcode Fuzzy Hash: c951c9f5a06786afa9f7a1c5b602e5650f2703f1cd8c2b6b9cec0e97c1d1868a
Instruction Fuzzy Hash: 0521B663A3828181EB24AB11905426FB3F2FB84B44FC54136DAAC83A84CFBCE545CB61

Function 00007FF77261F3C0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32 ref: 00007FF77261F404
RaiseException.KERNEL32 ref: 00007FF77261F44A

Strings

csm, xrefs: 00007FF77261F437

Memory Dump Source

Source File: 00000001.00000002.2248053225.00007FF772611000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF772610000, based on PE: true

Associated: 00000001.00000002.2248031395.00007FF772610000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248090145.00007FF77263B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF77264E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF772650000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248161354.00007FF772652000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff772610000_UiF5hKi5o7.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 6516e85e4b84e47353546abe8fa16ce7e0c12dcece2dedf88f831252cdda500d
Instruction ID: fa8a830d25b155307026a968afc89686affe4bb41207d23fccd05f7272019150
Opcode Fuzzy Hash: 6516e85e4b84e47353546abe8fa16ce7e0c12dcece2dedf88f831252cdda500d
Instruction Fuzzy Hash: 23113D32628B4582EB609F15F44026AB7A1FB88B88F584231DF9C87B65DF7CD551CB00

Function 00007FF77263057C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7726305AC
GetDriveTypeW.KERNEL32 ref: 00007FF7726305EC

Strings

:, xrefs: 00007FF7726305D5

Memory Dump Source

Source File: 00000001.00000002.2248053225.00007FF772611000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF772610000, based on PE: true

Associated: 00000001.00000002.2248031395.00007FF772610000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248090145.00007FF77263B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF77264E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248116199.00007FF772650000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2248161354.00007FF772652000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff772610000_UiF5hKi5o7.jbxd

Similarity

API ID: DriveType_invalid_parameter_noinfo
String ID: :
API String ID: 2595371189-336475711
Opcode ID: 30ecb463a9293d5892dedd1a0e3f87856f73a65bf087bf20bcac9d3b0060f559
Instruction ID: 2a3494ddd854c39e1f729120cfd7fb46d5325d30e1eb6640dba2a858f7ebd56b
Opcode Fuzzy Hash: 30ecb463a9293d5892dedd1a0e3f87856f73a65bf087bf20bcac9d3b0060f559
Instruction Fuzzy Hash: F7017163A3C24285FB61BF60946127FA3A1EF54714FC40437D96DC6A82DEACE548CE24

Analysis Process: UiF5hKi5o7.exePID: 6364, Parent PID: 5516COMMON

Non-executed Functions

Function 00007FF8BFB98C24 Relevance: 54.6, APIs: 3, Strings: 28, Instructions: 352COMMON

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FF8BFB9913D
DName::operator+.LIBVCRUNTIME ref: 00007FF8BFB99175
DName::operator+.LIBVCRUNTIME ref: 00007FF8BFB991AF

Strings

short, xrefs: 00007FF8BFB98CE0
volatile, xrefs: 00007FF8BFB98FF8
auto, xrefs: 00007FF8BFB98F3F
__w64 , xrefs: 00007FF8BFB98E3A
long, xrefs: 00007FF8BFB98CBC
__int64, xrefs: 00007FF8BFB98EC9
long , xrefs: 00007FF8BFB98D31
const, xrefs: 00007FF8BFB98FDD
wchar_t, xrefs: 00007FF8BFB990A8
bool, xrefs: 00007FF8BFB99056
unsigned , xrefs: 00007FF8BFB990FA
double, xrefs: 00007FF8BFB98D48
decltype(auto), xrefs: 00007FF8BFB990C6
<unknown>, xrefs: 00007FF8BFB98F1B
__int32, xrefs: 00007FF8BFB98EDB
char32_t, xrefs: 00007FF8BFB990B7
char, xrefs: 00007FF8BFB98CF2
float, xrefs: 00007FF8BFB98D74
UNKNOWN, xrefs: 00007FF8BFB9908D
int, xrefs: 00007FF8BFB98CCE
char8_t, xrefs: 00007FF8BFB98F2D
__int8, xrefs: 00007FF8BFB98E2E
char16_t, xrefs: 00007FF8BFB99065
void, xrefs: 00007FF8BFB98D86
volatile, xrefs: 00007FF8BFB99025
signed , xrefs: 00007FF8BFB9910A
__int16, xrefs: 00007FF8BFB98E1C
__int128, xrefs: 00007FF8BFB98EB7

Memory Dump Source

Source File: 00000004.00000002.2247322827.00007FF8BFB91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8BFB90000, based on PE: true

Associated: 00000004.00000002.2247299680.00007FF8BFB90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2247348346.00007FF8BFBA1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2247370423.00007FF8BFBA6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2247392718.00007FF8BFBA7000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff8bfb90000_UiF5hKi5o7.jbxd

Similarity

API ID: Name::operator+
String ID: volatile$<unknown>$UNKNOWN$__int128$__int16$__int32$__int64$__int8$__w64 $auto$bool$char$char16_t$char32_t$char8_t$const$decltype(auto)$double$float$int$long$long $short$signed $unsigned $void$volatile$wchar_t
API String ID: 2943138195-1388207849
Opcode ID: 34b20832b4d5a9c82cdd9a34609b0a596913eac70dfc3082442192f721d64891
Instruction ID: 59a814306d2f6ba551000e7c7c98938950be1e176704c9972e7a7bcb6dd64de7
Opcode Fuzzy Hash: 34b20832b4d5a9c82cdd9a34609b0a596913eac70dfc3082442192f721d64891
Instruction Fuzzy Hash: ACF16A72F18A1299FB548BACC8542BC27B1BF157C4F80953ADB1D16AA8DF3DE644C340

Function 00007FF8BFB9C3C8 Relevance: 28.3, APIs: 15, Strings: 1, Instructions: 288COMMON

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FF8BFB9C459
DName::operator+.LIBVCRUNTIME ref: 00007FF8BFB9C492
DName::operator+.LIBVCRUNTIME ref: 00007FF8BFB9C566
DName::operator+.LIBVCRUNTIME ref: 00007FF8BFB9C577
DName::operator+.LIBVCRUNTIME ref: 00007FF8BFB9C5DA
DName::operator+.LIBVCRUNTIME ref: 00007FF8BFB9C5EA
DName::operator+.LIBVCRUNTIME ref: 00007FF8BFB9C636
DName::operator+.LIBVCRUNTIME ref: 00007FF8BFB9C648
DName::operator+.LIBVCRUNTIME ref: 00007FF8BFB9C7BB
DName::operator+.LIBVCRUNTIME ref: 00007FF8BFB9C83B
DName::operator+.LIBVCRUNTIME ref: 00007FF8BFB9C84A

Strings

`anonymous namespace', xrefs: 00007FF8BFB9C71B

Memory Dump Source

Source File: 00000004.00000002.2247322827.00007FF8BFB91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8BFB90000, based on PE: true

Associated: 00000004.00000002.2247299680.00007FF8BFB90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2247348346.00007FF8BFBA1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2247370423.00007FF8BFBA6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2247392718.00007FF8BFBA7000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff8bfb90000_UiF5hKi5o7.jbxd

Similarity

API ID: Name::operator+
String ID: `anonymous namespace'
API String ID: 2943138195-3062148218
Opcode ID: c36001f134547c1fc12f70ffa9b86d35a9d04869d0c52a2f257cd9dd74f3dfc9
Instruction ID: 10074a9a50bb3f19e6ab12a978becd0af82d1b5e55508cd567abcfba44b5485f
Opcode Fuzzy Hash: c36001f134547c1fc12f70ffa9b86d35a9d04869d0c52a2f257cd9dd74f3dfc9
Instruction Fuzzy Hash: 58E17DB2A08B8696EB10CFA8E8801ED77A0FB45788F949036EB5D17B95DF3CE555C700

Function 00007FF8BFB9A83C Relevance: 22.9, APIs: 15, Instructions: 358COMMON

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FF8BFB9A88D
DName::operator+.LIBVCRUNTIME ref: 00007FF8BFB9A969
DName::operator+.LIBVCRUNTIME ref: 00007FF8BFB9A9B2
DName::operator+.LIBVCRUNTIME ref: 00007FF8BFB9A9C3

