Edit tour

Windows Analysis Report
xSO7sbN2j6.exe

Overview

General Information

Sample name:	xSO7sbN2j6.exe (renamed file extension from none to exe, renamed because original name is a hash value)
Original sample name:	95256b28dfb85f1d5bafdec109950775733d4af82acc0512151639695c57e469
Analysis ID:	1428491
MD5:	5917c8e5a003b2c211150d1f92440f79
SHA1:	fc3dfd511d75828c56aec3be55931d42bfbdd96e
SHA256:	95256b28dfb85f1d5bafdec109950775733d4af82acc0512151639695c57e469
Infos:

Detection

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Found pyInstaller with non standard icon

Queries BIOS fan information (via WMI, Win32_Fan, often done to detect virtual machines)

Queries memory information (via WMI often done to detect virtual machines)

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)

Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Queries temperature or sensor information (via WMI often done to detect virtual machines)

Queries voltage information (via WMI often done to detect virtual machines)

Tries to detect virtualization through RDTSC time measurements

Binary contains a suspicious time stamp

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to detect virtual machines (SGDT)

Contains functionality to detect virtual machines (SIDT)

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found dropped PE file which has not been started or loaded

Found evasive API chain checking for process token information

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

PE file does not import any functions

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

xSO7sbN2j6.exe (PID: 1268 cmdline: "C:\Users\user\Desktop\xSO7sbN2j6.exe" MD5: 5917C8E5A003B2C211150D1F92440F79)

conhost.exe (PID: 3576 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

xSO7sbN2j6.exe (PID: 3424 cmdline: "C:\Users\user\Desktop\xSO7sbN2j6.exe" MD5: 5917C8E5A003B2C211150D1F92440F79)

netconn_properties.exe (PID: 1352 cmdline: C:\Users\user\AppData\Local\Temp\_MEI12682\exe/netconn_properties.exe MD5: 3B8E84142573A5E30990BDE2E574C447)

registers.exe (PID: 5784 cmdline: C:\Users\user\AppData\Local\Temp\_MEI12682\exe/registers.exe MD5: 527010682A02EE5935BAC5B2D074C49D)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: xSO7sbN2j6.exe	ReversingLabs: Detection: 15%
Source: xSO7sbN2j6.exe	Virustotal: Detection: 16%			Perma Link

Source: xSO7sbN2j6.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:	Binary string: api-ms-win-crt-locale-l1-1-0.pdb source: xSO7sbN2j6.exe, 00000001.00000003.2239037297.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-locale-l1-1-0.dll.1.dr
Source:	Binary string: C:\src\pywin32\build\temp.win-amd64-3.8\Release\win32net.pdb source: xSO7sbN2j6.exe, 00000003.00000002.2444861222.00007FF8B61C1000.00000040.00000001.01000000.00000014.sdmp
Source:	Binary string: C:\Users\c\source\repos\ConsoleApplication2\Release\ConsoleApplication2.pdb source: registers.exe, registers.exe, 0000000A.00000002.2415695027.0000000000261000.00000040.00000001.01000000.00000022.sdmp
Source:	Binary string: api-ms-win-crt-runtime-l1-1-0.pdb source: xSO7sbN2j6.exe, 00000001.00000003.2239773442.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-runtime-l1-1-0.dll.1.dr
Source:	Binary string: C:\A\34\b\bin\amd64\select.pdb source: xSO7sbN2j6.exe, 00000003.00000002.2447521757.00007FF8B9841000.00000040.00000001.01000000.00000012.sdmp
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_A source: xSO7sbN2j6.exe
Source:	Binary string: api-ms-win-core-file-l1-2-0.pdb source: xSO7sbN2j6.exe, 00000001.00000003.2232435962.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-file-l1-2-0.dll.1.dr
Source:	Binary string: ucrtbase.pdb source: xSO7sbN2j6.exe, 00000003.00000002.2445898778.00007FF8B80D5000.00000002.00000001.01000000.00000004.sdmp, ucrtbase.dll.1.dr
Source:	Binary string: api-ms-win-core-memory-l1-1-0.pdb source: xSO7sbN2j6.exe, 00000001.00000003.2233416251.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-memory-l1-1-0.dll.1.dr
Source:	Binary string: api-ms-win-core-debug-l1-1-0.pdb source: xSO7sbN2j6.exe, 00000001.00000003.2232106594.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-debug-l1-1-0.dll.1.dr
Source:	Binary string: C:\src\pywin32\build\temp.win-amd64-3.8\Release\pywintypes.pdb source: xSO7sbN2j6.exe, 00000003.00000002.2445592803.00007FF8B7FF1000.00000040.00000001.01000000.0000000C.sdmp
Source:	Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: xSO7sbN2j6.exe, 00000001.00000003.2234782736.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-sysinfo-l1-1-0.dll.1.dr
Source:	Binary string: api-ms-win-crt-filesystem-l1-1-0.pdb source: xSO7sbN2j6.exe, 00000001.00000003.2237358262.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\A\34\b\bin\amd64\python38.pdb source: xSO7sbN2j6.exe, 00000003.00000002.2443034874.00007FF8A8CCC000.00000040.00000001.01000000.00000005.sdmp
Source:	Binary string: C:\Users\c\source\repos\ConsoleApplication2\Release\ConsoleApplication2.pdb%% source: registers.exe, 0000000A.00000002.2415695027.0000000000261000.00000040.00000001.01000000.00000022.sdmp
Source:	Binary string: api-ms-win-crt-stdio-l1-1-0.pdb source: xSO7sbN2j6.exe, 00000001.00000003.2239861973.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\src\pywin32\build\temp.win-amd64-3.8\Release\win32security.pdb source: xSO7sbN2j6.exe, 00000003.00000002.2444589477.00007FF8B6191000.00000040.00000001.01000000.00000015.sdmp
Source:	Binary string: api-ms-win-core-heap-l1-1-0.pdb source: xSO7sbN2j6.exe, 00000001.00000003.2232822044.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\A\34\b\bin\amd64\python3.pdb source: xSO7sbN2j6.exe, 00000001.00000003.2242717820.000001EB0963F000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000002.2448608318.00007FF8BA4F2000.00000002.00000001.01000000.00000007.sdmp, python3.dll.1.dr
Source:	Binary string: api-ms-win-core-util-l1-1-0.pdb source: xSO7sbN2j6.exe, 00000001.00000003.2235784465.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-synch-l1-1-0.pdb source: xSO7sbN2j6.exe, 00000001.00000003.2234547266.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-synch-l1-1-0.dll.1.dr
Source:	Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: xSO7sbN2j6.exe, 00000001.00000003.2236972106.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-environment-l1-1-0.dll.1.dr
Source:	Binary string: C:\A\34\b\bin\amd64\_ssl.pdb source: xSO7sbN2j6.exe, 00000003.00000002.2444067430.00007FF8B5711000.00000040.00000001.01000000.00000018.sdmp
Source:	Binary string: D:\a01\_work\26\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: xSO7sbN2j6.exe, 00000001.00000003.2230257256.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000002.2448737746.00007FF8BFAD1000.00000002.00000001.01000000.00000006.sdmp, VCRUNTIME140.dll.1.dr
Source:	Binary string: api-ms-win-core-errorhandling-l1-1-0.pdb source: xSO7sbN2j6.exe, 00000001.00000003.2232218108.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-errorhandling-l1-1-0.dll.1.dr
Source:	Binary string: d:\a01\_work\12\s\\binaries\amd64ret\bin\amd64\\mfc140u.amd64.pdb source: mfc140u.dll.1.dr
Source:	Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: xSO7sbN2j6.exe, 00000001.00000003.2233738349.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-processthreads-l1-1-0.dll.1.dr
Source:	Binary string: d:\a01\_work\12\s\\binaries\amd64ret\bin\amd64\\mfc140u.amd64.pdbGCTL source: mfc140u.dll.1.dr
Source:	Binary string: api-ms-win-core-console-l1-1-0.pdb source: xSO7sbN2j6.exe, 00000001.00000003.2231807921.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-console-l1-1-0.dll.1.dr
Source:	Binary string: api-ms-win-core-file-l1-1-0.pdb source: xSO7sbN2j6.exe, 00000001.00000003.2232341692.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-file-l1-1-0.dll.1.dr
Source:	Binary string: api-ms-win-crt-convert-l1-1-0.pdb source: xSO7sbN2j6.exe, 00000001.00000003.2236165439.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\A\6\b\libssl-1_1.pdb source: xSO7sbN2j6.exe, xSO7sbN2j6.exe, 00000003.00000002.2442460559.00007FF8A88B4000.00000040.00000001.01000000.00000019.sdmp
Source:	Binary string: C:\Users\b\source\repos\ConsoleApplication1\Release\ConsoleApplication1.pdb source: netconn_properties.exe, netconn_properties.exe, 00000007.00000002.2414728783.0000000000A01000.00000040.00000001.01000000.00000021.sdmp
Source:	Binary string: api-ms-win-core-profile-l1-1-0.pdb source: xSO7sbN2j6.exe, 00000001.00000003.2234146122.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-profile-l1-1-0.dll.1.dr
Source:	Binary string: ucrtbase.pdbUGP source: xSO7sbN2j6.exe, 00000003.00000002.2445898778.00007FF8B80D5000.00000002.00000001.01000000.00000004.sdmp, ucrtbase.dll.1.dr
Source:	Binary string: C:\A\34\b\bin\amd64\unicodedata.pdb source: xSO7sbN2j6.exe, 00000003.00000002.2441062409.00007FF8A8195000.00000040.00000001.01000000.0000001E.sdmp
Source:	Binary string: api-ms-win-crt-time-l1-1-0.pdb source: xSO7sbN2j6.exe, 00000001.00000003.2240170760.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a01\_work\26\s\\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: xSO7sbN2j6.exe, 00000001.00000003.2230430431.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000002.2447867332.00007FF8B9F65000.00000002.00000001.01000000.0000000D.sdmp
Source:	Binary string: C:\src\pywin32\build\temp.win-amd64-3.8\Release\pythoncom.pdb}},GCTL source: xSO7sbN2j6.exe, 00000003.00000002.2442766857.00007FF8A8901000.00000040.00000001.01000000.0000000E.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\msvcp140.amd64.pdb source: MSVCP140.dll.1.dr
Source:	Binary string: api-ms-win-core-handle-l1-1-0.pdb source: xSO7sbN2j6.exe, 00000001.00000003.2232671264.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\A\34\b\bin\amd64\_bz2.pdb source: xSO7sbN2j6.exe, 00000003.00000002.2447332028.00007FF8B93C1000.00000040.00000001.01000000.0000000A.sdmp
Source:	Binary string: C:\A\34\b\bin\amd64\_lzma.pdbMM source: xSO7sbN2j6.exe, 00000003.00000002.2446708944.00007FF8B8F8D000.00000040.00000001.01000000.0000000B.sdmp
Source:	Binary string: C:\src\pywin32\build\temp.win-amd64-3.8\Release\pywintypes.pdb** source: xSO7sbN2j6.exe, 00000003.00000002.2445592803.00007FF8B7FF1000.00000040.00000001.01000000.0000000C.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\msvcp140.amd64.pdbGCTL source: MSVCP140.dll.1.dr
Source:	Binary string: api-ms-win-core-synch-l1-2-0.pdb source: xSO7sbN2j6.exe, 00000001.00000003.2234634320.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-synch-l1-2-0.dll.1.dr
Source:	Binary string: C:\A\34\b\bin\amd64\_hashlib.pdb source: xSO7sbN2j6.exe, 00000003.00000002.2444302392.00007FF8B6176000.00000040.00000001.01000000.00000016.sdmp
Source:	Binary string: C:\A\6\b\libssl-1_1.pdb?? source: xSO7sbN2j6.exe, 00000003.00000002.2442460559.00007FF8A88B4000.00000040.00000001.01000000.00000019.sdmp
Source:	Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: xSO7sbN2j6.exe, 00000001.00000003.2233634128.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-processenvironment-l1-1-0.dll.1.dr
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM source: xSO7sbN2j6.exe, 00000003.00000002.2441450814.00007FF8A83F8000.00000040.00000001.01000000.00000017.sdmp
Source:	Binary string: api-ms-win-core-datetime-l1-1-0.pdb source: xSO7sbN2j6.exe, 00000001.00000003.2231902757.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\src\pywin32\build\temp.win-amd64-3.8\Release\win32net.pdb source: xSO7sbN2j6.exe, 00000003.00000002.2444861222.00007FF8B61C1000.00000040.00000001.01000000.00000014.sdmp
Source:	Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: xSO7sbN2j6.exe, 00000001.00000003.2235950959.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-conio-l1-1-0.dll.1.dr
Source:	Binary string: C:\A\34\b\bin\amd64\_socket.pdb source: xSO7sbN2j6.exe, 00000003.00000002.2446080851.00007FF8B8251000.00000040.00000001.01000000.00000011.sdmp
Source:	Binary string: api-ms-win-core-localization-l1-2-0.pdb source: xSO7sbN2j6.exe, 00000001.00000003.2233290847.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-localization-l1-2-0.dll.1.dr
Source:	Binary string: api-ms-win-crt-math-l1-1-0.pdb source: xSO7sbN2j6.exe, 00000001.00000003.2239258092.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\A\34\b\bin\amd64\_ctypes.pdb source: xSO7sbN2j6.exe, 00000003.00000002.2447129812.00007FF8B90E1000.00000040.00000001.01000000.00000008.sdmp
Source:	Binary string: C:\A\34\b\bin\amd64\_lzma.pdb source: xSO7sbN2j6.exe, 00000003.00000002.2446708944.00007FF8B8F8D000.00000040.00000001.01000000.0000000B.sdmp
Source:	Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: xSO7sbN2j6.exe, 00000001.00000003.2233871695.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-processthreads-l1-1-1.dll.1.dr
Source:	Binary string: api-ms-win-core-namedpipe-l1-1-0.pdb source: xSO7sbN2j6.exe, 00000001.00000003.2233543724.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-namedpipe-l1-1-0.dll.1.dr
Source:	Binary string: api-ms-win-crt-multibyte-l1-1-0.pdb source: xSO7sbN2j6.exe, 00000001.00000003.2239479830.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-multibyte-l1-1-0.dll.1.dr
Source:	Binary string: api-ms-win-crt-utility-l1-1-0.pdb source: xSO7sbN2j6.exe, 00000001.00000003.2240443886.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdb source: xSO7sbN2j6.exe, 00000001.00000003.2234300243.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: xSO7sbN2j6.exe, 00000001.00000003.2235634596.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-timezone-l1-1-0.dll.1.dr
Source:	Binary string: api-ms-win-core-string-l1-1-0.pdb source: xSO7sbN2j6.exe, 00000001.00000003.2234396719.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-file-l2-1-0.pdb source: xSO7sbN2j6.exe, 00000001.00000003.2232552994.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-process-l1-1-0.pdb source: xSO7sbN2j6.exe, 00000001.00000003.2239664904.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-process-l1-1-0.dll.1.dr
Source:	Binary string: api-ms-win-core-libraryloader-l1-1-0.pdb source: xSO7sbN2j6.exe, 00000001.00000003.2233028833.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\src\pywin32\build\temp.win-amd64-3.8\Release\pythoncom.pdb source: xSO7sbN2j6.exe, xSO7sbN2j6.exe, 00000003.00000002.2442766857.00007FF8A8901000.00000040.00000001.01000000.0000000E.sdmp
Source:	Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASMOpenSSL 1.1.1k 25 Mar 2021built on: Tue Apr 6 11:26:02 2021 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-1_1"not available source: xSO7sbN2j6.exe, 00000003.00000002.2441450814.00007FF8A83F8000.00000040.00000001.01000000.00000017.sdmp
Source:	Binary string: api-ms-win-core-interlocked-l1-1-0.pdb source: xSO7sbN2j6.exe, 00000001.00000003.2232918955.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\A\34\b\bin\amd64\_queue.pdb source: xSO7sbN2j6.exe, 00000003.00000002.2446511663.00007FF8B8CB1000.00000040.00000001.01000000.0000001B.sdmp
Source:	Binary string: C:\src\pywin32\build\temp.win-amd64-3.8\Release\win32api.pdb source: xSO7sbN2j6.exe, 00000003.00000002.2445139659.00007FF8B78A1000.00000040.00000001.01000000.0000000F.sdmp
Source:	Binary string: api-ms-win-crt-heap-l1-1-0.pdb source: xSO7sbN2j6.exe, 00000001.00000003.2238777336.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-heap-l1-1-0.dll.1.dr
Source:	Binary string: api-ms-win-crt-string-l1-1-0.pdb source: xSO7sbN2j6.exe, 00000001.00000003.2239987749.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-string-l1-1-0.dll.1.dr
Source:	Binary string: C:\src\pywin32\build\temp.win-amd64-3.8\Release\win32api.pdb!! source: xSO7sbN2j6.exe, 00000003.00000002.2445139659.00007FF8B78A1000.00000040.00000001.01000000.0000000F.sdmp

Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 1_2_00007FF73D7B6878 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,	1_2_00007FF73D7B6878
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 1_2_00007FF73D7A69E0 FindFirstFileExW,FindClose,	1_2_00007FF73D7A69E0
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 1_2_00007FF73D7C0A34 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	1_2_00007FF73D7C0A34
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 1_2_00007FF73D7B6878 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,	1_2_00007FF73D7B6878
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF73D7B6878 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,	3_2_00007FF73D7B6878
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF73D7C0A34 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	3_2_00007FF73D7C0A34
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF73D7B6878 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,	3_2_00007FF73D7B6878
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF73D7A69E0 FindFirstFileExW,FindClose,	3_2_00007FF73D7A69E0
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF8A81B4480 MultiByteToWideChar,GetLastError,MultiByteToWideChar,MultiByteToWideChar,00007FF8C610F020,FindFirstFileW,FindNextFileW,WideCharToMultiByte,	3_2_00007FF8A81B4480
Source: C:\Users\user\AppData\Local\Temp\_MEI12682\exe\netconn_properties.exe	Code function: 7_2_00A0CD11 FindFirstFileExW,	7_2_00A0CD11

Source: xSO7sbN2j6.exe, 00000003.00000002.2439755385.0000021030E90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://.../back.jpeg
Source: xSO7sbN2j6.exe, 00000003.00000002.2436948556.0000021030270000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://193.17.183.14:3000/
Source: xSO7sbN2j6.exe, 00000003.00000003.2254594450.000002102E6DF000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000002.2435457331.000002102E6DF000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2432907096.000002102E6DF000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2431258852.000002102E6DF000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2422307122.000002102E6DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://193.17.183.14:3000/)
Source: xSO7sbN2j6.exe, 00000001.00000003.2230935199.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2231419814.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2242231546.000001EB0963D000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2243884643.000001EB0963F000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2231219931.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2242552349.000001EB0963F000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2230779110.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2244516546.000001EB0963F000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2241515410.000001EB0963D000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2231615557.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2242943794.000001EB0963F000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2242054897.000001EB0964A000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2242717820.000001EB0963F000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2230655896.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2230534838.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2242054897.000001EB0963D000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2231035454.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2231219931.000001EB09649000.00000004.00000020.00020000.00000000.sdmp, python3.dll.1.dr, libssl-1_1.dll.1.dr, unicodedata.pyd.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: xSO7sbN2j6.exe, 00000001.00000003.2242717820.000001EB0963F000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2231219931.000001EB09649000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2Assure
Source: xSO7sbN2j6.exe, 00000001.00000003.2230935199.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2231419814.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2242231546.000001EB0963D000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2243884643.000001EB0963F000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2231219931.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2242552349.000001EB0963F000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2230779110.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2244516546.000001EB0963F000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2241515410.000001EB0963D000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2231615557.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2242943794.000001EB0963F000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2242054897.000001EB0964A000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2242717820.000001EB0963F000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2230655896.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2230534838.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2242054897.000001EB0963D000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2231035454.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, python3.dll.1.dr, libssl-1_1.dll.1.dr, unicodedata.pyd.1.dr, _ssl.pyd.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: xSO7sbN2j6.exe, 00000001.00000003.2230935199.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2231419814.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2242231546.000001EB0963D000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2243884643.000001EB0963F000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2231219931.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2242552349.000001EB0963F000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2230779110.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2244516546.000001EB0963F000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2241515410.000001EB0963D000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2231615557.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2242943794.000001EB0963F000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2242717820.000001EB0963F000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2230655896.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2230534838.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2231035454.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, python3.dll.1.dr, libssl-1_1.dll.1.dr, unicodedata.pyd.1.dr, _ssl.pyd.1.dr, _lzma.pyd.1.dr, pyexpat.pyd.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: xSO7sbN2j6.exe, 00000001.00000003.2242054897.000001EB0963D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: xSO7sbN2j6.exe, 00000001.00000003.2230534838.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiC
Source: xSO7sbN2j6.exe, 00000001.00000003.2230534838.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCM
Source: xSO7sbN2j6.exe, 00000001.00000003.2230935199.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2231419814.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2242231546.000001EB0963D000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2243884643.000001EB0963F000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2231219931.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2242552349.000001EB0963F000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2230779110.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2244516546.000001EB0963F000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2241515410.000001EB0963D000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2231615557.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2242943794.000001EB0963F000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2242054897.000001EB0964A000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2242717820.000001EB0963F000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2230655896.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2242054897.000001EB0963D000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2231035454.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, python3.dll.1.dr, libssl-1_1.dll.1.dr, unicodedata.pyd.1.dr, _ssl.pyd.1.dr, _lzma.pyd.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: xSO7sbN2j6.exe, 00000001.00000003.2230935199.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2231419814.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2242231546.000001EB0963D000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2243884643.000001EB0963F000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2231219931.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2242552349.000001EB0963F000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2230779110.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2244516546.000001EB0963F000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2241515410.000001EB0963D000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2231615557.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2242943794.000001EB0963F000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2242717820.000001EB0963F000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2230655896.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2230534838.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2231035454.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2231219931.000001EB09649000.00000004.00000020.00020000.00000000.sdmp, python3.dll.1.dr, libssl-1_1.dll.1.dr, unicodedata.pyd.1.dr, _ssl.pyd.1.dr, _lzma.pyd.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: xSO7sbN2j6.exe, 00000001.00000003.2230935199.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2231419814.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2242231546.000001EB0963D000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2243884643.000001EB0963F000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2231219931.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2242552349.000001EB0963F000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2230779110.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2244516546.000001EB0963F000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2241515410.000001EB0963D000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2231615557.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2242943794.000001EB0963F000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2242054897.000001EB0964A000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2242717820.000001EB0963F000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2230655896.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2230534838.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2242054897.000001EB0963D000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2231035454.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, python3.dll.1.dr, libssl-1_1.dll.1.dr, unicodedata.pyd.1.dr, _ssl.pyd.1.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: xSO7sbN2j6.exe, 00000001.00000003.2230935199.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2231419814.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2242231546.000001EB0963D000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2243884643.000001EB0963F000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2231219931.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2242552349.000001EB0963F000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2230779110.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2244516546.000001EB0963F000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2241515410.000001EB0963D000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2231615557.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2242943794.000001EB0963F000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2242717820.000001EB0963F000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2230655896.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2230534838.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2231035454.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2231219931.000001EB09649000.00000004.00000020.00020000.00000000.sdmp, python3.dll.1.dr, libssl-1_1.dll.1.dr, unicodedata.pyd.1.dr, _ssl.pyd.1.dr, _lzma.pyd.1.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: xSO7sbN2j6.exe, 00000001.00000003.2230935199.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2231419814.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2242231546.000001EB0963D000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2243884643.000001EB0963F000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2231219931.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2242552349.000001EB0963F000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2230779110.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2244516546.000001EB0963F000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2241515410.000001EB0963D000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2231615557.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2242943794.000001EB0963F000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2242054897.000001EB0964A000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2242717820.000001EB0963F000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2230655896.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2230534838.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2242054897.000001EB0963D000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2231035454.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2231219931.000001EB09649000.00000004.00000020.00020000.00000000.sdmp, python3.dll.1.dr, libssl-1_1.dll.1.dr, unicodedata.pyd.1.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: xSO7sbN2j6.exe, 00000001.00000003.2230935199.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2231419814.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2242231546.000001EB0963D000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2243884643.000001EB0963F000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2231219931.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2242552349.000001EB0963F000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2230779110.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2244516546.000001EB0963F000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2241515410.000001EB0963D000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2231615557.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2242943794.000001EB0963F000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2242054897.000001EB0964A000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2242717820.000001EB0963F000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2230655896.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2230534838.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2242054897.000001EB0963D000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2231035454.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, python3.dll.1.dr, libssl-1_1.dll.1.dr, unicodedata.pyd.1.dr, _ssl.pyd.1.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: xSO7sbN2j6.exe, 00000001.00000003.2230935199.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2231419814.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2242231546.000001EB0963D000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2243884643.000001EB0963F000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2231219931.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2242552349.000001EB0963F000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2230779110.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2244516546.000001EB0963F000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2241515410.000001EB0963D000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2231615557.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2242943794.000001EB0963F000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2242717820.000001EB0963F000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2230655896.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2230534838.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2231035454.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2231219931.000001EB09649000.00000004.00000020.00020000.00000000.sdmp, python3.dll.1.dr, libssl-1_1.dll.1.dr, unicodedata.pyd.1.dr, _ssl.pyd.1.dr, _lzma.pyd.1.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: xSO7sbN2j6.exe, 00000003.00000002.2439755385.0000021030E90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://curl.haxx.se/rfc/cookie_spec.html
Source: xSO7sbN2j6.exe, 00000003.00000002.2437139354.0000021030370000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://goo.gl/zeJZl
Source: xSO7sbN2j6.exe, 00000003.00000003.2423714607.000002103020C000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2422096808.00000210301C9000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2423197574.00000210301C9000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000002.2436577050.0000021030211000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2431934560.000002103020D000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2426840147.000002103021A000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2433468001.000002103020E000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2433810897.0000021030210000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://google.com/
Source: xSO7sbN2j6.exe, 00000003.00000003.2423625603.0000021030163000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2427750884.0000021030164000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2423437104.0000021030111000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2422434748.0000021030111000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://google.com/mail/
Source: xSO7sbN2j6.exe, 00000003.00000003.2426690756.00000210300F3000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2431068921.00000210300FB000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2422434748.0000021030084000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2423437104.0000021030085000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535
Source: xSO7sbN2j6.exe, 00000003.00000003.2254594450.000002102E62E000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2433190982.0000021030082000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2422434748.0000021030084000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2432907096.000002102E6DF000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2431258852.000002102E6DF000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2422307122.000002102E6DF000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2428983620.0000021030085000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2423437104.0000021030085000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2433913042.0000021030089000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2422597636.000002103007F000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2431770423.0000021030086000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://json.org
Source: xSO7sbN2j6.exe, 00000003.00000002.2437083752.0000021030330000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://mail.python.org/pipermail/python-dev/2012-June/120787.html
Source: xSO7sbN2j6.exe, 00000001.00000003.2230935199.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2231419814.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2242231546.000001EB0963D000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2243884643.000001EB0963F000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2231219931.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2242552349.000001EB0963F000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2230779110.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2244516546.000001EB0963F000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2241515410.000001EB0963D000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2231615557.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2242943794.000001EB0963F000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2242054897.000001EB0964A000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2242717820.000001EB0963F000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2230655896.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2230534838.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2242054897.000001EB0963D000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2231035454.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2231219931.000001EB09649000.00000004.00000020.00020000.00000000.sdmp, python3.dll.1.dr, libssl-1_1.dll.1.dr, unicodedata.pyd.1.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: xSO7sbN2j6.exe, 00000001.00000003.2230935199.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2231419814.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2242231546.000001EB0963D000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2243884643.000001EB0963F000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2231219931.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2242552349.000001EB0963F000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2230779110.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2244516546.000001EB0963F000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2241515410.000001EB0963D000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2231615557.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2242943794.000001EB0963F000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2242054897.000001EB0964A000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2242717820.000001EB0963F000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2230655896.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2230534838.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2242054897.000001EB0963D000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2231035454.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, python3.dll.1.dr, libssl-1_1.dll.1.dr, unicodedata.pyd.1.dr, _ssl.pyd.1.dr	String found in binary or memory: http://ocsp.digicert.com0N
Source: xSO7sbN2j6.exe, 00000001.00000003.2230935199.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2231419814.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2242231546.000001EB0963D000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2243884643.000001EB0963F000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2231219931.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2242552349.000001EB0963F000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2230779110.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2244516546.000001EB0963F000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2241515410.000001EB0963D000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2231615557.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2242943794.000001EB0963F000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2242717820.000001EB0963F000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2230655896.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2230534838.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2231035454.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2231219931.000001EB09649000.00000004.00000020.00020000.00000000.sdmp, python3.dll.1.dr, libssl-1_1.dll.1.dr, unicodedata.pyd.1.dr, _ssl.pyd.1.dr, _lzma.pyd.1.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: xSO7sbN2j6.exe, 00000001.00000003.2242054897.000001EB0963D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.thawte.com0
Source: xSO7sbN2j6.exe, 00000003.00000002.2443034874.00007FF8A8CCC000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: http://python.org/dev/peps/pep-0263/
Source: xSO7sbN2j6.exe, 00000003.00000002.2436948556.0000021030270000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://timgolden.me.uk/python/wmi.html
Source: xSO7sbN2j6.exe, 00000003.00000002.2439623686.0000021030DC0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://tools.ietf.org/html/rfc6125#section-6.4.3
Source: xSO7sbN2j6.exe, 00000001.00000003.2242054897.000001EB0963D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: xSO7sbN2j6.exe, 00000001.00000003.2242054897.000001EB0963D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: xSO7sbN2j6.exe, 00000001.00000003.2242054897.000001EB0963D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: xSO7sbN2j6.exe, 00000003.00000002.2435883667.0000021030070000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.cl.cam.ac.uk/~mgk25/iso-time.html
Source: xSO7sbN2j6.exe, 00000001.00000003.2230935199.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2231419814.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2242231546.000001EB0963D000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2243884643.000001EB0963F000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2231219931.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2242552349.000001EB0963F000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2230779110.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2244516546.000001EB0963F000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2241515410.000001EB0963D000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2231615557.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2242943794.000001EB0963F000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2242717820.000001EB0963F000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2230655896.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2230534838.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2231035454.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2231219931.000001EB09649000.00000004.00000020.00020000.00000000.sdmp, python3.dll.1.dr, libssl-1_1.dll.1.dr, unicodedata.pyd.1.dr, _ssl.pyd.1.dr, _lzma.pyd.1.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: xSO7sbN2j6.exe, 00000003.00000003.2423714607.000002103020C000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2422096808.00000210301C9000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2423197574.00000210301C9000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000002.2436577050.0000021030211000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2431934560.000002103020D000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2433468001.000002103020E000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2433810897.0000021030210000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6
Source: xSO7sbN2j6.exe, 00000003.00000002.2435883667.0000021030070000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iana.org/time-zones/repository/tz-link.html
Source: xSO7sbN2j6.exe, 00000003.00000002.2435832830.0000021030030000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.ntcore.com/files/richsign.htm
Source: xSO7sbN2j6.exe, 00000003.00000002.2435832830.0000021030030000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.opensource.org/licenses/mit-license.php
Source: xSO7sbN2j6.exe, 00000003.00000003.2427260813.00000210306C3000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2420272100.00000210306B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.python.org/
Source: xSO7sbN2j6.exe, 00000001.00000003.2246060805.000001EB0963F000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000002.2435780956.000002102FFF0000.00000004.00001000.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2254594450.000002102E62E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.python.org/dev/peps/pep-0205/
Source: xSO7sbN2j6.exe, 00000003.00000002.2435047798.000002102DFB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.python.org/download/releases/2.3/mro/.
Source: xSO7sbN2j6.exe, 00000003.00000003.2427260813.00000210306C3000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000002.2437767537.00000210306C4000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2420272100.00000210306B1000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2430312247.00000210306C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://wwwsearch.sf.net/):
Source: xSO7sbN2j6.exe, 00000003.00000002.2437313978.0000021030500000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://auscitte.github.io/systems%20blog/Exception-Directory-pefile#implementation-details
Source: xSO7sbN2j6.exe, 00000003.00000002.2439890285.0000021030F80000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/socket.html#socket.socket.connect_ex
Source: xSO7sbN2j6.exe, 00000003.00000002.2439352613.0000021030C20000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://foss.heptapod.net/pypy/pypy/-/issues/3539
Source: xSO7sbN2j6.exe, 00000003.00000003.2422096808.00000210301C9000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2425207464.0000021030208000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2423197574.00000210301C9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Ousret/charset_normalizer
Source: xSO7sbN2j6.exe, 00000003.00000003.2428147875.000002102E61C000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2251857001.000002102DE12000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2431983853.000002102DE25000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2251711442.000002102DE23000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000002.2435267835.000002102E620000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2252362356.000002102DE12000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000002.2434678392.000002102DE25000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2429262032.000002102DE24000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2429012313.000002102DE17000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2251408429.000002102DE12000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2252165282.000002102DE23000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2428839810.000002102DE12000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2422739995.000002102DE12000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy
Source: xSO7sbN2j6.exe, 00000003.00000002.2437139354.0000021030370000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/giampaolo/psutil/issues/875.
Source: xSO7sbN2j6.exe, 00000001.00000003.2245348776.000001EB0964B000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2243434894.000001EB0963F000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2245250027.000001EB0964B000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2244843348.000001EB0963F000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2245348776.000001EB0963F000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2245250027.000001EB0963F000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2244989268.000001EB0963F000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2243739150.000001EB0963F000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2244711265.000001EB0963F000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2244711265.000001EB0964B000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2229733855.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2245110481.000001EB0963F000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000002.2445756170.00007FF8B801B000.00000004.00000001.01000000.0000000C.sdmp, xSO7sbN2j6.exe, 00000003.00000002.2445273022.00007FF8B78CB000.00000004.00000001.01000000.0000000F.sdmp, xSO7sbN2j6.exe, 00000003.00000002.2445053706.00007FF8B61E1000.00000004.00000001.01000000.00000014.sdmp, xSO7sbN2j6.exe, 00000003.00000002.2444783479.00007FF8B61BE000.00000004.00000001.01000000.00000015.sdmp, xSO7sbN2j6.exe, 00000003.00000002.2442979393.00007FF8A89BD000.00000004.00000001.01000000.0000000E.sdmp, win32security.pyd.1.dr, win32trace.pyd.1.dr, win32net.pyd.1.dr, win32api.pyd.1.dr	String found in binary or memory: https://github.com/mhammond/pywin32
Source: xSO7sbN2j6.exe, 00000003.00000002.2434833250.000002102DE70000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688
Source: xSO7sbN2j6.exe, 00000003.00000003.2422739995.000002102DE12000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py
Source: xSO7sbN2j6.exe, 00000003.00000003.2428147875.000002102E61C000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2251857001.000002102DE12000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2431983853.000002102DE25000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2251711442.000002102DE23000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000002.2435267835.000002102E620000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2252362356.000002102DE12000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000002.2434678392.000002102DE25000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2429262032.000002102DE24000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2429012313.000002102DE17000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2251408429.000002102DE12000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2252165282.000002102DE23000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2428839810.000002102DE12000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2422739995.000002102DE12000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader
Source: xSO7sbN2j6.exe, 00000003.00000003.2428147875.000002102E61C000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2251857001.000002102DE12000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2431983853.000002102DE25000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2251711442.000002102DE23000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000002.2435267835.000002102E620000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2252362356.000002102DE12000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000002.2434678392.000002102DE25000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2429262032.000002102DE24000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2429012313.000002102DE17000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2251408429.000002102DE12000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2252165282.000002102DE23000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2428839810.000002102DE12000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2422739995.000002102DE12000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#
Source: xSO7sbN2j6.exe, 00000003.00000002.2439352613.0000021030C20000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/2192#issuecomment-821832963
Source: xSO7sbN2j6.exe, 00000003.00000003.2423714607.000002103020C000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2422096808.00000210301C9000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2423197574.00000210301C9000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2433838314.0000021030224000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2431674157.000002103021F000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000002.2436577050.0000021030225000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2426840147.000002103021A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/2513#issuecomment-1152559900.
Source: xSO7sbN2j6.exe, 00000003.00000002.2439623686.0000021030DC0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/2920
Source: xSO7sbN2j6.exe, 00000003.00000002.2439623686.0000021030DC0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/29200
Source: xSO7sbN2j6.exe, 00000003.00000003.2423197574.00000210301C9000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2423367529.0000021030687000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2423290501.000002102E669000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2426840147.000002103021A000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2422877879.0000021030674000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2433603496.000002103068A000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2424521540.000002103068A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://google.com/
Source: xSO7sbN2j6.exe, 00000003.00000003.2423714607.000002103020C000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2422096808.00000210301C9000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2423197574.00000210301C9000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2423367529.0000021030687000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2426840147.000002103021A000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2422877879.0000021030674000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2433603496.000002103068A000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2424521540.000002103068A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://google.com/mail
Source: xSO7sbN2j6.exe, 00000003.00000003.2422434748.0000021030111000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://google.com/mail/
Source: xSO7sbN2j6.exe, 00000003.00000003.2423714607.000002103020C000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2422096808.00000210301C9000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2423197574.00000210301C9000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2431934560.000002103020D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://html.spec.whatwg.org/multipage/
Source: xSO7sbN2j6.exe, 00000003.00000003.2423290501.000002102E669000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://httpbin.org/
Source: xSO7sbN2j6.exe, 00000003.00000003.2420272100.000002103071B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://httpbin.org/get
Source: xSO7sbN2j6.exe, 00000003.00000003.2422877879.0000021030674000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://httpbin.org/post
Source: xSO7sbN2j6.exe, 00000003.00000003.2427260813.00000210306C3000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2420272100.00000210306B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mahler:8092/site-updates.py
Source: xSO7sbN2j6.exe, 00000003.00000003.2422877879.0000021030674000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000002.2439890285.0000021030F80000.00000004.00001000.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000002.2437590272.0000021030675000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://requests.readthedocs.io
Source: xSO7sbN2j6.exe, 00000003.00000002.2437139354.0000021030370000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/questions/4457745#4457745
Source: xSO7sbN2j6.exe, 00000003.00000003.2426690756.00000210300F3000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2431068921.00000210300FB000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2422434748.0000021030084000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2423437104.0000021030085000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2432380367.0000021030100000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tools.ietf.org/html/rfc2388#section-4.4
Source: xSO7sbN2j6.exe, 00000003.00000003.2422096808.00000210301C9000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2425207464.0000021030208000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2423197574.00000210301C9000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2423290501.000002102E669000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://twitter.com/
Source: xSO7sbN2j6.exe, 00000001.00000003.2241172247.000001EB0963D000.00000004.00000020.00020000.00000000.sdmp, upx.exe.1.dr	String found in binary or memory: https://upx.github.ioT
Source: xSO7sbN2j6.exe, 00000003.00000002.2439623686.0000021030DC0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#https-proxy-error-http-proxy
Source: xSO7sbN2j6.exe, 00000003.00000002.2439438753.0000021030CA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warnings
Source: xSO7sbN2j6.exe, 00000001.00000003.2230935199.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2231419814.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2242231546.000001EB0963D000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2243884643.000001EB0963F000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2231219931.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2242552349.000001EB0963F000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2230779110.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2244516546.000001EB0963F000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2241515410.000001EB0963D000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2231615557.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2242943794.000001EB0963F000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2242054897.000001EB0964A000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2242717820.000001EB0963F000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2230655896.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2230534838.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2242054897.000001EB0963D000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2231035454.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2231219931.000001EB09649000.00000004.00000020.00020000.00000000.sdmp, python3.dll.1.dr, libssl-1_1.dll.1.dr, unicodedata.pyd.1.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: xSO7sbN2j6.exe, 00000003.00000002.2436994535.00000210302B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.mandiant.com/resources/blog/tracking-malware-import-hashing
Source: xSO7sbN2j6.exe, 00000001.00000003.2242231546.000001EB0963D000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000002.2442165063.00007FF8A84FE000.00000004.00000001.01000000.00000017.sdmp, xSO7sbN2j6.exe, 00000003.00000002.2442708741.00007FF8A88F1000.00000004.00000001.01000000.00000019.sdmp, libssl-1_1.dll.1.dr	String found in binary or memory: https://www.openssl.org/H
Source: xSO7sbN2j6.exe, 00000003.00000003.2422877879.0000021030674000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.python.org
Source: xSO7sbN2j6.exe, 00000003.00000003.2423714607.000002103020C000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2422096808.00000210301C9000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2423197574.00000210301C9000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2423367529.0000021030687000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2426840147.000002103021A000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2422877879.0000021030674000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2433603496.000002103068A000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2424521540.000002103068A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://yahoo.com/

Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 1_2_00007FF73D7C4EA0	1_2_00007FF73D7C4EA0
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 1_2_00007FF73D7C5DEC	1_2_00007FF73D7C5DEC
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 1_2_00007FF73D7A58E0	1_2_00007FF73D7A58E0
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 1_2_00007FF73D7B6878	1_2_00007FF73D7B6878
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 1_2_00007FF73D7B16C4	1_2_00007FF73D7B16C4
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 1_2_00007FF73D7B66C4	1_2_00007FF73D7B66C4
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 1_2_00007FF73D7C2DB0	1_2_00007FF73D7C2DB0
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 1_2_00007FF73D7BFA88	1_2_00007FF73D7BFA88
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 1_2_00007FF73D7B2614	1_2_00007FF73D7B2614
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 1_2_00007FF73D7AFD40	1_2_00007FF73D7AFD40
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 1_2_00007FF73D7B0560	1_2_00007FF73D7B0560
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 1_2_00007FF73D7BCD64	1_2_00007FF73D7BCD64
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 1_2_00007FF73D7C58A0	1_2_00007FF73D7C58A0
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 1_2_00007FF73D7B70FC	1_2_00007FF73D7B70FC
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 1_2_00007FF73D7BD878	1_2_00007FF73D7BD878
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 1_2_00007FF73D7B4FC0	1_2_00007FF73D7B4FC0
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 1_2_00007FF73D7AFF44	1_2_00007FF73D7AFF44
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 1_2_00007FF73D7B0764	1_2_00007FF73D7B0764
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 1_2_00007FF73D7B2A18	1_2_00007FF73D7B2A18
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 1_2_00007FF73D7C0A34	1_2_00007FF73D7C0A34
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 1_2_00007FF73D7C324C	1_2_00007FF73D7C324C
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 1_2_00007FF73D7BFA88	1_2_00007FF73D7BFA88
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 1_2_00007FF73D7B6878	1_2_00007FF73D7B6878
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 1_2_00007FF73D7B21DC	1_2_00007FF73D7B21DC
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 1_2_00007FF73D7BD1F8	1_2_00007FF73D7BD1F8
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 1_2_00007FF73D7C511C	1_2_00007FF73D7C511C
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 1_2_00007FF73D7B0150	1_2_00007FF73D7B0150
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 1_2_00007FF73D7B8D00	1_2_00007FF73D7B8D00
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 1_2_00007FF73D7A7420	1_2_00007FF73D7A7420
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 1_2_00007FF73D7C8BE8	1_2_00007FF73D7C8BE8
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 1_2_00007FF73D7B132C	1_2_00007FF73D7B132C
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 1_2_00007FF73D7B0354	1_2_00007FF73D7B0354
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF73D7C4EA0	3_2_00007FF73D7C4EA0
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF73D7C5DEC	3_2_00007FF73D7C5DEC
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF73D7B21DC	3_2_00007FF73D7B21DC
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF73D7B132C	3_2_00007FF73D7B132C
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF73D7B16C4	3_2_00007FF73D7B16C4
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF73D7B66C4	3_2_00007FF73D7B66C4
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF73D7C2DB0	3_2_00007FF73D7C2DB0
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF73D7BFA88	3_2_00007FF73D7BFA88
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF73D7B2614	3_2_00007FF73D7B2614
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF73D7AFD40	3_2_00007FF73D7AFD40
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF73D7B0560	3_2_00007FF73D7B0560
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF73D7BCD64	3_2_00007FF73D7BCD64
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF73D7C58A0	3_2_00007FF73D7C58A0
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF73D7A58E0	3_2_00007FF73D7A58E0
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF73D7B70FC	3_2_00007FF73D7B70FC
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF73D7BD878	3_2_00007FF73D7BD878
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF73D7B6878	3_2_00007FF73D7B6878
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF73D7B4FC0	3_2_00007FF73D7B4FC0
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF73D7AFF44	3_2_00007FF73D7AFF44
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF73D7B0764	3_2_00007FF73D7B0764
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF73D7B2A18	3_2_00007FF73D7B2A18
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF73D7C0A34	3_2_00007FF73D7C0A34
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF73D7C324C	3_2_00007FF73D7C324C
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF73D7BFA88	3_2_00007FF73D7BFA88
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF73D7B6878	3_2_00007FF73D7B6878
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF73D7BD1F8	3_2_00007FF73D7BD1F8
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF73D7C511C	3_2_00007FF73D7C511C
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF73D7B0150	3_2_00007FF73D7B0150
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF73D7B8D00	3_2_00007FF73D7B8D00
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF73D7A7420	3_2_00007FF73D7A7420
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF73D7C8BE8	3_2_00007FF73D7C8BE8
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF73D7B0354	3_2_00007FF73D7B0354
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF8A80912C0	3_2_00007FF8A80912C0
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF8A80918E0	3_2_00007FF8A80918E0
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF8A84FCDE0	3_2_00007FF8A84FCDE0
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF8A81B4147	3_2_00007FF8A81B4147
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF8A81B2121	3_2_00007FF8A81B2121
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF8A82E69B0	3_2_00007FF8A82E69B0
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF8A834EAF0	3_2_00007FF8A834EAF0
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF8A81B1AEB	3_2_00007FF8A81B1AEB
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF8A81B1F82	3_2_00007FF8A81B1F82
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF8A81B6A23	3_2_00007FF8A81B6A23
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF8A81B65BE	3_2_00007FF8A81B65BE
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF8A829AD30	3_2_00007FF8A829AD30
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF8A81B6028	3_2_00007FF8A81B6028
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF8A81B673F	3_2_00007FF8A81B673F
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF8A81B12A8	3_2_00007FF8A81B12A8
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF8A81B6104	3_2_00007FF8A81B6104
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF8A81B3EBD	3_2_00007FF8A81B3EBD
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF8A81CEF00	3_2_00007FF8A81CEF00
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF8A81B2680	3_2_00007FF8A81B2680
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF8A81CF060	3_2_00007FF8A81CF060
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF8A82EF090	3_2_00007FF8A82EF090
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF8A81B2437	3_2_00007FF8A81B2437
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF8A8366120	3_2_00007FF8A8366120
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF8A82E61A0	3_2_00007FF8A82E61A0
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF8A81B2351	3_2_00007FF8A81B2351
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF8A81B6258	3_2_00007FF8A81B6258
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF8A81B443F	3_2_00007FF8A81B443F
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF8A81B30AD	3_2_00007FF8A81B30AD
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF8A81B51F5	3_2_00007FF8A81B51F5
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF8A81B24B9	3_2_00007FF8A81B24B9
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF8A81B6942	3_2_00007FF8A81B6942
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF8A81B3800	3_2_00007FF8A81B3800
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF8A81B4DC2	3_2_00007FF8A81B4DC2
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF8A81B2B3F	3_2_00007FF8A81B2B3F
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF8A81B19E2	3_2_00007FF8A81B19E2
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF8A82927B0	3_2_00007FF8A82927B0
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF8A81B105F	3_2_00007FF8A81B105F
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF8A81B6573	3_2_00007FF8A81B6573
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF8A81B4E9E	3_2_00007FF8A81B4E9E
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF8A81B3DD7	3_2_00007FF8A81B3DD7
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF8A81B283D	3_2_00007FF8A81B283D
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF8A81B3C33	3_2_00007FF8A81B3C33
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF8A821FA00	3_2_00007FF8A821FA00
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF8A81B11DB	3_2_00007FF8A81B11DB
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF8A834FC50	3_2_00007FF8A834FC50
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF8A81CBD60	3_2_00007FF8A81CBD60
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF8A81B12C1	3_2_00007FF8A81B12C1
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF8A81B1893	3_2_00007FF8A81B1893
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF8A81B466F	3_2_00007FF8A81B466F
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF8A82EFE50	3_2_00007FF8A82EFE50
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF8A81B1B9F	3_2_00007FF8A81B1B9F
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF8A81B403E	3_2_00007FF8A81B403E
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF8A81B1B7C	3_2_00007FF8A81B1B7C
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF8A81CBF20	3_2_00007FF8A81CBF20
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF8A81B201D	3_2_00007FF8A81B201D
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF8A81B3878	3_2_00007FF8A81B3878
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF8A834C050	3_2_00007FF8A834C050
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF8A81B135C	3_2_00007FF8A81B135C
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF8A81B71C6	3_2_00007FF8A81B71C6
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF8A81B62A3	3_2_00007FF8A81B62A3
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF8A81B5227	3_2_00007FF8A81B5227
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF8A82DF120	3_2_00007FF8A82DF120
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF8A81B51FA	3_2_00007FF8A81B51FA
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF8A81B48EA	3_2_00007FF8A81B48EA
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF8A81CF200	3_2_00007FF8A81CF200
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF8A81B1EBF	3_2_00007FF8A81B1EBF
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF8A81B259A	3_2_00007FF8A81B259A
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF8A81B2A3B	3_2_00007FF8A81B2A3B
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF8A81B2522	3_2_00007FF8A81B2522
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF8A81B524A	3_2_00007FF8A81B524A
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF8A81B60FF	3_2_00007FF8A81B60FF
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF8A81DB4C0	3_2_00007FF8A81DB4C0
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF8A81B1BD1	3_2_00007FF8A81B1BD1
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF8A81B4B92	3_2_00007FF8A81B4B92
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF8A834B6D0	3_2_00007FF8A834B6D0
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF8A81B5BB9	3_2_00007FF8A81B5BB9
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF8A81B3ECC	3_2_00007FF8A81B3ECC
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF8A81B34C2	3_2_00007FF8A81B34C2
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF8A81DB850	3_2_00007FF8A81DB850
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF8A82DB8A0	3_2_00007FF8A82DB8A0
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF8A81B643D	3_2_00007FF8A81B643D
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF8A81B381E	3_2_00007FF8A81B381E
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF8A81B5038	3_2_00007FF8A81B5038
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF8A81B2941	3_2_00007FF8A81B2941
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF8A8350B70	3_2_00007FF8A8350B70
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF8A81B60AF	3_2_00007FF8A81B60AF
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF8A83E8CF0	3_2_00007FF8A83E8CF0
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF8A82E4CE0	3_2_00007FF8A82E4CE0
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF8A81B6546	3_2_00007FF8A81B6546
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF8A81B6302	3_2_00007FF8A81B6302
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF8A81B2EC3	3_2_00007FF8A81B2EC3
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF8A81B6EAB	3_2_00007FF8A81B6EAB
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF8A81B1041	3_2_00007FF8A81B1041
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF8A81B321A	3_2_00007FF8A81B321A
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF8A81B6014	3_2_00007FF8A81B6014
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF8A82E4FF0	3_2_00007FF8A82E4FF0
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF8A81B4025	3_2_00007FF8A81B4025
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF8A81B3751	3_2_00007FF8A81B3751
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF8A81B3DE1	3_2_00007FF8A81B3DE1
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF8A81B515F	3_2_00007FF8A81B515F
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF8A81B66EA	3_2_00007FF8A81B66EA
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF8A81B4B42	3_2_00007FF8A81B4B42
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF8A8364260	3_2_00007FF8A8364260
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF8A8260200	3_2_00007FF8A8260200
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF8A82DC240	3_2_00007FF8A82DC240
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF8A81B2C66	3_2_00007FF8A81B2C66
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF8A81B71E4	3_2_00007FF8A81B71E4
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF8A82F0450	3_2_00007FF8A82F0450
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF8A81B5740	3_2_00007FF8A81B5740
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF8A81B3981	3_2_00007FF8A81B3981
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF8A81CC480	3_2_00007FF8A81CC480
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF8A81B2BDA	3_2_00007FF8A81B2BDA
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF8A81CC620	3_2_00007FF8A81CC620
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF8A81B7063	3_2_00007FF8A81B7063
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF8A81B3148	3_2_00007FF8A81B3148
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF8A81B17E9	3_2_00007FF8A81B17E9
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF8A81B111D	3_2_00007FF8A81B111D
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF8A81B2C07	3_2_00007FF8A81B2C07
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF8A81B4E08	3_2_00007FF8A81B4E08
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF8A81B12EE	3_2_00007FF8A81B12EE
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF8A81B736A	3_2_00007FF8A81B736A
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF8A81B2770	3_2_00007FF8A81B2770
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF8A8365970	3_2_00007FF8A8365970
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF8A81B35EE	3_2_00007FF8A81B35EE
Source: C:\Users\user\AppData\Local\Temp\_MEI12682\exe\netconn_properties.exe	Code function: 7_2_00A1582D	7_2_00A1582D
Source: C:\Users\user\AppData\Local\Temp\_MEI12682\exe\netconn_properties.exe	Code function: 7_2_00A10A9B	7_2_00A10A9B
Source: C:\Users\user\AppData\Local\Temp\_MEI12682\exe\netconn_properties.exe	Code function: 7_2_00A0823C	7_2_00A0823C
Source: C:\Users\user\AppData\Local\Temp\_MEI12682\exe\netconn_properties.exe	Code function: 7_2_00A105F0	7_2_00A105F0
Source: C:\Users\user\AppData\Local\Temp\_MEI12682\exe\netconn_properties.exe	Code function: 7_2_00A07EFA	7_2_00A07EFA
Source: C:\Users\user\AppData\Local\Temp\_MEI12682\exe\registers.exe	Code function: 10_2_002694B0	10_2_002694B0

Source: C:\Users\user\AppData\Local\Temp\_MEI12682\exe\netconn_properties.exe	Code function: String function: 00A03FF0 appears 35 times
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: String function: 00007FF8A81B1055 appears 1131 times
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: String function: 00007FF8A81B207C appears 65 times
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: String function: 00007FF8A81B5E02 appears 543 times
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: String function: 00007FF73D7A1C50 appears 90 times
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: String function: 00007FF8A81B1C12 appears 98 times
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: String function: 00007FF8A81B4115 appears 285 times
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: String function: 00007FF8A81B46A6 appears 112 times
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: String function: 00007FF8A81B4214 appears 36 times
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: String function: 00007FF73D7A1CB0 appears 38 times

Source: win32ui.pyd.1.dr	Static PE information: Resource name: RT_CURSOR type: DOS executable (COM, 0x8C-variant)
Source: win32ui.pyd.1.dr	Static PE information: Resource name: RT_STRING type: DOS executable (COM)
Source: unicodedata.pyd.1.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS

Source: api-ms-win-core-handle-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-string-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-2-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-memory-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-sysinfo-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-debug-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: python3.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-utility-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-environment-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-heap-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-console-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-process-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l2-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-runtime-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-string-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-2-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-profile-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-libraryloader-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-localization-l1-2-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-datetime-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-time-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-locale-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-1.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-namedpipe-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-multibyte-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-filesystem-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-stdio-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-util-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-math-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-errorhandling-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-processenvironment-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-interlocked-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-heap-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-rtlsupport-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-conio-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-timezone-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-convert-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found

Source: xSO7sbN2j6.exe, 00000001.00000003.2230935199.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_hashlib.pyd. vs xSO7sbN2j6.exe
Source: xSO7sbN2j6.exe, 00000001.00000003.2232552994.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs xSO7sbN2j6.exe
Source: xSO7sbN2j6.exe, 00000001.00000003.2232822044.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs xSO7sbN2j6.exe
Source: xSO7sbN2j6.exe, 00000001.00000003.2245348776.000001EB0964B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamewin32wnet.pyd0 vs xSO7sbN2j6.exe
Source: xSO7sbN2j6.exe, 00000001.00000003.2232106594.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs xSO7sbN2j6.exe
Source: xSO7sbN2j6.exe, 00000001.00000003.2239664904.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs xSO7sbN2j6.exe
Source: xSO7sbN2j6.exe, 00000001.00000003.2232918955.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs xSO7sbN2j6.exe
Source: xSO7sbN2j6.exe, 00000001.00000003.2231419814.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_socket.pyd. vs xSO7sbN2j6.exe
Source: xSO7sbN2j6.exe, 00000001.00000003.2240170760.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs xSO7sbN2j6.exe
Source: xSO7sbN2j6.exe, 00000001.00000003.2235950959.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs xSO7sbN2j6.exe
Source: xSO7sbN2j6.exe, 00000001.00000003.2234782736.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs xSO7sbN2j6.exe
Source: xSO7sbN2j6.exe, 00000001.00000003.2243434894.000001EB0963F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamepythoncom38.dll0 vs xSO7sbN2j6.exe
Source: xSO7sbN2j6.exe, 00000001.00000003.2234634320.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs xSO7sbN2j6.exe
Source: xSO7sbN2j6.exe, 00000001.00000003.2236165439.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs xSO7sbN2j6.exe
Source: xSO7sbN2j6.exe, 00000001.00000003.2242231546.000001EB0963D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelibsslH vs xSO7sbN2j6.exe
Source: xSO7sbN2j6.exe, 00000001.00000003.2243884643.000001EB0963F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameselect.pyd. vs xSO7sbN2j6.exe
Source: xSO7sbN2j6.exe, 00000001.00000003.2234396719.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs xSO7sbN2j6.exe
Source: xSO7sbN2j6.exe, 00000001.00000003.2232435962.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs xSO7sbN2j6.exe
Source: xSO7sbN2j6.exe, 00000001.00000003.2245250027.000001EB0964B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamewin32trace.pyd0 vs xSO7sbN2j6.exe
Source: xSO7sbN2j6.exe, 00000001.00000003.2233290847.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs xSO7sbN2j6.exe
Source: xSO7sbN2j6.exe, 00000001.00000003.2231219931.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_queue.pyd. vs xSO7sbN2j6.exe
Source: xSO7sbN2j6.exe, 00000001.00000003.2242552349.000001EB0963F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamepyexpat.pyd. vs xSO7sbN2j6.exe
Source: xSO7sbN2j6.exe, 00000001.00000003.2230779110.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_elementtree.pyd. vs xSO7sbN2j6.exe
Source: xSO7sbN2j6.exe, 00000001.00000003.2239861973.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs xSO7sbN2j6.exe
Source: xSO7sbN2j6.exe, 00000001.00000003.2239037297.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs xSO7sbN2j6.exe
Source: xSO7sbN2j6.exe, 00000001.00000003.2244516546.000001EB0963F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameunicodedata.pyd. vs xSO7sbN2j6.exe
Source: xSO7sbN2j6.exe, 00000001.00000003.2234547266.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs xSO7sbN2j6.exe
Source: xSO7sbN2j6.exe, 00000001.00000003.2244843348.000001EB0963F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamewin32api.pyd0 vs xSO7sbN2j6.exe
Source: xSO7sbN2j6.exe, 00000001.00000003.2231902757.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs xSO7sbN2j6.exe
Source: xSO7sbN2j6.exe, 00000001.00000003.2238777336.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs xSO7sbN2j6.exe
Source: xSO7sbN2j6.exe, 00000001.00000003.2233634128.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs xSO7sbN2j6.exe
Source: xSO7sbN2j6.exe, 00000001.00000003.2239258092.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs xSO7sbN2j6.exe
Source: xSO7sbN2j6.exe, 00000001.00000003.2232341692.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs xSO7sbN2j6.exe
Source: xSO7sbN2j6.exe, 00000001.00000003.2230257256.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamevcruntime140.dllT vs xSO7sbN2j6.exe
Source: xSO7sbN2j6.exe, 00000001.00000003.2233028833.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs xSO7sbN2j6.exe
Source: xSO7sbN2j6.exe, 00000001.00000003.2245348776.000001EB0963F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamewin32wnet.pyd0 vs xSO7sbN2j6.exe
Source: xSO7sbN2j6.exe, 00000001.00000003.2237358262.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs xSO7sbN2j6.exe
Source: xSO7sbN2j6.exe, 00000001.00000003.2231615557.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_ssl.pyd. vs xSO7sbN2j6.exe
Source: xSO7sbN2j6.exe, 00000001.00000003.2231807921.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs xSO7sbN2j6.exe
Source: xSO7sbN2j6.exe, 00000001.00000003.2232671264.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs xSO7sbN2j6.exe
Source: xSO7sbN2j6.exe, 00000001.00000003.2235634596.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs xSO7sbN2j6.exe
Source: xSO7sbN2j6.exe, 00000001.00000003.2233543724.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs xSO7sbN2j6.exe
Source: xSO7sbN2j6.exe, 00000001.00000003.2239987749.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs xSO7sbN2j6.exe
Source: xSO7sbN2j6.exe, 00000001.00000003.2232218108.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs xSO7sbN2j6.exe
Source: xSO7sbN2j6.exe, 00000001.00000003.2242717820.000001EB0963F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamepython3.dll. vs xSO7sbN2j6.exe
Source: xSO7sbN2j6.exe, 00000001.00000003.2234300243.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs xSO7sbN2j6.exe
Source: xSO7sbN2j6.exe, 00000001.00000003.2234146122.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs xSO7sbN2j6.exe
Source: xSO7sbN2j6.exe, 00000001.00000003.2245250027.000001EB0963F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamewin32trace.pyd0 vs xSO7sbN2j6.exe
Source: xSO7sbN2j6.exe, 00000001.00000003.2230655896.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_ctypes.pyd. vs xSO7sbN2j6.exe
Source: xSO7sbN2j6.exe, 00000001.00000003.2240443886.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs xSO7sbN2j6.exe
Source: xSO7sbN2j6.exe, 00000001.00000003.2244989268.000001EB0963F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamewin32net.pyd0 vs xSO7sbN2j6.exe
Source: xSO7sbN2j6.exe, 00000001.00000003.2244110686.000001EB0963F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameucrtbase.dllj% vs xSO7sbN2j6.exe
Source: xSO7sbN2j6.exe, 00000001.00000003.2230534838.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_bz2.pyd. vs xSO7sbN2j6.exe
Source: xSO7sbN2j6.exe, 00000001.00000003.2243739150.000001EB0963F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamepywintypes38.dll0 vs xSO7sbN2j6.exe
Source: xSO7sbN2j6.exe, 00000001.00000003.2233738349.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs xSO7sbN2j6.exe
Source: xSO7sbN2j6.exe, 00000001.00000003.2231035454.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_lzma.pyd. vs xSO7sbN2j6.exe
Source: xSO7sbN2j6.exe, 00000001.00000003.2235784465.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs xSO7sbN2j6.exe
Source: xSO7sbN2j6.exe, 00000001.00000003.2244711265.000001EB0963F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_win32sysloader.pyd0 vs xSO7sbN2j6.exe
Source: xSO7sbN2j6.exe, 00000001.00000003.2241172247.000001EB0963D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameupx.exe( vs xSO7sbN2j6.exe
Source: xSO7sbN2j6.exe, 00000001.00000003.2230430431.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamevcruntime140_1.dllT vs xSO7sbN2j6.exe
Source: xSO7sbN2j6.exe, 00000001.00000003.2239479830.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs xSO7sbN2j6.exe
Source: xSO7sbN2j6.exe, 00000001.00000003.2244711265.000001EB0964B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_win32sysloader.pyd0 vs xSO7sbN2j6.exe
Source: xSO7sbN2j6.exe, 00000001.00000003.2233416251.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs xSO7sbN2j6.exe
Source: xSO7sbN2j6.exe, 00000001.00000003.2225271860.000001EB0963A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemsvcp140.dllT vs xSO7sbN2j6.exe
Source: xSO7sbN2j6.exe, 00000001.00000003.2236972106.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs xSO7sbN2j6.exe
Source: xSO7sbN2j6.exe, 00000001.00000003.2239773442.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs xSO7sbN2j6.exe
Source: xSO7sbN2j6.exe, 00000001.00000003.2229733855.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamewin32ui.pyd0 vs xSO7sbN2j6.exe
Source: xSO7sbN2j6.exe, 00000001.00000003.2245110481.000001EB0963F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamewin32security.pyd0 vs xSO7sbN2j6.exe
Source: xSO7sbN2j6.exe, 00000001.00000003.2233871695.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs xSO7sbN2j6.exe
Source: xSO7sbN2j6.exe, 00000003.00000002.2445756170.00007FF8B801B000.00000004.00000001.01000000.0000000C.sdmp	Binary or memory string: OriginalFilenamepywintypes38.dll0 vs xSO7sbN2j6.exe
Source: xSO7sbN2j6.exe, 00000003.00000002.2445996971.00007FF8B8112000.00000002.00000001.01000000.00000004.sdmp	Binary or memory string: OriginalFilenameucrtbase.dllj% vs xSO7sbN2j6.exe
Source: xSO7sbN2j6.exe, 00000003.00000002.2446611440.00007FF8B8CBC000.00000004.00000001.01000000.0000001B.sdmp	Binary or memory string: OriginalFilename_queue.pyd. vs xSO7sbN2j6.exe
Source: xSO7sbN2j6.exe, 00000003.00000002.2448841371.00007FF8BFAD6000.00000002.00000001.01000000.00000006.sdmp	Binary or memory string: OriginalFilenamevcruntime140.dllT vs xSO7sbN2j6.exe
Source: xSO7sbN2j6.exe, 00000003.00000002.2443805965.00007FF8A8E07000.00000004.00000001.01000000.00000005.sdmp	Binary or memory string: OriginalFilenamepython38.dll. vs xSO7sbN2j6.exe
Source: xSO7sbN2j6.exe, 00000003.00000002.2441390190.00007FF8A81A1000.00000004.00000001.01000000.0000001E.sdmp	Binary or memory string: OriginalFilenameunicodedata.pyd. vs xSO7sbN2j6.exe
Source: xSO7sbN2j6.exe, 00000003.00000002.2448066086.00007FF8B9F69000.00000002.00000001.01000000.0000000D.sdmp	Binary or memory string: OriginalFilenamevcruntime140_1.dllT vs xSO7sbN2j6.exe
Source: xSO7sbN2j6.exe, 00000003.00000002.2442165063.00007FF8A84FE000.00000004.00000001.01000000.00000017.sdmp	Binary or memory string: OriginalFilenamelibcryptoH vs xSO7sbN2j6.exe
Source: xSO7sbN2j6.exe, 00000003.00000002.2445273022.00007FF8B78CB000.00000004.00000001.01000000.0000000F.sdmp	Binary or memory string: OriginalFilenamewin32api.pyd0 vs xSO7sbN2j6.exe
Source: xSO7sbN2j6.exe, 00000003.00000002.2448608318.00007FF8BA4F2000.00000002.00000001.01000000.00000007.sdmp	Binary or memory string: OriginalFilenamepython3.dll. vs xSO7sbN2j6.exe
Source: xSO7sbN2j6.exe, 00000003.00000002.2442708741.00007FF8A88F1000.00000004.00000001.01000000.00000019.sdmp	Binary or memory string: OriginalFilenamelibsslH vs xSO7sbN2j6.exe
Source: xSO7sbN2j6.exe, 00000003.00000002.2445053706.00007FF8B61E1000.00000004.00000001.01000000.00000014.sdmp	Binary or memory string: OriginalFilenamewin32net.pyd0 vs xSO7sbN2j6.exe
Source: xSO7sbN2j6.exe, 00000003.00000002.2447268382.00007FF8B9106000.00000004.00000001.01000000.00000008.sdmp	Binary or memory string: OriginalFilename_ctypes.pyd. vs xSO7sbN2j6.exe
Source: xSO7sbN2j6.exe, 00000003.00000002.2444783479.00007FF8B61BE000.00000004.00000001.01000000.00000015.sdmp	Binary or memory string: OriginalFilenamewin32security.pyd0 vs xSO7sbN2j6.exe
Source: xSO7sbN2j6.exe, 00000003.00000002.2446255115.00007FF8B8269000.00000004.00000001.01000000.00000011.sdmp	Binary or memory string: OriginalFilename_socket.pyd. vs xSO7sbN2j6.exe
Source: xSO7sbN2j6.exe, 00000003.00000002.2444222330.00007FF8B573C000.00000004.00000001.01000000.00000018.sdmp	Binary or memory string: OriginalFilename_ssl.pyd. vs xSO7sbN2j6.exe
Source: xSO7sbN2j6.exe, 00000003.00000002.2444486642.00007FF8B6180000.00000004.00000001.01000000.00000016.sdmp	Binary or memory string: OriginalFilename_hashlib.pyd. vs xSO7sbN2j6.exe
Source: xSO7sbN2j6.exe, 00000003.00000002.2447618348.00007FF8B984C000.00000004.00000001.01000000.00000012.sdmp	Binary or memory string: OriginalFilenameselect.pyd. vs xSO7sbN2j6.exe
Source: xSO7sbN2j6.exe, 00000003.00000002.2447462091.00007FF8B93DB000.00000004.00000001.01000000.0000000A.sdmp	Binary or memory string: OriginalFilename_bz2.pyd. vs xSO7sbN2j6.exe
Source: xSO7sbN2j6.exe, 00000003.00000002.2446968005.00007FF8B8F9D000.00000004.00000001.01000000.0000000B.sdmp	Binary or memory string: OriginalFilename_lzma.pyd. vs xSO7sbN2j6.exe
Source: xSO7sbN2j6.exe, 00000003.00000002.2442979393.00007FF8A89BD000.00000004.00000001.01000000.0000000E.sdmp	Binary or memory string: OriginalFilenamepythoncom38.dll0 vs xSO7sbN2j6.exe

Source: libcrypto-1_1.dll.1.dr	Static PE information: Section: UPX1 ZLIB complexity 0.998678197927011
Source: libssl-1_1.dll.1.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9901204901603499
Source: python38.dll.1.dr	Static PE information: Section: UPX1 ZLIB complexity 0.999271124301676
Source: pythoncom38.dll.1.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9918376865671642
Source: win32ui.pyd.1.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9930449695121951
Source: unicodedata.pyd.1.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9942785780669146
Source: _cffi.cp38-win_amd64.pyd.1.dr	Static PE information: Section: UPX1 ZLIB complexity 0.995086669921875
Source: backend_c.cp38-win_amd64.pyd.1.dr	Static PE information: Section: UPX1 ZLIB complexity 0.992855787803532

Source: classification engine

Classification label: mal100.evad.winEXE@8/83@0/0

Source: C:\Users\user\Desktop\xSO7sbN2j6.exe

Code function: 1_2_00007FF73D7A6670 GetLastError,FormatMessageW,WideCharToMultiByte,

1_2_00007FF73D7A6670

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3576:120:WilError_03

Source: C:\Users\user\Desktop\xSO7sbN2j6.exe

File created: C:\Users\user\AppData\Local\Temp\_MEI12682

Jump to behavior

Source: xSO7sbN2j6.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\xSO7sbN2j6.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\xSO7sbN2j6.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: xSO7sbN2j6.exe	ReversingLabs: Detection: 15%
Source: xSO7sbN2j6.exe	Virustotal: Detection: 16%

Source: xSO7sbN2j6.exe	String found in binary or memory: set-addPolicy
Source: xSO7sbN2j6.exe	String found in binary or memory: id-cmc-addExtensions

Source: C:\Users\user\Desktop\xSO7sbN2j6.exe

File read: C:\Users\user\Desktop\xSO7sbN2j6.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\xSO7sbN2j6.exe "C:\Users\user\Desktop\xSO7sbN2j6.exe"
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Process created: C:\Users\user\Desktop\xSO7sbN2j6.exe "C:\Users\user\Desktop\xSO7sbN2j6.exe"
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Process created: C:\Users\user\AppData\Local\Temp\_MEI12682\exe\netconn_properties.exe C:\Users\user\AppData\Local\Temp\_MEI12682\exe/netconn_properties.exe
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Process created: C:\Users\user\AppData\Local\Temp\_MEI12682\exe\registers.exe C:\Users\user\AppData\Local\Temp\_MEI12682\exe/registers.exe
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Process created: C:\Users\user\Desktop\xSO7sbN2j6.exe "C:\Users\user\Desktop\xSO7sbN2j6.exe"	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Process created: C:\Users\user\AppData\Local\Temp\_MEI12682\exe\netconn_properties.exe C:\Users\user\AppData\Local\Temp\_MEI12682\exe/netconn_properties.exe	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Process created: C:\Users\user\AppData\Local\Temp\_MEI12682\exe\registers.exe C:\Users\user\AppData\Local\Temp\_MEI12682\exe/registers.exe	Jump to behavior

Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Section loaded: libffi-7.dll	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Section loaded: security.dll	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Section loaded: ntdsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Section loaded: libcrypto-1_1.dll	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Section loaded: libssl-1_1.dll	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI12682\exe\netconn_properties.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI12682\exe\netconn_properties.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI12682\exe\netconn_properties.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI12682\exe\netconn_properties.exe	Section loaded: netshell.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI12682\exe\netconn_properties.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI12682\exe\netconn_properties.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI12682\exe\netconn_properties.exe	Section loaded: netsetupapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI12682\exe\netconn_properties.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI12682\exe\netconn_properties.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI12682\exe\registers.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI12682\exe\registers.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI12682\exe\registers.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI12682\exe\registers.exe	Section loaded: kernel.appcore.dll	Jump to behavior

Source: C:\Users\user\Desktop\xSO7sbN2j6.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\xSO7sbN2j6.exe

File opened: C:\Users\user\Desktop\pyvenv.cfg

Jump to behavior

Source: xSO7sbN2j6.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: xSO7sbN2j6.exe