Memory Dump Source

Source File: 00000004.00000002.2247322827.00007FF8BFB91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8BFB90000, based on PE: true

Associated: 00000004.00000002.2247299680.00007FF8BFB90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2247348346.00007FF8BFBA1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2247370423.00007FF8BFBA6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2247392718.00007FF8BFBA7000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff8bfb90000_UiF5hKi5o7.jbxd

Similarity

API ID: Name::operator+
String ID:
API String ID: 2943138195-0
Opcode ID: 63ad456de8db332c0b347e2e514b887ab112aaee213ccda8367cb7f767930e9c
Instruction ID: e1307a64a4be5e025d1e02855915364b4a12bbf23f2fb4e4b3210a4e13a5a7c4
Opcode Fuzzy Hash: 63ad456de8db332c0b347e2e514b887ab112aaee213ccda8367cb7f767930e9c
Instruction Fuzzy Hash: 98F16976B08A829AEB10DFA8D4901FC77B5EB0578CB448036EB4D67A99DF38D55AC340

Function 00007FF8BFB9D20C Relevance: 21.3, APIs: 7, Strings: 5, Instructions: 349COMMON

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FF8BFB9D712

Strings

`template-type-parameter-, xrefs: 00007FF8BFB9D6D0
`generic-class-parameter-, xrefs: 00007FF8BFB9D6C7
nullptr, xrefs: 00007FF8BFB9D3FA
NULL, xrefs: 00007FF8BFB9D2D7
`generic-method-parameter-, xrefs: 00007FF8BFB9D6B7

Memory Dump Source

Source File: 00000004.00000002.2247322827.00007FF8BFB91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8BFB90000, based on PE: true

Associated: 00000004.00000002.2247299680.00007FF8BFB90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2247348346.00007FF8BFBA1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2247370423.00007FF8BFBA6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2247392718.00007FF8BFBA7000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff8bfb90000_UiF5hKi5o7.jbxd

Similarity

API ID: Name::operator+
String ID: NULL$`generic-class-parameter-$`generic-method-parameter-$`template-type-parameter-$nullptr
API String ID: 2943138195-2309034085
Opcode ID: 767f6b35ed257beddb1ea2fff1390adae3ecab9bc22a75a6672164d643aa4b64
Instruction ID: 701d136f32e5d2497fdcff3afa9f05bae8a9140dc7294649162de79ebe66683d
Opcode Fuzzy Hash: 767f6b35ed257beddb1ea2fff1390adae3ecab9bc22a75a6672164d643aa4b64
Instruction Fuzzy Hash: 84E17E62E0C61294FB15ABFEC9941BC27A1AF497C4F54813ACF8D26B99DF3CA905C340

Function 00007FF8BFB92CE4 Relevance: 19.6, APIs: 8, Strings: 3, Instructions: 309COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00007FF8BFB92D40

Part of subcall function 00007FF8BFB95010: _GetEstablisherFrame.LIBVCRUNTIME ref: 00007FF8BFB95045
Part of subcall function 00007FF8BFB95010: __GetUnwindTryBlock.LIBCMT ref: 00007FF8BFB95053
Part of subcall function 00007FF8BFB95010: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00007FF8BFB95078

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FF8BFB92E18
terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BFB92E25
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00007FF8BFB93060
terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BFB9308E
_GetEstablisherFrame.LIBVCRUNTIME ref: 00007FF8BFB930CC

Part of subcall function 00007FF8BFB96710: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FF8BFB9239E), ref: 00007FF8BFB9671E

abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BFB93154
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF8BFB93189

Strings

csm, xrefs: 00007FF8BFB92E3D
csm, xrefs: 00007FF8BFB92D5A
csm, xrefs: 00007FF8BFB92DC1

Memory Dump Source

Source File: 00000004.00000002.2247322827.00007FF8BFB91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8BFB90000, based on PE: true

Associated: 00000004.00000002.2247299680.00007FF8BFB90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2247348346.00007FF8BFBA1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2247370423.00007FF8BFBA6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2247392718.00007FF8BFBA7000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff8bfb90000_UiF5hKi5o7.jbxd

Similarity

API ID: Frame$BlockEstablisherHandler3::Unwindabortterminate$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 3436797354-393685449
Opcode ID: d5e0e3ab29c15918133307a59fdea49d8ed4f7431b693d67295d57de9f2acebd
Instruction ID: 59c1d873dee27303ad6f4f3d39c5b1faf4c9964f628174750bf9f57642c04c10
Opcode Fuzzy Hash: d5e0e3ab29c15918133307a59fdea49d8ed4f7431b693d67295d57de9f2acebd
Instruction Fuzzy Hash: 0DD17032A08B418AEB609FA9D4843AD77A4FB857D8F14813ADF8D57B59CF38E494C700

Function 00007FF8BFB9E350 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 196COMMON

Download Yara Rule

Strings

`generic-type-, xrefs: 00007FF8BFB9E491
generic-type-, xrefs: 00007FF8BFB9E45E
template-parameter-, xrefs: 00007FF8BFB9E417
`template-parameter-, xrefs: 00007FF8BFB9E44A

Memory Dump Source

Source File: 00000004.00000002.2247322827.00007FF8BFB91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8BFB90000, based on PE: true

Associated: 00000004.00000002.2247299680.00007FF8BFB90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2247348346.00007FF8BFBA1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2247370423.00007FF8BFBA6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2247392718.00007FF8BFBA7000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff8bfb90000_UiF5hKi5o7.jbxd

Similarity

API ID:
String ID: `generic-type-$`template-parameter-$generic-type-$template-parameter-
API String ID: 0-3207858774
Opcode ID: 6f458657f8fae6e2f2557f40169539ea56a3e6fb73d2116d9b83691f1491e61c
Instruction ID: ef01b05fdb72ad420aad5c2749f6f328c8a981ed4181199881e4f12f50e84918
Opcode Fuzzy Hash: 6f458657f8fae6e2f2557f40169539ea56a3e6fb73d2116d9b83691f1491e61c
Instruction Fuzzy Hash: E5919C62B08A8689FB11CFADD4502BC37A1AB55BC4F889036DB5D03795EF3CE906C760

Function 00007FF8BFB9A13C Relevance: 15.9, APIs: 2, Strings: 7, Instructions: 120COMMON

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FF8BFB9A198

Part of subcall function 00007FF8BFB9722C: DName::operator+=.LIBVCRUNTIME ref: 00007FF8BFB97247

DName::operator+.LIBVCRUNTIME ref: 00007FF8BFB9A2C5

Strings

coclass , xrefs: 00007FF8BFB9A27E
union , xrefs: 00007FF8BFB9A2F2
class , xrefs: 00007FF8BFB9A2DA
struct , xrefs: 00007FF8BFB9A2E9
enum , xrefs: 00007FF8BFB9A287
`unknown ecsu', xrefs: 00007FF8BFB9A164
cointerface , xrefs: 00007FF8BFB9A26C

Memory Dump Source

Source File: 00000004.00000002.2247322827.00007FF8BFB91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8BFB90000, based on PE: true

Associated: 00000004.00000002.2247299680.00007FF8BFB90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2247348346.00007FF8BFBA1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2247370423.00007FF8BFBA6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2247392718.00007FF8BFBA7000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff8bfb90000_UiF5hKi5o7.jbxd

Similarity

API ID: Name::operator+$Name::operator+=
String ID: `unknown ecsu'$class $coclass $cointerface $enum $struct $union
API String ID: 179159573-1464470183
Opcode ID: 2fc61dd6c602e97fa3c1e55ca06bd20aebc659b0b394667bc2b1a0081ee2f141
Instruction ID: 3d1362c2a29b626f704d40892af7e8b921ce30f37e9e77f6d1a6bfeebabc3ee3
Opcode Fuzzy Hash: 2fc61dd6c602e97fa3c1e55ca06bd20aebc659b0b394667bc2b1a0081ee2f141
Instruction Fuzzy Hash: 26513772F18A2689FB14DBA8E8805BC77B5BB153C8F508139EF0D66A98DF39E545C700

Function 00007FF8BFB988E4 Relevance: 15.2, APIs: 10, Instructions: 150COMMON

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FF8BFB989AE
DName::operator+.LIBVCRUNTIME ref: 00007FF8BFB989BE
DName::operator+.LIBVCRUNTIME ref: 00007FF8BFB98A0A
DName::operator+.LIBVCRUNTIME ref: 00007FF8BFB98A1A
DName::operator+.LIBVCRUNTIME ref: 00007FF8BFB98A2A
DName::operator+.LIBVCRUNTIME ref: 00007FF8BFB98A9D
DName::operator+.LIBVCRUNTIME ref: 00007FF8BFB98AAE
DName::operator+.LIBVCRUNTIME ref: 00007FF8BFB98AC0
DName::operator+.LIBVCRUNTIME ref: 00007FF8BFB98AEC
DName::operator+.LIBVCRUNTIME ref: 00007FF8BFB98AFB

Memory Dump Source

Source File: 00000004.00000002.2247322827.00007FF8BFB91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8BFB90000, based on PE: true

Associated: 00000004.00000002.2247299680.00007FF8BFB90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2247348346.00007FF8BFBA1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2247370423.00007FF8BFBA6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2247392718.00007FF8BFBA7000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff8bfb90000_UiF5hKi5o7.jbxd

Similarity

API ID: Name::operator+
String ID:
API String ID: 2943138195-0
Opcode ID: 28d39e64d2900046752fe00e0d170ae61e4b908a297697eb59c3c366de5be272
Instruction ID: 545931b1767d8c5e526291caf36c5c70402d4b8059c5bbabae51e318836041da
Opcode Fuzzy Hash: 28d39e64d2900046752fe00e0d170ae61e4b908a297697eb59c3c366de5be272
Instruction Fuzzy Hash: 4F614A62B14B6698FB00DBE8D8801EC37B1BB45788F909436EF4D6BA99DF78D545C340

Function 00007FF8BFB931A0 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 314COMMON

Download Yara Rule

APIs

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FF8BFB9333E
terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BFB9334B

Part of subcall function 00007FF8BFB96710: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FF8BFB9239E), ref: 00007FF8BFB9671E

terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BFB935F9
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BFB93644
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF8BFB93679

Strings

csm, xrefs: 00007FF8BFB93285
csm, xrefs: 00007FF8BFB93367
csm, xrefs: 00007FF8BFB932E7

Memory Dump Source

Source File: 00000004.00000002.2247322827.00007FF8BFB91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8BFB90000, based on PE: true

Associated: 00000004.00000002.2247299680.00007FF8BFB90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2247348346.00007FF8BFBA1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2247370423.00007FF8BFBA6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2247392718.00007FF8BFBA7000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff8bfb90000_UiF5hKi5o7.jbxd

Similarity

API ID: abortterminate$Is_bad_exception_allowedstd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 211107550-393685449
Opcode ID: 1f2c6e9c8ad6c1917ecaa8d6efe9c468c91fc9baef10e6d9588306a72b9f3ebc
Instruction ID: 9ea84510a9673dd87d538fa2eebefa4001fee448f7c3055c1b49fbaba37fb1b2
Opcode Fuzzy Hash: 1f2c6e9c8ad6c1917ecaa8d6efe9c468c91fc9baef10e6d9588306a72b9f3ebc
Instruction Fuzzy Hash: 4FE1A073A086828AE7109FB8D4802AD7BA5FB85BD8F19813ADF9D47755CF38E495C700

Function 00007FF8BFB9BE24 Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 111COMMON

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FF8BFB9BFD8

Part of subcall function 00007FF8BFB98C24: DName::operator+.LIBVCRUNTIME ref: 00007FF8BFB9913D
Part of subcall function 00007FF8BFB98C24: DName::operator+.LIBVCRUNTIME ref: 00007FF8BFB99175

DName::operator+.LIBVCRUNTIME ref: 00007FF8BFB9BF8A

Strings

cli::array<, xrefs: 00007FF8BFB9BF57
cli::pin_ptr<, xrefs: 00007FF8BFB9BFA1
void , xrefs: 00007FF8BFB9BE96
void, xrefs: 00007FF8BFB9BE6E
std::nullptr_t, xrefs: 00007FF8BFB9BF03
std::nullptr_t , xrefs: 00007FF8BFB9BF16

Memory Dump Source

Source File: 00000004.00000002.2247322827.00007FF8BFB91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8BFB90000, based on PE: true

Associated: 00000004.00000002.2247299680.00007FF8BFB90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2247348346.00007FF8BFBA1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2247370423.00007FF8BFBA6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2247392718.00007FF8BFBA7000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff8bfb90000_UiF5hKi5o7.jbxd

Similarity

API ID: Name::operator+
String ID: cli::array<$cli::pin_ptr<$std::nullptr_t$std::nullptr_t $void$void
API String ID: 2943138195-2239912363
Opcode ID: e2dcc5ac231621b7bb9adceaede0f9dd180f9bba2b8fff5e7c5622460418e45f
Instruction ID: 9ea80375222b62fdd824682f0d8eb4b1aafdb87d051a526bdbdf06319f5ed3e1
Opcode Fuzzy Hash: e2dcc5ac231621b7bb9adceaede0f9dd180f9bba2b8fff5e7c5622460418e45f
Instruction Fuzzy Hash: CC518C62E18B5698FB11CBA8D8852BC77B4BB58788F44C13ADF4D12B95DF3CA244CB10

Function 00007FF8BFB95F0A Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 162COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF8BFB963F0: RtlPcToFileHeader.KERNEL32 ref: 00007FF8BFB96434
Part of subcall function 00007FF8BFB963F0: RaiseException.KERNEL32 ref: 00007FF8BFB9647A

RtlPcToFileHeader.KERNEL32 ref: 00007FF8BFB95FA7
FindMITargetTypeInstance.LIBVCRUNTIME ref: 00007FF8BFB96003

Strings

Bad read pointer - no RTTI data!, xrefs: 00007FF8BFB96108
Attempted a typeid of nullptr pointer!, xrefs: 00007FF8BFB960E5
Access violation - no RTTI data!, xrefs: 00007FF8BFB95F0A, 00007FF8BFB9612B
Bad dynamic_cast!, xrefs: 00007FF8BFB96072

Memory Dump Source

Source File: 00000004.00000002.2247322827.00007FF8BFB91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8BFB90000, based on PE: true

Associated: 00000004.00000002.2247299680.00007FF8BFB90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2247348346.00007FF8BFBA1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2247370423.00007FF8BFBA6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2247392718.00007FF8BFBA7000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff8bfb90000_UiF5hKi5o7.jbxd

Similarity

API ID: FileHeader$ExceptionFindInstanceRaiseTargetType
String ID: Access violation - no RTTI data!$Attempted a typeid of nullptr pointer!$Bad dynamic_cast!$Bad read pointer - no RTTI data!
API String ID: 1852475696-928371585
Opcode ID: 7f6c35cefbfcfc98e88ebc0aa35afe6c2c6ede9eabcdb344d1914a97fbaad475
Instruction ID: 07c77ad30da301d77144d21f4f3d6a0758b2c9013d33546275bb46cae5b65968
Opcode Fuzzy Hash: 7f6c35cefbfcfc98e88ebc0aa35afe6c2c6ede9eabcdb344d1914a97fbaad475
Instruction Fuzzy Hash: 6451C162A19A4692EE60CBACE8906B963A1FF44BD4F408436DB8E07765EF3CE505C700

Function 00007FF8BFB9E148 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 127COMMON

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FF8BFB9E1BC
DName::operator+.LIBVCRUNTIME ref: 00007FF8BFB9E1CB
DName::operator+=.LIBVCRUNTIME ref: 00007FF8BFB9E2E8

Part of subcall function 00007FF8BFB9C3C8: DName::operator+.LIBVCRUNTIME ref: 00007FF8BFB9C459
Part of subcall function 00007FF8BFB9C3C8: DName::operator+.LIBVCRUNTIME ref: 00007FF8BFB9C492
Part of subcall function 00007FF8BFB9C3C8: DName::operator+.LIBVCRUNTIME ref: 00007FF8BFB9C7BB

DName::operator+.LIBVCRUNTIME ref: 00007FF8BFB9E26B
DName::operator+.LIBVCRUNTIME ref: 00007FF8BFB9E27B
DName::operator+.LIBVCRUNTIME ref: 00007FF8BFB9E325