Static file information: File size 11440768 > 1048576

Source: xSO7sbN2j6.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: xSO7sbN2j6.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: xSO7sbN2j6.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: xSO7sbN2j6.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: xSO7sbN2j6.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: xSO7sbN2j6.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: xSO7sbN2j6.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: xSO7sbN2j6.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: api-ms-win-crt-locale-l1-1-0.pdb source: xSO7sbN2j6.exe, 00000001.00000003.2239037297.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-locale-l1-1-0.dll.1.dr
Source:	Binary string: C:\src\pywin32\build\temp.win-amd64-3.8\Release\win32net.pdb source: xSO7sbN2j6.exe, 00000003.00000002.2444861222.00007FF8B61C1000.00000040.00000001.01000000.00000014.sdmp
Source:	Binary string: C:\Users\c\source\repos\ConsoleApplication2\Release\ConsoleApplication2.pdb source: registers.exe, registers.exe, 0000000A.00000002.2415695027.0000000000261000.00000040.00000001.01000000.00000022.sdmp
Source:	Binary string: api-ms-win-crt-runtime-l1-1-0.pdb source: xSO7sbN2j6.exe, 00000001.00000003.2239773442.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-runtime-l1-1-0.dll.1.dr
Source:	Binary string: C:\A\34\b\bin\amd64\select.pdb source: xSO7sbN2j6.exe, 00000003.00000002.2447521757.00007FF8B9841000.00000040.00000001.01000000.00000012.sdmp
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_A source: xSO7sbN2j6.exe
Source:	Binary string: api-ms-win-core-file-l1-2-0.pdb source: xSO7sbN2j6.exe, 00000001.00000003.2232435962.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-file-l1-2-0.dll.1.dr
Source:	Binary string: ucrtbase.pdb source: xSO7sbN2j6.exe, 00000003.00000002.2445898778.00007FF8B80D5000.00000002.00000001.01000000.00000004.sdmp, ucrtbase.dll.1.dr
Source:	Binary string: api-ms-win-core-memory-l1-1-0.pdb source: xSO7sbN2j6.exe, 00000001.00000003.2233416251.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-memory-l1-1-0.dll.1.dr
Source:	Binary string: api-ms-win-core-debug-l1-1-0.pdb source: xSO7sbN2j6.exe, 00000001.00000003.2232106594.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-debug-l1-1-0.dll.1.dr
Source:	Binary string: C:\src\pywin32\build\temp.win-amd64-3.8\Release\pywintypes.pdb source: xSO7sbN2j6.exe, 00000003.00000002.2445592803.00007FF8B7FF1000.00000040.00000001.01000000.0000000C.sdmp
Source:	Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: xSO7sbN2j6.exe, 00000001.00000003.2234782736.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-sysinfo-l1-1-0.dll.1.dr
Source:	Binary string: api-ms-win-crt-filesystem-l1-1-0.pdb source: xSO7sbN2j6.exe, 00000001.00000003.2237358262.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\A\34\b\bin\amd64\python38.pdb source: xSO7sbN2j6.exe, 00000003.00000002.2443034874.00007FF8A8CCC000.00000040.00000001.01000000.00000005.sdmp
Source:	Binary string: C:\Users\c\source\repos\ConsoleApplication2\Release\ConsoleApplication2.pdb%% source: registers.exe, 0000000A.00000002.2415695027.0000000000261000.00000040.00000001.01000000.00000022.sdmp
Source:	Binary string: api-ms-win-crt-stdio-l1-1-0.pdb source: xSO7sbN2j6.exe, 00000001.00000003.2239861973.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\src\pywin32\build\temp.win-amd64-3.8\Release\win32security.pdb source: xSO7sbN2j6.exe, 00000003.00000002.2444589477.00007FF8B6191000.00000040.00000001.01000000.00000015.sdmp
Source:	Binary string: api-ms-win-core-heap-l1-1-0.pdb source: xSO7sbN2j6.exe, 00000001.00000003.2232822044.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\A\34\b\bin\amd64\python3.pdb source: xSO7sbN2j6.exe, 00000001.00000003.2242717820.000001EB0963F000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000002.2448608318.00007FF8BA4F2000.00000002.00000001.01000000.00000007.sdmp, python3.dll.1.dr
Source:	Binary string: api-ms-win-core-util-l1-1-0.pdb source: xSO7sbN2j6.exe, 00000001.00000003.2235784465.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-synch-l1-1-0.pdb source: xSO7sbN2j6.exe, 00000001.00000003.2234547266.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-synch-l1-1-0.dll.1.dr
Source:	Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: xSO7sbN2j6.exe, 00000001.00000003.2236972106.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-environment-l1-1-0.dll.1.dr
Source:	Binary string: C:\A\34\b\bin\amd64\_ssl.pdb source: xSO7sbN2j6.exe, 00000003.00000002.2444067430.00007FF8B5711000.00000040.00000001.01000000.00000018.sdmp
Source:	Binary string: D:\a01\_work\26\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: xSO7sbN2j6.exe, 00000001.00000003.2230257256.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000002.2448737746.00007FF8BFAD1000.00000002.00000001.01000000.00000006.sdmp, VCRUNTIME140.dll.1.dr
Source:	Binary string: api-ms-win-core-errorhandling-l1-1-0.pdb source: xSO7sbN2j6.exe, 00000001.00000003.2232218108.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-errorhandling-l1-1-0.dll.1.dr
Source:	Binary string: d:\a01\_work\12\s\\binaries\amd64ret\bin\amd64\\mfc140u.amd64.pdb source: mfc140u.dll.1.dr
Source:	Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: xSO7sbN2j6.exe, 00000001.00000003.2233738349.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-processthreads-l1-1-0.dll.1.dr
Source:	Binary string: d:\a01\_work\12\s\\binaries\amd64ret\bin\amd64\\mfc140u.amd64.pdbGCTL source: mfc140u.dll.1.dr
Source:	Binary string: api-ms-win-core-console-l1-1-0.pdb source: xSO7sbN2j6.exe, 00000001.00000003.2231807921.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-console-l1-1-0.dll.1.dr
Source:	Binary string: api-ms-win-core-file-l1-1-0.pdb source: xSO7sbN2j6.exe, 00000001.00000003.2232341692.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-file-l1-1-0.dll.1.dr
Source:	Binary string: api-ms-win-crt-convert-l1-1-0.pdb source: xSO7sbN2j6.exe, 00000001.00000003.2236165439.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\A\6\b\libssl-1_1.pdb source: xSO7sbN2j6.exe, xSO7sbN2j6.exe, 00000003.00000002.2442460559.00007FF8A88B4000.00000040.00000001.01000000.00000019.sdmp
Source:	Binary string: C:\Users\b\source\repos\ConsoleApplication1\Release\ConsoleApplication1.pdb source: netconn_properties.exe, netconn_properties.exe, 00000007.00000002.2414728783.0000000000A01000.00000040.00000001.01000000.00000021.sdmp
Source:	Binary string: api-ms-win-core-profile-l1-1-0.pdb source: xSO7sbN2j6.exe, 00000001.00000003.2234146122.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-profile-l1-1-0.dll.1.dr
Source:	Binary string: ucrtbase.pdbUGP source: xSO7sbN2j6.exe, 00000003.00000002.2445898778.00007FF8B80D5000.00000002.00000001.01000000.00000004.sdmp, ucrtbase.dll.1.dr
Source:	Binary string: C:\A\34\b\bin\amd64\unicodedata.pdb source: xSO7sbN2j6.exe, 00000003.00000002.2441062409.00007FF8A8195000.00000040.00000001.01000000.0000001E.sdmp
Source:	Binary string: api-ms-win-crt-time-l1-1-0.pdb source: xSO7sbN2j6.exe, 00000001.00000003.2240170760.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a01\_work\26\s\\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: xSO7sbN2j6.exe, 00000001.00000003.2230430431.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000002.2447867332.00007FF8B9F65000.00000002.00000001.01000000.0000000D.sdmp
Source:	Binary string: C:\src\pywin32\build\temp.win-amd64-3.8\Release\pythoncom.pdb}},GCTL source: xSO7sbN2j6.exe, 00000003.00000002.2442766857.00007FF8A8901000.00000040.00000001.01000000.0000000E.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\msvcp140.amd64.pdb source: MSVCP140.dll.1.dr
Source:	Binary string: api-ms-win-core-handle-l1-1-0.pdb source: xSO7sbN2j6.exe, 00000001.00000003.2232671264.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\A\34\b\bin\amd64\_bz2.pdb source: xSO7sbN2j6.exe, 00000003.00000002.2447332028.00007FF8B93C1000.00000040.00000001.01000000.0000000A.sdmp
Source:	Binary string: C:\A\34\b\bin\amd64\_lzma.pdbMM source: xSO7sbN2j6.exe, 00000003.00000002.2446708944.00007FF8B8F8D000.00000040.00000001.01000000.0000000B.sdmp
Source:	Binary string: C:\src\pywin32\build\temp.win-amd64-3.8\Release\pywintypes.pdb** source: xSO7sbN2j6.exe, 00000003.00000002.2445592803.00007FF8B7FF1000.00000040.00000001.01000000.0000000C.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\msvcp140.amd64.pdbGCTL source: MSVCP140.dll.1.dr
Source:	Binary string: api-ms-win-core-synch-l1-2-0.pdb source: xSO7sbN2j6.exe, 00000001.00000003.2234634320.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-synch-l1-2-0.dll.1.dr
Source:	Binary string: C:\A\34\b\bin\amd64\_hashlib.pdb source: xSO7sbN2j6.exe, 00000003.00000002.2444302392.00007FF8B6176000.00000040.00000001.01000000.00000016.sdmp
Source:	Binary string: C:\A\6\b\libssl-1_1.pdb?? source: xSO7sbN2j6.exe, 00000003.00000002.2442460559.00007FF8A88B4000.00000040.00000001.01000000.00000019.sdmp
Source:	Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: xSO7sbN2j6.exe, 00000001.00000003.2233634128.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-processenvironment-l1-1-0.dll.1.dr
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM source: xSO7sbN2j6.exe, 00000003.00000002.2441450814.00007FF8A83F8000.00000040.00000001.01000000.00000017.sdmp
Source:	Binary string: api-ms-win-core-datetime-l1-1-0.pdb source: xSO7sbN2j6.exe, 00000001.00000003.2231902757.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\src\pywin32\build\temp.win-amd64-3.8\Release\win32net.pdb source: xSO7sbN2j6.exe, 00000003.00000002.2444861222.00007FF8B61C1000.00000040.00000001.01000000.00000014.sdmp
Source:	Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: xSO7sbN2j6.exe, 00000001.00000003.2235950959.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-conio-l1-1-0.dll.1.dr
Source:	Binary string: C:\A\34\b\bin\amd64\_socket.pdb source: xSO7sbN2j6.exe, 00000003.00000002.2446080851.00007FF8B8251000.00000040.00000001.01000000.00000011.sdmp
Source:	Binary string: api-ms-win-core-localization-l1-2-0.pdb source: xSO7sbN2j6.exe, 00000001.00000003.2233290847.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-localization-l1-2-0.dll.1.dr
Source:	Binary string: api-ms-win-crt-math-l1-1-0.pdb source: xSO7sbN2j6.exe, 00000001.00000003.2239258092.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\A\34\b\bin\amd64\_ctypes.pdb source: xSO7sbN2j6.exe, 00000003.00000002.2447129812.00007FF8B90E1000.00000040.00000001.01000000.00000008.sdmp
Source:	Binary string: C:\A\34\b\bin\amd64\_lzma.pdb source: xSO7sbN2j6.exe, 00000003.00000002.2446708944.00007FF8B8F8D000.00000040.00000001.01000000.0000000B.sdmp
Source:	Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: xSO7sbN2j6.exe, 00000001.00000003.2233871695.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-processthreads-l1-1-1.dll.1.dr
Source:	Binary string: api-ms-win-core-namedpipe-l1-1-0.pdb source: xSO7sbN2j6.exe, 00000001.00000003.2233543724.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-namedpipe-l1-1-0.dll.1.dr
Source:	Binary string: api-ms-win-crt-multibyte-l1-1-0.pdb source: xSO7sbN2j6.exe, 00000001.00000003.2239479830.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-multibyte-l1-1-0.dll.1.dr
Source:	Binary string: api-ms-win-crt-utility-l1-1-0.pdb source: xSO7sbN2j6.exe, 00000001.00000003.2240443886.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdb source: xSO7sbN2j6.exe, 00000001.00000003.2234300243.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: xSO7sbN2j6.exe, 00000001.00000003.2235634596.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-timezone-l1-1-0.dll.1.dr
Source:	Binary string: api-ms-win-core-string-l1-1-0.pdb source: xSO7sbN2j6.exe, 00000001.00000003.2234396719.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-file-l2-1-0.pdb source: xSO7sbN2j6.exe, 00000001.00000003.2232552994.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-process-l1-1-0.pdb source: xSO7sbN2j6.exe, 00000001.00000003.2239664904.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-process-l1-1-0.dll.1.dr
Source:	Binary string: api-ms-win-core-libraryloader-l1-1-0.pdb source: xSO7sbN2j6.exe, 00000001.00000003.2233028833.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\src\pywin32\build\temp.win-amd64-3.8\Release\pythoncom.pdb source: xSO7sbN2j6.exe, xSO7sbN2j6.exe, 00000003.00000002.2442766857.00007FF8A8901000.00000040.00000001.01000000.0000000E.sdmp
Source:	Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASMOpenSSL 1.1.1k 25 Mar 2021built on: Tue Apr 6 11:26:02 2021 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-1_1"not available source: xSO7sbN2j6.exe, 00000003.00000002.2441450814.00007FF8A83F8000.00000040.00000001.01000000.00000017.sdmp
Source:	Binary string: api-ms-win-core-interlocked-l1-1-0.pdb source: xSO7sbN2j6.exe, 00000001.00000003.2232918955.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\A\34\b\bin\amd64\_queue.pdb source: xSO7sbN2j6.exe, 00000003.00000002.2446511663.00007FF8B8CB1000.00000040.00000001.01000000.0000001B.sdmp
Source:	Binary string: C:\src\pywin32\build\temp.win-amd64-3.8\Release\win32api.pdb source: xSO7sbN2j6.exe, 00000003.00000002.2445139659.00007FF8B78A1000.00000040.00000001.01000000.0000000F.sdmp
Source:	Binary string: api-ms-win-crt-heap-l1-1-0.pdb source: xSO7sbN2j6.exe, 00000001.00000003.2238777336.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-heap-l1-1-0.dll.1.dr
Source:	Binary string: api-ms-win-crt-string-l1-1-0.pdb source: xSO7sbN2j6.exe, 00000001.00000003.2239987749.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-string-l1-1-0.dll.1.dr
Source:	Binary string: C:\src\pywin32\build\temp.win-amd64-3.8\Release\win32api.pdb!! source: xSO7sbN2j6.exe, 00000003.00000002.2445139659.00007FF8B78A1000.00000040.00000001.01000000.0000000F.sdmp

Source: xSO7sbN2j6.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: xSO7sbN2j6.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: xSO7sbN2j6.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: xSO7sbN2j6.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: xSO7sbN2j6.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: api-ms-win-crt-process-l1-1-0.dll.1.dr

Static PE information: 0xA8F275DA [Mon Oct 27 06:36:10 2059 UTC]

Source: C:\Users\user\Desktop\xSO7sbN2j6.exe

Code function: 3_2_00007FF8A84FCDE0 EntryPoint,LoadLibraryA,GetProcAddress,VirtualProtect,VirtualProtect,VirtualProtect,

3_2_00007FF8A84FCDE0

Source: xSO7sbN2j6.exe	Static PE information: section name: _RDATA
Source: libffi-7.dll.1.dr	Static PE information: section name: UPX2
Source: mfc140u.dll.1.dr	Static PE information: section name: .didat
Source: VCRUNTIME140.dll.1.dr	Static PE information: section name: _RDATA

Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF8A80991E7 push rdi; iretd	3_2_00007FF8A80991E9
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF8A8099328 push r10; retf	3_2_00007FF8A8099391
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF8A8099C33 push rsp; retf	3_2_00007FF8A8099C34
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF8A8096C71 push r10; ret	3_2_00007FF8A8096C73
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF8A8096D16 push r8; ret	3_2_00007FF8A8096D23
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF8A8096D3A push r12; ret	3_2_00007FF8A8096D3C
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF8A8099DB1 push rsp; iretq	3_2_00007FF8A8099DB2
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF8A80985AF push rbp; retf	3_2_00007FF8A80985C8
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF8A80985F4 push r12; ret	3_2_00007FF8A8098630
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF8A8096E36 push rsp; ret	3_2_00007FF8A8096E3E
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF8A8096E7E push rdi; iretd	3_2_00007FF8A8096E80
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF8A8098EAA push rbp; iretq	3_2_00007FF8A8098EAB
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF8A8096EC5 push rsi; ret	3_2_00007FF8A8096EC6
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF8A8096EEF push r10; retf	3_2_00007FF8A8096EF2
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF8A8096F00 push r12; ret	3_2_00007FF8A8096F1E
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF8A8098F42 push r12; ret	3_2_00007FF8A8098F69
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF8A8096F63 push r12; ret	3_2_00007FF8A8096F7B
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF8A8098F97 push r12; iretd	3_2_00007FF8A8098FAE
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF8A8096F88 push r8; ret	3_2_00007FF8A8096F90
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF8A8096FC2 push r10; ret	3_2_00007FF8A8096FD5
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF8A809784D push rsi; ret	3_2_00007FF8A8097884
Source: C:\Users\user\AppData\Local\Temp\_MEI12682\exe\netconn_properties.exe	Code function: 7_2_00A1B9FD push esi; ret	7_2_00A1BA06
Source: C:\Users\user\AppData\Local\Temp\_MEI12682\exe\netconn_properties.exe	Code function: 7_2_00A15F41 push ecx; ret	7_2_00A15F54

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Persistence and Installation Behavior

Found pyInstaller with non standard icon

Source: C:\Users\user\Desktop\xSO7sbN2j6.exe

Process created: "C:\Users\user\Desktop\xSO7sbN2j6.exe"

Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12682\api-ms-win-core-file-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12682\libssl-1_1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12682\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12682\api-ms-win-crt-time-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12682\pyexpat.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12682\api-ms-win-crt-stdio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12682\MSVCP140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12682\api-ms-win-core-console-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12682\win32\_win32sysloader.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12682\api-ms-win-core-processenvironment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12682\api-ms-win-core-processthreads-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12682\exe\netconn_properties.exe	Jump to dropped file
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12682\api-ms-win-crt-process-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12682\api-ms-win-crt-filesystem-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12682\api-ms-win-core-util-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12682\api-ms-win-core-interlocked-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12682\api-ms-win-core-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12682\api-ms-win-crt-multibyte-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12682\ucrtbase.dll	Jump to dropped file
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12682\api-ms-win-core-debug-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12682\win32\win32security.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12682\api-ms-win-core-rtlsupport-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12682\libcrypto-1_1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12682\libffi-7.dll	Jump to dropped file
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12682\api-ms-win-crt-environment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12682\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12682\zstandard\_cffi.cp38-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12682\api-ms-win-core-file-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12682\api-ms-win-core-libraryloader-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12682\api-ms-win-core-localization-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12682\api-ms-win-core-memory-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12682\api-ms-win-core-profile-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12682\exe\registers.exe	Jump to dropped file
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12682\api-ms-win-crt-conio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12682\_queue.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12682\api-ms-win-crt-math-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12682\_socket.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12682\api-ms-win-crt-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12682\VCRUNTIME140_1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12682\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12682\api-ms-win-crt-utility-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12682\api-ms-win-core-file-l2-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12682\api-ms-win-core-synch-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12682\charset_normalizer\md.cp38-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12682\api-ms-win-core-timezone-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12682\python38.dll	Jump to dropped file
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12682\api-ms-win-core-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12682\exe\upx.exe	Jump to dropped file
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12682\win32\win32net.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12682\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12682\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12682\api-ms-win-crt-convert-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12682\select.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12682\win32\win32api.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12682\Pythonwin\mfc140u.dll	Jump to dropped file
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12682\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12682\api-ms-win-core-sysinfo-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12682\api-ms-win-crt-runtime-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12682\psutil\_psutil_windows.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12682\api-ms-win-crt-locale-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12682\api-ms-win-core-errorhandling-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12682\pywin32_system32\pywintypes38.dll	Jump to dropped file
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12682\_elementtree.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12682\VCRUNTIME140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12682\api-ms-win-core-handle-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12682\api-ms-win-core-namedpipe-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12682\api-ms-win-core-synch-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12682\win32\win32wnet.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12682\python3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12682\win32\win32trace.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12682\zstandard\backend_c.cp38-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12682\Pythonwin\win32ui.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12682\pywin32_system32\pythoncom38.dll	Jump to dropped file
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12682\api-ms-win-core-processthreads-l1-1-1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12682\charset_normalizer\md__mypyc.cp38-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12682\api-ms-win-crt-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI12682\api-ms-win-core-datetime-l1-1-0.dll	Jump to dropped file

Source: C:\Users\user\Desktop\xSO7sbN2j6.exe

Code function: 1_2_00007FF73D7A2F20 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

1_2_00007FF73D7A2F20

Source: C:\Users\user\Desktop\xSO7sbN2j6.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Source: C:\Users\user\AppData\Local\Temp\_MEI12682\exe\registers.exe

Code function: 10_2_00261520

10_2_00261520

Queries BIOS fan information (via WMI, Win32_Fan, often done to detect virtual machines)

Source: C:\Users\user\Desktop\xSO7sbN2j6.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Fan

Queries memory information (via WMI often done to detect virtual machines)

Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_CacheMemory
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_MemoryDevice
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_MemoryArray
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM CIM_MemoryCapacity
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_SMBIOSMemory
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM CIM_Memory
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PhysicalMemory

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Source: C:\Users\user\Desktop\xSO7sbN2j6.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Users\user\Desktop\xSO7sbN2j6.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Desktop\xSO7sbN2j6.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter

Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)

Source: C:\Users\user\Desktop\xSO7sbN2j6.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PhysicalMemory

Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)

Source: C:\Users\user\Desktop\xSO7sbN2j6.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_LogicalDisk

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController

Queries temperature or sensor information (via WMI often done to detect virtual machines)

Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM CIM_NumericSensor
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM CIM_Sensor
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM CIM_TemperatureSensor
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PerfFormattedData_Counters_ThermalZoneInformation

Queries voltage information (via WMI often done to detect virtual machines)

Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VoltageProbe
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM CIM_VoltageSensor

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\AppData\Local\Temp\_MEI12682\exe\registers.exe	RDTSC instruction interceptor: First address: 261592 second address: 26159C instructions: 0x00000000 rdtsc 0x00000002 mov dword ptr [esp+44h], eax 0x00000006 mov dword ptr [esp+40h], edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\_MEI12682\exe\registers.exe	RDTSC instruction interceptor: First address: 26159C second address: 2615A6 instructions: 0x00000000 rdtsc 0x00000002 mov dword ptr [esp+3Ch], eax 0x00000006 mov dword ptr [esp+38h], edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\_MEI12682\exe\registers.exe	RDTSC instruction interceptor: First address: 2615A6 second address: 2615B0 instructions: 0x00000000 rdtsc 0x00000002 mov dword ptr [esp+34h], eax 0x00000006 mov dword ptr [esp+30h], edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\_MEI12682\exe\registers.exe	RDTSC instruction interceptor: First address: 2615B0 second address: 2615BA instructions: 0x00000000 rdtsc 0x00000002 mov dword ptr [esp+2Ch], eax 0x00000006 mov dword ptr [esp+28h], edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\_MEI12682\exe\registers.exe	RDTSC instruction interceptor: First address: 2615BA second address: 2615CA instructions: 0x00000000 rdtsc 0x00000002 mov dword ptr [esp+24h], eax 0x00000006 xor eax, eax 0x00000008 push ebx 0x00000009 mov dword ptr [esp+24h], edx 0x0000000d cpuid 0x0000000f pop ebx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\_MEI12682\exe\registers.exe	RDTSC instruction interceptor: First address: 2615CA second address: 2615DC instructions: 0x00000000 rdtsc 0x00000002 mov dword ptr [esp+1Ch], eax 0x00000006 xor ecx, ecx 0x00000008 xor eax, eax 0x0000000a mov dword ptr [esp+18h], edx 0x0000000e push ebx 0x0000000f cpuid 0x00000011 pop ebx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\_MEI12682\exe\registers.exe	RDTSC instruction interceptor: First address: 2615DC second address: 2615EE instructions: 0x00000000 rdtsc 0x00000002 mov dword ptr [esp+14h], eax 0x00000006 xor ecx, ecx 0x00000008 xor eax, eax 0x0000000a mov dword ptr [esp+10h], edx 0x0000000e push ebx 0x0000000f cpuid 0x00000011 pop ebx 0x00000012 rdtsc

Source: C:\Users\user\AppData\Local\Temp\_MEI12682\exe\registers.exe

Code function: 10_2_00261520 rdtsc

10_2_00261520

Source: C:\Users\user\AppData\Local\Temp\_MEI12682\exe\registers.exe

Code function: 10_2_00261520 sgdt fword ptr [esp+000000B0h]

10_2_00261520

Source: C:\Users\user\AppData\Local\Temp\_MEI12682\exe\registers.exe

Code function: 10_2_00261520 sidt fword ptr [esp+000000A8h]

10_2_00261520

Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12682\api-ms-win-core-file-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12682\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12682\api-ms-win-crt-time-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12682\pyexpat.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12682\api-ms-win-crt-stdio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12682\win32\_win32sysloader.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12682\api-ms-win-core-processthreads-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12682\api-ms-win-core-console-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12682\api-ms-win-core-processenvironment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12682\api-ms-win-crt-process-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12682\api-ms-win-crt-filesystem-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12682\api-ms-win-core-util-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12682\api-ms-win-core-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12682\api-ms-win-core-interlocked-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12682\api-ms-win-crt-multibyte-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12682\win32\win32security.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12682\api-ms-win-core-debug-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12682\api-ms-win-core-rtlsupport-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12682\api-ms-win-crt-environment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12682\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12682\zstandard\_cffi.cp38-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12682\api-ms-win-core-file-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12682\api-ms-win-core-localization-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12682\api-ms-win-core-libraryloader-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12682\api-ms-win-core-memory-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12682\api-ms-win-core-profile-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12682\api-ms-win-crt-conio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12682\_queue.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12682\api-ms-win-crt-math-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12682\_socket.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12682\api-ms-win-crt-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12682\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12682\api-ms-win-crt-utility-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12682\api-ms-win-core-file-l2-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12682\api-ms-win-core-synch-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12682\charset_normalizer\md.cp38-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12682\api-ms-win-core-timezone-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12682\python38.dll	Jump to dropped file
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12682\api-ms-win-core-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12682\exe\upx.exe	Jump to dropped file
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12682\win32\win32net.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12682\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12682\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12682\api-ms-win-crt-convert-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12682\select.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12682\win32\win32api.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12682\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12682\Pythonwin\mfc140u.dll	Jump to dropped file
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12682\api-ms-win-core-sysinfo-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12682\api-ms-win-crt-runtime-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12682\api-ms-win-crt-locale-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12682\psutil\_psutil_windows.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12682\api-ms-win-core-errorhandling-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12682\pywin32_system32\pywintypes38.dll	Jump to dropped file
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12682\_elementtree.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12682\api-ms-win-core-handle-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12682\api-ms-win-core-namedpipe-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12682\api-ms-win-core-synch-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12682\win32\win32wnet.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12682\win32\win32trace.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12682\python3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12682\zstandard\backend_c.cp38-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12682\pywin32_system32\pythoncom38.dll	Jump to dropped file
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12682\api-ms-win-core-processthreads-l1-1-1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12682\Pythonwin\win32ui.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12682\charset_normalizer\md__mypyc.cp38-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12682\api-ms-win-core-datetime-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI12682\api-ms-win-crt-string-l1-1-0.dll	Jump to dropped file

Source: C:\Users\user\Desktop\xSO7sbN2j6.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_1-16586

Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	API coverage: 7.9 %
Source: C:\Users\user\AppData\Local\Temp\_MEI12682\exe\netconn_properties.exe	API coverage: 6.0 %

Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BaseBoard
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BIOS

Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_ComputerSystemProduct

Source: C:\Users\user\Desktop\xSO7sbN2j6.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 1_2_00007FF73D7B6878 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,	1_2_00007FF73D7B6878
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 1_2_00007FF73D7A69E0 FindFirstFileExW,FindClose,	1_2_00007FF73D7A69E0
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 1_2_00007FF73D7C0A34 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	1_2_00007FF73D7C0A34
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 1_2_00007FF73D7B6878 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,	1_2_00007FF73D7B6878
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF73D7B6878 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,	3_2_00007FF73D7B6878
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF73D7C0A34 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	3_2_00007FF73D7C0A34
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF73D7B6878 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,	3_2_00007FF73D7B6878
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF73D7A69E0 FindFirstFileExW,FindClose,	3_2_00007FF73D7A69E0
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF8A81B4480 MultiByteToWideChar,GetLastError,MultiByteToWideChar,MultiByteToWideChar,00007FF8C610F020,FindFirstFileW,FindNextFileW,WideCharToMultiByte,	3_2_00007FF8A81B4480
Source: C:\Users\user\AppData\Local\Temp\_MEI12682\exe\netconn_properties.exe	Code function: 7_2_00A0CD11 FindFirstFileExW,	7_2_00A0CD11

Source: xSO7sbN2j6.exe, 00000003.00000003.2422434748.0000021030111000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: D9SCX8F8 VMCI Bus Device
Source: xSO7sbN2j6.exe, 00000003.00000003.2424369615.00000210307E1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: stringComputer System ProductComputer System Product6GAYZ12ED92742-89DC-DD72-92E8-869FA5A66493VMware, Inc.None
Source: xSO7sbN2j6.exe, 00000003.00000003.2424369615.00000210307E1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.
Source: xSO7sbN2j6.exe, 00000003.00000003.2428147875.000002102E64D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Win32_PnPEntityU8VE67KY VMCI Bus Device{4d36e97d-e325-11ce-bfc1-08002be10318}System.String[]Win32_PnPEntityZY4E1A5N VMCI Bus DevicePCI\D_H5H1V6&DEV_0740&SUBSYS_074015AD&REV_10\3&61AAA01&0&3FSystem.String[]VMware, Inc.D
Source: xSO7sbN2j6.exe, 00000003.00000002.2440026777.0000021031050000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: VMware Virtual RAM0
Source: xSO7sbN2j6.exe, 00000003.00000003.2422434748.0000021030111000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: U8VE67KY VMCI Bus Device
Source: xSO7sbN2j6.exe, 00000003.00000003.2420878508.00000210307FD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Win32_PhysicalMemoryPhysical Memory 0Win32_PhysicalMemoryPhysical MemoryPhysical MemoryPhysical MemoryRAM slot #0RAM slot #0VMware Virtual RAM00000001VMW-4096MBLMEM
Source: xSO7sbN2j6.exe, 00000003.00000003.2421755441.0000021031790000.00000004.00001000.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2297584953.00000210307FF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: xSO7sbN2j6.exe, 00000003.00000003.2430979576.0000021030172000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2427750884.000002103016B000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2423625603.0000021030163000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2432460343.0000021030173000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2257911551.00000210300E3000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2423685730.000002103016A000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2423437104.0000021030111000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000002.2436306792.0000021030174000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2422434748.0000021030111000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2430089157.0000021030171000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: xSO7sbN2j6.exe, 00000003.00000002.2439982644.0000021031000000.00000004.00001000.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2297912338.00000210307D8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: xSO7sbN2j6.exe, 00000003.00000003.2297912338.00000210307D8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Win32_PnPEntityMicrosoft Hyper-V Virtualization Infrastructure Driver{4d36e97d-e325-11ce-bfc1-08002be10318}Win32_PnPEntityMicrosoft Hyper-V Virtualization Infrastructure DriverROOT\VID\0000System.String[]MicrosoftMicrosoft Hyper-V Virtualization Infrastructure DriverSystemROOT\VID\0000VidOKWin32_ComputerSystemuser-PC
Source: xSO7sbN2j6.exe, 00000003.00000003.2297584953.00000210307FF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Win32_PnPEntityMicrosoft Hyper-V Generation Counter{4d36e97d-e325-11ce-bfc1-08002be10318}System.String[]Win32_PnPEntityMicrosoft Hyper-V Generation CounterACPI\VMW0001\7System.String[]MicrosoftMicrosoft Hyper-V Generation CounterSystemACPI\VMW0001\7gencounterOKWin32_ComputerSystemuser-PC
Source: xSO7sbN2j6.exe, 00000003.00000003.2420878508.00000210307FD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware Virtual RAM
Source: xSO7sbN2j6.exe, 00000003.00000002.2435267835.000002102E64D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Win32_PnPEntityU8VE67KY VMCI Bus Device{4d36e97d-e325-11ce-bfc1-08002be10318}System.Stp
Source: xSO7sbN2j6.exe, 00000003.00000003.2421755441.0000021031790000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: Microsoft Hyper-V Generation Countercthingp
Source: xSO7sbN2j6.exe, 00000003.00000003.2421755441.0000021031790000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: Microsoft Hyper-V Generation Countercthing0
Source: xSO7sbN2j6.exe, 00000003.00000003.2421755441.0000021031790000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: Microsoft Hyper-V Generation CountercthingP
Source: xSO7sbN2j6.exe, 00000003.00000002.2440334952.0000021031390000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: ZY4E1A5N VMCI Bus Device
Source: xSO7sbN2j6.exe, 00000003.00000003.2427487296.00000210313D0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: VMware, Inc..p
Source: xSO7sbN2j6.exe, 00000003.00000002.2435267835.000002102E64D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Win32_PnPEntityZY4E1A5N VMCI Bus DevicePCI\D_H5H1V6&DEV_0740&SUBSYS_074015AD&REV_10\3&61AAA01&0&3FSystem.String[]VMware, Inc.D
Source: xSO7sbN2j6.exe, 00000003.00000003.2422434748.0000021030111000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Win32_PnPEntityU8VE67KY VMCI Bus Device{4d36e97d-e325-11ce-bfc1-08002be10318}System.String[]Win32_PnPEntityZY4E1A5N VMCI Bus DevicePCI\D_H5H1V6&DEV_0740&SUBSYS_074015AD&REV_10\3&61AAA01&0&3FSystem.String[]VMware, Inc.D9SCX8F8 VMCI Bus DeviceSystemPCI\9GOTKCRT&DEV_0740&SUBSYS_074015AD&REV_10\3&61AAA01&0&3FvmciOKWin32_ComputerSystemuser-PC
Source: xSO7sbN2j6.exe, 00000003.00000002.2440237150.00000210312D0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: VMware, Inc..
Source: xSO7sbN2j6.exe, 00000003.00000002.2439982644.0000021031000000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driverp

Source: C:\Users\user\AppData\Local\Temp\_MEI12682\exe\registers.exe

Code function: 10_2_00261520 rdtsc

10_2_00261520

Source: C:\Users\user\Desktop\xSO7sbN2j6.exe

Code function: 1_2_00007FF73D7AAA2C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

1_2_00007FF73D7AAA2C

Source: C:\Users\user\Desktop\xSO7sbN2j6.exe

Code function: 3_2_00007FF8A84FCDE0 EntryPoint,LoadLibraryA,GetProcAddress,VirtualProtect,VirtualProtect,VirtualProtect,

3_2_00007FF8A84FCDE0

Source: C:\Users\user\Desktop\xSO7sbN2j6.exe

Code function: 1_2_00007FF73D7C2620 GetProcessHeap,

1_2_00007FF73D7C2620

Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 1_2_00007FF73D7AAA2C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_00007FF73D7AAA2C
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 1_2_00007FF73D7AA180 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_00007FF73D7AA180
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 1_2_00007FF73D7B9C44 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_00007FF73D7B9C44
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 1_2_00007FF73D7AABD4 SetUnhandledExceptionFilter,	1_2_00007FF73D7AABD4
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF73D7AAA2C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_00007FF73D7AAA2C
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF73D7AA180 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_00007FF73D7AA180
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF73D7B9C44 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_00007FF73D7B9C44
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF73D7AABD4 SetUnhandledExceptionFilter,	3_2_00007FF73D7AABD4
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF8A8093354 IsProcessorFeaturePresent,00007FF8BFAC19A0,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,00007FF8BFAC19A0,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_00007FF8A8093354
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Code function: 3_2_00007FF8A81B5001 __scrt_fastfail,IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_00007FF8A81B5001
Source: C:\Users\user\AppData\Local\Temp\_MEI12682\exe\netconn_properties.exe	Code function: 7_2_00A03906 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	7_2_00A03906
Source: C:\Users\user\AppData\Local\Temp\_MEI12682\exe\netconn_properties.exe	Code function: 7_2_00A03DAE IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_2_00A03DAE
Source: C:\Users\user\AppData\Local\Temp\_MEI12682\exe\netconn_properties.exe	Code function: 7_2_00A08DD4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_2_00A08DD4
Source: C:\Users\user\AppData\Local\Temp\_MEI12682\exe\netconn_properties.exe	Code function: 7_2_00A03F10 SetUnhandledExceptionFilter,	7_2_00A03F10
Source: C:\Users\user\AppData\Local\Temp\_MEI12682\exe\registers.exe	Code function: 10_2_00261805 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	10_2_00261805
Source: C:\Users\user\AppData\Local\Temp\_MEI12682\exe\registers.exe	Code function: 10_2_00261F77 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	10_2_00261F77
Source: C:\Users\user\AppData\Local\Temp\_MEI12682\exe\registers.exe	Code function: 10_2_002620D9 SetUnhandledExceptionFilter,	10_2_002620D9

Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Process created: C:\Users\user\Desktop\xSO7sbN2j6.exe "C:\Users\user\Desktop\xSO7sbN2j6.exe"	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Process created: C:\Users\user\AppData\Local\Temp\_MEI12682\exe\netconn_properties.exe C:\Users\user\AppData\Local\Temp\_MEI12682\exe/netconn_properties.exe	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Process created: C:\Users\user\AppData\Local\Temp\_MEI12682\exe\registers.exe C:\Users\user\AppData\Local\Temp\_MEI12682\exe/registers.exe	Jump to behavior

Source: xSO7sbN2j6.exe, 00000003.00000002.2437458016.00000210305D0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: DOF_PROGMAN0
Source: xSO7sbN2j6.exe, 00000003.00000002.2437458016.00000210305D0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: DOF_PROGMAN