Strings

{for , xrefs: 00007FF8BFB9E1F4

Memory Dump Source

Source File: 00000004.00000002.2247322827.00007FF8BFB91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8BFB90000, based on PE: true

Associated: 00000004.00000002.2247299680.00007FF8BFB90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2247348346.00007FF8BFBA1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2247370423.00007FF8BFBA6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2247392718.00007FF8BFBA7000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff8bfb90000_UiF5hKi5o7.jbxd

Similarity

API ID: Name::operator+$Name::operator+=
String ID: {for
API String ID: 179159573-864106941
Opcode ID: edc966f78679f2c80b6a90da374f91d2d358e76260b44eb27b7c84d8a506cb89
Instruction ID: f03fe6c83707e6d69bbcb166ac463e9d75e182d12c67f7c4bf21ee11812c5f59
Opcode Fuzzy Hash: edc966f78679f2c80b6a90da374f91d2d358e76260b44eb27b7c84d8a506cb89
Instruction Fuzzy Hash: 81515772A08A86AAEB119FA8D4413ED33A1FB45788F80D035EB4C4BB95DF7CE555C310

Function 00007FF8BFB968AC Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 88libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,?,00007FF8BFB96A6B,?,?,00000000,00007FF8BFB9689C,?,?,?,?,00007FF8BFB965E5), ref: 00007FF8BFB96931
GetLastError.KERNEL32(?,?,?,00007FF8BFB96A6B,?,?,00000000,00007FF8BFB9689C,?,?,?,?,00007FF8BFB965E5), ref: 00007FF8BFB9693F
wcsncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF8BFB96A6B,?,?,00000000,00007FF8BFB9689C,?,?,?,?,00007FF8BFB965E5), ref: 00007FF8BFB96958
LoadLibraryExW.KERNEL32(?,?,?,00007FF8BFB96A6B,?,?,00000000,00007FF8BFB9689C,?,?,?,?,00007FF8BFB965E5), ref: 00007FF8BFB9696A
FreeLibrary.KERNEL32(?,?,?,00007FF8BFB96A6B,?,?,00000000,00007FF8BFB9689C,?,?,?,?,00007FF8BFB965E5), ref: 00007FF8BFB969B0
GetProcAddress.KERNEL32(?,?,?,00007FF8BFB96A6B,?,?,00000000,00007FF8BFB9689C,?,?,?,?,00007FF8BFB965E5), ref: 00007FF8BFB969BC

Strings

api-ms-, xrefs: 00007FF8BFB96951

Memory Dump Source

Source File: 00000004.00000002.2247322827.00007FF8BFB91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8BFB90000, based on PE: true

Associated: 00000004.00000002.2247299680.00007FF8BFB90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2247348346.00007FF8BFBA1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2247370423.00007FF8BFBA6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2247392718.00007FF8BFBA7000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff8bfb90000_UiF5hKi5o7.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProcwcsncmp
String ID: api-ms-
API String ID: 916704608-2084034818
Opcode ID: 45bb9c456b18d615664943834e4003b355ea3ec7f5874fc1f64106649d67ca5c
Instruction ID: d03c2c8cf1a09aa18da2c20488f5606b70ab7929933c65165812047b57ec4d75
Opcode Fuzzy Hash: 45bb9c456b18d615664943834e4003b355ea3ec7f5874fc1f64106649d67ca5c
Instruction Fuzzy Hash: 5831E521B0AB5691EE51DB9AD8002B523A5FF08BE0F59853AEF2D07394EF3CE544C710

Function 00007FF8BFB927CC Relevance: 12.1, APIs: 8, Instructions: 148COMMON

Download Yara Rule

APIs

abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BFB92886
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BFB928A5
__AdjustPointer.LIBCMT ref: 00007FF8BFB928E6
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BFB928F3
__AdjustPointer.LIBCMT ref: 00007FF8BFB9292F
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BFB92944
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BFB92989
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BFB92990

Memory Dump Source

Source File: 00000004.00000002.2247322827.00007FF8BFB91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8BFB90000, based on PE: true

Associated: 00000004.00000002.2247299680.00007FF8BFB90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2247348346.00007FF8BFBA1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2247370423.00007FF8BFBA6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2247392718.00007FF8BFBA7000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff8bfb90000_UiF5hKi5o7.jbxd

Similarity

API ID: abort$AdjustPointer
String ID:
API String ID: 1501936508-0
Opcode ID: ad7bbbe6b4c289a22ae1e43e79ef4439cf3ee9b14764b2eff01f06dd25f3f236
Instruction ID: 0b86b1501308bb0f8685659f83e4dc30a8a190d899f1cd59fb9f99b3605ffced
Opcode Fuzzy Hash: ad7bbbe6b4c289a22ae1e43e79ef4439cf3ee9b14764b2eff01f06dd25f3f236
Instruction Fuzzy Hash: 38518D61E0AA9781FA699BDDD88467877A4AF44FD0F19C439CF4D06B99DF2CE4428310

Function 00007FF8BFB925E8 Relevance: 12.1, APIs: 8, Instructions: 148COMMON

Download Yara Rule

APIs

abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BFB926A0
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BFB926BE
__AdjustPointer.LIBCMT ref: 00007FF8BFB926FF
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BFB9270C
__AdjustPointer.LIBCMT ref: 00007FF8BFB92748
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BFB9275D
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BFB927A2
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BFB927A9

Memory Dump Source

Source File: 00000004.00000002.2247322827.00007FF8BFB91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8BFB90000, based on PE: true

Associated: 00000004.00000002.2247299680.00007FF8BFB90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2247348346.00007FF8BFBA1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2247370423.00007FF8BFBA6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2247392718.00007FF8BFBA7000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff8bfb90000_UiF5hKi5o7.jbxd

Similarity

API ID: abort$AdjustPointer
String ID:
API String ID: 1501936508-0
Opcode ID: d386002f74db6febb42ef9b4bac4e43e25a554ab645870d9c47f674d5a84533b
Instruction ID: cc12bbe9b5d1f8d061891f795ee06781c1af38a86d23a4323cad4e174f7882ef
Opcode Fuzzy Hash: d386002f74db6febb42ef9b4bac4e43e25a554ab645870d9c47f674d5a84533b
Instruction Fuzzy Hash: 6951BB26E0AA4681FEA69FED99846387390AF55FD0F1AC035CF5D16F95DE2CE842C300

Function 00007FF8BFB95520 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 132COMMON

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32 ref: 00007FF8BFB955E9
_local_unwind.LIBVCRUNTIME ref: 00007FF8BFB9568C

Strings

RCC, xrefs: 00007FF8BFB9556E
MOC, xrefs: 00007FF8BFB95562
csm, xrefs: 00007FF8BFB95584
csm, xrefs: 00007FF8BFB956D0

Memory Dump Source

Source File: 00000004.00000002.2247322827.00007FF8BFB91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8BFB90000, based on PE: true

Associated: 00000004.00000002.2247299680.00007FF8BFB90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2247348346.00007FF8BFBA1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2247370423.00007FF8BFBA6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2247392718.00007FF8BFBA7000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff8bfb90000_UiF5hKi5o7.jbxd

Similarity

API ID: FileHeader_local_unwind
String ID: MOC$RCC$csm$csm
API String ID: 2627209546-1441736206
Opcode ID: 385ada566cdd30ad99b7ac5e1d5c8025a7264eea7c22efa234297d7bd0e399d8
Instruction ID: 844427b66b8f5502d0369f3051f6f2a02060f7797de5c4e01edc1e859397835d
Opcode Fuzzy Hash: 385ada566cdd30ad99b7ac5e1d5c8025a7264eea7c22efa234297d7bd0e399d8
Instruction Fuzzy Hash: 68518D76A0961286EA609FA9D80477D27E0FF84BD4F15A036EF9C42389DF3CE4418A01

Function 00007FF8BFB9D740 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 89COMMON

Download Yara Rule

APIs

atol.API-MS-WIN-CRT-CONVERT-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF8BFB9CE14), ref: 00007FF8BFB9D803
DName::DName.LIBVCRUNTIME ref: 00007FF8BFB9D822

Strings

`template-parameter, xrefs: 00007FF8BFB9D830
void, xrefs: 00007FF8BFB9D786

Memory Dump Source

Source File: 00000004.00000002.2247322827.00007FF8BFB91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8BFB90000, based on PE: true

Associated: 00000004.00000002.2247299680.00007FF8BFB90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2247348346.00007FF8BFBA1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2247370423.00007FF8BFBA6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2247392718.00007FF8BFBA7000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff8bfb90000_UiF5hKi5o7.jbxd

Similarity

API ID: NameName::atol
String ID: `template-parameter$void
API String ID: 2130343216-4057429177
Opcode ID: 2821a58495c29764098872c6b010649cccddcb6c42941e500fb92a9452cac6b1
Instruction ID: a0598c63d22a055deabbf05f02413da5bff08d0a83f2336de15ca94e29ce1746
Opcode Fuzzy Hash: 2821a58495c29764098872c6b010649cccddcb6c42941e500fb92a9452cac6b1
Instruction Fuzzy Hash: 28410566F08A5688FB01DBA9D8512BC23B1BB08BC8F949139DF4D16B59DF7CA545C340

Function 00007FF8BFB98624 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 85COMMON

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FF8BFB986DB

Strings

,..., xrefs: 00007FF8BFB986A8
<ellipsis>, xrefs: 00007FF8BFB98734
,<ellipsis>, xrefs: 00007FF8BFB986B8
void, xrefs: 00007FF8BFB98759
..., xrefs: 00007FF8BFB98724

Memory Dump Source

Source File: 00000004.00000002.2247322827.00007FF8BFB91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8BFB90000, based on PE: true

Associated: 00000004.00000002.2247299680.00007FF8BFB90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2247348346.00007FF8BFBA1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2247370423.00007FF8BFBA6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2247392718.00007FF8BFBA7000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff8bfb90000_UiF5hKi5o7.jbxd

Similarity

API ID: Name::operator+
String ID: ,...$,<ellipsis>$...$<ellipsis>$void
API String ID: 2943138195-2211150622
Opcode ID: 16d5b7056506ac1aa3be62c87a897449e0af35361c1a5b370ad614f7e7c3f2e7
Instruction ID: aedea82ee705562226f1c1f10190eb2634951507de7c5b74d92e84ba62d02051
Opcode Fuzzy Hash: 16d5b7056506ac1aa3be62c87a897449e0af35361c1a5b370ad614f7e7c3f2e7
Instruction Fuzzy Hash: 6F4124B2A18B4A88FB118FACD8802BC3BA4BB48788F949136DB5D57764DF3CE545C750

Function 00007FF8BFB9A31C Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 83COMMON

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FF8BFB9A40F

Strings

long , xrefs: 00007FF8BFB9A37E
int , xrefs: 00007FF8BFB9A38D
short , xrefs: 00007FF8BFB9A39C
unsigned , xrefs: 00007FF8BFB9A3E3
char , xrefs: 00007FF8BFB9A3A5

Memory Dump Source

Source File: 00000004.00000002.2247322827.00007FF8BFB91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8BFB90000, based on PE: true

Associated: 00000004.00000002.2247299680.00007FF8BFB90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2247348346.00007FF8BFBA1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2247370423.00007FF8BFBA6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2247392718.00007FF8BFBA7000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff8bfb90000_UiF5hKi5o7.jbxd

Similarity

API ID: Name::operator+
String ID: char $int $long $short $unsigned
API String ID: 2943138195-3894466517
Opcode ID: 1a667bf595c3f0eddcec5e75b1b20bf055c895b242c78c01af1086ecda962d52
Instruction ID: 624d6d48bbc97b99997222cd1fd0f0a212d61dae01a92d412029d30d0f902525
Opcode Fuzzy Hash: 1a667bf595c3f0eddcec5e75b1b20bf055c895b242c78c01af1086ecda962d52
Instruction Fuzzy Hash: 83415672E1CA5689EB128FACE8841BC77B5BB08788F44D139DB0C56BA8DF3CA544C710

Function 00007FF8BFB962D0 Relevance: 9.1, APIs: 6, Instructions: 84stringCOMMON

Download Yara Rule

APIs

__unDName.LIBVCRUNTIME ref: 00007FF8BFB96326
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF8BFB96369
strcpy_s.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF8BFB96393
InterlockedPushEntrySList.KERNEL32 ref: 00007FF8BFB963B0
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF8BFB963BC
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF8BFB963C5

Memory Dump Source

Source File: 00000004.00000002.2247322827.00007FF8BFB91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8BFB90000, based on PE: true

Associated: 00000004.00000002.2247299680.00007FF8BFB90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2247348346.00007FF8BFBA1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2247370423.00007FF8BFBA6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2247392718.00007FF8BFBA7000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff8bfb90000_UiF5hKi5o7.jbxd

Similarity

API ID: free$EntryInterlockedListNamePush__unmallocstrcpy_s
String ID:
API String ID: 3741236498-0
Opcode ID: 6447550c70440ae48e9dc09acfbe7fa3055870e3a5d625089a78ddc05dba8847
Instruction ID: de39f78b5c8bb3f2e357d97f3235e3d743efa5fc3e0b9cc466a8083c16c5c6bf
Opcode Fuzzy Hash: 6447550c70440ae48e9dc09acfbe7fa3055870e3a5d625089a78ddc05dba8847
Instruction Fuzzy Hash: 5331D126B19B9590EB51DB6EA80457933A1FF09FD4B598639DF2D03380EE3DE442C300

Function 00007FF8BFB938A8 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 189COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF8BFB96710: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FF8BFB9239E), ref: 00007FF8BFB9671E

EncodePointer.KERNEL32 ref: 00007FF8BFB93918
_CallSETranslator.LIBVCRUNTIME ref: 00007FF8BFB93963
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BFB93B91

Strings

MOC, xrefs: 00007FF8BFB9392C
RCC, xrefs: 00007FF8BFB93934

Memory Dump Source

Source File: 00000004.00000002.2247322827.00007FF8BFB91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8BFB90000, based on PE: true

Associated: 00000004.00000002.2247299680.00007FF8BFB90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2247348346.00007FF8BFBA1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2247370423.00007FF8BFBA6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2247392718.00007FF8BFBA7000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff8bfb90000_UiF5hKi5o7.jbxd

Similarity

API ID: abort$CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 2889003569-2084237596
Opcode ID: 63425386b35f735f5eb303e83bfbe55818570f32e5447e3767ff35a3eaf3afb3
Instruction ID: 5356225f34f08308a2e741a6caf7e2eb01f3b9eb7e583189e80b2fad81aabd53
Opcode Fuzzy Hash: 63425386b35f735f5eb303e83bfbe55818570f32e5447e3767ff35a3eaf3afb3
Instruction Fuzzy Hash: FF916073A087958AE750CBA9E8802AD7BB4F7447C8F14812AEF8D57B65DF38D1A5C700

Function 00007FF8BFB9BB70 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 167COMMON

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FF8BFB9BC50

Part of subcall function 00007FF8BFB98C24: DName::operator+.LIBVCRUNTIME ref: 00007FF8BFB9913D
Part of subcall function 00007FF8BFB98C24: DName::operator+.LIBVCRUNTIME ref: 00007FF8BFB99175

Strings

volatile , xrefs: 00007FF8BFB9BBD3, 00007FF8BFB9BD21
volatile, xrefs: 00007FF8BFB9BBE2, 00007FF8BFB9BD30
std::nullptr_t, xrefs: 00007FF8BFB9BDF1
std::nullptr_t , xrefs: 00007FF8BFB9BDC5

Memory Dump Source

Source File: 00000004.00000002.2247322827.00007FF8BFB91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8BFB90000, based on PE: true

Associated: 00000004.00000002.2247299680.00007FF8BFB90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2247348346.00007FF8BFBA1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2247370423.00007FF8BFBA6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2247392718.00007FF8BFBA7000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff8bfb90000_UiF5hKi5o7.jbxd