Source: C:\Users\user\Desktop\xSO7sbN2j6.exe

Code function: 1_2_00007FF73D7C8A30 cpuid

1_2_00007FF73D7C8A30

Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682\Pythonwin VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682\charset_normalizer VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682\zstandard VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682\certifi VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682\ucrtbase.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\Desktop\xSO7sbN2j6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\Desktop\xSO7sbN2j6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682\_ctypes.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\Desktop\xSO7sbN2j6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\Desktop\xSO7sbN2j6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\Desktop\xSO7sbN2j6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\Desktop\xSO7sbN2j6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\Desktop\xSO7sbN2j6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\Desktop\xSO7sbN2j6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682\_bz2.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682\_lzma.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\Desktop\xSO7sbN2j6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\Desktop\xSO7sbN2j6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682\Pythonwin VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682\pywin32_system32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\Desktop\xSO7sbN2j6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\Desktop\xSO7sbN2j6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\Desktop\xSO7sbN2j6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\Desktop\xSO7sbN2j6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\Desktop\xSO7sbN2j6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682\pywin32_system32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\Desktop\xSO7sbN2j6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\Desktop\xSO7sbN2j6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\Desktop\xSO7sbN2j6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\Desktop\xSO7sbN2j6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\0muh7zmj VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\tmp179_cpv3 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\Desktop\xSO7sbN2j6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\Desktop\xSO7sbN2j6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\Desktop\xSO7sbN2j6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\Desktop\xSO7sbN2j6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\Desktop\xSO7sbN2j6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682\pywin32_system32\pywintypes38.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\Desktop\xSO7sbN2j6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682\pywin32_system32\pythoncom38.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682\win32\win32api.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682\pywin32_system32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\Desktop\xSO7sbN2j6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\Desktop\xSO7sbN2j6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\Desktop\xSO7sbN2j6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\Desktop\xSO7sbN2j6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\Desktop\xSO7sbN2j6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\Desktop\xSO7sbN2j6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\Desktop\xSO7sbN2j6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\Desktop\xSO7sbN2j6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\Desktop\xSO7sbN2j6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\Desktop\xSO7sbN2j6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\Desktop\xSO7sbN2j6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\Desktop\xSO7sbN2j6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682\Pythonwin VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682\Pythonwin VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682\Pythonwin VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682\pywin32_system32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\tmp179_cpv3 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\tmp179_cpv3\gen_py\__init__.py VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\tmp179_cpv3\gen_py\dicts.dat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\Desktop\xSO7sbN2j6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\Desktop\xSO7sbN2j6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\Desktop\xSO7sbN2j6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682\_socket.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\Desktop\xSO7sbN2j6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682\select.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\Desktop\xSO7sbN2j6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\Desktop\xSO7sbN2j6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682\psutil VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682\psutil VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682\psutil VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682\psutil\_psutil_windows.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682\win32\win32net.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682\win32\win32security.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\Desktop\xSO7sbN2j6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\Desktop\xSO7sbN2j6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\Desktop\xSO7sbN2j6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682\_hashlib.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\Desktop\xSO7sbN2j6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\Desktop\xSO7sbN2j6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\Desktop\xSO7sbN2j6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\Desktop\xSO7sbN2j6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\Desktop\xSO7sbN2j6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\Desktop\xSO7sbN2j6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\Desktop\xSO7sbN2j6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\Desktop\xSO7sbN2j6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\Desktop\xSO7sbN2j6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\Desktop\xSO7sbN2j6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\Desktop\xSO7sbN2j6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\Desktop\xSO7sbN2j6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\Desktop\xSO7sbN2j6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\Desktop\xSO7sbN2j6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\Desktop\xSO7sbN2j6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\Desktop\xSO7sbN2j6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\Desktop\xSO7sbN2j6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\Desktop\xSO7sbN2j6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\Desktop\xSO7sbN2j6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\Desktop\xSO7sbN2j6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\Desktop\xSO7sbN2j6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\Desktop\xSO7sbN2j6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\Desktop\xSO7sbN2j6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\Desktop\xSO7sbN2j6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\Desktop\xSO7sbN2j6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\Desktop\xSO7sbN2j6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\Desktop\xSO7sbN2j6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\Desktop\xSO7sbN2j6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\Desktop\xSO7sbN2j6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\Desktop\xSO7sbN2j6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\Desktop\xSO7sbN2j6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\Desktop\xSO7sbN2j6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682\_ssl.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\Desktop\xSO7sbN2j6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\Desktop\xSO7sbN2j6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\Desktop\xSO7sbN2j6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\Desktop\xSO7sbN2j6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\Desktop\xSO7sbN2j6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\Desktop\xSO7sbN2j6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\Desktop\xSO7sbN2j6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682\zstandard VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682\zstandard VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682\zstandard VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682\zstandard\backend_c.cp38-win_amd64.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\Desktop\xSO7sbN2j6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\Desktop\xSO7sbN2j6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\Desktop\xSO7sbN2j6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\Desktop\xSO7sbN2j6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\Desktop\xSO7sbN2j6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\Desktop\xSO7sbN2j6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\Desktop\xSO7sbN2j6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\Desktop\xSO7sbN2j6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\Desktop\xSO7sbN2j6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\Desktop\xSO7sbN2j6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\Desktop\xSO7sbN2j6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682\_queue.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\Desktop\xSO7sbN2j6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\Desktop\xSO7sbN2j6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\Desktop\xSO7sbN2j6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\Desktop\xSO7sbN2j6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\Desktop\xSO7sbN2j6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682\Pythonwin VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682\Pythonwin VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682\pywin32_system32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\Desktop\xSO7sbN2j6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\Desktop\xSO7sbN2j6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\Desktop\xSO7sbN2j6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\Desktop\xSO7sbN2j6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\Desktop\xSO7sbN2j6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\Desktop\xSO7sbN2j6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682\pywin32_system32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\Desktop\xSO7sbN2j6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\Desktop\xSO7sbN2j6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\Desktop\xSO7sbN2j6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\Desktop\xSO7sbN2j6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682\charset_normalizer VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682\charset_normalizer VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682\charset_normalizer VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682\charset_normalizer\md.cp38-win_amd64.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682\charset_normalizer VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682\charset_normalizer\md__mypyc.cp38-win_amd64.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\Desktop\xSO7sbN2j6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682\unicodedata.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\Desktop\xSO7sbN2j6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\Desktop\xSO7sbN2j6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\Desktop\xSO7sbN2j6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682\Pythonwin VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\Desktop\xSO7sbN2j6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\Desktop\xSO7sbN2j6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\Desktop\xSO7sbN2j6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\Desktop\xSO7sbN2j6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682\Pythonwin VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\Desktop\xSO7sbN2j6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\Desktop\xSO7sbN2j6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\Desktop\xSO7sbN2j6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\Desktop\xSO7sbN2j6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\Desktop\xSO7sbN2j6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\Desktop\xSO7sbN2j6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\Desktop\xSO7sbN2j6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\Desktop\xSO7sbN2j6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\Desktop\xSO7sbN2j6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\Desktop\xSO7sbN2j6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\Desktop\xSO7sbN2j6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\Desktop\xSO7sbN2j6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\Desktop\xSO7sbN2j6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\Desktop\xSO7sbN2j6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\Desktop\xSO7sbN2j6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\Desktop\xSO7sbN2j6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\Desktop\xSO7sbN2j6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\Desktop\xSO7sbN2j6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI12682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\Desktop\xSO7sbN2j6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\Desktop\xSO7sbN2j6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\Desktop\xSO7sbN2j6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\Desktop\xSO7sbN2j6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\Desktop\xSO7sbN2j6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\Desktop\xSO7sbN2j6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\Desktop\xSO7sbN2j6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xSO7sbN2j6.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\tmp179_cpv3 VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\xSO7sbN2j6.exe

Code function: 1_2_00007FF73D7AA910 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

1_2_00007FF73D7AA910

Source: C:\Users\user\Desktop\xSO7sbN2j6.exe

Code function: 1_2_00007FF73D7C4EA0 _get_daylight,_get_daylight,_get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation,

1_2_00007FF73D7C4EA0

Source: C:\Users\user\Desktop\xSO7sbN2j6.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1031 Windows Management Instrumentation	1 DLL Side-Loading	12 Process Injection	54 Virtualization/Sandbox Evasion	OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	Boot or Logon Initialization Scripts	1 DLL Side-Loading	12 Process Injection	LSASS Memory	1351 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Native API	Logon Script (Windows)	Logon Script (Windows)	1 Deobfuscate/Decode Files or Information	Security Account Manager	54 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	21 Obfuscated Files or Information	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	11 Software Packing	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Timestomp	Cached Domain Credentials	444 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
xSO7sbN2j6.exe	16%	ReversingLabs	Win64.Malware.Generic
xSO7sbN2j6.exe	17%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Link
C:\Users\user\AppData\Local\Temp\_MEI12682\MSVCP140.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI12682\MSVCP140.dll	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\_MEI12682\Pythonwin\mfc140u.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI12682\Pythonwin\mfc140u.dll	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\_MEI12682\Pythonwin\win32ui.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI12682\Pythonwin\win32ui.pyd	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\_MEI12682\VCRUNTIME140.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI12682\VCRUNTIME140.dll	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\_MEI12682\VCRUNTIME140_1.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI12682\VCRUNTIME140_1.dll	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\_MEI12682\_bz2.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI12682\_bz2.pyd	1%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\_MEI12682\_ctypes.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI12682\_ctypes.pyd	1%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\_MEI12682\_elementtree.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI12682\_elementtree.pyd	1%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\_MEI12682\_hashlib.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI12682\_hashlib.pyd	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\_MEI12682\_lzma.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI12682\_lzma.pyd	4%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\_MEI12682\_queue.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI12682\_queue.pyd	1%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\_MEI12682\_socket.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI12682\_socket.pyd	1%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\_MEI12682\_ssl.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI12682\_ssl.pyd	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\_MEI12682\api-ms-win-core-console-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI12682\api-ms-win-core-console-l1-1-0.dll	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\_MEI12682\api-ms-win-core-datetime-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI12682\api-ms-win-core-datetime-l1-1-0.dll	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\_MEI12682\api-ms-win-core-debug-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI12682\api-ms-win-core-debug-l1-1-0.dll	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\_MEI12682\api-ms-win-core-errorhandling-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI12682\api-ms-win-core-errorhandling-l1-1-0.dll	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\_MEI12682\api-ms-win-core-file-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI12682\api-ms-win-core-file-l1-1-0.dll	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\_MEI12682\api-ms-win-core-file-l1-2-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI12682\api-ms-win-core-file-l1-2-0.dll	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\_MEI12682\api-ms-win-core-file-l2-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI12682\api-ms-win-core-file-l2-1-0.dll	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\_MEI12682\api-ms-win-core-handle-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI12682\api-ms-win-core-handle-l1-1-0.dll	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\_MEI12682\api-ms-win-core-heap-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI12682\api-ms-win-core-heap-l1-1-0.dll	0%	Virustotal	Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
fp2e7a.wpc.phicdn.net	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://ocsp.thawte.com0	0%	URL Reputation	safe
http://www.cl.cam.ac.uk/~mgk25/iso-time.html	0%	URL Reputation	safe
https://foss.heptapod.net/pypy/pypy/-/issues/3539	0%	URL Reputation	safe
https://www.mandiant.com/resources/blog/tracking-malware-import-hashing	0%	Virustotal		Browse
https://auscitte.github.io/systems%20blog/Exception-Directory-pefile#implementation-details	0%	Virustotal		Browse
http://timgolden.me.uk/python/wmi.html	0%	Virustotal		Browse
http://193.17.183.14:3000/	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
fp2e7a.wpc.phicdn.net	192.229.211.108	true	false	0%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://google.com/	xSO7sbN2j6.exe, 00000003.00000003.2423714607.000002103020C000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2422096808.00000210301C9000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2423197574.00000210301C9000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000002.2436577050.0000021030211000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2431934560.000002103020D000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2426840147.000002103021A000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2433468001.000002103020E000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2433810897.0000021030210000.00000004.00000020.00020000.00000000.sdmp	false		high
https://mahler:8092/site-updates.py	xSO7sbN2j6.exe, 00000003.00000003.2427260813.00000210306C3000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2420272100.00000210306B1000.00000004.00000020.00020000.00000000.sdmp	false		low
https://github.com/urllib3/urllib3/issues/29200	xSO7sbN2j6.exe, 00000003.00000002.2439623686.0000021030DC0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/giampaolo/psutil/issues/875.	xSO7sbN2j6.exe, 00000003.00000002.2437139354.0000021030370000.00000004.00001000.00020000.00000000.sdmp	false		high
http://.../back.jpeg	xSO7sbN2j6.exe, 00000003.00000002.2439755385.0000021030E90000.00000004.00001000.00020000.00000000.sdmp	false		low
http://www.python.org/	xSO7sbN2j6.exe, 00000003.00000003.2427260813.00000210306C3000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2420272100.00000210306B1000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/mhammond/pywin32	xSO7sbN2j6.exe, 00000001.00000003.2245348776.000001EB0964B000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2243434894.000001EB0963F000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2245250027.000001EB0964B000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2244843348.000001EB0963F000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2245348776.000001EB0963F000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2245250027.000001EB0963F000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2244989268.000001EB0963F000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2243739150.000001EB0963F000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2244711265.000001EB0963F000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2244711265.000001EB0964B000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2229733855.000001EB0963C000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000001.00000003.2245110481.000001EB0963F000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000002.2445756170.00007FF8B801B000.00000004.00000001.01000000.0000000C.sdmp, xSO7sbN2j6.exe, 00000003.00000002.2445273022.00007FF8B78CB000.00000004.00000001.01000000.0000000F.sdmp, xSO7sbN2j6.exe, 00000003.00000002.2445053706.00007FF8B61E1000.00000004.00000001.01000000.00000014.sdmp, xSO7sbN2j6.exe, 00000003.00000002.2444783479.00007FF8B61BE000.00000004.00000001.01000000.00000015.sdmp, xSO7sbN2j6.exe, 00000003.00000002.2442979393.00007FF8A89BD000.00000004.00000001.01000000.0000000E.sdmp, win32security.pyd.1.dr, win32trace.pyd.1.dr, win32net.pyd.1.dr, win32api.pyd.1.dr	false		high
https://httpbin.org/post	xSO7sbN2j6.exe, 00000003.00000003.2422877879.0000021030674000.00000004.00000020.00020000.00000000.sdmp	false		high
http://193.17.183.14:3000/)	xSO7sbN2j6.exe, 00000003.00000003.2254594450.000002102E6DF000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000002.2435457331.000002102E6DF000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2432907096.000002102E6DF000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2431258852.000002102E6DF000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2422307122.000002102E6DF000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://github.com/Ousret/charset_normalizer	xSO7sbN2j6.exe, 00000003.00000003.2422096808.00000210301C9000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2425207464.0000021030208000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2423197574.00000210301C9000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#	xSO7sbN2j6.exe, 00000003.00000003.2428147875.000002102E61C000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2251857001.000002102DE12000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2431983853.000002102DE25000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2251711442.000002102DE23000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000002.2435267835.000002102E620000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2252362356.000002102DE12000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000002.2434678392.000002102DE25000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2429262032.000002102DE24000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2429012313.000002102DE17000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2251408429.000002102DE12000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2252165282.000002102DE23000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2428839810.000002102DE12000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2422739995.000002102DE12000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/urllib3/urllib3/issues/2920	xSO7sbN2j6.exe, 00000003.00000002.2439623686.0000021030DC0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.python.org/download/releases/2.3/mro/.	xSO7sbN2j6.exe, 00000003.00000002.2435047798.000002102DFB0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://yahoo.com/	xSO7sbN2j6.exe, 00000003.00000003.2423714607.000002103020C000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2422096808.00000210301C9000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2423197574.00000210301C9000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2423367529.0000021030687000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2426840147.000002103021A000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2422877879.0000021030674000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2433603496.000002103068A000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2424521540.000002103068A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://tools.ietf.org/html/rfc2388#section-4.4	xSO7sbN2j6.exe, 00000003.00000003.2426690756.00000210300F3000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2431068921.00000210300FB000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2422434748.0000021030084000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2423437104.0000021030085000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2432380367.0000021030100000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.opensource.org/licenses/mit-license.php	xSO7sbN2j6.exe, 00000003.00000002.2435832830.0000021030030000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6	xSO7sbN2j6.exe, 00000003.00000003.2423714607.000002103020C000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2422096808.00000210301C9000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2423197574.00000210301C9000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000002.2436577050.0000021030211000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2431934560.000002103020D000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2433468001.000002103020E000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2433810897.0000021030210000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.thawte.com/ThawteTimestampingCA.crl0	xSO7sbN2j6.exe, 00000001.00000003.2242054897.000001EB0963D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://html.spec.whatwg.org/multipage/	xSO7sbN2j6.exe, 00000003.00000003.2423714607.000002103020C000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2422096808.00000210301C9000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2423197574.00000210301C9000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2431934560.000002103020D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warnings	xSO7sbN2j6.exe, 00000003.00000002.2439438753.0000021030CA0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://mail.python.org/pipermail/python-dev/2012-June/120787.html	xSO7sbN2j6.exe, 00000003.00000002.2437083752.0000021030330000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/urllib3/urllib3/issues/2192#issuecomment-821832963	xSO7sbN2j6.exe, 00000003.00000002.2439352613.0000021030C20000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.iana.org/time-zones/repository/tz-link.html	xSO7sbN2j6.exe, 00000003.00000002.2435883667.0000021030070000.00000004.00000020.00020000.00000000.sdmp	false		high
http://goo.gl/zeJZl	xSO7sbN2j6.exe, 00000003.00000002.2437139354.0000021030370000.00000004.00001000.00020000.00000000.sdmp	false		high
https://requests.readthedocs.io	xSO7sbN2j6.exe, 00000003.00000003.2422877879.0000021030674000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000002.2439890285.0000021030F80000.00000004.00001000.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000002.2437590272.0000021030675000.00000004.00000020.00020000.00000000.sdmp	false		high
https://upx.github.ioT	xSO7sbN2j6.exe, 00000001.00000003.2241172247.000001EB0963D000.00000004.00000020.00020000.00000000.sdmp, upx.exe.1.dr	false		unknown
http://curl.haxx.se/rfc/cookie_spec.html	xSO7sbN2j6.exe, 00000003.00000002.2439755385.0000021030E90000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.python.org/dev/peps/pep-0205/	xSO7sbN2j6.exe, 00000001.00000003.2246060805.000001EB0963F000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000002.2435780956.000002102FFF0000.00000004.00001000.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2254594450.000002102E62E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.mandiant.com/resources/blog/tracking-malware-import-hashing	xSO7sbN2j6.exe, 00000003.00000002.2436994535.00000210302B0000.00000004.00001000.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
http://json.org	xSO7sbN2j6.exe, 00000003.00000003.2254594450.000002102E62E000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2433190982.0000021030082000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2422434748.0000021030084000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2432907096.000002102E6DF000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2431258852.000002102E6DF000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2422307122.000002102E6DF000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2428983620.0000021030085000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2423437104.0000021030085000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2433913042.0000021030089000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2422597636.000002103007F000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2431770423.0000021030086000.00000004.00000020.00020000.00000000.sdmp	false		high
https://urllib3.readthedocs.io/en/latest/advanced-usage.html#https-proxy-error-http-proxy	xSO7sbN2j6.exe, 00000003.00000002.2439623686.0000021030DC0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688	xSO7sbN2j6.exe, 00000003.00000002.2434833250.000002102DE70000.00000004.00001000.00020000.00000000.sdmp	false		high
http://python.org/dev/peps/pep-0263/	xSO7sbN2j6.exe, 00000003.00000002.2443034874.00007FF8A8CCC000.00000040.00000001.01000000.00000005.sdmp	false		high
https://httpbin.org/get	xSO7sbN2j6.exe, 00000003.00000003.2420272100.000002103071B000.00000004.00000020.00020000.00000000.sdmp	false		high
http://193.17.183.14:3000/	xSO7sbN2j6.exe, 00000003.00000002.2436948556.0000021030270000.00000004.00001000.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://www.python.org	xSO7sbN2j6.exe, 00000003.00000003.2422877879.0000021030674000.00000004.00000020.00020000.00000000.sdmp	false		high
https://auscitte.github.io/systems%20blog/Exception-Directory-pefile#implementation-details	xSO7sbN2j6.exe, 00000003.00000002.2437313978.0000021030500000.00000004.00001000.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://stackoverflow.com/questions/4457745#4457745	xSO7sbN2j6.exe, 00000003.00000002.2437139354.0000021030370000.00000004.00001000.00020000.00000000.sdmp	false		high
http://ocsp.thawte.com0	xSO7sbN2j6.exe, 00000001.00000003.2242054897.000001EB0963D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader	xSO7sbN2j6.exe, 00000003.00000003.2428147875.000002102E61C000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2251857001.000002102DE12000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2431983853.000002102DE25000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2251711442.000002102DE23000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000002.2435267835.000002102E620000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2252362356.000002102DE12000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000002.2434678392.000002102DE25000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2429262032.000002102DE24000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2429012313.000002102DE17000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2251408429.000002102DE12000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2252165282.000002102DE23000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2428839810.000002102DE12000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2422739995.000002102DE12000.00000004.00000020.00020000.00000000.sdmp	false		high
https://httpbin.org/	xSO7sbN2j6.exe, 00000003.00000003.2423290501.000002102E669000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.cl.cam.ac.uk/~mgk25/iso-time.html	xSO7sbN2j6.exe, 00000003.00000002.2435883667.0000021030070000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://twitter.com/	xSO7sbN2j6.exe, 00000003.00000003.2422096808.00000210301C9000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2425207464.0000021030208000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2423197574.00000210301C9000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2423290501.000002102E669000.00000004.00000020.00020000.00000000.sdmp	false		high
http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535	xSO7sbN2j6.exe, 00000003.00000003.2426690756.00000210300F3000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2431068921.00000210300FB000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2422434748.0000021030084000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2423437104.0000021030085000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy	xSO7sbN2j6.exe, 00000003.00000003.2428147875.000002102E61C000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2251857001.000002102DE12000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2431983853.000002102DE25000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2251711442.000002102DE23000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000002.2435267835.000002102E620000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2252362356.000002102DE12000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000002.2434678392.000002102DE25000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2429262032.000002102DE24000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2429012313.000002102DE17000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2251408429.000002102DE12000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2252165282.000002102DE23000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2428839810.000002102DE12000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2422739995.000002102DE12000.00000004.00000020.00020000.00000000.sdmp	false		high
https://google.com/	xSO7sbN2j6.exe, 00000003.00000003.2423197574.00000210301C9000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2423367529.0000021030687000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2423290501.000002102E669000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2426840147.000002103021A000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2422877879.0000021030674000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2433603496.000002103068A000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2424521540.000002103068A000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.ntcore.com/files/richsign.htm	xSO7sbN2j6.exe, 00000003.00000002.2435832830.0000021030030000.00000004.00001000.00020000.00000000.sdmp	false		high
https://google.com/mail/	xSO7sbN2j6.exe, 00000003.00000003.2422434748.0000021030111000.00000004.00000020.00020000.00000000.sdmp	false		high
http://google.com/mail/	xSO7sbN2j6.exe, 00000003.00000003.2423625603.0000021030163000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2427750884.0000021030164000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2423437104.0000021030111000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2422434748.0000021030111000.00000004.00000020.00020000.00000000.sdmp	false		high
http://wwwsearch.sf.net/):	xSO7sbN2j6.exe, 00000003.00000003.2427260813.00000210306C3000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000002.2437767537.00000210306C4000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2420272100.00000210306B1000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2430312247.00000210306C4000.00000004.00000020.00020000.00000000.sdmp	false		high
http://tools.ietf.org/html/rfc6125#section-6.4.3	xSO7sbN2j6.exe, 00000003.00000002.2439623686.0000021030DC0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://timgolden.me.uk/python/wmi.html	xSO7sbN2j6.exe, 00000003.00000002.2436948556.0000021030270000.00000004.00001000.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://www.openssl.org/H	xSO7sbN2j6.exe, 00000001.00000003.2242231546.000001EB0963D000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000002.2442165063.00007FF8A84FE000.00000004.00000001.01000000.00000017.sdmp, xSO7sbN2j6.exe, 00000003.00000002.2442708741.00007FF8A88F1000.00000004.00000001.01000000.00000019.sdmp, libssl-1_1.dll.1.dr	false		high
https://docs.python.org/3/library/socket.html#socket.socket.connect_ex	xSO7sbN2j6.exe, 00000003.00000002.2439890285.0000021030F80000.00000004.00001000.00020000.00000000.sdmp	false		high
https://google.com/mail	xSO7sbN2j6.exe, 00000003.00000003.2423714607.000002103020C000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2422096808.00000210301C9000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2423197574.00000210301C9000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2423367529.0000021030687000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2426840147.000002103021A000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2422877879.0000021030674000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2433603496.000002103068A000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2424521540.000002103068A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py	xSO7sbN2j6.exe, 00000003.00000003.2422739995.000002102DE12000.00000004.00000020.00020000.00000000.sdmp	false		high
https://foss.heptapod.net/pypy/pypy/-/issues/3539	xSO7sbN2j6.exe, 00000003.00000002.2439352613.0000021030C20000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/urllib3/urllib3/issues/2513#issuecomment-1152559900.	xSO7sbN2j6.exe, 00000003.00000003.2423714607.000002103020C000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2422096808.00000210301C9000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2423197574.00000210301C9000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2433838314.0000021030224000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2431674157.000002103021F000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000002.2436577050.0000021030225000.00000004.00000020.00020000.00000000.sdmp, xSO7sbN2j6.exe, 00000003.00000003.2426840147.000002103021A000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1428491
Start date and time:	2024-04-19 02:44:38 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 9s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	xSO7sbN2j6.exe (renamed file extension from none to exe, renamed because original name is a hash value)
Original Sample Name:	95256b28dfb85f1d5bafdec109950775733d4af82acc0512151639695c57e469
Detection:	MAL
Classification:	mal100.evad.winEXE@8/83@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 97% Number of executed functions: 76 Number of non-executed functions: 139

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, WmiApSrv.exe, WmiPrvSE.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 40.126.29.6, 40.126.29.14, 40.126.29.10, 40.126.29.9, 40.126.29.12, 40.126.29.5, 40.126.29.8, 40.126.29.7, 20.42.73.29
Excluded domains from analysis (whitelisted): prdv4a.aadg.msidentity.com, slscr.update.microsoft.com, www.tm.v4.a.prd.aadg.trafficmanager.net, ctldl.windowsupdate.com, dns.msftncsi.com, login.msa.msidentity.com, fe3cr.delivery.mp.microsoft.com, ocsp.digicert.com, login.live.com, ocsp.edge.digicert.com, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, umwatson.events.data.microsoft.com, www.tm.lg.prod.aadmsa.trafficmanager.net
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fp2e7a.wpc.phicdn.net	https://aeno.co.jp.talglfts.cc/aeon	Get hash	malicious	Unknown	Browse	192.229.211.108
	https://scsang.cn/	Get hash	malicious	Unknown	Browse	192.229.211.108
	https://cvn7.sa.com/invoice.html?app=	Get hash	malicious	HTMLPhisher	Browse	192.229.211.108
	https://setteledpaineter.uk.nf/	Get hash	malicious	Unknown	Browse	192.229.211.108
	https://zmmzmnsnnbxbbxvcxv22.z13.web.core.windows.net/	Get hash	malicious	Unknown	Browse	192.229.211.108
	https://dev217.d3uf3ys8fxt6s2.amplifyapp.com/Win08ShDMeEr0887/index.html	Get hash	malicious	Unknown	Browse	192.229.211.108
	https://www.huiyuan-sh.com/	Get hash	malicious	Unknown	Browse	192.229.211.108
	https://sdcoes.net/LandingPage/Index/122/	Get hash	malicious	HTMLPhisher	Browse	192.229.211.108
	https://appddd08.z19.web.core.windows.net/Win0security-helpline07/index.html?ph0n=1-844-492-0415	Get hash	malicious	TechSupportScam	Browse	192.229.211.108
	https://6a5ff6af4b0fe3e6f0bd452927dfb55b352fdd2d1bab6d1e7de2b641e2.pages.dev/	Get hash	malicious	HTMLPhisher	Browse	192.229.211.108

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\_MEI12682\MSVCP140.dll	SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	Get hash	malicious	LummaC, Glupteba, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer	Browse
	whisper-faster.exe	Get hash	malicious	Unknown	Browse
	whisper-faster.exe	Get hash	malicious	Unknown	Browse
	webex.exe	Get hash	malicious	Unknown	Browse
	webex.exe	Get hash	malicious	Unknown	Browse
	ZzutQz4T6D.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse
	webex.exe	Get hash	malicious	Unknown	Browse
	webex.exe	Get hash	malicious	Unknown	Browse
	Create_Installer_PLC0000037_2024_English_WIN64.exe	Get hash	malicious	Unknown	Browse
	webex.exe	Get hash	malicious	Unknown	Browse
C:\Users\user\AppData\Local\Temp\_MEI12682\Pythonwin\mfc140u.dll	SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	Get hash	malicious	LummaC, Glupteba, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer	Browse
	Sp#U251c#U0434ti.exe	Get hash	malicious	Unknown	Browse
	cc.exe	Get hash	malicious	Unknown	Browse
	https://developers.yubico.com/yubikey-manager-qt/Releases/yubikey-manager-qt-1.2.6-win64.exe	Get hash	malicious	Unknown	Browse
	valoranthack.exe	Get hash	malicious	Luna Logger	Browse
	r0gv5UI76Q.exe	Get hash	malicious	Unknown	Browse
	ip_new.exe	Get hash	malicious	Unknown	Browse
	thurs20.exe	Get hash	malicious	Python Stealer	Browse
	thurs17.exe	Get hash	malicious	Python Stealer	Browse
	thurs21.exe	Get hash	malicious	Python Stealer	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\0muh7zmj

Download File

Process:	C:\Users\user\Desktop\xSO7sbN2j6.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	4
Entropy (8bit):	2.0
Encrypted:	false
SSDEEP:	3:qn:qn
MD5:	3F1D1D8D87177D3D8D897D7E421F84D6
SHA1:	DD082D742A5CB751290F1DB2BD519C286AA86D95
SHA-256:	F02285FB90ED8C81531FE78CF4E2ABB68A62BE73EE7D317623E2C3E3AEFDFFF2
SHA-512:	2AE2B3936F31756332CA7A4B877D18F3FCC50E41E9472B5CD45A70BEA82E29A0FA956EE6A9EE0E02F23D9DB56B41D19CB51D88AAC06E9C923A820A21023752A9
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	blat

C:\Users\user\AppData\Local\Temp\_MEI12682\MSVCP140.dll

Download File

Process:	C:\Users\user\Desktop\xSO7sbN2j6.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	578384
Entropy (8bit):	6.524580849411757
Encrypted:	false
SSDEEP:	12288:RBSNvy11qsslnxU/1ceqHiNHlOp/2M+UHHZpDLO+r2VhQEKZm+jWodEEVAdm:RBSDOFQEKZm+jWodEE2dm
MD5:	1BA6D1CF0508775096F9E121A24E5863
SHA1:	DF552810D779476610DA3C8B956CC921ED6C91AE
SHA-256:	74892D9B4028C05DEBAF0B9B5D9DC6D22F7956FA7D7EEE00C681318C26792823
SHA-512:	9887D9F5838AA1555EA87968E014EDFE2F7747F138F1B551D1F609BC1D5D8214A5FDAB0D76FCAC98864C1DA5EB81405CA373B2A30CB12203C011D89EA6D069AF
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, Detection: malicious, Browse Filename: whisper-faster.exe, Detection: malicious, Browse Filename: whisper-faster.exe, Detection: malicious, Browse Filename: webex.exe, Detection: malicious, Browse Filename: webex.exe, Detection: malicious, Browse Filename: ZzutQz4T6D.exe, Detection: malicious, Browse Filename: webex.exe, Detection: malicious, Browse Filename: webex.exe, Detection: malicious, Browse Filename: Create_Installer_PLC0000037_2024_English_WIN64.exe, Detection: malicious, Browse Filename: webex.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......."...f..f..f.....d..o.A.p..f........c.....n.....b...........g....-.g.....g..Richf..........................PE..d................." ...$.F...V......`1....................................................`A........................................PB..h.......,................9......PO......8...p...p...........................0...@............`...............................text....E.......F.................. ..`.rdata.......`.......J..............@..@.data....8...@......................@....pdata...9.......:...<..............@..@.rsrc................v..............@..@.reloc..8............z..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI12682\Pythonwin\mfc140u.dll

Download File

Process:	C:\Users\user\Desktop\xSO7sbN2j6.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	5653424
Entropy (8bit):	6.729277267882055
Encrypted:	false
SSDEEP:	49152:EuEsNcEc8/CK4b11P5ViH8gw0+NVQD5stWIlE7lva8iposS9j5fzSQzs7ID+AVuS:EnL8+5fiEnQFLOAkGkzdnEVomFHKnPS
MD5:	03A161718F1D5E41897236D48C91AE3C
SHA1:	32B10EB46BAFB9F81A402CB7EFF4767418956BD4
SHA-256:	E06C4BD078F4690AA8874A3DEB38E802B2A16CCB602A7EDC2E077E98C05B5807
SHA-512:	7ABCC90E845B43D264EE18C9565C7D0CBB383BFD72B9CEBB198BA60C4A46F56DA5480DA51C90FF82957AD4C84A4799FA3EB0CEDFFAA6195F1315B3FF3DA1BE47
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe, Detection: malicious, Browse Filename: Sp#U251c#U0434ti.exe, Detection: malicious, Browse Filename: cc.exe, Detection: malicious, Browse Filename: , Detection: malicious, Browse Filename: valoranthack.exe, Detection: malicious, Browse Filename: r0gv5UI76Q.exe, Detection: malicious, Browse Filename: ip_new.exe, Detection: malicious, Browse Filename: thurs20.exe, Detection: malicious, Browse Filename: thurs17.exe, Detection: malicious, Browse Filename: thurs21.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Q.cu...&...&...&...'...&...'...&...'...&..&...&G..'...&G..'...&...'...&...&..&G..'...&G..'...&G..'...&G..'...&G..&...&G..'...&Rich...&................PE..d....~.a.........." .....(-..X)......X,.......................................V......YV...`A..........................................:.....h.;.......?......`=..8....V..'...PU.0p..p.5.T...........................`...8............@-.P...0.:......................text....&-......(-................. ..`.rdata.......@-......,-.............@..@.data....6... <.......<.............@....pdata...8...`=..:....<.............@..@.didat..H.....?.......?.............@....rsrc.........?.......?.............@..@.reloc..0p...PU..r....T.............@..B................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI12682\Pythonwin\win32ui.pyd

Download File

Process:	C:\Users\user\Desktop\xSO7sbN2j6.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	290304
Entropy (8bit):	7.872892408480815
Encrypted:	false
SSDEEP:	6144:CQrI4a86uBgv9Y6z8fd8SFzaYiYAJn9Q0B5e4zEONlM+chlkCb8JrRikP9:CQLXfEgdmBjn9X3EONS/YCq1P
MD5:	376C58A0C1A4B549AA7E05759AB1B16E
SHA1:	732C31C2A945704ADE1D4D718D11FAC49D0B3CC6
SHA-256:	E7443391287D86FB914613FF642F45AD3A106A967C3C26FF8F0AF1B117E13EFB
SHA-512:	795CCFC345EC6D09E43E831CC58ED382BFB3C3688C086E2BAD49434484C9937D25EA51BF1FF137F50FE6C6B7B9E5364282ECCFF07E3A25C472FF23EDD7779D6D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........\|.F..r...r...r..e....r."hs...r..{s...r..vs...r..hv...r..hq...r..hw...r...s...r..hs...r."h{...r."hr...r."h....r."hp...r.Rich..r.........................PE..d......d.........." ................0........................................`............`..............................................T..4...........48... ...............P.. ...........................P...(.......8...........................................UPX0....................................UPX1................................@....rsrc...............................@......................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI12682\VCRUNTIME140.dll

Download File

Process:	C:\Users\user\Desktop\xSO7sbN2j6.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	96120
Entropy (8bit):	6.440691568981583
Encrypted:	false
SSDEEP:	1536:dkb0wrlWxdV4tyfa/PUFSAM/HQUucN2f0MFOqH+F3fecbTUEuvw:dWD4eUp+HQpcNg0MFnH+F3fecbTUED
MD5:	4A365FFDBDE27954E768358F4A4CE82E
SHA1:	A1B31102EEE1D2A4ED1290DA2038B7B9F6A104A3
SHA-256:	6A0850419432735A98E56857D5CFCE97E9D58A947A9863CA6AFADD1C7BCAB27C
SHA-512:	54E4B6287C4D5A165509047262873085F50953AF63CA0DCB7649C22ABA5B439AB117A7E0D6E7F0A3E51A23E28A255FFD1CA1DDCE4B2EA7F87BCA1C9B0DBE2722
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........~.[...[...[.......Y...R...P...[...w.......V.......K.......D.......Z......Z.......Z...Rich[...................PE..d....R^`.........." .........^......`.....................................................`A.........................................A..4....I...............`..L....T..x#..........H,..T............................,..8............................................text............................... ..`.rdata...?.......@..................@..@.data...@....P.......<..............@....pdata..L....`.......@..............@..@_RDATA.......p.......L..............@..@.rsrc................N..............@..@.reloc...............R..............@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI12682\VCRUNTIME140_1.dll

Download File

Process:	C:\Users\user\Desktop\xSO7sbN2j6.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	36728
Entropy (8bit):	6.340048377061949
Encrypted:	false
SSDEEP:	384:nNn62MCmWEPhUcSLt5a9Y6v4HOE5fY/ntz5BBW0O3+XfeuncS79+pWrQKWhD/HRj:YdCm5PhUcxgHY/ntXBzxvV7KtDvCTO
MD5:	9CFF894542DC399E0A46DEE017331EDF
SHA1:	D1E889D22A5311BD518517537CA98B3520FC99FF
SHA-256:	B1D3B6B3CDEB5B7B8187767CD86100B76233E7BBB9ACF56C64F8288F34B269CA
SHA-512:	CA254231F12BDFC300712A37D31777FF9D3AA990CCC129129FA724B034F3B59C88ED5006A5F057348FA09A7DE4A0C2E0FB479CE06556E2059F919DDD037F239E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........k...8...8...8@..9...8}..9...8.._8...8...8...8}..9...8}..9...8}..9...8}..9...8}.38...8}..9...8Rich...8........PE..d....R^`.........." .....:...4......`A....................................................`A.........................................k......<l..x....................l..x#......<...(b..T............................b..8............P..X............................text...u9.......:.................. ..`.rdata..P!...P..."...>..............@..@.data... ............`..............@....pdata...............b..............@..@.rsrc................f..............@..@.reloc..<............j..............@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI12682\_bz2.pyd

Download File

Process:	C:\Users\user\Desktop\xSO7sbN2j6.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	47792
Entropy (8bit):	7.759135237425322
Encrypted:	false
SSDEEP:	768:fSt1pAaIL2thxk3rjQgofeVaIqCGoDFQ7yqnuIJ7TpcgIIMVGpDG4yAehFj:C1pAaIaes3feV1iizgIIMVGry7
MD5:	5F464B4F06DFE3AB504169FFDC7F53AE
SHA1:	2942CF1F492213842D7BB8E8198355D3607B2F3B
SHA-256:	0DD68268A9D47CE935FF932C3FE281E7A6D57E9CD424299D05560E56A773EF4B
SHA-512:	D66C3C238A1EBDFB6F81436F8D0481F3ED8A0FF1212E3EFE466D6820E36DB50C31DCDB1019E46DCEDB753149A6CEF3F9485FC232F3DD42B96B7B0604DBAD6040
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 1%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......[..>...m...m...m...m...ms..l...my.bm...ms..l...ms..l...ms..l...m..l...mD..l...m...m~..m..l...m..l...m.`m...m..l...mRich...m........................PE..d.....`.........." ..................... ................................................`.........................................`...H......\|............P..4.......................................................8...........................................UPX0....................................UPX1......... ......................@....rsrc...............................@......................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI12682\_ctypes.pyd

Download File

Process:	C:\Users\user\Desktop\xSO7sbN2j6.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	58032
Entropy (8bit):	7.837553293459017
Encrypted:	false
SSDEEP:	1536:GCwIk2ERK2HZqd6d93oXrCedXfxsYazzIIBPt0yzl:GHTPok3oXr5dvxsYafIIBPtbl
MD5:	332D773008E12399AB98D085CD60C583
SHA1:	C3AA78E9BA7732B989A3CAB996E63791EAF46A7F
SHA-256:	19B813BCD356F37E73FE7D367051EB0BD901F2BD14CA8AD4662B1503B1459CEA
SHA-512:	381C2083CCFDB39F3986060B21FF168EE87CFAFC4AD53B34DE3AE473A4FC0204615AF87E9EE69407D07528064C7B2A7D9F23A94939DE0E26C614169B8CC418AA
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 1%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t....x...x...x..m...x..ay...x..a}...x..a\|...x..a{...x..ay...x..}\|...x..}y...x.@\|y...x...y.?.x..au...x..ax...x..a....x..az...x.Rich..x.................PE..d...\|.`.........." ................ F.......................................p............`..........................................l.......i.......`.......................m......................................0R..8...........................................UPX0....................................UPX1................................@....rsrc........`......................@......................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI12682\_elementtree.pyd

Download File

Process:	C:\Users\user\Desktop\xSO7sbN2j6.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	78512
Entropy (8bit):	7.903168272994478
Encrypted:	false
SSDEEP:	1536:Ss4deEa1XFe+dq9uHZH6FMpNCL51ngCDVWNSIIkftTy5:wdrAZdj5aOpNCrnBWoIIkfto
MD5:	5F8A8DA577CE431C77F5D4B8F972E5E0
SHA1:	23306304175383DE4C6E039C9A106000BB28DA31
SHA-256:	5A32E12FDE1F4E8A805D598E6CFBEC1E4AEAA9F9C1744BC3B1BF8B2AB9706686
SHA-512:	1438C0DD7881CA76CCBCEAB054413C3E08EA373ECF6A109C9C1F4896585B5F12B0FBC9E954EB5DBAABDED498DF713FE96555A8ED861707982DC46D603363F939
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 1%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......aG.M%&..%&..%&..,^d.)&..IR..'&..IR...&..IR..-&..IR..&&...R..'&..~N..&&..%&...&...R..!&...R..$&...R..$&...R..$&..Rich%&..................PE..d...n.`.........." .........................................................0............`..........................................,..X....)....... ..........x...........(-..........................................8...........................................UPX0....................................UPX1................................@....rsrc........ ......................@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI12682\_hashlib.pyd

Download File

Process:	C:\Users\user\Desktop\xSO7sbN2j6.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	28336
Entropy (8bit):	7.503409203437653
Encrypted:	false
SSDEEP:	384:EpNTVr+yTLZuSNa0x/iwRvz4SQ1ilQYHTMN6RoZa7gJX78IIYILyDG4y8XRShMpp:EpN7/dKwCSQoMppr8IIYILyDG4ybhMD
MD5:	7A323C4FCE36AB53DA167E4074A68A77
SHA1:	78A0E1EBBC7B357DBD37FCEE32589C4D0DC94DFE
SHA-256:	07419B0862EDABE485317C199EE61B4DE838EC730789B12B8D660B6A1E5AAF76
SHA-512:	8DAD82FA63917FF035271E8ED73C9F2ECDF5414E98D48A144F302C68CB16EA6D8DACF4FBFE11458B5D78715089EBAA45CD157AD53FB7989FD2FA81AFCE39E49A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........?...^..^..^..&e.^.....^.....^.....^.....^..U..^...6..^..)7..^..^...^..U..^..U..^..U..^..U*..^..Rich.^..........................PE..d.....`.........." .....@................................................................`.............................................P...............................................................................8...........................................UPX0....................................UPX1.....@.......@..................@....rsrc................D..............@......................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI12682\_lzma.pyd

Download File

Process:	C:\Users\user\Desktop\xSO7sbN2j6.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	86704
Entropy (8bit):	7.922392665313969
Encrypted:	false
SSDEEP:	1536:r1mzwAeL7Ij2wtqklnNNxP/SxbtYOndQqUAVGd+fP3S+9kAUmIID1tmyPx:Io3wDNNxP/6btYUUEGd+HTPVIID1tNx
MD5:	6CF80DCA091DAD17790A6B1AF4E85381
SHA1:	BCB4052A4F960B429EB9DB019734FC00B41C4427
SHA-256:	2B41390D1BFFA9C5B7018BC0544B0A2C188ECB9B00EBC56DF5A864DC47E32697
SHA-512:	DA00F86C7A4168FA46FAEC79605831D26E4C86DD1D009B89F5087AC756BDFC32E0C036471639131EB881BCC53B8F1F92D947F3EF47F3DC7E56BB2E99D1357CF3
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 4%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........Q...0.C.0.C.0.C.HOC.0.C.D.B.0.C.D.B.0.C.D.B.0.C.D.B.0.C>D.B.0.C.X.B.0.C.0.C.0.C>D.B.0.C>D.B.0.C>D#C.0.C>D.B.0.CRich.0.C........................PE..d.....`.........." .....0.......... .....................................................`.........................................\|...L....................`...................................................... ...8...........................................UPX0....................................UPX1.....0.......&..................@....rsrc................*..............@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI12682\_queue.pyd

Download File

Process:	C:\Users\user\Desktop\xSO7sbN2j6.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22704
Entropy (8bit):	7.303940313534979
Encrypted:	false
SSDEEP:	384:LubMpgolBKHStjxZHfdqWQ6Za7gJXW5IImUbMvkDG4y8e8C97hP:wM5Bzjj/dp9pm5IImUbMsDG4yaC97hP
MD5:	7A9EAB9B45B38B485AD540FCD60FD1C2
SHA1:	8FC5679207187B8E37F73C3826A0F1CEF06BC7D9
SHA-256:	3E97629DB46D159DB614A2AF447A8FCD3CDEA807D7BDB8B32ADADB372B8ED3AE
SHA-512:	1FA6745B5B9444D9AFEE8E8852B8BAF6790C40D6AF9C8ACE0AA5B5A242C1825CF7EEE467515270C55833D11878B1D6E36E67AAD3090A2BD7D504F8CC75D3E81D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 1%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........%a.ZD..ZD..ZD..S<..XD..60..XD..60..QD..60..RD..60..YD..0..YD...,..XD..ZD...D..0..[D..0..[D..0..[D..0..[D..RichZD..........PE..d...o.`.........." .....0.......... .....................................................`.........................................8...L.......P............`..0................................................... ...8...........................................UPX0....................................UPX1.....0.......,..................@....rsrc................0..............@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI12682\_socket.pyd

Download File

Process:	C:\Users\user\Desktop\xSO7sbN2j6.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	41136
Entropy (8bit):	7.669436133022269
Encrypted:	false
SSDEEP:	768:Y2N9l9nLOO9DF7h5c5pZEVLxWQ+rHqKw1pAT9IIBwmS3F94DG4ytU9h/:PNZnv9c5p40KgT9IIBwmA4yin
MD5:	15A40AFE3A6A996DA1ED9C9EB13362B8
SHA1:	FB7A8827FD244642A1BDA9E863E8A1137A791554
SHA-256:	55C9F10D31037738DA2110BB88074CF4B6D65E256C9411560000330ED27704C1
SHA-512:	F75213237180FE0395908F5E272217F8287A19083A00D23C5934061F27E07E00B5130CCD44453C2633B2406433D3E537F45923E4712EF420BB60CC9307030990
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 1%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........R...<...<...<.......<...=...<...9...<...8...<...?...<.'.=...<...=...<...=.I.<.'.1...<.'.<...<.'....<.'.>...<.Rich..<.................PE..d.....`.........." .................r....................................................`............................................P...................0..8...........@... ....................................~..8...........................................UPX0....................................UPX1.............r..................@....rsrc................v..............@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI12682\_ssl.pyd

Download File

Process:	C:\Users\user\Desktop\xSO7sbN2j6.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	59056
Entropy (8bit):	7.8302873217993465
Encrypted:	false
SSDEEP:	1536:kMAft6h1P/xN70ArkFOwFU3Q6ji9OaIIM7dU40y8j:kM0t81BhrkQwU3g9vIIM7dc
MD5:	A61613B2A31FB6C1D0F11A2AB42C3A9E
SHA1:	A51069C3AEB3C7C8D802CF076005B1C1717CA12A
SHA-256:	1B39EAC9D666211E670E37420D9FD43516695E7EF53832F4DBD86B6E97FC9BF3
SHA-512:	A35283C7FB47E79580917252CB08329C5F302A77322FFD8A0FE5CD8C081130C5FA28C5E7EB3D7EB8C6D0DCA25A7D423CB303AB2EC82296EAC41C91E38369CCAF
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......4b{.p...p...p...y{..v....w..r....w..\|....w..x....w..s....w..r....j..t...+k..w...p........w..r....w..q....w.q....w..q...Richp...........PE..d.....`.........." ......................................................................`.............................................d....................@..........................................................8...........................................UPX0....................................UPX1................................@....rsrc...............................@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI12682\api-ms-win-core-console-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\xSO7sbN2j6.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12240
Entropy (8bit):	6.608323768366966
Encrypted:	false
SSDEEP:	192:KFOWWthWzWf9BvVVWQ4mWqyVT/gqnajKsrCS81:uZWthWeN01IlGsrCt
MD5:	07EBE4D5CEF3301CCF07430F4C3E32D8
SHA1:	3B878B2B2720915773F16DBA6D493DAB0680AC5F
SHA-256:	8F8B79150E850ACC92FD6AAB614F6E3759BEA875134A62087D5DD65581E3001F
SHA-512:	6C7E4DF62EBAE9934B698F231CF51F54743CF3303CD758573D00F872B8ECC2AF1F556B094503AAE91100189C0D0A93EAF1B7CAFEC677F384A1D7B4FDA2EEE598
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............be..be..be...e..be...a..be......be...g..be.Rich.be.................PE..d................." .........................................................0............`A........................................p...,............ ...................!..............p............................................................................rdata..d...........................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI12682\api-ms-win-core-datetime-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\xSO7sbN2j6.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	11736
Entropy (8bit):	6.6074868843808785
Encrypted:	false
SSDEEP:	192:PUWthW6Wf9BvVVWQ4SWZifvXqnajJ6HNbLet:MWthW3NhXll6HZm
MD5:	557405C47613DE66B111D0E2B01F2FDB
SHA1:	DE116ED5DE1FFAA900732709E5E4EEF921EAD63C
SHA-256:	913EAAA7997A6AEE53574CFFB83F9C9C1700B1D8B46744A5E12D76A1E53376FD
SHA-512:	C2B326F555B2B7ACB7849402AC85922880105857C616EF98F7FB4BBBDC2CD7F2AF010F4A747875646FCC272AB8AA4CE290B6E09A9896CE1587E638502BD4BEFB
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............be..be..be...e..be...a..be......be...g..be.Rich.be.................PE..d...p.~..........." .........................................................0............`A........................................p................ ...................!..............p............................................................................rdata..H...........................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI12682\api-ms-win-core-debug-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\xSO7sbN2j6.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	11728
Entropy (8bit):	6.622854484071805
Encrypted:	false
SSDEEP:	192:tlWthWFWf9BvVVWQ4mWIzWLiP+CjAWqnajKsNb7:/WthWANnWLiP+CcWlGsNb7
MD5:	624401F31A706B1AE2245EB19264DC7F
SHA1:	8D9DEF3750C18DDFC044D5568E3406D5D0FB9285
SHA-256:	58A8D69DF60ECBEE776CD9A74B2A32B14BF2B0BD92D527EC5F19502A0D3EB8E9
SHA-512:	3353734B556D6EEBC57734827450CE3B34D010E0C033E95A6E60800C0FDA79A1958EBF9053F12054026525D95D24EEC541633186F00F162475CEC19F07A0D817
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............be..be..be...e..be...a..be......be...g..be.Rich.be.................PE..d...YJ..........." .........................................................0.......s....`A........................................p................ ...................!..............p............................................................................rdata..T...........................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI12682\api-ms-win-core-errorhandling-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\xSO7sbN2j6.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	11728
Entropy (8bit):	6.670771733256744
Encrypted:	false
SSDEEP:	192:1mxD3+HWthWiWf9BvVVWQ4WWuhD7DiqnajKswz3:19HWthWfN/GlGswz3
MD5:	2DB5666D3600A4ABCE86BE0099C6B881
SHA1:	63D5DDA4CEC0076884BC678C691BDD2A4FA1D906
SHA-256:	46079C0A1B660FC187AAFD760707F369D0B60D424D878C57685545A3FCE95819
SHA-512:	7C6E1E022DB4217A85A4012C8E4DAEE0A0F987E4FBA8A4C952424EF28E250BAC38B088C242D72B4641157B7CC882161AEFA177765A2E23AFCDC627188A084345
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............be..be..be...e..be...a..be......be...g..be.Rich.be.................PE..d....^[..........." .........................................................0......@^....`A........................................p................ ...................!..............p............................................................................rdata..............................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI12682\api-ms-win-core-file-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\xSO7sbN2j6.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	15328
Entropy (8bit):	6.561472518225768
Encrypted:	false
SSDEEP:	192:RaNYPvVX8rFTsoWthWgWf9BvVVWQ4SWfMaPOoI80Hy5qnajslBE87QyX:HPvVXqWthWlN2WlslEE87Qw
MD5:	0F7D418C05128246AFA335A1FB400CB9
SHA1:	F6313E371ED5A1DFFE35815CC5D25981184D0368
SHA-256:	5C9BC70586AD538B0DF1FCF5D6F1F3527450AE16935AA34BD7EB494B4F1B2DB9
SHA-512:	7555D9D3311C8622DF6782748C2186A3738C4807FC58DF2F75E539729FC4069DB23739F391950303F12E0D25DF9F065B4C52E13B2EBB6D417CA4C12CFDECA631
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............be..be..be...e..be...a..be......be...g..be.Rich.be.................PE..d...*.;A.........." .........................................................@.......m....`A........................................p................0...................!..............p............................................................................rdata..<...........................@..@.rsrc........0......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI12682\api-ms-win-core-file-l1-2-0.dll

Download File

Process:	C:\Users\user\Desktop\xSO7sbN2j6.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	11728
Entropy (8bit):	6.638884356866373
Encrypted:	false
SSDEEP:	192:jlWaWthWAWf9BvVVWQ4WWloprVP+CjAWqnajKsNWqL:jIaWthWFNxtVP+CcWlGsNxL
MD5:	5A72A803DF2B425D5AAFF21F0F064011
SHA1:	4B31963D981C07A7AB2A0D1A706067C539C55EC5
SHA-256:	629E52BA4E2DCA91B10EF7729A1722888E01284EED7DDA6030D0A1EC46C94086
SHA-512:	BF44997C405C2BA80100EB0F2FF7304938FC69E4D7AE3EAC52B3C236C3188E80C9F18BDA226B5F4FDE0112320E74C198AD985F9FFD7CEA99ACA22980C39C7F69
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............be..be..be...e..be...a..be......be...g..be.Rich.be.................PE..d...=+vj.........." .........................................................0.......N....`A........................................p...L............ ...................!..............p............................................................................rdata..............................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI12682\api-ms-win-core-file-l2-1-0.dll

Download File

Process:	C:\Users\user\Desktop\xSO7sbN2j6.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	11744
Entropy (8bit):	6.744400973311854
Encrypted:	false
SSDEEP:	96:imdzvQzEWthWwMVDEs3f0DHDsVBIwgmqvrnDD0ADEs3TDL2L4m2grMWaLN5DEs3r:v3WthWyWf9BvVVWQ4SWVVFJqqnajW2y
MD5:	721B60B85094851C06D572F0BD5D88CD
SHA1:	4D0EE4D717AEB9C35DA8621A545D3E2B9F19B4E7
SHA-256:	DAC867476CAA42FF8DF8F5DFE869FFD56A18DADEE17D47889AFB69ED6519AFBF
SHA-512:	430A91FCECDE4C8CC4AC7EB9B4C6619243AB244EE88C34C9E93CA918E54BD42B08ACA8EA4475D4C0F5FA95241E4AACB3206CBAE863E92D15528C8E7C9F45601B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............be..be..be...e..be...a..be......be...g..be.Rich.be.................PE..d..............." .........................................................0......T`....`A........................................p................ ...................!..............p............................................................................rdata..............................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI12682\api-ms-win-core-handle-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\xSO7sbN2j6.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	11736
Entropy (8bit):	6.638488013343178
Encrypted:	false
SSDEEP:	192:frWthWFWf9BvVVWQ4SWNOfvXqnajJ6H4WJ:frWthWANRXll6H4WJ
MD5:	D1DF480505F2D23C0B5C53DF2E0E2A1A
SHA1:	207DB9568AFD273E864B05C87282987E7E81D0BA
SHA-256:	0B3DFB8554EAD94D5DA7859A12DB353942406F9D1DFE3FAC3D48663C233EA99D
SHA-512:	F14239420F5DD84A15FF5FCA2FAD81D0AA9280C566FA581122A018E10EBDF308AC0BF1D3FCFC08634C1058C395C767130C5ABCA55540295C68DF24FFD931CA0A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............be..be..be...e..be...a..be......be...g..be.Rich.be.................PE..d.....(..........." .........................................................0......;.....`A........................................p...`............ ...................!..............p............................................................................rdata..............................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI12682\api-ms-win-core-heap-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\xSO7sbN2j6.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12256
Entropy (8bit):	6.588267640761022
Encrypted:	false
SSDEEP:	192:txlkWthW2Wf9BvVVWQ4SWBBBuUgxfzfqnaj0OTWv:txlkWthW7NkIrloFv
MD5:	73433EBFC9A47ED16EA544DDD308EAF8
SHA1:	AC1DA1378DD79762C6619C9A63FD1EBE4D360C6F
SHA-256:	C43075B1D2386A8A262DE628C93A65350E52EAE82582B27F879708364B978E29
SHA-512:	1C28CC0D3D02D4C308A86E9D0BC2DA88333DFA8C92305EC706F3E389F7BB6D15053040AFD1C4F0AA3383F3549495343A537D09FE882DB6ED12B7507115E5A263
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............be..be..be...e..be...a..be......be...g..be.Rich.be.................PE..d....pi..........." .........................................................0............`A........................................p................ ...................!..............p............................................................................rdata..<...........................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI12682\api-ms-win-core-interlocked-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\xSO7sbN2j6.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	11728
Entropy (8bit):	6.678828474114903
Encrypted:	false
SSDEEP:	192:4TWthWckWf9BvVVWQ4mWQAyUD7DiqnajKswzjdg:4TWthWcRNqGlGswzji
MD5:	7C7B61FFA29209B13D2506418746780B
SHA1:	08F3A819B5229734D98D58291BE4BFA0BEC8F761
SHA-256:	C23FE8D5C3CA89189D11EC8DF983CC144D168CB54D9EAB5D9532767BCB2F1FA3
SHA-512:	6E5E3485D980E7E2824665CBFE4F1619B3E61CE3BCBF103979532E2B1C3D22C89F65BCFBDDBB5FE88CDDD096F8FD72D498E8EE35C3C2307BACECC6DEBBC1C97F
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............be..be..be...e..be...a..be......be...g..be.Rich.be.................PE..d....\|............" .........................................................0.......3....`A........................................p................ ...................!..............p............................................................................rdata..............................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI12682\api-ms-win-core-libraryloader-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\xSO7sbN2j6.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12752
Entropy (8bit):	6.602852377056617
Encrypted:	false
SSDEEP:	192:Us13vuBL3B5LoWthW7Wf9BvVVWQ4mWgB7OQP+CjAWqnajKsN9arO:Us13vuBL3B2WthWmNVXP+CcWlGsN9P
MD5:	6D0550D3A64BD3FD1D1B739133EFB133
SHA1:	C7596FDE7EA1C676F0CC679CED8BA810D15A4AFE
SHA-256:	F320F9C0463DE641B396CE7561AF995DE32211E144407828B117088CF289DF91
SHA-512:	5DA9D490EF54A1129C94CE51349399B9012FC0D4B575AE6C9F1BAFCFCF7F65266F797C539489F882D4AD924C94428B72F5137009A851ECB541FE7FB9DE12FEB2
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............be..be..be...e..be...a..be......be...g..be.Rich.be.................PE..d...]. ,.........." .........................................................0............`A........................................p................ ...................!..............p............................................................................rdata..X...........................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI12682\api-ms-win-core-localization-l1-2-0.dll

Download File

Process:	C:\Users\user\Desktop\xSO7sbN2j6.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14800
Entropy (8bit):	6.528059454770997
Encrypted:	false
SSDEEP:	384:On2OMw3zdp3bwjGfue9/0jCRrndbZWWthWdNHhfVlGsSH:/OMwBprwjGfue9/0jCRrndbLEKv
MD5:	1ED0B196AB58EDB58FCF84E1739C63CE
SHA1:	AC7D6C77629BDEE1DF7E380CC9559E09D51D75B7
SHA-256:	8664222823E122FCA724620FD8B72187FC5336C737D891D3CEF85F4F533B8DE2
SHA-512:	E1FA7F14F39C97AAA3104F3E13098626B5F7CFD665BA52DCB2312A329639AAF5083A9177E4686D11C4213E28ACC40E2C027988074B6CC13C5016D5C5E9EF897B
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............be..be..be...e..be...a..be......be...g..be.Rich.be.................PE..d...w............" .........................................................0............`A........................................p................ ...................!..............p............................................................................rdata..............................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI12682\api-ms-win-core-memory-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\xSO7sbN2j6.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12240
Entropy (8bit):	6.659218747104705
Encrypted:	false
SSDEEP:	192:2E+tWthWvWf9BvVVWQ4mWxHD7DiqnajKswzGIAf:T+tWthWiNcGlGswzLAf
MD5:	721BAEA26A27134792C5CCC613F212B2
SHA1:	2A27DCD2436DF656A8264A949D9CE00EAB4E35E8
SHA-256:	5D9767D8CCA0FBFD5801BFF2E0C2ADDDD1BAAAA8175543625609ABCE1A9257BD
SHA-512:	9FD6058407AA95058ED2FDA9D391B7A35FA99395EC719B83C5116E91C9B448A6D853ECC731D0BDF448D1436382EECC1FA9101F73FA242D826CC13C4FD881D9BD
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............be..be..be...e..be...a..be......be...g..be.Rich.be.................PE..d...,OT..........." .........................................................0...........`A........................................p................ ...................!..............p............................................................................rdata..............................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI12682\api-ms-win-core-namedpipe-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\xSO7sbN2j6.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	11728
Entropy (8bit):	6.739082809754283
Encrypted:	false
SSDEEP:	192:vdWthW8Wf9BvVVWQ4mWG2P+CjAWqnajKsNt:lWthWJNUP+CcWlGsNt
MD5:	B3F887142F40CB176B59E58458F8C46D
SHA1:	A05948ABA6F58EB99BBAC54FA3ED0338D40CBFAD
SHA-256:	8E015CDF2561450ED9A0773BE1159463163C19EAB2B6976155117D16C36519DA
SHA-512:	7B762319EC58E3FCB84B215AE142699B766FA9D5A26E1A727572EE6ED4F5D19C859EFB568C0268846B4AA5506422D6DD9B4854DA2C9B419BFEC754F547203F7E
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............be..be..be...e..be...a..be......be...g..be.Rich.be.................PE..d...X.j..........." .........................................................0............`A........................................p................ ...................!..............p............................................................................rdata..............................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI12682\api-ms-win-core-processenvironment-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\xSO7sbN2j6.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12752
Entropy (8bit):	6.601112204637961
Encrypted:	false
SSDEEP:	192:GFPWthW5Wf9BvVVWQ4mWc0ZD7DiqnajKswzczr:GFPWthWsNiGlGswzq
MD5:	89F35CB1212A1FD8FBE960795C92D6E8
SHA1:	061AE273A75324885DD098EE1FF4246A97E1E60C
SHA-256:	058EB7CE88C22D2FF7D3E61E6593CA4E3D6DF449F984BF251D9432665E1517D1
SHA-512:	F9E81F1FEAB1535128B16E9FF389BD3DAAAB8D1DABF64270F9E563BE9D370C023DE5D5306DD0DE6D27A5A099E7C073D17499442F058EC1D20B9D37F56BCFE6D2
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............be..be..be...e..be...a..be......be...g..be.Rich.be.................PE..d...ig............" .........................................................0......H.....`A........................................p...H............ ...................!..............p............................................................................rdata..............................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI12682\api-ms-win-core-processthreads-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\xSO7sbN2j6.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14288
Entropy (8bit):	6.521808801015781
Encrypted:	false
SSDEEP:	192:/uUk1Jzb9cKcIzWthWzaWf9BvVVWQ4mWmrcLUVT/gqnajKsrCOV:/bk1JzBcKcIzWthWzXNz1IlGsrCOV
MD5:	0C933A4B3C2FCF1F805EDD849428C732
SHA1:	B8B19318DBB1D2B7D262527ABD1468D099DE3FB6
SHA-256:	A5B733E3DCE21AB62BD4010F151B3578C6F1246DA4A96D51AC60817865648DD3
SHA-512:	B25ED54345A5B14E06AA9DADD07B465C14C23225023D7225E04FBD8A439E184A7D43AB40DF80E3F8A3C0F2D5C7A79B402DDC6B9093D0D798E612F4406284E39D
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............be..be..be...e..be...a..be......be...g..be.Rich.be.................PE..d.....U..........." .........................................................0......Y.....`A........................................p................ ...................!..............p............................................................................rdata..4...........................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI12682\api-ms-win-core-processthreads-l1-1-1.dll

Download File

Process:	C:\Users\user\Desktop\xSO7sbN2j6.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12240
Entropy (8bit):	6.671157737548847
Encrypted:	false
SSDEEP:	192:7oDfIeVWthWZWf9BvVVWQ4mWaHvP+CjAWqnajKsNZ:7oDfIeVWthWMNVP+CcWlGsNZ
MD5:	7E8B61D27A9D04E28D4DAE0BFA0902ED
SHA1:	861A7B31022915F26FB49C79AC357C65782C9F4B
SHA-256:	1EF06C600C451E66E744B2CA356B7F4B7B88BA2F52EC7795858D21525848AC8C
SHA-512:	1C5B35026937B45BEB76CB8D79334A306342C57A8E36CC15D633458582FC8F7D9AB70ACE7A92144288C6C017F33ECFC20477A04432619B40A21C9CDA8D249F6D
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............be..be..be...e..be...a..be......be...g..be.Rich.be.................PE..d..............." .........................................................0......N.....`A........................................p................ ...................!..............p............................................................................rdata..............................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI12682\api-ms-win-core-profile-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\xSO7sbN2j6.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	11728
Entropy (8bit):	6.599056003106114
Encrypted:	false
SSDEEP:	192:gR7WthWTVWf9BvVVWQ4mWg2a5P+CjAWqnajKsNQbWl:gVWthWkN/P+CcWlGsNMg
MD5:	8D12FFD920314B71F2C32614CC124FEC
SHA1:	251A98F2C75C2E25FFD0580F90657A3EA7895F30
SHA-256:	E63550608DD58040304EA85367E9E0722038BA8E7DC7BF9D91C4D84F0EC65887
SHA-512:	5084C739D7DE465A9A78BCDBB8A3BD063B84A68DCFD3C9EF1BFA224C1CC06580E2A2523FD4696CFC48E9FD068A2C44DBC794DD9BDB43DC74B4E854C82ECD3EA5
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............be..be..be...e..be...a..be......be...g..be.Rich.be.................PE..d.....X4.........." .........................................................0............`A........................................p................ ...................!..............p............................................................................rdata..............................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI12682\api-ms-win-core-rtlsupport-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\xSO7sbN2j6.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12240
Entropy (8bit):	6.602527553095181
Encrypted:	false
SSDEEP:	192:zGeVfcWthW+Wf9BvVVWQ4mWMiSID7DiqnajKswz5g:zGeVfcWthWjN6SIGlGswza
MD5:	9FA3FC24186D912B0694A572847D6D74
SHA1:	93184E00CBDDACAB7F2AD78447D0EAC1B764114D
SHA-256:	91508AB353B90B30FF2551020E9755D7AB0E860308F16C2F6417DFB2E9A75014
SHA-512:	95AD31C9082F57EA57F5B4C605331FCAD62735A1862AFB01EF8A67FEA4E450154C1AE0C411CF3AC5B9CD35741F8100409CC1910F69C1B2D807D252389812F594
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............be..be..be...e..be...a..be......be...g..be.Rich.be.................PE..d.....P..........." .........................................................0.......`....`A........................................p................ ...................!..............p............................................................................rdata..P...........................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI12682\api-ms-win-core-string-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\xSO7sbN2j6.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	11728
Entropy (8bit):	6.6806369134652055
Encrypted:	false
SSDEEP:	192:qyMv0WthWPWf9BvVVWQ4mWIv/r+YVqnajKsSF:qyMv0WthWCNBfVlGsSF
MD5:	C9CBAD5632D4D42A1BC25CCFA8833601
SHA1:	09F37353A89F1BFE49F7508559DA2922B8EFEB05
SHA-256:	F3A7A9C98EBE915B1B57C16E27FFFD4DDF31A82F0F21C06FE292878E48F5883E
SHA-512:	2412E0AFFDC6DB069DE7BD9666B7BAA1CD76AA8D976C9649A4C2F1FFCE27F8269C9B02DA5FD486EC86B54231B1A5EBF6A1C72790815B7C253FEE1F211086892F
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............be..be..be...e..be...a..be......be...g..be.Rich.be.................PE..d....E.=.........." .........................................................0............`A........................................p................ ...................!..............p............................................................................rdata..,...........................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI12682\api-ms-win-core-synch-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\xSO7sbN2j6.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	13776
Entropy (8bit):	6.573983778839785
Encrypted:	false
SSDEEP:	384:miwidv3V0dfpkXc0vVauzIWthWLN3fVlGsStY:nHdv3VqpkXc0vVaKbiYlY
MD5:	4CCDE2D1681217E282996E27F3D9ED2E
SHA1:	8EDA134B0294ED35E4BBAC4911DA620301A3F34D
SHA-256:	D6708D1254ED88A948871771D6D1296945E1AA3AEB7E33E16CC378F396C61045
SHA-512:	93FE6AE9A947AC88CC5ED78996E555700340E110D12B2651F11956DB7CEE66322C269717D31FCCB31744F4C572A455B156B368F08B70EDA9EFFEC6DE01DBAB23
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............be..be..be...e..be...a..be......be...g..be.Rich.be.................PE..d....k,..........." .........................................................0......3.....`A........................................p...X............ ...................!..............p............................................................................rdata..............................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI12682\api-ms-win-core-synch-l1-2-0.dll