Similarity

API ID: Name::operator+
String ID: std::nullptr_t$std::nullptr_t $volatile$volatile
API String ID: 2943138195-757766384
Opcode ID: 8ec89114dc1e92fb087ff84a90b975bd849231731579a14e6ae3ff20f009c8f1
Instruction ID: 06f8f51171b040c01a3fcc5817ed7610b10ea8bb59e92893b010c82e630aa980
Opcode Fuzzy Hash: 8ec89114dc1e92fb087ff84a90b975bd849231731579a14e6ae3ff20f009c8f1
Instruction Fuzzy Hash: 9C7149B6A08A4684EB148FACD9511BC77A5BF157C4F44D539DB5E07AA8DF3CE650C300

Function 00007FF8BFB93690 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 145COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF8BFB96710: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FF8BFB9239E), ref: 00007FF8BFB9671E

EncodePointer.KERNEL32 ref: 00007FF8BFB936DC
_CallSETranslator.LIBVCRUNTIME ref: 00007FF8BFB9372B
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BFB9389F

Strings

MOC, xrefs: 00007FF8BFB936F0
RCC, xrefs: 00007FF8BFB936F9

Memory Dump Source

Source File: 00000004.00000002.2247322827.00007FF8BFB91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8BFB90000, based on PE: true

Associated: 00000004.00000002.2247299680.00007FF8BFB90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2247348346.00007FF8BFBA1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2247370423.00007FF8BFBA6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2247392718.00007FF8BFBA7000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff8bfb90000_UiF5hKi5o7.jbxd

Similarity

API ID: abort$CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 2889003569-2084237596
Opcode ID: bda6881e4fb6ddd96fb50e60b72b5d1eaa618bcc944dda4a5bc0b193bb5b3b27
Instruction ID: eadd4040517a35ec0bd00425cad08d1b68abd5ef624b4ce7c26e4b51a9a26427
Opcode Fuzzy Hash: bda6881e4fb6ddd96fb50e60b72b5d1eaa618bcc944dda4a5bc0b193bb5b3b27
Instruction Fuzzy Hash: 24613977A08A858AE714CFA9D4807AD77A5FB84BC8F188125EF4D13B58DF38E055C700

Function 00007FF8BFB99FA4 Relevance: 7.6, APIs: 5, Instructions: 94COMMON

Download Yara Rule

APIs

DName::DName.LIBVCRUNTIME ref: 00007FF8BFB9A01D
DName::operator+.LIBVCRUNTIME ref: 00007FF8BFB9A03F
DName::DName.LIBVCRUNTIME ref: 00007FF8BFB9A052
DName::DName.LIBVCRUNTIME ref: 00007FF8BFB9A089
DName::DName.LIBVCRUNTIME ref: 00007FF8BFB9A094

Memory Dump Source

Source File: 00000004.00000002.2247322827.00007FF8BFB91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8BFB90000, based on PE: true

Associated: 00000004.00000002.2247299680.00007FF8BFB90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2247348346.00007FF8BFBA1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2247370423.00007FF8BFBA6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2247392718.00007FF8BFBA7000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff8bfb90000_UiF5hKi5o7.jbxd

Similarity

API ID: NameName::$Name::operator+
String ID:
API String ID: 826178784-0
Opcode ID: 7682a6ebcb32bf14f43659220100a1b4a5a4a6e3db385e7ce84af32120df353b
Instruction ID: 15bb7aaf1f47cae7791f23f31d5cb07f53516d67497b2d2c38cfc47beba19fbd
Opcode Fuzzy Hash: 7682a6ebcb32bf14f43659220100a1b4a5a4a6e3db385e7ce84af32120df353b
Instruction Fuzzy Hash: D4418C32B08B5684EB10CBA9D8901BD77B8BB59BC0BA48036EB5D53795DF3CE955C300

Function 00007FF8BFB94044 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 163COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF8BFB96710: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FF8BFB9239E), ref: 00007FF8BFB9671E

abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BFB941C3

Strings

, xrefs: 00007FF8BFB94114
csm, xrefs: 00007FF8BFB941FD
csm, xrefs: 00007FF8BFB94093

Memory Dump Source

Source File: 00000004.00000002.2247322827.00007FF8BFB91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8BFB90000, based on PE: true

Associated: 00000004.00000002.2247299680.00007FF8BFB90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2247348346.00007FF8BFBA1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2247370423.00007FF8BFBA6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2247392718.00007FF8BFBA7000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff8bfb90000_UiF5hKi5o7.jbxd

Similarity

API ID: abort
String ID: $csm$csm
API String ID: 4206212132-1512788406
Opcode ID: a1e41bd14f4dc8a012b9b6851bae8dba3a2639313cd67671a1d4b299b7556132
Instruction ID: 859f935e81d3805313f97a93b73663e86c8a761090893c3ca45e697f9e39e197
Opcode Fuzzy Hash: a1e41bd14f4dc8a012b9b6851bae8dba3a2639313cd67671a1d4b299b7556132
Instruction Fuzzy Hash: 2271AD32A08691C6DB688FAA94507B97BA1FB45BC9F14C135DF8C07A99CB3CE491C740

Function 00007FF8BFB93E1C Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 144COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF8BFB96710: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FF8BFB9239E), ref: 00007FF8BFB9671E

abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BFB93F13
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00007FF8BFB93F23

Strings

csm, xrefs: 00007FF8BFB93E66
csm, xrefs: 00007FF8BFB93F75

Memory Dump Source

Source File: 00000004.00000002.2247322827.00007FF8BFB91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8BFB90000, based on PE: true

Associated: 00000004.00000002.2247299680.00007FF8BFB90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2247348346.00007FF8BFBA1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2247370423.00007FF8BFBA6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2247392718.00007FF8BFBA7000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff8bfb90000_UiF5hKi5o7.jbxd

Similarity

API ID: Frameabort$EmptyHandler3::StateUnwind
String ID: csm$csm
API String ID: 4108983575-3733052814
Opcode ID: 723d316c6bb1492db26d318ced58129fbbb71e04f86aecbd325fb3d3c805e488
Instruction ID: 979f038200b5db12fc09df913a7110e96bfbaeddf1440c24bfc0250e24178c25
Opcode Fuzzy Hash: 723d316c6bb1492db26d318ced58129fbbb71e04f86aecbd325fb3d3c805e488
Instruction Fuzzy Hash: 0A513A3290868286EB748F9AA44436877A4FB94BD5F18C136EB9D47BD5CF3CE461CB01

Function 00007FF8BFB9A714 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 74COMMON

Download Yara Rule

APIs

DName::DName.LIBVCRUNTIME ref: 00007FF8BFB9A778

Strings

%lf, xrefs: 00007FF8BFB9A7BE

Memory Dump Source

Source File: 00000004.00000002.2247322827.00007FF8BFB91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8BFB90000, based on PE: true

Associated: 00000004.00000002.2247299680.00007FF8BFB90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2247348346.00007FF8BFBA1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2247370423.00007FF8BFBA6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2247392718.00007FF8BFBA7000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff8bfb90000_UiF5hKi5o7.jbxd

Similarity

API ID: NameName::
String ID: %lf
API String ID: 1333004437-2891890143
Opcode ID: f37b8968dc856f8c22d72c120ca4476383f363961e161f929d9d255907aecf6d
Instruction ID: c7321a7b7c6bae8a351dab48d344368d6c5d5e4dcbeb004634f1179c11f7ab32
Opcode Fuzzy Hash: f37b8968dc856f8c22d72c120ca4476383f363961e161f929d9d255907aecf6d
Instruction Fuzzy Hash: 7631B076A0CA8185EA20CBA9E85127AB7A5FB89BC4F54C135EB9E47645CF3CE502C700

Function 00007FF8BFB92400 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 28COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF8BFB96710: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FF8BFB9239E), ref: 00007FF8BFB9671E

terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BFB9243E

Strings

RCC, xrefs: 00007FF8BFB92410
csm, xrefs: 00007FF8BFB92420
MOC, xrefs: 00007FF8BFB92418

Memory Dump Source

Source File: 00000004.00000002.2247322827.00007FF8BFB91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8BFB90000, based on PE: true

Associated: 00000004.00000002.2247299680.00007FF8BFB90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2247348346.00007FF8BFBA1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2247370423.00007FF8BFBA6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2247392718.00007FF8BFBA7000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff8bfb90000_UiF5hKi5o7.jbxd