Download File

Process:	C:\Users\user\Desktop\xSO7sbN2j6.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12240
Entropy (8bit):	6.7137872023984055
Encrypted:	false
SSDEEP:	192:TtZ3KjWthWzWf9BvVVWQ4mWXU0P+CjAWqnajKsN2v:TtZ3KjWthWeNwP+CcWlGsNa
MD5:	E86CFC5E1147C25972A5EEFED7BE989F
SHA1:	0075091C0B1F2809393C5B8B5921586BDD389B29
SHA-256:	72C639D1AFDA32A65143BCBE016FE5D8B46D17924F5F5190EB04EFE954C1199A
SHA-512:	EA58A8D5AA587B7F5BDE74B4D394921902412617100ED161A7E0BEF6B3C91C5DAE657065EA7805A152DD76992997017E070F5415EF120812B0D61A401AA8C110
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............be..be..be...e..be...a..be......be...g..be.Rich.be.................PE..d...jN/..........." .........................................................0............`A........................................p...x............ ...................!..............p............................................................................rdata..............................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI12682\api-ms-win-core-sysinfo-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\xSO7sbN2j6.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12768
Entropy (8bit):	6.614330511483598
Encrypted:	false
SSDEEP:	192:vgdKIMFYJWthW2Wf9BvVVWQ4SW2zZ7uUgxfzfqnaj0OGWh:0hJWthW7NBzIrloYh
MD5:	206ADCB409A1C9A026F7AFDFC2933202
SHA1:	BB67E1232A536A4D1AE63370BD1A9B5431335E77
SHA-256:	76D8E4ED946DEEFEEFA0D0012C276F0B61F3D1C84AF00533F4931546CBB2F99E
SHA-512:	727AA0C4CD1A0B7E2AFFDCED5DA3A0E898E9BAE3C731FF804406AD13864CEE2B27E5BAAC653BAB9A0D2D961489915D4FCAD18557D4383ECB0A066902276955A7
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............be..be..be...e..be...a..be......be...g..be.Rich.be.................PE..d....~y..........." .........................................................0............`A........................................p...H............ ...................!..............p............................................................................rdata..............................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI12682\api-ms-win-core-timezone-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\xSO7sbN2j6.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12240
Entropy (8bit):	6.704366348384627
Encrypted:	false
SSDEEP:	192:Ha2WthWKOWf9BvVVWQ4mWNOrVT/gqnajKsrCkb:Ha2WthWKTNz1IlGsrCo
MD5:	91A2AE3C4EB79CF748E15A58108409AD
SHA1:	D402B9DF99723EA26A141BFC640D78EAF0B0111B
SHA-256:	B0EDA99EABD32FEFECC478FD9FE7439A3F646A864FDAB4EC3C1F18574B5F8B34
SHA-512:	8527AF610C1E2101B6F336A142B1A85AC9C19BB3AF4AD4A245CFB6FD602DC185DA0F7803358067099475102F3A8F10A834DC75B56D3E6DED2ED833C00AD217ED
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............be..be..be...e..be...a..be......be...g..be.Rich.be.................PE..d.....%j.........." .........................................................0......\|B....`A........................................p...P............ ...................!..............p............................................................................rdata..............................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI12682\api-ms-win-core-util-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\xSO7sbN2j6.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	11728
Entropy (8bit):	6.623077637622405
Encrypted:	false
SSDEEP:	192:jWthWYWf9BvVVWQ4mWd8l1P+CjAWqnajKsNeCw:jWthW9NnP+CcWlGsNex
MD5:	1E4C4C8E643DE249401E954488744997
SHA1:	DB1C4C0FC907100F204B21474E8CD2DB0135BC61
SHA-256:	F28A8FE2CD7E8E00B6D2EC273C16DB6E6EEA9B6B16F7F69887154B6228AF981E
SHA-512:	EF8411FD321C0E363C2E5742312CC566E616D4B0A65EFF4FB6F1B22FDBEA3410E1D75B99E889939FF70AD4629C84CEDC88F6794896428C5F0355143443FDC3A3
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............be..be..be...e..be...a..be......be...g..be.Rich.be.................PE..d.....R..........." .........................................................0............`A........................................p...<............ ...................!..............p............................................................................rdata..p...........................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI12682\api-ms-win-crt-conio-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\xSO7sbN2j6.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12752
Entropy (8bit):	6.643812426159955
Encrypted:	false
SSDEEP:	192:fSWthWvWf9BvVVWQ4mWFl5P+CjAWqnajKsNifl:aWthWiN+5P+CcWlGsNiN
MD5:	FA770BCD70208A479BDE8086D02C22DA
SHA1:	28EE5F3CE3732A55CA60AEE781212F117C6F3B26
SHA-256:	E677497C1BAEFFFB33A17D22A99B76B7FA7AE7A0C84E12FDA27D9BE5C3D104CF
SHA-512:	F8D81E350CEBDBA5AFB579A072BAD7986691E9F3D4C9FEBCA8756B807301782EE6EB5BA16B045CFA29B6E4F4696E0554C718D36D4E64431F46D1E4B1F42DC2B8
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............be..be..be...e..be...a..be......be...g..be.Rich.be.................PE..d................" .........................................................0......l.....`A........................................P................ ...................!..............p............................................................................rdata..@...........................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI12682\api-ms-win-crt-convert-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\xSO7sbN2j6.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	15824
Entropy (8bit):	6.438848882089563
Encrypted:	false
SSDEEP:	192:yjQ/w8u4cyNWthWYWf9BvVVWQ4mWhu1BVT/gqnajKsrC74m:8yNWthW9Np1IlGsrCEm
MD5:	4EC4790281017E616AF632DA1DC624E1
SHA1:	342B15C5D3E34AB4AC0B9904B95D0D5B074447B7
SHA-256:	5CF5BBB861608131B5F560CBF34A3292C80886B7C75357ACC779E0BF98E16639
SHA-512:	80C4E20D37EFF29C7577B2D0ED67539A9C2C228EDB48AB05D72648A6ED38F5FF537715C130342BEB0E3EF16EB11179B9B484303354A026BDA3A86D5414D24E69
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............be..be..be...e..be...a..be......be...g..be.Rich.be.................PE..d....P............" .........................................................@............`A........................................P................0...................!..............p............................................................................rdata..>...........................@..@.rsrc........0......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI12682\api-ms-win-crt-environment-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\xSO7sbN2j6.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12240
Entropy (8bit):	6.6061629057490245
Encrypted:	false
SSDEEP:	192:vWOPWthWAWf9BvVVWQ4mWWbgftmP+CjAWqnajKsNURPblh:BWthWFN+f8P+CcWlGsNURzv
MD5:	7A859E91FDCF78A584AC93AA85371BC9
SHA1:	1FA9D9CAD7CC26808E697373C1F5F32AAF59D6B7
SHA-256:	B7EE468F5B6C650DADA7DB3AD9E115A0E97135B3DF095C3220DFD22BA277B607
SHA-512:	A368F21ECA765AFCA86E03D59CF953500770F4A5BFF8B86B2AC53F1B5174C627E061CE9A1F781DC56506774E0D0B09725E9698D4DC2D3A59E93DA7EF3D900887
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............be..be..be...e..be...a..be......be...g..be.Rich.be.................PE..d...t............." .........................................................0......H.....`A........................................P..."............ ...................!..............p............................................................................rdata..r...........................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI12682\api-ms-win-crt-filesystem-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\xSO7sbN2j6.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	13776
Entropy (8bit):	6.65347762698107
Encrypted:	false
SSDEEP:	192:WxSnWlC0i5ClWthWTWf9BvVVWQ4mW+hkKVT/gqnajKsrCw/:WxSnWm5ClWthW+NkK1IlGsrCY
MD5:	972544ADE7E32BFDEB28B39BC734CDEE
SHA1:	87816F4AFABBDEC0EC2CFEB417748398505C5AA9
SHA-256:	7102F8D9D0F3F689129D7FE071B234077FBA4DD3687071D1E2AEAA137B123F86
SHA-512:	5E1131B405E0C7A255B1C51073AFF99E2D5C0D28FD3E55CABC04D463758A575A954008EA1BA5B4E2B345B49AF448B93AD21DFC4A01573B3CB6E7256D9ECCEEF1
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............be..be..be...e..be...a..be......be...g..be.Rich.be.................PE..d...1............" .........................................................0......':....`A........................................P................ ...................!..............p............................................................................rdata..............................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI12682\api-ms-win-crt-heap-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\xSO7sbN2j6.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12752
Entropy (8bit):	6.58394079658593
Encrypted:	false
SSDEEP:	192:YFY17aFBRQWthWIWf9BvVVWQ4mWHhOP+CjAWqnajKsNngJ:YQtWthWNNdP+CcWlGsNI
MD5:	8906279245F7385B189A6B0B67DF2D7C
SHA1:	FCF03D9043A2DAAFE8E28DEE0B130513677227E4
SHA-256:	F5183B8D7462C01031992267FE85680AB9C5B279BEDC0B25AB219F7C2184766F
SHA-512:	67CAC89AE58CC715976107F3BDF279B1E78945AFD07E6F657E076D78E92EE1A98E3E7B8FEAE295AF5CE35E00C804F3F53A890895BADB1EED32377D85C21672B9
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............be..be..be...e..be...a..be......be...g..be.Rich.be.................PE..d................." .........................................................0.......l....`A........................................P................ ...................!..............p............................................................................rdata..f...........................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI12682\api-ms-win-crt-locale-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\xSO7sbN2j6.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12240
Entropy (8bit):	6.696904963591775
Encrypted:	false
SSDEEP:	192:m8qWthWLWf9BvVVWQ4WWLXlyBZr+YVqnajKsS1:mlWthWWN0uZfVlGsS1
MD5:	DD8176E132EEDEA3322443046AC35CA2
SHA1:	D13587C7CC52B2C6FBCAA548C8ED2C771A260769
SHA-256:	2EB96422375F1A7B687115B132A4005D2E7D3D5DC091FB0EB22A6471E712848E
SHA-512:	77CB8C44C8CC8DD29997FBA4424407579AC91176482DB3CF7BC37E1F9F6AA4C4F5BA14862D2F3A9C05D1FDD7CA5A043B5F566BD0E9A9E1ED837DA9C11803B253
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............be..be..be...e..be...a..be......be...g..be.Rich.be.................PE..d...r..[.........." .........................................................0.......P....`A........................................P...e............ ...................!..............p............................................................................rdata..............................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI12682\api-ms-win-crt-math-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\xSO7sbN2j6.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	20944
Entropy (8bit):	6.216554714002396
Encrypted:	false
SSDEEP:	384:rQM4Oe59Ckb1hgmLRWthW0N0JBJ1IlGsrC5W:sMq59Bb1jYNABHJc
MD5:	A6A3D6D11D623E16866F38185853FACD
SHA1:	FBEADD1E9016908ECCE5753DE1D435D6FCF3D0B5
SHA-256:	A768339F0B03674735404248A039EC8591FCBA6FF61A3C6812414537BADD23B0
SHA-512:	ABBF32CEB35E5EC6C1562F9F3B2652B96B7DBD97BFC08D918F987C0EC0503E8390DD697476B2A2389F0172CD8CF16029FD2EC5F32A9BA3688BF2EBEEFB081B2C
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............be..be..be...e..be...a..be......be...g..be.Rich.be.................PE..d..............." .........,...............................................P............`A........................................P....%...........@...............0...!..............p............................................................................rdata...&.......(..................@..@.rsrc........@.......,..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI12682\api-ms-win-crt-multibyte-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\xSO7sbN2j6.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	19920
Entropy (8bit):	6.194200929301547
Encrypted:	false
SSDEEP:	384:8A/kPLPmIHJI6/CpG3t2G3t4odXLRWthW/N5GlGswz3:3/kjPmIHJI6manp3
MD5:	B5C8AF5BADCDEFD8812AF4F63364FE2B
SHA1:	750678935010A83E2D83769445F0D249E4568A8D
SHA-256:	7101B3DFF525EA47B7A40DD96544C944AE400447DF7A6ACD07363B6D7968B889
SHA-512:	A2A8D08D658F5ED368F9FB556BFB13B897F31E9540BFDFFF6567826614D6C5F0D64BD08FEC66C63E74D852AB6B083294E187507E83F2BC284DFB7CA5C86AE047
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............be..be..be...e..be...a..be......be...g..be.Rich.be.................PE..d......:.........." .........(...............................................P......uM....`A........................................P.... ...........@...............,...!..............p............................................................................rdata..D".......$..................@..@.rsrc........@.......(..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI12682\api-ms-win-crt-process-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\xSO7sbN2j6.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12752
Entropy (8bit):	6.604643094751227
Encrypted:	false
SSDEEP:	192:uFdyqjd7NWthWxWf9BvVVWQ4mW+JZD7DiqnajKswzR1:YQsWthWkNfZGlGswzR1
MD5:	074B81A625FB68159431BB556D28FAB5
SHA1:	20F8EAD66D548CFA861BC366BB1250CED165BE24
SHA-256:	3AF38920E767BD9EBC08F88EAF2D08C748A267C7EC60EAB41C49B3F282A4CF65
SHA-512:	36388C3EFFA0D94CF626DECAA1DA427801CC5607A2106ABDADF92252C6F6FD2CE5BF0802F5D0A4245A1FFDB4481464C99D60510CF95E83EBAF17BD3D6ACBC3DC
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............be..be..be...e..be...a..be......be...g..be.Rich.be.................PE..d....u..........." .........................................................0............`A........................................P...x............ ...................!..............p............................................................................rdata..............................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI12682\api-ms-win-crt-runtime-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\xSO7sbN2j6.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	16336
Entropy (8bit):	6.449023660091811
Encrypted:	false
SSDEEP:	192:eUW9MPrpJhhf4AN5/KihWthWBWf9BvVVWQ4mWRXwsD7DiqnajKswzK:eUZr7HWthWUNkGlGswzK
MD5:	F1A23C251FCBB7041496352EC9BCFFBE
SHA1:	BE4A00642EC82465BC7B3D0CC07D4E8DF72094E8
SHA-256:	D899C2F061952B3B97AB9CDBCA2450290B0F005909DDD243ED0F4C511D32C198
SHA-512:	31F8C5CD3B6E153073E2E2EDF0CA8072D0F787784F1611A57219349C1D57D6798A3ADBD6942B0F16CEF781634DD8691A5EC0B506DF21B24CB70AEE5523A03FD9
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............be..be..be...e..be...a..be......be...g..be.Rich.be.................PE..d....h.y.........." .........................................................@............`A........................................P...4............0...................!..............p............................................................................rdata..............................@..@.rsrc........0......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI12682\api-ms-win-crt-stdio-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\xSO7sbN2j6.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	17872
Entropy (8bit):	6.3934828478655685
Encrypted:	false
SSDEEP:	192:hA2uWYFxEpahDWthWDWf9BvVVWQ4mWR3ir+YVqnajKsSO:hIFVhDWthWONlfVlGsSO
MD5:	55B2EB7F17F82B2096E94BCA9D2DB901
SHA1:	44D85F1B1134EE7A609165E9C142188C0F0B17E0
SHA-256:	F9D3F380023A4C45E74170FE69B32BCA506EE1E1FBE670D965D5B50C616DA0CB
SHA-512:	0CF0770F5965A83F546253DECFA967D8F85C340B5F6EA220D3CAA14245F3CDB37C53BF8D3DA6C35297B22A3FA88E7621202634F6B3649D7D9C166A221D3456A5
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............be..be..be...e..be...a..be......be...g..be.Rich.be.................PE..d......w.........." ......... ...............................................@......>>....`A........................................P...a............0...............$...!..............p............................................................................rdata..............................@..@.rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI12682\api-ms-win-crt-string-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\xSO7sbN2j6.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	18384
Entropy (8bit):	6.279474608881223
Encrypted:	false
SSDEEP:	384:jvEvevdv8vPozmVx0C5yguNvZ5VQgx3SbwA7yMVIkFGlPWthWXNjqujGlGswz7:2ozmT5yguNvZ5VQgx3SbwA71IkFFaJft
MD5:	9B79965F06FD756A5EFDE11E8D373108
SHA1:	3B9DE8BF6B912F19F7742AD34A875CBE2B5FFA50
SHA-256:	1A916C0DB285DEB02C0B9DF4D08DAD5EA95700A6A812EA067BD637A91101A9F6
SHA-512:	7D4155C00D65C3554E90575178A80D20DC7C80D543C4B5C4C3F508F0811482515638FE513E291B82F958B4D7A63C9876BE4E368557B07FF062961197ED4286FB
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............be..be..be...e..be...a..be......be...g..be.Rich.be.................PE..d...$............" ........."...............................................@............`A........................................P................0...............&...!..............p............................................................................rdata../...........................@..@.rsrc........0......."..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI12682\api-ms-win-crt-time-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\xSO7sbN2j6.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14288
Entropy (8bit):	6.547753630184197
Encrypted:	false
SSDEEP:	192:ENDCWthWHWf9BvVVWQ4mWG5xqcVT/gqnajKsrC/V:TWthW6N/xqc1IlGsrC/V
MD5:	1D48A3189A55B632798F0E859628B0FB
SHA1:	61569A8E4F37ADC353986D83EFC90DC043CDC673
SHA-256:	B56BC94E8539603DD2F0FEA2F25EFD17966315067442507DB4BFFAFCBC2955B0
SHA-512:	47F329102B703BFBB1EBAEB5203D1C8404A0C912019193C93D150A95BB0C5BA8DC101AC56D3283285F9F91239FC64A66A5357AFE428A919B0BE7194BADA1F64F
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............be..be..be...e..be...a..be......be...g..be.Rich.be.................PE..d...E............" .........................................................0......f.....`A........................................P................ ...................!..............p............................................................................rdata..............................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI12682\api-ms-win-crt-utility-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\xSO7sbN2j6.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12240
Entropy (8bit):	6.686357863452704
Encrypted:	false
SSDEEP:	192:ZjfHQdufWthWCWf9BvVVWQ4mWMlUteSP+CjAWqnajKsN0c:ZfZWthW/Nd4P+CcWlGsN0c
MD5:	DBC27D384679916BA76316FB5E972EA6
SHA1:	FB9F021F2220C852F6FF4EA94E8577368F0616A4
SHA-256:	DD14133ADF5C534539298422F6C4B52739F80ACA8C5A85CA8C966DEA9964CEB1
SHA-512:	CC0D8C56749CCB9D007B6D3F5C4A8F1D4E368BB81446EBCD7CC7B40399BBD56D0ACABA588CA172ECB7472A8CBDDBD4C366FFA38094A832F6D7E343B813BA565E
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............be..be..be...e..be...a..be......be...g..be.Rich.be.................PE..d....@n#.........." .........................................................0............`A........................................P...^............ ...................!..............p............................................................................rdata..............................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI12682\base_library.zip

Download File

Process:	C:\Users\user\Desktop\xSO7sbN2j6.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=store
Category:	dropped
Size (bytes):	1032264
Entropy (8bit):	5.502997687157409
Encrypted:	false
SSDEEP:	24576:fhidCutosQNRs54PK4IMpVw597fCEb3avESWGR326V:fhidCutosQNRs54PK4Ir9avjWMHV
MD5:	8A2AF800E6C75ABE6D2FA4060655DD50
SHA1:	68B5B5B2F9BC3A951B47841957C03923C47D5C12
SHA-256:	E5D9CE91DAF8D8330E34D1E3856BD2B481EF55F374EB3836A429125E1F8E51C0
SHA-512:	913F829A36370F949BA055303E270A414646CE7D269B7E0FD6EB91D82B9CA5E337CE6714404386A48BB22C84034B9F92823DFA6CF104662D56FDFA27B28CD27A
Malicious:	false
Preview:	PK..........!...7............._bootlocale.pycU....................................@....z...d.Z.d.d.l.Z.d.d.l.Z.e.j...d...r,d.d.d...Z.nJz.e.j...W.n4..e.k.rj......e.e.d...r\d.d.d...Z.n.d.d.d...Z.Y.n.X.d.d.d...Z.d.S.)...A minimal subset of the locale module used at interpreter startup.(imported by the _io module), in order to reduce startup time...Don't import directly from third-party code; use the `locale` module instead!......N..winTc....................C........t.j.j.r.d.S.t.....d...S.).N..UTF-8.........sys..flags..utf8_mode.._locale.._getdefaultlocale....do_setlocale..r......_bootlocale.py..getpreferredencoding...............r......getandroidapilevelc....................C........d.S.).Nr....r....r....r....r....r....r...............c....................C........t.j.j.r.d.S.d.d.l.}.\|...\|...S.).Nr....r......r....r....r......localer......r....r....r....r....r....r.....................c....................C....6...\|.r.t...t.j.j.r.d.S.t...t.j...}.\|.s2t.j.d.k.r2d.}.\|.S.).Nr......darwin....A

C:\Users\user\AppData\Local\Temp\_MEI12682\certifi\cacert.pem

Download File

Process:	C:\Users\user\Desktop\xSO7sbN2j6.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	281617
Entropy (8bit):	6.048201407322743
Encrypted:	false
SSDEEP:	6144:QW1H/M8fRR1mNplkXURrVADwYCuCigT/Q5MSRqNb7d8iu5f:QWN/TR8NLWURrI55MWavdF0f
MD5:	78D9DD608305A97773574D1C0FB10B61
SHA1:	9E177F31A3622AD71C3D403422C9A980E563FE32
SHA-256:	794D039FFDF277C047E26F2C7D58F81A5865D8A0EB7024A0FAC1164FEA4D27CF
SHA-512:	0C2D08747712ED227B4992F6F8F3CC21168627A79E81C6E860EE2B5F711AF7F4387D3B71B390AA70A13661FC82806CC77AF8AB1E8A8DF82AD15E29E05FA911BF
Malicious:	false
Preview:	.# Issuer: CN=GlobalSign Root CA O=GlobalSign nv-sa OU=Root CA.# Subject: CN=GlobalSign Root CA O=GlobalSign nv-sa OU=Root CA.# Label: "GlobalSign Root CA".# Serial: 4835703278459707669005204.# MD5 Fingerprint: 3e:45:52:15:09:51:92:e1:b7:5d:37:9f:b1:87:29:8a.# SHA1 Fingerprint: b1:bc:96:8b:d4:f4:9d:62:2a:a8:9a:81:f2:15:01:52:a4:1d:82:9c.# SHA256 Fingerprint: eb:d4:10:40:e4:bb:3e:c7:42:c9:e3:81:d3:1e:f2:a4:1a:48:b6:68:5c:96:e7:ce:f3:c1:df:6c:d4:33:1c:99.-----BEGIN CERTIFICATE-----.MIIDdTCCAl2gAwIBAgILBAAAAAABFUtaw5QwDQYJKoZIhvcNAQEFBQAwVzELMAkG.A1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jv.b3QgQ0ExGzAZBgNVBAMTEkdsb2JhbFNpZ24gUm9vdCBDQTAeFw05ODA5MDExMjAw.MDBaFw0yODAxMjgxMjAwMDBaMFcxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9i.YWxTaWduIG52LXNhMRAwDgYDVQQLEwdSb290IENBMRswGQYDVQQDExJHbG9iYWxT.aWduIFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDaDuaZ.jc6j40+Kfvvxi4Mla+pIH/EqsLmVEQS98GPR4mdmzxzdzxtIK+6NiY6arymAZavp.xy0Sy6scTHAHoT0KMM0VjU/43dSMUBUc71DuxC73/OlS8pF94G3VNTCOXkNz

C:\Users\user\AppData\Local\Temp\_MEI12682\charset_normalizer\md.cp38-win_amd64.pyd

Download File

Process:	C:\Users\user\Desktop\xSO7sbN2j6.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	9728
Entropy (8bit):	6.599679776617318
Encrypted:	false
SSDEEP:	96:Id0Mp/QthczuG47NfGTJiWpjy9h+laGgazukYBbPJBj34lVhXg246ae7sXtpHqrY:It6tq4hfGNp2azdzukYj273QJXpHIH
MD5:	3EC61DACFBE1E165DE5FE35FB92FA6D4
SHA1:	A7605431D0A9BABE59CDBD5D39C292D5AB8BBF43
SHA-256:	3ACEA3CB557E4A7DF92FC34AD2CB1D654CF3C2254C00C690DA32C1A1F27BA4FA
SHA-512:	8E1DD08528C3A04086C914094D3A21A78962249A65EE31A7A2AAE37D59A004E1586D16254DA8FACCBB9386025BE538041C968A1DC4AD90FD35921A12910DECFE
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......B1...P...P...P...(...P.../...P..M(...P.../...P.../...P.../...P...$...P...P.. P..?...P..?...P..?.a..P..?...P..Rich.P..........................PE..d....gAe.........." ...%. .......p........................................................`.........................................@...l......P............@..........................................................@...........................................UPX0.....p..............................UPX1..... ..........................@....rsrc................"..............@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI12682\charset_normalizer\md__mypyc.cp38-win_amd64.pyd

Download File

Process:	C:\Users\user\Desktop\xSO7sbN2j6.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	39424
Entropy (8bit):	7.8391240913672435
Encrypted:	false
SSDEEP:	768:4ULF2V3+5GZkuG1xI0EcbOkA6BgKjxbcg3opQAsiMOvpBel:Tc3wGrc4FqgrLOAsiBel
MD5:	599D207F2DEBB191A262B407C4CC72F4
SHA1:	3BD74DA03C4FE18566E5AEF38B871FAC759FB2D8
SHA-256:	004CF0FE91F3A5837CD7BABFE21F5C8461E7A181B7C94AEF92EEE7CF7B327FC8
SHA-512:	6DB4B491E8AC9EBFF482A38FE2AB26592B1610D3A53DF9F630F604FE2EE8B8B7F8020D2BE9F37870F7E942A857B84E90FD7A3DB92E2F1119273DCC35CA21B9C6
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............pr..pr..pr......pr...s..pr...s..pr...w..pr...v..pr...q..pr.#.s..pr..ps..pr...z..pr...r..pr......pr...p..pr.Rich.pr.........................PE..d....gAe.........." ...%.............3.......................................`............`..........................................R..`....P.......P......................8S.......................................?..@...........................................UPX0....................................UPX1................................@....rsrc........P......................@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI12682\exe\netconn_properties.exe

Download File

Process:	C:\Users\user\Desktop\xSO7sbN2j6.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows, UPX compressed
Category:	dropped
Size (bytes):	61440
Entropy (8bit):	7.921620889726641
Encrypted:	false
SSDEEP:	1536:HQDJbWAHTCQezq6UT9fLUwTEJ6hh9BUusFvQrnouy8:cJiES2RfYEhyusFvaout
MD5:	3B8E84142573A5E30990BDE2E574C447
SHA1:	C3EB3D19655F022B404E6F35764BBF80931FACB6
SHA-256:	844BC565498F3C7B74E46770EDC35EB3A20F16F0EB619250C83E40ECA1C0F493
SHA-512:	3AD2BE91CEDCC261227A496C51A39F69933B6396735E15E51458D48BD69F444201BA948A5E639345222B18981833F47F19538375DBE2C4C37014377B2031DA2D
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......... 7..Nd..Nd..Nd..Me..Nd..Ke..Nd..Je..Nd..Me..Nd..Ke..Nd..Je..Nd..Oe..Nd..Od..Nd+.Ge..Nd+.d..Nd+.Le..NdRich..Nd........PE..L......d...............".........p...Z.......p....@.......................................@..................................q.......p.......................r.. ...................................\|f..............................................UPX0.....p..............................UPX1................................@....rsrc........p......................@......................................................................................................................................................................................................................................................................................................................................................................................4.02.UPX!....

C:\Users\user\AppData\Local\Temp\_MEI12682\exe\registers.exe

Download File

Process:	C:\Users\user\Desktop\xSO7sbN2j6.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows, UPX compressed
Category:	dropped
Size (bytes):	11264
Entropy (8bit):	6.941070129699565
Encrypted:	false
SSDEEP:	192:29c0mnxpjAz4YtdRinGDoPNm0aFFaNJhLkwcud2DH9VwGfct0nDs:cmnx+MYUnmoPHaTaNJawcudoD7Uws
MD5:	527010682A02EE5935BAC5B2D074C49D
SHA1:	868586F9C46F0BE6F33E732BFB25885608DD760F
SHA-256:	6F5CF5FB3EC821E23D3B7039B45084FB746335E87609523E97559AA464CECFAA
SHA-512:	F78983EC4168478730573C108A1F6463B0479A3C07091E66A07E84FD5641788434D6FCA8D9C659692337095FE55E3DFCF748F8712334832AA8B602EB68AFCB8C
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........@.P...P...P...Y..\.....+.H.....*.\.....-.Q...../.U..../.R...P./.....F.'.Q...F...Q...F.,.Q...RichP...........................PE..L...6..e...............$.0.......p................@.......................................@.................................................................... ...................................\|...............................................UPX0.....p..............................UPX1.....0......."..................@....rsrc................&..............@..............................................................................................................................................................................................................................................................................................................................................................................4.02.UPX!....

C:\Users\user\AppData\Local\Temp\_MEI12682\exe\upx.exe

Download File

Process:	C:\Users\user\Desktop\xSO7sbN2j6.exe
File Type:	PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	537600
Entropy (8bit):	7.929208677101443
Encrypted:	false
SSDEEP:	12288:fOHsWPQsJdQmiR0eYG16fyP8RHzS75CaNgMYqIW7I2:2QmiWK16rRHzS7U6ip2
MD5:	8A98406E32ED6139BD9E75342D452948
SHA1:	ED77737B88A7351D0BC5F542DDB7CE84F8F95588
SHA-256:	A4240EA0E8A916D15F8391EDEF9705AB4DE1F516DD360F0A336C5358686D434B
SHA-512:	F5B17975560D97308A6EE66845225715E82BADE9DF7BC36821C76FE67FCF8D22929BF21B85E28DD11B7399D0109AB1F3786FD2010C2E5023D3A93D2BD5CF678B
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d................./......0..........@. .......@..............................0 ............... ..............................................% ...... ......P................................................ .(...................................................UPX0....................................UPX1.....0.........................@....rsrc........ ......,..............@...4.02.UPX!.$...............%...h..I.....m....D..f.....H..(H..58..1.......$.6.9..K..7.5f.8MZu.Hc...P<H..PE4tiR..._.........uF.i....d...B..6.y.7......`....o.,..1.8.tS1.L.(...~t@........P....wm..JE..u.........~...c...........#ha.............\|..3.xtuD...wEzy7...f.^84%6L..w....^.......^....;..48..D$ R.....A.qt..8..AUATU....WVSH........lL...H....x=x6...........le&.%0...4..p.1.L.....%......H9...X......_.......H..3H..p5.g.};h.....Q#.2.........]..=8...Y,.Un...3..t.EX....?M..n.......

C:\Users\user\AppData\Local\Temp\_MEI12682\libcrypto-1_1.dll

Download File

Process:	C:\Users\user\Desktop\xSO7sbN2j6.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1173184
Entropy (8bit):	7.943479776599919
Encrypted:	false
SSDEEP:	24576:R+bGt1aXDUPxepW5HoZS4F4Z7KMUZVZ2OADo2ksJY1CPwDv3uFfJ:4KnYwwpsTOLnNt2kWY1CPwDv3uFfJ
MD5:	EB33B1A0A12A1BFCB69FD2467F5C6B8C
SHA1:	D30782A6BED3FD889846787D733D14519D757808
SHA-256:	E631BFE0B26A864F61311A03BF1F0819ABDFFC7BC00D14D263714F934A085069
SHA-512:	BEE2412914003AD4697D6A22CFE7550DE0E13C2A16DC5C8C1528CE361A84F987E8D43F58F0EABDACF6A09A01F7EDF04B310DCE41F02C4E809B04446D8DFF40E2
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......x...<.<.<.5.;...n...>.n...7.n...4.n...?.g...7.<.......!.....E.....=...W.=.....=.Rich<.................PE..d....El`.........." ..............%...4.. %...................................6...........`......................................... .4.......4.h.....4.......1...............6.......................................4.............................................UPX0......%.............................UPX1......... %.....................@....rsrc.........4.....................@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI12682\libffi-7.dll

Download File

Process:	C:\Users\user\Desktop\xSO7sbN2j6.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	24088
Entropy (8bit):	7.527291720504194
Encrypted:	false
SSDEEP:	384:hRZBxuj5W4IBzuU2CUvOEvba4Za7gJXkrZRCXEpnYPLxDG4y80uzFLhHj:rwlGuUm2Evb1p07pWDG4yKRF
MD5:	6F818913FAFE8E4DF7FEDC46131F201F
SHA1:	BBB7BA3EDBD4783F7F973D97B0B568CC69CADAC5
SHA-256:	3F94EE4F23F6C7702AB0CC12995A6457BF22183FA828C30CC12288ADF153AE56
SHA-512:	5473FE57DC40AF44EDB4F8A7EFD68C512784649D51B2045D570C7E49399990285B59CFA6BCD25EF1316E0A073EA2A89FE46BE3BFC33F05E3333037A1FD3A6639
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6.3.r}]Ar}]Ar}]A{..Ap}]A .\@p}]A..\@q}]Ar}\AU}]A .X@~}]A .Y@z}]A .^@q}]A..Y@t}]A..^@s}]A..]@s}]A.._@s}]ARichr}]A........................PE..d......].........." .....@................................................................`.........................................................................................................................................................................UPX0....................................UPX1.....@.......:..................@...UPX2.................>..............@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI12682\libssl-1_1.dll

Download File

Process:	C:\Users\user\Desktop\xSO7sbN2j6.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	202432
Entropy (8bit):	7.916943155937212
Encrypted:	false
SSDEEP:	6144:2KEAslm/r4HLTmpLdH29Vam7bJnm8yPR:2U6+mTmpcram7NNy
MD5:	88803AAC099CCCF4AF3496BFABDC8865
SHA1:	3EEE4E685E0084F13935870BE3E2C7DDDB1975E4
SHA-256:	C524B961D036C9E95AE4D9E40E8B4F897A4F0772CF1D78AC0287AF84FE918CAD
SHA-512:	50BD41771E50E9C20AD871BE9433F6E88C3CD799A6F64D7AD19265228468A8572904EC2D9B3B8FF053B23230EC1326A175DF09CB0380E60D8EFDD11AB446F8FD
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#...BkT.BkT.BkT.:.T.BkT.jU.BkT.jU.BkT.nU.BkT.oU.BkT.*hU.BkT(+jU.BkT.BjThCkT(+oU.BkT(+kU.BkT(+.T.BkT(+iU.BkTRich.BkT........................PE..d....El`.........." .........P...P..P....`...................................`............`.............................................4@.......................K...........V......................................P...............................................UPX0.....P..............................UPX1.........`......................@....rsrc....P.......H..................@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI12682\psutil\_psutil_windows.pyd

Download File

Process:	C:\Users\user\Desktop\xSO7sbN2j6.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	34816
Entropy (8bit):	7.756084875002629
Encrypted:	false
SSDEEP:	768:nrA/j6Vq1p3Kuu42ShVZmBKDRAdlq9gYe7JSp+AG:Wjz1p3dVZmBJQgpNA
MD5:	FA4A63CC5BBC7B119DDEB9469B17A55D
SHA1:	72EF6F8E5E7FE13EA64973E05DB297C8455754FB
SHA-256:	EE2EACA1473E460BEFEBBC0149BA1A4537A9C9303C10AAA2FF6D8C8F74AC8BA3
SHA-512:	77D0E34A46D0C05C9DE527283F726E6A7C96FE473D0C6A6F707EEA14F3BE4D1383BBD03B552C27455175ECC66CFF242177829154CA6EA4A12D704DE285693F41
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......:.][~.3.~.3.~.3.w...t.3.,.2.\|.3.,.6.r.3.,.7.v.3.,.0.z.3...2.\|.3.5.2.o.3.~.2...3...;.r.3...3...3.......3...1...3.Rich~.3.........PE..d.....ic.........." ............. .......0................................................`.........................................8...`......H............P..4......................................................8...........................................UPX0..... ..............................UPX1.........0...~..................@....rsrc...............................@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI12682\pyexpat.pyd

Download File

Process:	C:\Users\user\Desktop\xSO7sbN2j6.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	83120
Entropy (8bit):	7.907238064399988
Encrypted:	false
SSDEEP:	1536:Xp6V6J1lSnf2bGaeYiO3YM6gl7Sm24a1WUxCosj8dVu4pFUr9j2nNYsvkBExg9IE:oVY1InOb3ezY7Sm1a11xC/8SsMIIBh91
MD5:	5F5C5041C392FA352223F248F056639F
SHA1:	5FB30449F84653B3B26B1E2820577A67FD52AFB0
SHA-256:	044751B6EB51B5D2E75394F7DA265747063101F2310E1D0AB6AB79DF7F589BE3
SHA-512:	DE0F31D3B11DC45AB62EE0696B2031814A3D7F7DBAED98A27E87191850038A3930769B49826CB1D8E44D4F29A632EAB65277BB52156C917B599CC06E9F0B1718
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......[.;f..U5..U5..U5...5..U5s.T4..U5s.P4..U5s.Q4..U5s.V4..U5..T4..U5D.T4..U5..T5o.U5..X4..U5..U4..U5..5..U5..W4..U5Rich..U5........PE..d...u.`.........." ..... ..........p(... ...................................P............`.........................................tL..P....I.......@.......................L......................................p4..8...........................................UPX0....................................UPX1..... ... ......................@....rsrc........@......................@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI12682\python3.dll

Download File

Process:	C:\Users\user\Desktop\xSO7sbN2j6.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	59568
Entropy (8bit):	5.881803359169673
Encrypted:	false
SSDEEP:	768:bS99q+0o22ByfbEap+VCBQ53gUiT5pLFdBk4/yFi1nuVwWBjChtFyrUdmd9RSxD0:M9xiEAnUvdy5IIB0/ya7
MD5:	C9F0B55FCE50C904DFF9276014CEF6D8
SHA1:	9F9AE27DF619B695827A5AF29414B592FC584E43
SHA-256:	074B06AE1D0A0B5C26F0CE097C91E2F24A5D38B279849115495FC40C6C10117E
SHA-512:	8DD188003D8419A25DE7FBB37B29A4BC57A6FD93F2D79B5327AD2897D4AE626D7427F4E6AC84463C158BCB18B6C1E02E83ED49F347389252477BBEEB864AC799
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............d...d...d.0.l...d.0.d...d.0.....d.0.f...d.Rich..d.................PE..d...j.`.........." ......................................................................`.........................................` ..@............................................ ..T............................................................................text............................... ..`.rdata..d.... ......................@..@.rsrc...............................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI12682\python38.dll

Download File

Process:	C:\Users\user\Desktop\xSO7sbN2j6.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1436848
Entropy (8bit):	7.991911842353948
Encrypted:	true
SSDEEP:	24576:4x/FMCGq6fqOD+5QKiQ6SqHPz5nTD8DRr7iNh+PyteisMfU5cSNdFHpFetZv710+:sSCYfqVmK56SK9TD80ptebRNXHpFeg+
MD5:	7AB78070CA047F134156169C60CCA0A3
SHA1:	F3FE769A202936D4C533A643F9A8B7CBDDA61CA4
SHA-256:	C57BD27215609ECA66BEA7F88F4B5CE3BF39486DFDBAB7D5C684270507627D22
SHA-512:	2F3CD43BEB3E0E1EA1581337289566159A707F3314852DC88C0353A65DD4A6D549AAC1EA66974893EC99A3C1E28B932D7D3AB9E612D102CB6211772F594181F1
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........`....................................................................j...q...j.......j.....j.......Rich............................PE..d...a.`.........." .............`...\C..p...................................PD...........`.........................................8.C......yC.L....pC......p@..............AD......................................hC.8...........................................UPX0.....`..............................UPX1.........p......................@....rsrc........pC.....................@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI12682\pywin32_system32\pythoncom38.dll

Download File

Process:	C:\Users\user\Desktop\xSO7sbN2j6.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	200192
Entropy (8bit):	7.903772238406268
Encrypted:	false
SSDEEP:	3072:s7yyhL4NvlJyiWXG3OfJHe3ACEVXTCTWoKQnJhHkKwONMGsnG2bQUHJPpdir:sRhL4rsiWsWBibwevEKwO2GEGAtpd
MD5:	E66C96A48F85B9F0B44D5006AEA7DAAC
SHA1:	2E5ADB142EA5BB79DCDA2B72671B76855B85F633
SHA-256:	EAEA8C3093EA2F566F7EF3F95CEF86E58FB9889E6D0423D6F0E182C86D6472FC
SHA-512:	6659451D4495A8697A36205F80CF5174070BE354796B4618ED3C615D3335E4E4A5D47CFD1C4F8D3516A36FEAF8E81D5CB6F53006F2A3BEB2977D105C71975763
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........x...+...+...+.P+...+......+......+......+......+......+.....+.....+.....+...+...+......+......+...*...+Rich...+................PE..d...a..d.........." .........p... .......0...................................@............`......................................... ....c..`...........`........z...........:..........................................8...........................................UPX0..... ..............................UPX1.........0......................@....rsrc....p.......l..................@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI12682\pywin32_system32\pywintypes38.dll

Download File

Process:	C:\Users\user\Desktop\xSO7sbN2j6.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	64000
Entropy (8bit):	7.595690275773314
Encrypted:	false
SSDEEP:	1536:48yGA8d6epdvLhWVhLAS1FjL9NxFRgCbTp4SZt8ei:9x7hYLAgFjLnxFV/p4le
MD5:	C9B84B1AC14813C7C8FC5E7AB6EF788B
SHA1:	C5EED330F129E5C6A9B817AD081CF8722E9EB147
SHA-256:	F1D4431DA1300B9FE40DBE6C1E2C8311CD7F458EA1D8F2DB234137CF57C5D2D2
SHA-512:	BD4B3AF8C9B87110197EA64572E97EA027EAD198EB24DE8EEE43BB70913E53BF96368FF2C1BF4D2BB5DB3EAB24DDB9F043760CF5A64EF6BBAF09DC63000ECA26
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........+.$.J.w.J.w.J.w.2Kw.J.w.?.v.J.w.%%w.J.w.?.v.J.w.?.v.J.w.?.v.J.w.!.v.J.w.,.v.J.w.!.v.J.w.J.wNJ.wh?.v.J.wh?.v.J.wh?.v.J.wRich.J.w................PE..d......d.........." .........P...........................................................`.........................................h...`B..h...........h....0.........................................................8...........................................UPX0....................................UPX1................................@....rsrc....P.......J..................@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI12682\select.pyd

Download File

Process:	C:\Users\user\Desktop\xSO7sbN2j6.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22192
Entropy (8bit):	7.347287608561872
Encrypted:	false
SSDEEP:	384:Q9Pj6VLmXzJIGHkjCc4PevAZa7gJXdMrIImGbJ7EDG4y8iD0hS:1VSXzSIpNMrIImGbJYDG4y+hS
MD5:	BFCE179B385145F6C0CB73AAC30318C1
SHA1:	FF59AB14CBEB00A9C68369D998B101102673B6E2
SHA-256:	04F0936EC038FF18927B5DEF896DB658B64F6DC9E6275E6AD03A7436D4F9A80A
SHA-512:	A82ED3398C4F1C0D0AB8A5F5E75735D6D05D6F02C9B0A97EDB478482A0F3BEE0F49FEA35C5AFDFE373C33ADE510D0EBFF8DD02B0131D961BE7E5B5DDCBFDB88F
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........J.D.J.D.J.D.C...H.D.&.E.H.D.&.A.A.D.&.@.B.D.&.G.N.D...E.H.D...E.O.D.J.E.t.D...I.K.D...D.K.D....K.D...F.K.D.RichJ.D.........PE..d...o.`.........." .....0.......... .....................................................`.........................................d...L.......\|............`......................................................0...8...........................................UPX0....................................UPX1.....0.........................@....rsrc...............................@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI12682\ucrtbase.dll

Download File

Process:	C:\Users\user\Desktop\xSO7sbN2j6.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1035728
Entropy (8bit):	6.630126944065657
Encrypted:	false
SSDEEP:	24576:EsKxVJ/pRRK0Y/9fCrl4NbpjONcncXEomxvSZX0yp49C:lKxDPHQCrlQBXxw
MD5:	849959A003FA63C5A42AE87929FCD18B
SHA1:	D1B80B3265E31A2B5D8D7DA6183146BBD5FB791B
SHA-256:	6238CBFE9F57C142B75E153C399C478D492252FDA8CB40EE539C2DCB0F2EB232
SHA-512:	64958DABDB94D21B59254C2F074DB5D51E914DDBC8437452115DFF369B0C134E50462C3FDBBC14B6FA809A6EE19AB2FB83D654061601CC175CDDCB7D74778E09
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........of...5...5...5..5...5...5&..5...5...5...4...5...4...5...4...5...4...5...4..5...5...5...4...5Rich...5........PE..d.....$%.........." .....:..........0Z..............................................7^....`A................................................................. ...........!.............p........................... f..............................................text...09.......:.................. ..`.rdata..^....P.......>..............@..@.data....&..........................@....pdata....... ......................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI12682\unicodedata.pyd

Download File

Process:	C:\Users\user\Desktop\xSO7sbN2j6.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	287408
Entropy (8bit):	7.985748275421679
Encrypted:	false
SSDEEP:	6144:GftoxCDFCv7FooOAr+MLDhGX2TUY2E/xFb30whI1o/yOp8wH2UN8u6ih6:CDDovNrRGGTvF5FZhI1o/yS88Ndh6
MD5:	F9486E61971743562E9CDFAC3B26B9B8
SHA1:	827CC385D614535A17C37A899017E95ABEE90384
SHA-256:	D35630AC31C32CEB5098EB2E63B029EBEE37167C6DA320F07574A244A8336554
SHA-512:	5BAC1699C2B11FBA9A25112672DC30F2DD7A1058161066939667F467470CDDACF6E8DDBB0AFAAB0395BCBFFE67743231640CD70ACB9DCAD2645743F5F0DBCFF5
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......:.T~~.:-~.:-~.:-w..-x.:-..;,\|.:-..?,r.:-..>,v.:-..9,}.:-..;,}.:-%.;,\|.:-~.;-4.:-..7,..:-..:,..:-...-..:-..8,..:-Rich~.:-........................PE..d...q.`.........." .....@................................................... ............`.............................................X.......................H...........D...........................................8...........................................UPX0....................................UPX1.....@.......4..................@....rsrc................8..............@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI12682\win32\_win32sysloader.pyd

Download File

Process:	C:\Users\user\Desktop\xSO7sbN2j6.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	11776
Entropy (8bit):	6.768385706088112
Encrypted:	false
SSDEEP:	192:BhVG7AsfBUmejljLpciF5JEw/80/cwDIvkYj273QJXhEDE/wx8p:omjhZF5JEw005IvZa7gJXOE/wx
MD5:	75BE08C4B0982D2BEE8BFDC3571B90BC
SHA1:	F131B660569166243CECC1EAEE7EF2427D968D4E
SHA-256:	871079FF742DD22E944820510D723BF140E69397814BA9F1C1CEE13421CBEB09
SHA-512:	888CDA61F383C57F6781441B781F2EA4596D4BF24FF9E11DB8DC59D7A244ECAEE7E06BA86A67E32A13E2A5A78C597D013474AFCDA178D38E832E364830603E01
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........tf...........m......`.....~......`......`......`.....s...........k`.....k`.....k`.....Rich....................PE..d......d.........." .....0..........0.....................................................`.............................................`...p...P.......p....`.............. .......................................0...8...........................................UPX0....................................UPX1.....0.......$..................@....rsrc................(..............@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI12682\win32\win32api.pyd

Download File

Process:	C:\Users\user\Desktop\xSO7sbN2j6.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	50176
Entropy (8bit):	7.856075315952315
Encrypted:	false
SSDEEP:	1536:rCqUvYAXWuxLjyimF6As/Z3bGUuvsCVXCaue:rCqwtr/yimoxB3dukte
MD5:	A5164377C56078FA97E42C4CCD7E3C17
SHA1:	5D4E05710848E757D52DAA0C2A9DD806FA22D35A
SHA-256:	B00E9D8604CF0E3436E5F44AF51C352762089D5EED53F84FB109E1EDDF7F1A84
SHA-512:	63E3D98CA3E1DCE64D0D5F49695CD7B3740154D6D9F6E23A2E84687E54D414C41BCAB07626EA685A350E55A3414EF10FC429910CE06B9AF240B2796C536A6202
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......\.uV.z...z...z.......z..J....z..J....z..J....z.......z.......z..J....z.......z...z..O{.......z.......z.......z..Rich.z..........................PE..d......d.........." ................0.....................................................`.................................................X...........X.... ......................................................0...8.......................@...................UPX0....................................UPX1................................@....rsrc...............................@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI12682\win32\win32net.pyd

Download File

Process:	C:\Users\user\Desktop\xSO7sbN2j6.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	34304
Entropy (8bit):	7.6971745920156325
Encrypted:	false
SSDEEP:	768:Zzr7HjHd8/GHaJ31sd2rhSky7aY0jDN8CK/yPebpLNf:ZzPHbd8JFsd2rJXYcRKMeZNf
MD5:	DD20D1245098A40C8729A931B5402718
SHA1:	228E9EA731D3A2EE8C227C78523F9285314FC6E0
SHA-256:	9228F21326C91E1FBD620328D8C33B52DB7743943C8890F1EC65287206DEACD2
SHA-512:	2259793ED01162428FE68C0BB8A2A87577F4129478A179D1151D8332A7190E60B18ACBEF5C40B10CD901DEB01528D3D7E658B0E81D21BF6C4E67A2E214E68594
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........:.U.T.U.T.U.T.\..Q.T...U.Q.T...Q.D.T...P.].T...W.V.T...U.W.T.A.U.W.T.A.U.R.T.U.U..T...].R.T...T.T.T...V.T.T.RichU.T.........PE..d......d.........." ......................................................... ............`.............................................P...X...........X...................X...........................................8...........................................UPX0....................................UPX1.............z..................@....rsrc................~..............@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI12682\win32\win32security.pyd

Download File

Process:	C:\Users\user\Desktop\xSO7sbN2j6.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	51200
Entropy (8bit):	7.823054231458668
Encrypted:	false
SSDEEP:	1536:kvdj32qzofwYTVzIiX8ARibgxe8+ShUV:sdCcoRFXA6rvUV
MD5:	502D5987825F4F6D4627D6C80088743A
SHA1:	77FFEDE001A1207D549A3B55625478A866D7E5AC
SHA-256:	5B3C7EE3E22B1839C1C6C515C03FB31E6E792DB99E825135B281A64A5AB7C252
SHA-512:	1494D316C7B89ED0DFA620F6914F765CF4BFFCF5B508045D5B1D29719F655947424887A21172F164CA0D5CC018703DE3C5D20FB52AFF2F0B3D6089475F600BC7
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........L)i^-G:^-G:^-G:WU.:V-G:.XF;Z-G:.XB;O-G:.XC;V-G:.XD;]-G:.XF;\-G:JKF;\-G:JFF;W-G:^-F:.-G:.XN;]-G:.XG;_-G:.XE;_-G:Rich^-G:........................PE..d......d.........." ..................... ................................................`.................................................h...........h....`..........................................................8...........................................UPX0....................................UPX1......... ......................@....rsrc...............................@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI12682\win32\win32trace.pyd

Download File

Process:	C:\Users\user\Desktop\xSO7sbN2j6.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14848
Entropy (8bit):	7.096312139520411
Encrypted:	false
SSDEEP:	384:9mIxvg14DDBoqz0VMUW6u7D5rm4Za7gJXH51BJN:HV+4poPV/W/n59p3bB7
MD5:	3B821D786242A4BA72F8EAD9FA6DB6DA
SHA1:	EE5BD3D7919564A1DBD6751DF833089105A5E3C1
SHA-256:	B890A6781AB64F4EF12F507DCCFD617445362645FCC20963679D627DB97298DD
SHA-512:	F936C88701EDAF14578F8AB1B5AD530FFD83FB0DD60320D19734EAC48E71C49459D93F66AFF59B78734545C3F2CB9370412D1E0165DC439E22B3B652D84A63D9
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........*U.bD..bD..bD......bD...E..bD...A..bD...@..bD...G..bD.?.E..bD...E..bD...E..bD..bE..bD.?.M..bD.?.D..bD.?.F..bD.Rich.bD.........PE..d......d.........." .....0................................................................`.............................................T...`...8.......`....p..........................................................8...........................................UPX0....................................UPX1.....0..........................@....rsrc................2..............@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI12682\win32\win32wnet.pyd

Download File

Process:	C:\Users\user\Desktop\xSO7sbN2j6.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	7.406348326088368
Encrypted:	false
SSDEEP:	384:+CQ3drserOIUVmRhRgx61UJJ0kKszKHIwZa7gJXLB26tO:+hTU+gx6k4DpbB26tO
MD5:	014AF0E1EAA9A31EAE687F1EAE823810
SHA1:	22BCD2192469992935E00CEB2B0B9A8B90A28C9C
SHA-256:	CACEEE05760DAEFE177B1ABC915A1ABAB512A7F8B0689DDC600F57301A019C6B
SHA-512:	2A7D05D89A395D8A948AA31494D9620DB165CD67A5720519597C000615FB7F7215C62A8E2EFFA1BA6AECFF0E683633BFF33819797263DE007DA233AE725D7882
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........fTG..:...:...:.......:..r;...:..r?...:..r>...:..r9...:.Tr;...:..a;...:..l;...:...;...:.Tr3...:.Tr:...:.Tr8...:.Rich..:.........PE..d......d.........." .....@................................................... ............`.........................................H...H...X...........X...............................................................8...........................................UPX0....................................UPX1.....@.......@..................@....rsrc................D..............@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI12682\zstandard\_cffi.cp38-win_amd64.pyd

Download File

Process:	C:\Users\user\Desktop\xSO7sbN2j6.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	264192
Entropy (8bit):	7.9936286609130285
Encrypted:	true
SSDEEP:	6144:3PvqH4ND5vg9tYqXFDy+F1g9xcirKkClmRaGvw0:3PHNDEVGEWxbrKLgYGI0
MD5:	BB5E0471A4CE96408EA8D3B667AABFC9
SHA1:	072E7CDFC513580E6291B368546F42E9764F7C85
SHA-256:	828EE83BE8E6088D3452770301E9888DFA2D48C01BD5ED06922955481F0A1FC3
SHA-512:	810771F87692124100C2E5275F18505E28DE0A4AF546954F8C8DA1971AFBD2D9BB817B928257B7A3CFC3D30DFAAC20D002CCF8B2F4FE3362E44B74BC2B2DA954
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......n............#.8. ...e..(...a..(...e..'...e.."...e.........)......b......(......+.....T.+......+...Rich*...........PE..d.....<d.........." ...".........@...B...P...................................`............`.........................................lS..X....P..\|....P..........$H...........S.......................................N..@...........................................UPX0.....@..............................UPX1.........P......................@....rsrc........P......................@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI12682\zstandard\backend_c.cp38-win_amd64.pyd

Download File

Process:	C:\Users\user\Desktop\xSO7sbN2j6.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	233984
Entropy (8bit):	7.9891918400504665
Encrypted:	false
SSDEEP:	6144:k61SUiamsDELcQvCVd5RYFwDs2dfDgBTgyX75vOIW43whQDL:k4SUrIFvCnYqZfcTVNvLlH
MD5:	7EEBDF85AFD93370AA72A607049C7564
SHA1:	A60FA68592F9D3AA06C220C865782FF3E92C025B
SHA-256:	41A3712D497420B701A938F6FDABC93589D083079A53AFF7EC0F55C8C3A07D32
SHA-512:	6EEB5AD15DDE41D1A67A3DCA4DEE0DC06CE5D382DC2F2CBAF2B6D04D4CD72785786E4AEF6F345032802B70F13C49282683AD92A064FECF3C0592DABA04F90E74
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........t............................................................E...............[.......[.......[.....[.......Rich............PE..d...x.<d.........." ..."............P+.......................................P............`......................................... C..`....@..0....@..........x<...........C......................................P7..@...........................................UPX0....................................UPX1................................@....rsrc........@......................@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\tmp179_cpv3\gen_py\init.py

Download File

Process:	C:\Users\user\Desktop\xSO7sbN2j6.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	176
Entropy (8bit):	4.713840781302666
Encrypted:	false
SSDEEP:	3:S3yE25MOWrYXtHVE/DRFrgm5/gvJgXDLAUDA+ERo6+aEYqVS1f6gq1WGgVSBn:S3mSOWWHVUDjrgmxgRgzLXDA6Va8VeuR
MD5:	8C7CA775CF482C6027B4A2D3DB0F6A31
SHA1:	E3596A87DD6E81BA7CF43B0E8E80DA5BC823EA1A
SHA-256:	52C72CF96B12AE74D84F6C049775DA045FAE47C007DC834CA4DAC607B6F518EA
SHA-512:	19C7D229723249885B125121B3CC86E8C571360C1FB7F2AF92B251E6354A297B4C2B9A28E708F2394CA58C35B20987F8B65D9BD6543370F063BBD59DB4A186AC
Malicious:	false
Preview:	# Generated file - this directory may be deleted to reset the COM cache.....import win32com..if __path__[:-1] != win32com.__gen_path__: __path__.append(win32com.__gen_path__)..

C:\Users\user\AppData\Local\Temp\tmp179_cpv3\gen_py\dicts.dat

Download File

Process:	C:\Users\user\Desktop\xSO7sbN2j6.exe
File Type:	data
Category:	dropped
Size (bytes):	10
Entropy (8bit):	2.7219280948873625
Encrypted:	false
SSDEEP:	3:qW6:qW6
MD5:	2C7344F3031A5107275CE84AED227411
SHA1:	68ACAD72A154CBE8B2D597655FF84FD31D57C43B
SHA-256:	83CDA9FECC9C008B22C0C8E58CBCBFA577A3EF8EE9B2F983ED4A8659596D5C11
SHA-512:	F58362C70A2017875D231831AE5868DF22D0017B00098A28AACB5753432E8C4267AA7CBF6C5680FEB2DC9B7ABADE5654C3651685167CC26AA208A9EB71528BB6
Malicious:	false
Preview:	..K....}..

\Device\ConDrv

Download File

Process:	C:\Users\user\Desktop\xSO7sbN2j6.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	71
Entropy (8bit):	4.432106231961828
Encrypted:	false
SSDEEP:	3:poJABFReNmI47BAuF5QEyn:3MmI4q3
MD5:	8E8C632FF4048AA416057B3C5336B6CE
SHA1:	381EDCA9BBCA3F705E476D18094A61CE265A2998
SHA-256:	8EAE147B5D82300DA0DF4DFB35F8635CA2E38BDFB8A40A21944F9C890EBE90A8
SHA-512:	A6B2365B97A468BA5E6A0A9265A9319357446A11F6E083C4674ABFDFBCA54794E33E1E92119C9758AD86BBFC23AD48AD1AC37C0FEC8B3A429EC02D48082277EA
Malicious:	false
Preview:	[3424] Failed to execute script 'grabber' due to unhandled exception!..

Static File Info

General

File type:	PE32+ executable (console) x86-64, for MS Windows
Entropy (8bit):	7.9956456855740825
TrID:	Win64 Executable Console (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	xSO7sbN2j6.exe
File size:	11'440'768 bytes
MD5:	5917c8e5a003b2c211150d1f92440f79
SHA1:	fc3dfd511d75828c56aec3be55931d42bfbdd96e
SHA256:	95256b28dfb85f1d5bafdec109950775733d4af82acc0512151639695c57e469
SHA512:	ba686693de8c474d819ca65e6d44ae0d32aae82f71faa40052c1ace81ca0452c590780fab13601930de04c3426430ee4b93b2a3870357738e13b1d60aadd81df
SSDEEP:	196608:TgfL0sKYu/PaQL2rg+9eqH2AbUEOgvDDJf6Wv/VrxiWmo3sNushugauo0LRmVj:GQLKg+4qH2AoEOgv3Jx/VMW1sAgau3RK
TLSH:	9DB63391670208F5D5BA63BE59519E794732BC231328FBD703FCD99B1F072A0293AB91
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...................................1.............-.............................................H.......H.......Rich...................

File Icon


Icon Hash:	2e1e7c4c4c61e979

Static PE Info

General

Entrypoint:	0x14000a6a0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x65C8ED34 [Sun Feb 11 15:52:20 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	2
File Version Major:	5
File Version Minor:	2
Subsystem Version Major:	5
Subsystem Version Minor:	2
Import Hash:	ba5546933531fafa869b1f86a4e2a959

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007F4874C5A05Ch
dec eax
add esp, 28h
jmp 00007F4874C59C5Fh
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
dec eax
sub esp, 28h
call 00007F4874C5A5A4h
test eax, eax
je 00007F4874C59E13h
dec eax
mov eax, dword ptr [00000030h]
dec eax
mov ecx, dword ptr [eax+08h]
jmp 00007F4874C59DF7h
dec eax
cmp ecx, eax
je 00007F4874C59E06h
xor eax, eax
dec eax
cmpxchg dword ptr [00041E8Ch], ecx
jne 00007F4874C59DE0h
xor al, al
dec eax
add esp, 28h
ret
mov al, 01h
jmp 00007F4874C59DE9h
int3
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
movzx eax, byte ptr [00041E77h]
test ecx, ecx
mov ebx, 00000001h
cmove eax, ebx
mov byte ptr [00041E67h], al
call 00007F4874C5A3A3h
call 00007F4874C5B4D2h
test al, al
jne 00007F4874C59DF6h
xor al, al
jmp 00007F4874C59E06h
call 00007F4874C688B1h
test al, al
jne 00007F4874C59DFBh
xor ecx, ecx
call 00007F4874C5B4E2h
jmp 00007F4874C59DDCh
mov al, bl
dec eax
add esp, 20h
pop ebx
ret
int3
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
cmp byte ptr [00041E2Ch], 00000000h
mov ebx, ecx
jne 00007F4874C59E59h
cmp ecx, 01h
jnbe 00007F4874C59E5Ch
call 00007F4874C5A50Ah
test eax, eax
je 00007F4874C59E1Ah

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3bb94	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x52000	0xef8c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x4e000	0x20e8	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x61000	0x75c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x39350	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x39210	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2a000	0x350	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x28890	0x28a00	7c71956ea75242f33df45f4d2c19a4d8	False	0.5562019230769231	zlib compressed data	6.489977853279916	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x2a000	0x1271a	0x12800	cf9cb7b4c9af47cd1857b49383ba72c6	False	0.5159549197635135	data	5.84623965078296	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3d000	0x103f8	0xe00	9bd2cebaa3285e8e266c4c373a15119d	False	0.13337053571428573	DOS executable (block device driver \377\3)	1.808915577448681	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x4e000	0x20e8	0x2200	f2a57235499cb8c84daf2de6f18a85eb	False	0.4756433823529412	data	5.330974160786823	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
_RDATA	0x51000	0x15c	0x200	32c20bb907888de565d4d8836d097016	False	0.392578125	data	2.795351059303424	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x52000	0xef8c	0xf000	dabc2b77a65cf1196a989f49ae2bdf8d	False	0.8010091145833333	data	7.350146321781753	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x61000	0x75c	0x800	b7279c82d58eeae8dc663879402c6f2e	False	0.54296875	data	5.238892234772638	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x52208	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	0.56636460554371
RT_ICON	0x530b0	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	0.7287906137184116
RT_ICON	0x53958	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	0.7471098265895953
RT_ICON	0x53ec0	0x909b	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9971636186822983
RT_ICON	0x5cf5c	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	0.38309128630705397
RT_ICON	0x5f504	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	0.4826454033771107
RT_ICON	0x605ac	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	0.699468085106383
RT_GROUP_ICON	0x60a14	0x68	data	0.7019230769230769
RT_MANIFEST	0x60a7c	0x50d	XML 1.0 document, ASCII text	0.4694508894044857

Imports

DLL

Import

KERNEL32.dll

GetCommandLineW, GetEnvironmentVariableW, SetEnvironmentVariableW, ExpandEnvironmentStringsW, CreateDirectoryW, GetTempPathW, WaitForSingleObject, Sleep, GetExitCodeProcess, CreateProcessW, GetStartupInfoW, LoadLibraryExW, SetConsoleCtrlHandler, FindClose, FindFirstFileExW, CloseHandle, GetCurrentProcess, LocalFree, FormatMessageW, MultiByteToWideChar, WideCharToMultiByte, WriteConsoleW, GetProcAddress, GetModuleFileNameW, SetDllDirectoryW, FreeLibrary, GetLastError, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetModuleHandleW, RtlUnwindEx, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, RaiseException, RtlPcToFileHeader, GetCommandLineA, CreateFileW, GetDriveTypeW, GetFileInformationByHandle, GetFileType, PeekNamedPipe, SystemTimeToTzSpecificLocalTime, FileTimeToSystemTime, GetFullPathNameW, RemoveDirectoryW, FindNextFileW, SetStdHandle, DeleteFileW, ReadFile, GetStdHandle, WriteFile, ExitProcess, GetModuleHandleExW, HeapFree, GetConsoleMode, ReadConsoleW, SetFilePointerEx, GetConsoleOutputCP, GetFileSizeEx, HeapAlloc, FlsAlloc, FlsGetValue, FlsSetValue, FlsFree, CompareStringW, LCMapStringW, GetCurrentDirectoryW, FlushFileBuffers, HeapReAlloc, GetFileAttributesExW, GetStringTypeW, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetProcessHeap, GetTimeZoneInformation, HeapSize, SetEndOfFile

ADVAPI32.dll

ConvertSidToStringSidW, GetTokenInformation, OpenProcessToken, ConvertStringSecurityDescriptorToSecurityDescriptorW

Network Behavior

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Apr 19, 2024 02:45:22.687341928 CEST	1.1.1.1	192.168.2.5	0x4702	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Apr 19, 2024 02:45:22.687341928 CEST	1.1.1.1	192.168.2.5	0x4702	No error (0)	fp2e7a.wpc.phicdn.net		192.229.211.108	A (IP address)	IN (0x0001)	false

Target ID:	1
Start time:	02:45:46
Start date:	19/04/2024
Path:	C:\Users\user\Desktop\xSO7sbN2j6.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\xSO7sbN2j6.exe"
Imagebase:	0x7ff73d7a0000
File size:	11'440'768 bytes
MD5 hash:	5917C8E5A003B2C211150D1F92440F79
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	02:45:46
Start date:	19/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	02:45:48
Start date:	19/04/2024
Path:	C:\Users\user\Desktop\xSO7sbN2j6.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\xSO7sbN2j6.exe"
Imagebase:	0x7ff73d7a0000
File size:	11'440'768 bytes
MD5 hash:	5917C8E5A003B2C211150D1F92440F79
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	02:46:05
Start date:	19/04/2024
Path:	C:\Users\user\AppData\Local\Temp\_MEI12682\exe\netconn_properties.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\_MEI12682\exe/netconn_properties.exe
Imagebase:	0xa00000
File size:	61'440 bytes
MD5 hash:	3B8E84142573A5E30990BDE2E574C447
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	02:46:05
Start date:	19/04/2024
Path:	C:\Users\user\AppData\Local\Temp\_MEI12682\exe\registers.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\_MEI12682\exe/registers.exe
Imagebase:	0x260000
File size:	11'264 bytes
MD5 hash:	527010682A02EE5935BAC5B2D074C49D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	11.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	13.5%
Total number of Nodes:	2000
Total number of Limit Nodes:	62

Executed Functions

Function 00007FF73D7C4EA0 Relevance: 14.3, APIs: 6, Strings: 2, Instructions: 334
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_get_daylight.LIBCMT ref: 00007FF73D7C4EE5

Part of subcall function 00007FF73D7C4838: _invalid_parameter_noinfo.LIBCMT ref: 00007FF73D7C484C

Part of subcall function 00007FF73D7B9F78: RtlRestoreThreadPreferredUILanguages.NTDLL(?,?,?,00007FF73D7C1EC2,?,?,?,00007FF73D7C1EFF,?,?,00000000,00007FF73D7C23C5,?,?,00000000,00007FF73D7C22F7), ref: 00007FF73D7B9F8E
Part of subcall function 00007FF73D7B9F78: GetLastError.KERNEL32(?,?,?,00007FF73D7C1EC2,?,?,?,00007FF73D7C1EFF,?,?,00000000,00007FF73D7C23C5,?,?,00000000,00007FF73D7C22F7), ref: 00007FF73D7B9F98

Part of subcall function 00007FF73D7B9F30: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FF73D7B9F0F,?,?,?,?,?,00007FF73D7B1A40), ref: 00007FF73D7B9F39
Part of subcall function 00007FF73D7B9F30: GetCurrentProcess.KERNEL32(?,?,?,?,00007FF73D7B9F0F,?,?,?,?,?,00007FF73D7B1A40), ref: 00007FF73D7B9F5E

_get_daylight.LIBCMT ref: 00007FF73D7C4ED4

Part of subcall function 00007FF73D7C4898: _invalid_parameter_noinfo.LIBCMT ref: 00007FF73D7C48AC

_get_daylight.LIBCMT ref: 00007FF73D7C514A
_get_daylight.LIBCMT ref: 00007FF73D7C515B
_get_daylight.LIBCMT ref: 00007FF73D7C516C
GetTimeZoneInformation.KERNELBASE(?,?,?,?,?,?,?,?,?,00000000,?,00007FF73D7C53AC), ref: 00007FF73D7C5193

Strings

W. Europe Summer Time, xrefs: 00007FF73D7C5251
W. Europe Standard Time, xrefs: 00007FF73D7C5239

Memory Dump Source

Source File: 00000001.00000002.2450600305.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000001.00000002.2450359287.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450659707.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450846455.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo$CurrentErrorFeatureInformationLanguagesLastPreferredPresentProcessProcessorRestoreThreadTimeZone
String ID: W. Europe Standard Time$W. Europe Summer Time
API String ID: 1458651798-690618308
Opcode ID: aa85b069b6fb92bd10a5b6d5be9144cf64bbc0ff06c8fbb0fdd7caf4b6a87e0b
Instruction ID: 563544c33dd6ba9be267295d8291dd0775ece5b0d61c173268cefaf4e0df071b
Opcode Fuzzy Hash: aa85b069b6fb92bd10a5b6d5be9144cf64bbc0ff06c8fbb0fdd7caf4b6a87e0b
Instruction Fuzzy Hash: 06D1A222A1C25A6AE720BFB5D8501B9A6A1FF4C7A4FC44035EA8D47685FF3DF441E360

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7A58E0 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 139
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTempPathW.KERNEL32(?,00000000,?,00007FF73D7A58AD), ref: 00007FF73D7A597A
GetCurrentProcessId.KERNEL32(?,00007FF73D7A58AD), ref: 00007FF73D7A5980

Part of subcall function 00007FF73D7A5AF0: GetEnvironmentVariableW.KERNEL32(00007FF73D7A2817,?,?,?,?,?,?), ref: 00007FF73D7A5B2A
Part of subcall function 00007FF73D7A5AF0: ExpandEnvironmentStringsW.KERNEL32(?,?,?,?,?,?), ref: 00007FF73D7A5B47

Part of subcall function 00007FF73D7B6818: _invalid_parameter_noinfo.LIBCMT ref: 00007FF73D7B6831

SetEnvironmentVariableW.KERNEL32(?,TokenIntegrityLevel), ref: 00007FF73D7A5A31

Strings

_MEI%d, xrefs: 00007FF73D7A5988
LOADER: Failed to set the TMP environment variable., xrefs: 00007FF73D7A5958
TMP, xrefs: 00007FF73D7A5918, 00007FF73D7A59D9, 00007FF73D7A5A67
TMP, xrefs: 00007FF73D7A593E

Memory Dump Source

Source File: 00000001.00000002.2450600305.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000001.00000002.2450359287.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450659707.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450846455.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID: Environment$Variable$CurrentExpandPathProcessStringsTemp_invalid_parameter_noinfo
String ID: LOADER: Failed to set the TMP environment variable.$TMP$TMP$_MEI%d
API String ID: 1556224225-1116378104
Opcode ID: ec9df767df1d7ad63378cf9061c4f1b0c2791a030b8388df183876306d084e69
Instruction ID: 78d302aa24c31cb0675fec92773ab3791572cfcb0d35809826cf7892d8883227
Opcode Fuzzy Hash: ec9df767df1d7ad63378cf9061c4f1b0c2791a030b8388df183876306d084e69
Instruction Fuzzy Hash: 8D516810B0D64A74EE54BBE2A9552BAD2A16F5DBD4FC44031ED0E4BB96FF2CF401A320

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7C5DEC Relevance: 13.8, APIs: 9, Instructions: 276
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF73D7C5B20: _invalid_parameter_noinfo.LIBCMT ref: 00007FF73D7C5B61
Part of subcall function 00007FF73D7C5B20: _invalid_parameter_noinfo.LIBCMT ref: 00007FF73D7C5BDF
Part of subcall function 00007FF73D7C5B20: _invalid_parameter_noinfo.LIBCMT ref: 00007FF73D7C5C30

CreateFileW.KERNELBASE ref: 00007FF73D7C5EF2
CreateFileW.KERNEL32 ref: 00007FF73D7C5F42
GetLastError.KERNEL32 ref: 00007FF73D7C5F72
GetFileType.KERNELBASE ref: 00007FF73D7C5F87
GetLastError.KERNEL32 ref: 00007FF73D7C5F91
CloseHandle.KERNEL32 ref: 00007FF73D7C5FC4
CloseHandle.KERNEL32 ref: 00007FF73D7C6127
CreateFileW.KERNEL32 ref: 00007FF73D7C615C
GetLastError.KERNEL32 ref: 00007FF73D7C616B

Memory Dump Source

Source File: 00000001.00000002.2450600305.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000001.00000002.2450359287.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450659707.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450846455.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type
String ID:
API String ID: 1617910340-0
Opcode ID: 52a4378cdb78c32285671ba8c66096e739a338fe2dbd84037285ee5c330aca07
Instruction ID: 05b991d51b8a46ce259d5d0b97b1bba063a714ceef46b3a785dfc098d738f835
Opcode Fuzzy Hash: 52a4378cdb78c32285671ba8c66096e739a338fe2dbd84037285ee5c330aca07
Instruction Fuzzy Hash: 36C1F432B28A4A9AEB10DFA4C4805AC7761F74DBA8F800235DE5E5B795EF39E051D310

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7C511C Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 143
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_get_daylight.LIBCMT ref: 00007FF73D7C514A

Part of subcall function 00007FF73D7C4898: _invalid_parameter_noinfo.LIBCMT ref: 00007FF73D7C48AC

_get_daylight.LIBCMT ref: 00007FF73D7C515B

Part of subcall function 00007FF73D7C4838: _invalid_parameter_noinfo.LIBCMT ref: 00007FF73D7C484C

_get_daylight.LIBCMT ref: 00007FF73D7C516C

Part of subcall function 00007FF73D7C4868: _invalid_parameter_noinfo.LIBCMT ref: 00007FF73D7C487C

Part of subcall function 00007FF73D7B9F78: RtlRestoreThreadPreferredUILanguages.NTDLL(?,?,?,00007FF73D7C1EC2,?,?,?,00007FF73D7C1EFF,?,?,00000000,00007FF73D7C23C5,?,?,00000000,00007FF73D7C22F7), ref: 00007FF73D7B9F8E
Part of subcall function 00007FF73D7B9F78: GetLastError.KERNEL32(?,?,?,00007FF73D7C1EC2,?,?,?,00007FF73D7C1EFF,?,?,00000000,00007FF73D7C23C5,?,?,00000000,00007FF73D7C22F7), ref: 00007FF73D7B9F98

GetTimeZoneInformation.KERNELBASE(?,?,?,?,?,?,?,?,?,00000000,?,00007FF73D7C53AC), ref: 00007FF73D7C5193

Strings

W. Europe Summer Time, xrefs: 00007FF73D7C5251
W. Europe Standard Time, xrefs: 00007FF73D7C5239

Memory Dump Source

Source File: 00000001.00000002.2450600305.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000001.00000002.2450359287.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450659707.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450846455.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID: _get_daylight_invalid_parameter_noinfo$ErrorInformationLanguagesLastPreferredRestoreThreadTimeZone
String ID: W. Europe Standard Time$W. Europe Summer Time
API String ID: 2248164782-690618308
Opcode ID: 745ef94ea7204a2bfbd30c29007a49fe20bc82f24fe0203fc347e73c8b1ad169
Instruction ID: dd971b74f90df43dbb840c2febaf66e860e90053ef6bbc71420a5751370b17d9
Opcode Fuzzy Hash: 745ef94ea7204a2bfbd30c29007a49fe20bc82f24fe0203fc347e73c8b1ad169
Instruction Fuzzy Hash: E8517132A1C64AAAE720FFA5D8901A9F760FB4C794FC04135EA8D47695EF3CF4009760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7A69E0 Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNELBASE ref: 00007FF73D7A6A11
FindClose.KERNELBASE ref: 00007FF73D7A6A20

Memory Dump Source

Source File: 00000001.00000002.2450600305.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000001.00000002.2450359287.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450659707.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450846455.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 0b7e5a9930ef76a70c4e782aa580d8521c3892be20b9910ca6b4e20049941746
Instruction ID: a53b729fb6cdd79039dd00217b579c458f275e1b207e74658187815b07bdad6b
Opcode Fuzzy Hash: 0b7e5a9930ef76a70c4e782aa580d8521c3892be20b9910ca6b4e20049941746
Instruction Fuzzy Hash: E7F0A432A1CB8596E7B09FA0E45876AB350BB88764F804335D6AD027D4EF3CE4499B10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7A17B0 Relevance: 21.1, APIs: 2, Strings: 10, Instructions: 144
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_fread_nolock.LIBCMT ref: 00007FF73D7A185C
_fread_nolock.LIBCMT ref: 00007FF73D7A190E

Part of subcall function 00007FF73D7AE6D0: _invalid_parameter_noinfo.LIBCMT ref: 00007FF73D7AE6E4

Strings

Failed to read cookie!, xrefs: 00007FF73D7A1867
fseek, xrefs: 00007FF73D7A1836
Error on file., xrefs: 00007FF73D7A193D
malloc, xrefs: 00007FF73D7A18EA
Could not allocate buffer for TOC!, xrefs: 00007FF73D7A18E3
MEI, xrefs: 00007FF73D7A17EF
fread, xrefs: 00007FF73D7A186E
Failed to seek to cookie position!, xrefs: 00007FF73D7A182F
Could not read full TOC!, xrefs: 00007FF73D7A1919
Cannot read Table of Contents., xrefs: 00007FF73D7A1995

Memory Dump Source

Source File: 00000001.00000002.2450600305.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000001.00000002.2450359287.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450659707.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450846455.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID: _fread_nolock$_invalid_parameter_noinfo
String ID: Cannot read Table of Contents.$Could not allocate buffer for TOC!$Could not read full TOC!$Error on file.$Failed to read cookie!$Failed to seek to cookie position!$MEI$fread$fseek$malloc
API String ID: 3405171723-4158440160
Opcode ID: 835103007f02c9749ac647d58f048ab1686cef21957037b090b7deb9b795050b
Instruction ID: 253f66822e3f6f349930bf0b2bb80f4b459ad96d7b14b7d5bd94ffd4174cfa76
Opcode Fuzzy Hash: 835103007f02c9749ac647d58f048ab1686cef21957037b090b7deb9b795050b
Instruction Fuzzy Hash: D9517D72A0DA0AA6EB54EF64D450178B3A0FB4CB58B918136DA4D87395EF3CF444D760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7A1440 Relevance: 21.1, APIs: 1, Strings: 11, Instructions: 133
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Failed to extract %s: failed to read data chunk!, xrefs: 00007FF73D7A15E5
Failed to extract %s: failed to allocate temporary buffer!, xrefs: 00007FF73D7A1559
fseek, xrefs: 00007FF73D7A1500
fwrite, xrefs: 00007FF73D7A15DC
malloc, xrefs: 00007FF73D7A1560
Failed to extract %s: failed to open target file!, xrefs: 00007FF73D7A148A
Failed to extract %s: failed to write data chunk!, xrefs: 00007FF73D7A15D5
fopen, xrefs: 00007FF73D7A1491
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF73D7A14F9
Failed to extract %s: failed to open archive file!, xrefs: 00007FF73D7A14CA
fread, xrefs: 00007FF73D7A15EC

Memory Dump Source

Source File: 00000001.00000002.2450600305.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000001.00000002.2450359287.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450659707.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450846455.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID:
String ID: Failed to extract %s: failed to allocate temporary buffer!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to open target file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$Failed to extract %s: failed to write data chunk!$fopen$fread$fseek$fwrite$malloc
API String ID: 0-666925554
Opcode ID: 9960f63575f751e35a3844e99a4979cf69418d4c573dd41fa87a4345e49a5c97
Instruction ID: 481a343d180af8dca95f6785f88a6ef222e1ecc457756f566588caaab900ea68
Opcode Fuzzy Hash: 9960f63575f751e35a3844e99a4979cf69418d4c573dd41fa87a4345e49a5c97
Instruction Fuzzy Hash: 98519B21B0C64AA5FA10BBA1A4146B9E3A0BF49BE8FC54431DE5D47795FF3CF149A320

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7A6A60 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 91
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(00000000,00007FF73D7A59BA,?,00007FF73D7A58AD), ref: 00007FF73D7A6AA0
OpenProcessToken.ADVAPI32(?,00007FF73D7A58AD), ref: 00007FF73D7A6AB1
GetTokenInformation.KERNELBASE(?,00007FF73D7A58AD(TokenIntegrityLevel)), ref: 00007FF73D7A6AD3
GetLastError.KERNEL32(?,TokenIntegrityLevel), ref: 00007FF73D7A6ADD
GetTokenInformation.KERNELBASE(?,TokenIntegrityLevel), ref: 00007FF73D7A6B1A
ConvertSidToStringSidW.ADVAPI32 ref: 00007FF73D7A6B2C
CloseHandle.KERNEL32(?,00007FF73D7A58AD), ref: 00007FF73D7A6B44
LocalFree.KERNEL32(?,00007FF73D7A58AD), ref: 00007FF73D7A6B76
ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32 ref: 00007FF73D7A6B9D
CreateDirectoryW.KERNELBASE(?,00007FF73D7A58AD), ref: 00007FF73D7A6BAE