Similarity

API ID: abortterminate
String ID: MOC$RCC$csm
API String ID: 661698970-2671469338
Opcode ID: b838753ef247b2fc749e3877e0128dea9035de62b0ba29f15289213c97603889
Instruction ID: 6081b4bd373506fd1ad32b0dbd51f56f45ebaf748aa9b919ff640e745ab17d42
Opcode Fuzzy Hash: b838753ef247b2fc749e3877e0128dea9035de62b0ba29f15289213c97603889
Instruction Fuzzy Hash: 81F0F93691864686EB506FA9E18106937A5FB88BC4F0AD476DB5807792CF3CE4A0CA42

Function 00007FF8BFB9E9E0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 22COMMON

Download Yara Rule

APIs

__C_specific_handler.LIBVCRUNTIME ref: 00007FF8BFB9E9F0

Part of subcall function 00007FF8BFB9EC30: _IsNonwritableInCurrentImage.LIBCMT ref: 00007FF8BFB9ECF0
Part of subcall function 00007FF8BFB9EC30: RtlUnwindEx.KERNEL32(?,?,?,?,?,?,?,00007FF8BFB9E9F5), ref: 00007FF8BFB9ED3F

Part of subcall function 00007FF8BFB96710: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FF8BFB9239E), ref: 00007FF8BFB9671E

terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BFB9EA1A

Strings

f, xrefs: 00007FF8BFB9E9F5
csm, xrefs: 00007FF8BFB9E9FB

Memory Dump Source

Source File: 00000004.00000002.2247322827.00007FF8BFB91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8BFB90000, based on PE: true

Associated: 00000004.00000002.2247299680.00007FF8BFB90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2247348346.00007FF8BFBA1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2247370423.00007FF8BFBA6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2247392718.00007FF8BFBA7000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff8bfb90000_UiF5hKi5o7.jbxd

Similarity

API ID: C_specific_handlerCurrentImageNonwritableUnwindabortterminate
String ID: csm$f
API String ID: 2451123448-629598281
Opcode ID: c9fb23446a5b638453e0304dd207887769bfaeb8010eb75ee95ffcfd07f137de
Instruction ID: b26ceb9be158d231e2fb2ea12a05ba04cf82c163fe377b8f2f8585c7e3479f6a
Opcode Fuzzy Hash: c9fb23446a5b638453e0304dd207887769bfaeb8010eb75ee95ffcfd07f137de
Instruction Fuzzy Hash: 2EE09236D1C38681EB606FE9B18113D27A5FF25BD4F15C039DB8807796CE3CE8A08611

Function 00007FF8BFB99CC0 Relevance: 6.2, APIs: 4, Instructions: 193COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF8BFB9C3C8: DName::operator+.LIBVCRUNTIME ref: 00007FF8BFB9C459
Part of subcall function 00007FF8BFB9C3C8: DName::operator+.LIBVCRUNTIME ref: 00007FF8BFB9C492
Part of subcall function 00007FF8BFB9C3C8: DName::operator+.LIBVCRUNTIME ref: 00007FF8BFB9C7BB

DName::operator+.LIBVCRUNTIME ref: 00007FF8BFB99E19
DName::operator+.LIBVCRUNTIME ref: 00007FF8BFB99E78
DName::operator+.LIBVCRUNTIME ref: 00007FF8BFB99EAA
DName::operator+.LIBVCRUNTIME ref: 00007FF8BFB99EBA

Memory Dump Source

Source File: 00000004.00000002.2247322827.00007FF8BFB91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8BFB90000, based on PE: true

Associated: 00000004.00000002.2247299680.00007FF8BFB90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2247348346.00007FF8BFBA1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2247370423.00007FF8BFBA6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2247392718.00007FF8BFBA7000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff8bfb90000_UiF5hKi5o7.jbxd

Similarity

API ID: Name::operator+
String ID:
API String ID: 2943138195-0
Opcode ID: f50f9f5b0f4c072e52125a456639a7d4e2bd829a5a5137cb56b4f6bb80237050
Instruction ID: f5b4cb19c80e133e9869be8571df65a2a438ca18891eedcbcd180ce939206afe
Opcode Fuzzy Hash: f50f9f5b0f4c072e52125a456639a7d4e2bd829a5a5137cb56b4f6bb80237050
Instruction Fuzzy Hash: 18916962E08B5689FB918BE8D8803BC37B1BB14788F54903ADF5D176A5DF7CA846C340

Function 00007FF8BFB9A44C Relevance: 6.1, APIs: 4, Instructions: 134COMMON

Download Yara Rule

APIs

DName::DName.LIBVCRUNTIME ref: 00007FF8BFB9A4F1
DName::operator+.LIBVCRUNTIME ref: 00007FF8BFB9A501
DName::operator+.LIBVCRUNTIME ref: 00007FF8BFB9A51E
DName::operator+.LIBVCRUNTIME ref: 00007FF8BFB9A553

Memory Dump Source

Source File: 00000004.00000002.2247322827.00007FF8BFB91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8BFB90000, based on PE: true

Associated: 00000004.00000002.2247299680.00007FF8BFB90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2247348346.00007FF8BFBA1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2247370423.00007FF8BFBA6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2247392718.00007FF8BFBA7000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff8bfb90000_UiF5hKi5o7.jbxd

Similarity

API ID: Name::operator+$NameName::
String ID:
API String ID: 168861036-0
Opcode ID: fdc850366a52cc8509fdc883a27d076c67a20e363f2b2ed3a2a440fa302089d7
Instruction ID: 66dcf7a77a53776eedc68467be17f5e45bb7491c17c86acd9cda35d82b0196d3
Opcode Fuzzy Hash: fdc850366a52cc8509fdc883a27d076c67a20e363f2b2ed3a2a440fa302089d7
Instruction Fuzzy Hash: 265186B2E18A5689EB10CFA8E8403BD77A9BB85B88F548035DB1E47B95DF3DE441C340

Function 00007FF8BFB9C87C Relevance: 6.1, APIs: 4, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF8BFB9C3C8: DName::operator+.LIBVCRUNTIME ref: 00007FF8BFB9C459
Part of subcall function 00007FF8BFB9C3C8: DName::operator+.LIBVCRUNTIME ref: 00007FF8BFB9C492
Part of subcall function 00007FF8BFB9C3C8: DName::operator+.LIBVCRUNTIME ref: 00007FF8BFB9C7BB

DName::operator+.LIBVCRUNTIME ref: 00007FF8BFB9C8F7
DName::operator+.LIBVCRUNTIME ref: 00007FF8BFB9C906
DName::operator+.LIBVCRUNTIME ref: 00007FF8BFB9C982
DName::operator+.LIBVCRUNTIME ref: 00007FF8BFB9C991

Memory Dump Source

Source File: 00000004.00000002.2247322827.00007FF8BFB91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8BFB90000, based on PE: true

Associated: 00000004.00000002.2247299680.00007FF8BFB90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2247348346.00007FF8BFBA1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2247370423.00007FF8BFBA6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2247392718.00007FF8BFBA7000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff8bfb90000_UiF5hKi5o7.jbxd

Similarity

API ID: Name::operator+
String ID:
API String ID: 2943138195-0
Opcode ID: 010c9cc7b649f2daabbc83b7255f351f4a32df461fe661a6f710ba75eaae01a6
Instruction ID: 0148a451bd8665bb4edb4516ee673b93a7252c8eabc50aaea0697eadbbe5b036
Opcode Fuzzy Hash: 010c9cc7b649f2daabbc83b7255f351f4a32df461fe661a6f710ba75eaae01a6
Instruction Fuzzy Hash: 0E4108B2A08B968AFB02CFA8D8413AC77B0FB55B88F548039DB4D5775ADF789541C710

Function 00007FF8BFB94710 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF8BFB96710: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FF8BFB9239E), ref: 00007FF8BFB9671E

_CreateFrameInfo.LIBVCRUNTIME ref: 00007FF8BFB947E6
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BFB94844

Strings

csm, xrefs: 00007FF8BFB948EA

Memory Dump Source

Source File: 00000004.00000002.2247322827.00007FF8BFB91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8BFB90000, based on PE: true

Associated: 00000004.00000002.2247299680.00007FF8BFB90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2247348346.00007FF8BFBA1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2247370423.00007FF8BFBA6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2247392718.00007FF8BFBA7000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff8bfb90000_UiF5hKi5o7.jbxd

Similarity

API ID: abort$CreateFrameInfo
String ID: csm
API String ID: 2697087660-1018135373
Opcode ID: f6943bea1c78c8542bb5a279c29cdd6a6ec40214996e776607272464948ef889
Instruction ID: a52a1f19d88308d377c5747548d0a799d0a9eafbf859d3e5eec1de7b6150ba2a
Opcode Fuzzy Hash: f6943bea1c78c8542bb5a279c29cdd6a6ec40214996e776607272464948ef889
Instruction Fuzzy Hash: F2514C36A1978186E660AF59E08026E77A5FB89BD0F148539DF8D07B55CF3CE461CB00

Function 00007FF8BFB99BAC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 68COMMON

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FF8BFB99CAA

Strings

void , xrefs: 00007FF8BFB99C34
void, xrefs: 00007FF8BFB99C0C

Memory Dump Source

Source File: 00000004.00000002.2247322827.00007FF8BFB91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8BFB90000, based on PE: true

Associated: 00000004.00000002.2247299680.00007FF8BFB90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2247348346.00007FF8BFBA1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2247370423.00007FF8BFBA6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2247392718.00007FF8BFBA7000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff8bfb90000_UiF5hKi5o7.jbxd

Similarity

API ID: Name::operator+
String ID: void$void
API String ID: 2943138195-3746155364
Opcode ID: ff67bb32e799e4a453516f5f2b265aba841f0c9d9f12838b8a28f15594d75a10
Instruction ID: aeceb7f233bc73a7b4bc56bc9db263a723cc190e6e0cfb7d5cc271773406ca09
Opcode Fuzzy Hash: ff67bb32e799e4a453516f5f2b265aba841f0c9d9f12838b8a28f15594d75a10
Instruction Fuzzy Hash: 11312662E18B6998FB10CBA8E8410FC37B4BB48788B44813AEF4E62B59DF3C9144C750

Function 00007FF8BFB9604F Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 45COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF8BFB963F0: RtlPcToFileHeader.KERNEL32 ref: 00007FF8BFB96434
Part of subcall function 00007FF8BFB963F0: RaiseException.KERNEL32 ref: 00007FF8BFB9647A

RtlPcToFileHeader.KERNEL32 ref: 00007FF8BFB960BF

Strings

Access violation - no RTTI data!, xrefs: 00007FF8BFB9604F
Bad dynamic_cast!, xrefs: 00007FF8BFB96072

Memory Dump Source

Source File: 00000004.00000002.2247322827.00007FF8BFB91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8BFB90000, based on PE: true

Associated: 00000004.00000002.2247299680.00007FF8BFB90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2247348346.00007FF8BFBA1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2247370423.00007FF8BFBA6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2247392718.00007FF8BFBA7000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff8bfb90000_UiF5hKi5o7.jbxd

Similarity

API ID: FileHeader$ExceptionRaise
String ID: Access violation - no RTTI data!$Bad dynamic_cast!
API String ID: 3685223789-3176238549
Opcode ID: d06b4d24d7aa4607bffac334420f89fbd77c373aef9fdd9199db5b082a62258c
Instruction ID: 05c269f8d8d97ae2e558294d98dc07500205ead954dc2610aa73993014389b34
Opcode Fuzzy Hash: d06b4d24d7aa4607bffac334420f89fbd77c373aef9fdd9199db5b082a62258c
Instruction Fuzzy Hash: 3601A265A2DA4AE1EF40DB9CE8911B86361FF90BC4F80A435E74E076A9EF7CD509C700

Function 00007FF8BFB963F0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32 ref: 00007FF8BFB96434
RaiseException.KERNEL32 ref: 00007FF8BFB9647A

Strings

csm, xrefs: 00007FF8BFB96467

Memory Dump Source

Source File: 00000004.00000002.2247322827.00007FF8BFB91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8BFB90000, based on PE: true

Associated: 00000004.00000002.2247299680.00007FF8BFB90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2247348346.00007FF8BFBA1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2247370423.00007FF8BFBA6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2247392718.00007FF8BFBA7000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff8bfb90000_UiF5hKi5o7.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 04e89f2c23f7d49b97199698fdfbf86ccf7878464e1c577e170b006b6ea557c8
Instruction ID: c01eb0993129f9d3bb597ff2c1e759d555c527c4c1ea18d21540c46505371af9
Opcode Fuzzy Hash: 04e89f2c23f7d49b97199698fdfbf86ccf7878464e1c577e170b006b6ea557c8
Instruction Fuzzy Hash: EA114C32A18B8582EB618F69F440269BBA5FB88BC4F588235DF8C07B58DF3CD551CB00

Function 00007FF8BFB9672C Relevance: 5.1, APIs: 4, Instructions: 53COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FF8BFB965B9,?,?,?,?,00007FF8BFB9FB22,?,?,?,?,?), ref: 00007FF8BFB9674B
SetLastError.KERNEL32(?,?,?,00007FF8BFB965B9,?,?,?,?,00007FF8BFB9FB22,?,?,?,?,?), ref: 00007FF8BFB967D4

Memory Dump Source

Source File: 00000004.00000002.2247322827.00007FF8BFB91000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8BFB90000, based on PE: true

Associated: 00000004.00000002.2247299680.00007FF8BFB90000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2247348346.00007FF8BFBA1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2247370423.00007FF8BFBA6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2247392718.00007FF8BFBA7000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff8bfb90000_UiF5hKi5o7.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: c7aaac8a80d8b30c274ca3e3b7c59e83a4e0092024cc1b5b0b7c72c8c7be0031
Instruction ID: d87610e8c624524a597633017e84312b9672516bc219dbb15bfd063c06a64c3a
Opcode Fuzzy Hash: c7aaac8a80d8b30c274ca3e3b7c59e83a4e0092024cc1b5b0b7c72c8c7be0031
Instruction Fuzzy Hash: BC111F24E0D65682FA649BA9A8641352392AF48BE0F15C63CDF7F077E5DE2CF8518710

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report UiF5hKi5o7.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\_MEI55162\VCRUNTIME140.dll

C:\Users\user\AppData\Local\Temp\_MEI55162\_bz2.pyd

C:\Users\user\AppData\Local\Temp\_MEI55162\_decimal.pyd

C:\Users\user\AppData\Local\Temp\_MEI55162\_hashlib.pyd

C:\Users\user\AppData\Local\Temp\_MEI55162\_lzma.pyd

C:\Users\user\AppData\Local\Temp\_MEI55162\_socket.pyd

C:\Users\user\AppData\Local\Temp\_MEI55162\base_library.zip

C:\Users\user\AppData\Local\Temp\_MEI55162\libcrypto-1_1.dll

C:\Users\user\AppData\Local\Temp\_MEI55162\python310.dll

C:\Users\user\AppData\Local\Temp\_MEI55162\select.pyd

C:\Users\user\AppData\Local\Temp\_MEI55162\unicodedata.pyd

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

UDP Packets

Statistics

Windows Analysis Report
UiF5hKi5o7.exe

Function 00007FF7726364D0 Relevance: 14.3, APIs: 6, Strings: 2, Instructions: 334
timeCOMMON

Function 00007FF772616B80 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 141
COMMON

Function 00007FF77263741C Relevance: 13.8, APIs: 9, Instructions: 276
fileCOMMON

Function 00007FF77263674C Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 143
timeCOMMON

Function 00007FF772611710 Relevance: 24.6, APIs: 1, Strings: 13, Instructions: 148
COMMON

Function 00007FF772611000 Relevance: 21.3, APIs: 1, Strings: 11, Instructions: 327
COMMON

Function 00007FF772617C90 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 91
COMMON

Function 00007FF772611A40 Relevance: 19.4, APIs: 2, Strings: 9, Instructions: 135
COMMON

Function 00007FF7726172B0 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 90
processsynchronizationCOMMON

Function 00007FF772611050 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 156
COMMON

Function 00007FF77262F418 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117
libraryloaderCOMMONLIBRARYCODE

Function 00007FF77262C24C Relevance: 10.8, APIs: 7, Instructions: 290
COMMONLIBRARYCODE

Function 00007FF77262D750 Relevance: 6.2, APIs: 4, Instructions: 218
COMMON

Function 00007FF77262FE4C Relevance: 6.2, APIs: 4, Instructions: 162
COMMON