Strings

S-1-3-4, xrefs: 00007FF73D7A6B4F
D:(A;;FA;;;%s), xrefs: 00007FF73D7A6B59

Memory Dump Source

Source File: 00000001.00000002.2450600305.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000001.00000002.2450359287.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450659707.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450846455.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID: Token$ConvertDescriptorInformationProcessSecurityString$CloseCreateCurrentDirectoryErrorFreeHandleLastLocalOpen
String ID: D:(A;;FA;;;%s)$S-1-3-4
API String ID: 4998090-2855260032
Opcode ID: 04a4952acd007a2d57849bf4a7f549880b035f2fca275a5dfd27a02a5c87a0f0
Instruction ID: 47a29afdb2c347df1fd09069e77d1222c6ec10a8bc20925fa0887846edc1a1fa
Opcode Fuzzy Hash: 04a4952acd007a2d57849bf4a7f549880b035f2fca275a5dfd27a02a5c87a0f0
Instruction Fuzzy Hash: 8C41863161CA8A95E750AF90E4446AAB361FB887A4FD00231E99E47BD4FF3CF449D720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7A6130 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 90
processsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF73D7A6DB0: MultiByteToWideChar.KERNEL32(?,?,?,?,?,?), ref: 00007FF73D7A6DEA

SetConsoleCtrlHandler.KERNEL32(00000000,00007FF73D7A2B60,?,?,?,?,?,?), ref: 00007FF73D7A617F
GetStartupInfoW.KERNEL32 ref: 00007FF73D7A619E

Part of subcall function 00007FF73D7B92E4: _invalid_parameter_noinfo.LIBCMT ref: 00007FF73D7B92F8

Part of subcall function 00007FF73D7B705C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF73D7B70C3

GetCommandLineW.KERNEL32 ref: 00007FF73D7A623E
CreateProcessW.KERNELBASE ref: 00007FF73D7A6280
WaitForSingleObject.KERNEL32 ref: 00007FF73D7A6294
GetExitCodeProcess.KERNELBASE ref: 00007FF73D7A62A4

Strings

Error creating child process!, xrefs: 00007FF73D7A62B0
CreateProcessW, xrefs: 00007FF73D7A62B7

Memory Dump Source

Source File: 00000001.00000002.2450600305.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000001.00000002.2450359287.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450659707.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450846455.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID: Process_invalid_parameter_noinfo$ByteCharCodeCommandConsoleCreateCtrlExitHandlerInfoLineMultiObjectSingleStartupWaitWide
String ID: CreateProcessW$Error creating child process!
API String ID: 2895956056-3524285272
Opcode ID: d5693698e4819ce5d510509d5cda6c943b390b1bcdb6e918232fd1435297541c
Instruction ID: 6b402114e684e3abb3628e1f36c36bd00d3bae0638bbf482adeb6fe004d4acb9
Opcode Fuzzy Hash: d5693698e4819ce5d510509d5cda6c943b390b1bcdb6e918232fd1435297541c
Instruction Fuzzy Hash: BE411531A0CB8695DA20ABA0F4552AAF360FB98364F900335E6AD43BD5EF7CE0449B10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7A1000 Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 274
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF73D7A2CD0: GetModuleFileNameW.KERNEL32(?,00007FF73D7A27C9,?,?,?,?,?,?), ref: 00007FF73D7A2D01

SetDllDirectoryW.KERNEL32 ref: 00007FF73D7A29D5

Part of subcall function 00007FF73D7A5AF0: GetEnvironmentVariableW.KERNEL32(00007FF73D7A2817,?,?,?,?,?,?), ref: 00007FF73D7A5B2A
Part of subcall function 00007FF73D7A5AF0: ExpandEnvironmentStringsW.KERNEL32(?,?,?,?,?,?), ref: 00007FF73D7A5B47

Strings

Failed to convert DLL search path!, xrefs: 00007FF73D7A29BD
_MEIPASS2, xrefs: 00007FF73D7A2803, 00007FF73D7A286C, 00007FF73D7A2B1B, 00007FF73D7A2B2B
Cannot open PyInstaller archive from executable (%s) or external archive (%s), xrefs: 00007FF73D7A28BE
_PYI_ONEDIR_MODE, xrefs: 00007FF73D7A282C, 00007FF73D7A2857
MEI, xrefs: 00007FF73D7A2917
Cannot side-load external archive %s (code %d)!, xrefs: 00007FF73D7A295C

Memory Dump Source

Source File: 00000001.00000002.2450600305.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000001.00000002.2450359287.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450659707.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450846455.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID: Environment$DirectoryExpandFileModuleNameStringsVariable
String ID: Cannot open PyInstaller archive from executable (%s) or external archive (%s)$Cannot side-load external archive %s (code %d)!$Failed to convert DLL search path!$MEI$_MEIPASS2$_PYI_ONEDIR_MODE
API String ID: 2344891160-3602715111
Opcode ID: cda1d3e5af6f259c5f9a2f0a335d6599039ecfe805480d258e6d0267492e8153
Instruction ID: aae7a1149a70466cd18f49eaeb528e6c347d95ae5c10e41ff3e59072bca909f3
Opcode Fuzzy Hash: cda1d3e5af6f259c5f9a2f0a335d6599039ecfe805480d258e6d0267492e8153
Instruction Fuzzy Hash: B4C17222A1C68B75FA24BBA194512FDA391BF4C784FC05032EA4D47796FF2CF615A720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7A1050 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 156
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

1.2.13, xrefs: 00007FF73D7A107E
malloc, xrefs: 00007FF73D7A10F8, 00007FF73D7A1126
Failed to extract %s: failed to allocate temporary output buffer!, xrefs: 00007FF73D7A111F
Failed to extract %s: decompression resulted in return code %d!, xrefs: 00007FF73D7A1249
Failed to extract %s: failed to allocate temporary input buffer!, xrefs: 00007FF73D7A10F1
Failed to extract %s: inflateInit() failed with return code %d!, xrefs: 00007FF73D7A10B4

Memory Dump Source

Source File: 00000001.00000002.2450600305.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000001.00000002.2450359287.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450659707.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450846455.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID:
String ID: 1.2.13$Failed to extract %s: decompression resulted in return code %d!$Failed to extract %s: failed to allocate temporary input buffer!$Failed to extract %s: failed to allocate temporary output buffer!$Failed to extract %s: inflateInit() failed with return code %d!$malloc
API String ID: 0-1655038675
Opcode ID: af04965e2dbcd0d8e1621cd66b39530d0b4f4ad9fcd8e07e4d45104bc70e5302
Instruction ID: 5f2d5940081e6786cb7d0821df9bfca7ea7bf0fda4bddac639a9ad2d30221019
Opcode Fuzzy Hash: af04965e2dbcd0d8e1621cd66b39530d0b4f4ad9fcd8e07e4d45104bc70e5302
Instruction Fuzzy Hash: 64518022A0D68AA5FA60BB91E4403B9A291BB88794FC44135DE4D877C5FF3CF549E720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7BDF30 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(?,00000000,?,00007FF73D7BE2CA,?,?,-00000018,00007FF73D7BA383,?,?,?,00007FF73D7BA27A,?,?,?,00007FF73D7B54E2), ref: 00007FF73D7BE0AC
GetProcAddress.KERNEL32(?,00000000,?,00007FF73D7BE2CA,?,?,-00000018,00007FF73D7BA383,?,?,?,00007FF73D7BA27A,?,?,?,00007FF73D7B54E2), ref: 00007FF73D7BE0B8

Strings

api-ms-, xrefs: 00007FF73D7BDFF6
ext-ms-, xrefs: 00007FF73D7BE009

Memory Dump Source

Source File: 00000001.00000002.2450600305.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000001.00000002.2450359287.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450659707.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450846455.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: api-ms-$ext-ms-
API String ID: 3013587201-537541572
Opcode ID: 5d4014bca18f9f9ee9ee76f308e7221266f6712ab36b1d3e30b229e2872ef72f
Instruction ID: a5d48aec32c7ec175a213d8bb1b94824a3f665acc227341ffb1a2daacbed434a
Opcode Fuzzy Hash: 5d4014bca18f9f9ee9ee76f308e7221266f6712ab36b1d3e30b229e2872ef72f
Instruction Fuzzy Hash: 58415622B2DA1AA5FA19EB969800675A391BF1CBE0FD84135DD5D87384FF3CF445A320

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7BB08C Relevance: 10.8, APIs: 7, Instructions: 290
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF73D7BB4B9

Memory Dump Source

Source File: 00000001.00000002.2450600305.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000001.00000002.2450359287.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450659707.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450846455.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 5e2fa04a27a554ad5a06cbbe01d601b05b68f3aeb2922c25288f770f6f319bba
Instruction ID: 4abb210d8458dfb35c3cc1d39a417f16e737bf044167b41653809584b7eae96f
Opcode Fuzzy Hash: 5e2fa04a27a554ad5a06cbbe01d601b05b68f3aeb2922c25288f770f6f319bba
Instruction Fuzzy Hash: 7BC1082290C64E61E722AB9594482BDB751FBA9B80FD50131EE8D07791EF7CF449E320

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7BC590 Relevance: 6.2, APIs: 4, Instructions: 218
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,?,00000000,00000000,00007FF73D7BC57B), ref: 00007FF73D7BC6AC
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,?,00000000,00000000,00007FF73D7BC57B), ref: 00007FF73D7BC737

Memory Dump Source

Source File: 00000001.00000002.2450600305.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000001.00000002.2450359287.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450659707.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450846455.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID: ConsoleErrorLastMode
String ID:
API String ID: 953036326-0
Opcode ID: 1ee269c4fb3492fdab786e16ea0be33da994e1b3a3006f3c14cd8905a42bf150
Instruction ID: 14713b6ca5f96d38d89900a7ab2817049fe3ee9c0c1074ee1b6d9d1dcfad9830
Opcode Fuzzy Hash: 1ee269c4fb3492fdab786e16ea0be33da994e1b3a3006f3c14cd8905a42bf150
Instruction Fuzzy Hash: D391C832E0C65AA5F750AFB5944027DA7A0FB68B88F948139EE4E57684EF38F441D720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7BE95C Relevance: 6.2, APIs: 4, Instructions: 162
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_get_daylight.LIBCMT ref: 00007FF73D7BEA4C
_get_daylight.LIBCMT ref: 00007FF73D7BEA5D
_get_daylight.LIBCMT ref: 00007FF73D7BEA6E
_isindst.LIBCMT ref: 00007FF73D7BEB39

Memory Dump Source

Source File: 00000001.00000002.2450600305.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000001.00000002.2450359287.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450659707.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450846455.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID: _get_daylight$_isindst
String ID:
API String ID: 4170891091-0
Opcode ID: 993f4cb53d01987759aa9ab87d439edc94425a62c6450610c4994d1423bcdf7f
Instruction ID: 023e201b58abf58582f42327d4877943cc7836e36954433d4f003d84484bc9ea
Opcode Fuzzy Hash: 993f4cb53d01987759aa9ab87d439edc94425a62c6450610c4994d1423bcdf7f
Instruction Fuzzy Hash: 0D516972F182195AFB18EFA4D851ABDA7A1AB28358F940135DD1F47BD0EF38B501DB00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7B483C Relevance: 6.1, APIs: 4, Instructions: 119
pipeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileType.KERNELBASE ref: 00007FF73D7B486F
GetFileInformationByHandle.KERNELBASE ref: 00007FF73D7B48D1
GetLastError.KERNEL32 ref: 00007FF73D7B4962
PeekNamedPipe.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF73D7B4774), ref: 00007FF73D7B49AE

Memory Dump Source

Source File: 00000001.00000002.2450600305.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000001.00000002.2450359287.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450659707.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450846455.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID: File$ErrorHandleInformationLastNamedPeekPipeType
String ID:
API String ID: 2780335769-0
Opcode ID: 81de7022a69b47ce39b5392d1784fece2718e2d2aab2765227a8e407644b98c7
Instruction ID: c91557c8b89d67a92f2a11b696a4683178425248f3c64a72bb04d1c15936d844
Opcode Fuzzy Hash: 81de7022a69b47ce39b5392d1784fece2718e2d2aab2765227a8e407644b98c7
Instruction Fuzzy Hash: 7A51BD22E0C646AAFB10EFB0D4503BDA3A1BB5CB5CF908035DE4D57689EF38E4859760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7B46E8 Relevance: 6.1, APIs: 4, Instructions: 90fileCOMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF73D7B4715
CreateFileW.KERNELBASE ref: 00007FF73D7B4754
CloseHandle.KERNEL32 ref: 00007FF73D7B4789

Memory Dump Source

Source File: 00000001.00000002.2450600305.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000001.00000002.2450359287.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450659707.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450846455.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID: CloseCreateFileHandle_invalid_parameter_noinfo
String ID:
API String ID: 1279662727-0
Opcode ID: 58b178a13046118a9aa3eab3ad0445e857bf873c1952e3e12f7b4cc56e3b75ff
Instruction ID: b568f7dd7fe2386bbbe20592a6efc1d613a31154cc1a92507e02d4342b02cb30
Opcode Fuzzy Hash: 58b178a13046118a9aa3eab3ad0445e857bf873c1952e3e12f7b4cc56e3b75ff
Instruction Fuzzy Hash: 7041C222D1C78597E710ABA09510379B360FBA97A8F908334E79C03AD1EF7CB4E09720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7AA51C Relevance: 4.6, APIs: 3, Instructions: 102COMMON

Download Yara Rule

APIs

__scrt_initialize_crt.LIBCMT ref: 00007FF73D7AA530

Part of subcall function 00007FF73D7AA6FC: __scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF73D7AA71E

__scrt_acquire_startup_lock.LIBCMT ref: 00007FF73D7AA545
__scrt_release_startup_lock.LIBCMT ref: 00007FF73D7AA5B3

Memory Dump Source

Source File: 00000001.00000002.2450600305.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000001.00000002.2450359287.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450659707.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450846455.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_initialize_crt__scrt_release_startup_lock
String ID:
API String ID: 3058843127-0
Opcode ID: 0a8c62a57e2cf59f1561fe537eeb51f2220189f8d74725526a3d26dbeb988a7e
Instruction ID: 6506bc38d70cf4cf3ba8cc93d4fa138e899af3dbc8c4ce6f4be12d8257933380
Opcode Fuzzy Hash: 0a8c62a57e2cf59f1561fe537eeb51f2220189f8d74725526a3d26dbeb988a7e
Instruction Fuzzy Hash: 14313821E0C28AA6EA54BBE0D4123BAA291BF4D784FC44435EA4D47393FF2CB445A770

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7B89E8 Relevance: 4.5, APIs: 3, Instructions: 14COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,00007FF73D7B89E4), ref: 00007FF73D7B89F9
TerminateProcess.KERNEL32(?,?,?,00007FF73D7B89E4), ref: 00007FF73D7B8A04
ExitProcess.KERNEL32 ref: 00007FF73D7B8A13

Memory Dump Source

Source File: 00000001.00000002.2450600305.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000001.00000002.2450359287.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450659707.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450846455.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: fc68bfbf785dc4e8d02d30f22ac316467e06faf73d836825e3014864920bd8dd
Instruction ID: 59741308a5176c070f84cd34da3ad558a5030ab20cd00259ed85331e3fffd813
Opcode Fuzzy Hash: fc68bfbf785dc4e8d02d30f22ac316467e06faf73d836825e3014864920bd8dd
Instruction Fuzzy Hash: 03D09E10B0C64AAAEB543BF1585917992516F9C762F841438C88F17393FF3DB84D6270

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7AE6FC Relevance: 3.2, APIs: 2, Instructions: 177COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF73D7AE740
_invalid_parameter_noinfo.LIBCMT ref: 00007FF73D7AE837

Memory Dump Source

Source File: 00000001.00000002.2450600305.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000001.00000002.2450359287.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450659707.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450846455.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: a3600ff4682811ddeb36fb761298261c2e9791cf1ca8f4758584451e9995ac85
Instruction ID: bf5cefecd58a8824fbe5ff991beb8f0fcafe1351405de923383375ec2ea08358
Opcode Fuzzy Hash: a3600ff4682811ddeb36fb761298261c2e9791cf1ca8f4758584451e9995ac85
Instruction Fuzzy Hash: F2510921F2D25A56F768BAA5940067AE181BF48BB4F884634DD7C077C5EF3CF401A721

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7BBA48 Relevance: 3.1, APIs: 2, Instructions: 71COMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32 ref: 00007FF73D7BBAC1
GetFileType.KERNELBASE ref: 00007FF73D7BBAD7

Memory Dump Source

Source File: 00000001.00000002.2450600305.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000001.00000002.2450359287.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450659707.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450846455.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID: FileHandleType
String ID:
API String ID: 3000768030-0
Opcode ID: 51d66a3ea3a1e5720d3031fa8d01ef1f6d3b4a26eee4bfd04239a76c9c1293a5
Instruction ID: 9e6f93e8bea8158b100c1ce2930ce8726f03d36fd446219f97fea8e789d363b3
Opcode Fuzzy Hash: 51d66a3ea3a1e5720d3031fa8d01ef1f6d3b4a26eee4bfd04239a76c9c1293a5
Instruction Fuzzy Hash: D931D622E1CB4AA1D7219B548584179AA50FB5DBB0FA81339EF6E073E4DF38F491E310

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7BA188 Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?,?,?,00007FF73D7BA005,?,?,00000000,00007FF73D7BA0BA), ref: 00007FF73D7BA1F6
GetLastError.KERNEL32(?,?,?,00007FF73D7BA005,?,?,00000000,00007FF73D7BA0BA), ref: 00007FF73D7BA200

Memory Dump Source

Source File: 00000001.00000002.2450600305.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000001.00000002.2450359287.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450659707.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450846455.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID: ChangeCloseErrorFindLastNotification
String ID:
API String ID: 1687624791-0
Opcode ID: 6fe57093fbbb00cdf8389479e1e18e52ea82cce6ea34632ee61e1d7ac301845a
Instruction ID: 720975984a31862dbd6b806d2a14fb68b46e1fa4ba664aa7d704bd5eb6163b4c
Opcode Fuzzy Hash: 6fe57093fbbb00cdf8389479e1e18e52ea82cce6ea34632ee61e1d7ac301845a
Instruction Fuzzy Hash: CD219511B1C64A61FE9077D194902BD96A1AFAC7A0FC45235DA6D473C5FFACB4446310

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7BB764 Relevance: 3.0, APIs: 2, Instructions: 46COMMONLIBRARYCODE

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,?,?,?,00007FF73D7BB750,00000000,?,?,?,00007FF73D7A1023,00007FF73D7BB859), ref: 00007FF73D7BB7B0
GetLastError.KERNEL32(?,?,?,?,?,00007FF73D7BB750,00000000,?,?,?,00007FF73D7A1023,00007FF73D7BB859), ref: 00007FF73D7BB7BA

Memory Dump Source

Source File: 00000001.00000002.2450600305.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000001.00000002.2450359287.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450659707.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450846455.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 7196098b30ecd42809471233c9619b7315c9fb41ce716e28bdee8d0b35162eb6
Instruction ID: 9fe5712ef25d82b8c6fa35a5e7df89dc56d11b8ad7af2cc24ee1ba12a60ebebc
Opcode Fuzzy Hash: 7196098b30ecd42809471233c9619b7315c9fb41ce716e28bdee8d0b35162eb6
Instruction Fuzzy Hash: 0D11272270CB8691DA10AB66A408069E361FB58BF0FD44332EEBD0B7D8EF7CE0408700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7B49E4 Relevance: 3.0, APIs: 2, Instructions: 40timeCOMMON

Download Yara Rule

APIs

FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF73D7B48F9), ref: 00007FF73D7B4A17
SystemTimeToTzSpecificLocalTime.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF73D7B48F9), ref: 00007FF73D7B4A2D

Memory Dump Source

Source File: 00000001.00000002.2450600305.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000001.00000002.2450359287.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450659707.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450846455.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID: Time$System$FileLocalSpecific
String ID:
API String ID: 1707611234-0
Opcode ID: 5359c6eadbc125880de5eb3a516e79e0ad43a75e61374d6be107f92d83a7530b
Instruction ID: a9c5d0952685bd83c920b09168faec54f74208da43ecec94c1811ad3dc48a682
Opcode Fuzzy Hash: 5359c6eadbc125880de5eb3a516e79e0ad43a75e61374d6be107f92d83a7530b
Instruction Fuzzy Hash: 7D11A77260C65691EB54AB60A41113BF7A0FB98779F900235F6AE81AD4FF3CE054EB10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7B6AE8 Relevance: 3.0, APIs: 2, Instructions: 35timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF73D7B6965), ref: 00007FF73D7B6B0B
SystemTimeToTzSpecificLocalTime.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF73D7B6965), ref: 00007FF73D7B6B21

Memory Dump Source

Source File: 00000001.00000002.2450600305.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000001.00000002.2450359287.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450659707.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450846455.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID: Time$System$FileLocalSpecific
String ID:
API String ID: 1707611234-0
Opcode ID: 4979fb33e8de5b56483d857dcf3248564858e1df126649fde4a887e8262e5eb8
Instruction ID: e25eed4ae9d4b248afcfbc8e9a74a80532b205dfb14c96d8b0aec7200fa61662
Opcode Fuzzy Hash: 4979fb33e8de5b56483d857dcf3248564858e1df126649fde4a887e8262e5eb8
Instruction Fuzzy Hash: 4A015E3251C65596EB60AB54E40123FF7B1FB89761FA00235E7AA459D4EF3DE050EF20

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7B9F78 Relevance: 3.0, APIs: 2, Instructions: 19threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlRestoreThreadPreferredUILanguages.NTDLL(?,?,?,00007FF73D7C1EC2,?,?,?,00007FF73D7C1EFF,?,?,00000000,00007FF73D7C23C5,?,?,00000000,00007FF73D7C22F7), ref: 00007FF73D7B9F8E
GetLastError.KERNEL32(?,?,?,00007FF73D7C1EC2,?,?,?,00007FF73D7C1EFF,?,?,00000000,00007FF73D7C23C5,?,?,00000000,00007FF73D7C22F7), ref: 00007FF73D7B9F98

Memory Dump Source

Source File: 00000001.00000002.2450600305.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000001.00000002.2450359287.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450659707.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450846455.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID: ErrorLanguagesLastPreferredRestoreThread
String ID:
API String ID: 588628887-0
Opcode ID: 38b70030576bf13f94cd83556ee530387765cecd0e7570bb2763cadcf4087263
Instruction ID: 008de9536a28f74c30840b936b64a730ce37cfb2e30a3de9292cee5a1a4b2691
Opcode Fuzzy Hash: 38b70030576bf13f94cd83556ee530387765cecd0e7570bb2763cadcf4087263
Instruction Fuzzy Hash: 7CE08650F0D50B66FF147BF29848078D561AF9C751BC40034D95D47251FF3CB889A230

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7B70D4 Relevance: 3.0, APIs: 2, Instructions: 12fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE ref: 00007FF73D7B70D8
GetLastError.KERNEL32 ref: 00007FF73D7B70E2

Memory Dump Source

Source File: 00000001.00000002.2450600305.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000001.00000002.2450359287.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450659707.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450846455.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID: DeleteErrorFileLast
String ID:
API String ID: 2018770650-0
Opcode ID: d9df61864aacf0c38aa57b7a7eccc268b2766f97fd3960567bd6780660c5006e
Instruction ID: 9c54500ff7b0e364ae666967de9fb437811a4f8da1a73b90e3616d47c381cf78
Opcode Fuzzy Hash: d9df61864aacf0c38aa57b7a7eccc268b2766f97fd3960567bd6780660c5006e
Instruction Fuzzy Hash: 0AD0C910E1D60BA5E61437F51C891B995906F6C771FD00635D46A852D0FF2CB0C92121

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7B6850 Relevance: 3.0, APIs: 2, Instructions: 12COMMON

Download Yara Rule

APIs

RemoveDirectoryW.KERNELBASE(?,?,?,?,?), ref: 00007FF73D7B6854
GetLastError.KERNEL32(?,?,?,?,?), ref: 00007FF73D7B685E

Memory Dump Source

Source File: 00000001.00000002.2450600305.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000001.00000002.2450359287.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450659707.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450846455.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID: DirectoryErrorLastRemove
String ID:
API String ID: 377330604-0
Opcode ID: f10b0acbf04ce372ff2bba8e22346aa2cd94a9581c077f1b6ddec38c1268e9e8
Instruction ID: 015c2b283e4633932419ca941adcdb462ddb9c1e2029cc28acb28f6fed1532f1
Opcode Fuzzy Hash: f10b0acbf04ce372ff2bba8e22346aa2cd94a9581c077f1b6ddec38c1268e9e8
Instruction Fuzzy Hash: D6D0C910E5D91BA5EA2437F11C4517C94A03F6C771FD00634C169862D0FF2CF4C92121

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7A5DF0 Relevance: 1.6, APIs: 1, Instructions: 141COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF73D7A6DB0: MultiByteToWideChar.KERNEL32(?,?,?,?,?,?), ref: 00007FF73D7A6DEA

_findclose.LIBCMT ref: 00007FF73D7A6049

Memory Dump Source

Source File: 00000001.00000002.2450600305.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000001.00000002.2450359287.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450659707.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450846455.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID: ByteCharMultiWide_findclose
String ID:
API String ID: 2772937645-0
Opcode ID: 628285328bb618edcfe9754a4ff814bb64e2feda71a532fcc2d8bd8f687e193b
Instruction ID: a622a174a3d161f705e5c840bebbd83b4d12702201342bf10184817a938f4e53
Opcode Fuzzy Hash: 628285328bb618edcfe9754a4ff814bb64e2feda71a532fcc2d8bd8f687e193b
Instruction Fuzzy Hash: 42717052E1CAC591EA11DB2CC5052FDA370F7A9B48F94E325DB9C12652FF28E2D5C700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7BB4DC Relevance: 1.6, APIs: 1, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF73D7BB504

Memory Dump Source

Source File: 00000001.00000002.2450600305.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000001.00000002.2450359287.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450659707.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450846455.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 3cb10c43647639a768565940e1ce5c449de1869fbc1a92892aa118bde093882e
Instruction ID: 517d932d23769ba1c459684f826121b752213ba741d90c28d5b1a8ffb3eb48fe
Opcode Fuzzy Hash: 3cb10c43647639a768565940e1ce5c449de1869fbc1a92892aa118bde093882e
Instruction Fuzzy Hash: 0941F53290C64997EA35EB99A545179F3A0EF7AB44F940131DA8E836D0EF2CF402D761

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7A6360 Relevance: 1.6, APIs: 1, Instructions: 85COMMON

Download Yara Rule

APIs

_fread_nolock.LIBCMT ref: 00007FF73D7A640A

Memory Dump Source

Source File: 00000001.00000002.2450600305.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000001.00000002.2450359287.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450659707.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450846455.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID: _fread_nolock
String ID:
API String ID: 840049012-0
Opcode ID: f285b20302beaefcf1bb3539b442360c68e2f6062702bb5b73d900193ad1ebd1
Instruction ID: ff08a9ade6575cdb7e99cc50919c6722b45082b43a1caf98e1b5ae9141df743e
Opcode Fuzzy Hash: f285b20302beaefcf1bb3539b442360c68e2f6062702bb5b73d900193ad1ebd1
Instruction Fuzzy Hash: A421A221B1CA9A66EA24BB9269043BEE651BF49BC4FC84430EE0C07786EF3CF1459610

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7BAF6C Relevance: 1.6, APIs: 1, Instructions: 79COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF73D7BAFF2

Memory Dump Source

Source File: 00000001.00000002.2450600305.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000001.00000002.2450359287.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450659707.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450846455.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: ff4bd6b019ced27284b6fa2760217448de45b7808968d4935831090a049e7df0
Instruction ID: 775eefcb58c7010862e085f5705da31cf3a6f26b1618e4c8eb30da5033f83ba6
Opcode Fuzzy Hash: ff4bd6b019ced27284b6fa2760217448de45b7808968d4935831090a049e7df0
Instruction Fuzzy Hash: 0931C561A1C60AA5E7217BD684403BCAA50BB6DB50FC10135EA9D073D2EFBCF446A330

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7B8919 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF73D7B8947

Part of subcall function 00007FF73D7B8A40: GetModuleHandleExW.KERNEL32 ref: 00007FF73D7B8A65
Part of subcall function 00007FF73D7B8A40: GetProcAddress.KERNEL32 ref: 00007FF73D7B8A7B
Part of subcall function 00007FF73D7B8A40: FreeLibrary.KERNEL32 ref: 00007FF73D7B8AA2

Memory Dump Source

Source File: 00000001.00000002.2450600305.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000001.00000002.2450359287.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450659707.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450846455.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID: HandleModule$AddressFreeLibraryProc
String ID:
API String ID: 3947729631-0
Opcode ID: 7474e071a48ef7130f5acd4d7b35ddfbaeb0d66e7037ac086cf5d56d8c80b409
Instruction ID: 775c63a974944b002aef68a48c7381feda699859f858bcbbc337567a8d685faf
Opcode Fuzzy Hash: 7474e071a48ef7130f5acd4d7b35ddfbaeb0d66e7037ac086cf5d56d8c80b409
Instruction Fuzzy Hash: 3C21A172E0870A9AEB24AFA4C4442FC77B0EB18718F881636D65D06AC5EF38E444D7A1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7B5538 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF73D7B549D

Memory Dump Source

Source File: 00000001.00000002.2450600305.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000001.00000002.2450359287.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450659707.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450846455.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 25f020cec256df429067bb606d051891f0f83e0bb8faa834007163ccabd97c9c
Instruction ID: e174bde111b7000417c003b7b92e9001e6ad9bc835f14afad58af2176a201aec
Opcode Fuzzy Hash: 25f020cec256df429067bb606d051891f0f83e0bb8faa834007163ccabd97c9c
Instruction Fuzzy Hash: A0118121A1C64991EA60BF91940127DE260FFA9BC0FC84431EB8C57A86EF7DF8016760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7C57DC Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF73D7C57FF

Memory Dump Source

Source File: 00000001.00000002.2450600305.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000001.00000002.2450359287.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450659707.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450846455.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: e860bb9bc84c29a06dccfc010b7eb52daf61d2c250f48aeb7393b4a8ace16f10
Instruction ID: f8ca7ac263bc340faa61b88183489ee1a67271bb09b8e842157e9f26a7616a4d
Opcode Fuzzy Hash: e860bb9bc84c29a06dccfc010b7eb52daf61d2c250f48aeb7393b4a8ace16f10
Instruction Fuzzy Hash: 2A21D732A1CA459BDB61AF58D440379B6A0FB88BA4FD44234E79D476D9EF3DE4009B10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7AE97C Relevance: 1.5, APIs: 1, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF73D7AE9D0

Memory Dump Source

Source File: 00000001.00000002.2450600305.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000001.00000002.2450359287.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450659707.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450846455.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 298f7b2a666c55937c0a4044f00fb88544ba948c427ceaa5fd6043e577695ec0
Instruction ID: 3c7e5f1cece18e3a4ffeb2a89911fbfa3b7107d67d380c2fdf27fd84a1826db4
Opcode Fuzzy Hash: 298f7b2a666c55937c0a4044f00fb88544ba948c427ceaa5fd6043e577695ec0
Instruction Fuzzy Hash: FD01E121B1C75951EA44BBA29800069E691AB9AFE0F884631DE6C17BD6EF3CF0019310

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7BDEB8 Relevance: 1.5, APIs: 1, Instructions: 36memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,?,00000000,00007FF73D7BAA16,?,?,?,00007FF73D7B9BD3,?,?,00000000,00007FF73D7B9E6E), ref: 00007FF73D7BDF0D

Memory Dump Source

Source File: 00000001.00000002.2450600305.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000001.00000002.2450359287.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450659707.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450846455.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 69550027ed8e3bf035e7bef6798a6f7658c1153be72ca181ca789a5114add420
Instruction ID: 7da089473aa26f62989ef3f5f1587ebcdddf4086610b21ed715ad7d8ba768998
Opcode Fuzzy Hash: 69550027ed8e3bf035e7bef6798a6f7658c1153be72ca181ca789a5114add420
Instruction Fuzzy Hash: 95F04940B0D20B65FE587BE298542B4A2945FACB40FCC4435CA1F862D2FF2CF4826230

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7BCC2C Relevance: 1.5, APIs: 1, Instructions: 29memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,?,?,00007FF73D7AF1E4,?,?,?,00007FF73D7B06F6,?,?,?,?,?,00007FF73D7B275D), ref: 00007FF73D7BCC6A

Memory Dump Source

Source File: 00000001.00000002.2450600305.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000001.00000002.2450359287.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450659707.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450846455.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: b827a7ab023d1767f95784f6f7fefaf86c66ee15463514ccfd07e797832e7771
Instruction ID: 46d808f0efd6a0ce807184155e0fcfa0990347bdde9abd32edbc7a856490e093
Opcode Fuzzy Hash: b827a7ab023d1767f95784f6f7fefaf86c66ee15463514ccfd07e797832e7771
Instruction Fuzzy Hash: ADF05E50B1D24E65FE2576F1594567591809FBD7A0FC88236E92E4A2D1FF2CB440B230

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7A6490 Relevance: 1.3, APIs: 1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2450600305.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000001.00000002.2450359287.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450659707.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450846455.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID: DirectoryErrorLastRemove
String ID:
API String ID: 377330604-0
Opcode ID: 084d7b594bcd28fb49fbeb931c26155fa6ca1cda91761dc2622677426efca5d5
Instruction ID: 3c4cc2dcf7dd0f2f2eb5a4e0e995daf7d0a30351eb2fdc83f3ee6199536cc9fc
Opcode Fuzzy Hash: 084d7b594bcd28fb49fbeb931c26155fa6ca1cda91761dc2622677426efca5d5
Instruction Fuzzy Hash: CB417856D1CBC991EA61AB64D5022BC6360FBA9744F849232DF8D42257FF28F6C8D720

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00007FF73D7A2F20 Relevance: 291.0, APIs: 55, Strings: 111, Instructions: 457libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,?,00000000,00007FF73D7A22DE,?,?,?,?), ref: 00007FF73D7A2F36
GetProcAddress.KERNEL32(?,?,00000000,00007FF73D7A22DE,?,?,?,?), ref: 00007FF73D7A2F75
GetProcAddress.KERNEL32(?,?,00000000,00007FF73D7A22DE,?,?,?,?), ref: 00007FF73D7A2F9A
GetProcAddress.KERNEL32(?,?,00000000,00007FF73D7A22DE,?,?,?,?), ref: 00007FF73D7A2FBF
GetProcAddress.KERNEL32(?,?,00000000,00007FF73D7A22DE,?,?,?,?), ref: 00007FF73D7A2FE7
GetProcAddress.KERNEL32(?,?,00000000,00007FF73D7A22DE,?,?,?,?), ref: 00007FF73D7A300F
GetProcAddress.KERNEL32(?,?,00000000,00007FF73D7A22DE,?,?,?,?), ref: 00007FF73D7A3037
GetProcAddress.KERNEL32(?,?,00000000,00007FF73D7A22DE,?,?,?,?), ref: 00007FF73D7A305F
GetProcAddress.KERNEL32(?,?,00000000,00007FF73D7A22DE,?,?,?,?), ref: 00007FF73D7A3087

Strings

Failed to get address for PyMem_RawFree, xrefs: 00007FF73D7A36E1
PyObject_CallFunctionObjArgs, xrefs: 00007FF73D7A3495
Failed to get address for PySys_SetPath, xrefs: 00007FF73D7A3619
Failed to get address for Py_IgnoreEnvironmentFlag, xrefs: 00007FF73D7A2FD1
Failed to get address for PyUnicode_AsUTF8, xrefs: 00007FF73D7A3781
PyUnicode_AsUTF8, xrefs: 00007FF73D7A3765
PyObject_GetAttrString, xrefs: 00007FF73D7A34E5
PyErr_Clear, xrefs: 00007FF73D7A3265
PyObject_SetAttrString, xrefs: 00007FF73D7A34BD
Py_SetProgramName, xrefs: 00007FF73D7A31ED
Failed to get address for Py_FileSystemDefaultEncoding, xrefs: 00007FF73D7A2F87
Failed to get address for PyEval_EvalCode, xrefs: 00007FF73D7A3641
Failed to get address for PySys_SetArgvEx, xrefs: 00007FF73D7A35A1
Failed to get address for PyUnicode_Replace, xrefs: 00007FF73D7A37D1
Failed to get address for PyUnicode_Join, xrefs: 00007FF73D7A37A9
PyMarshal_ReadObjectFromString, xrefs: 00007FF73D7A364D
Py_FileSystemDefaultEncoding, xrefs: 00007FF73D7A2F6B
PyMem_RawFree, xrefs: 00007FF73D7A36C5
Failed to get address for PyObject_CallFunctionObjArgs, xrefs: 00007FF73D7A34B1
PySys_SetObject, xrefs: 00007FF73D7A35D5
GetProcAddress, xrefs: 00007FF73D7A2F4F
Failed to get address for Py_Initialize, xrefs: 00007FF73D7A3191
Py_OptimizeFlag, xrefs: 00007FF73D7A302D
Py_DecRef, xrefs: 00007FF73D7A30FD
Failed to get address for PyImport_AddModule, xrefs: 00007FF73D7A3371
Failed to get address for PySys_GetObject, xrefs: 00007FF73D7A35C9
Py_NoSiteFlag, xrefs: 00007FF73D7A2FDD
Py_SetPythonHome, xrefs: 00007FF73D7A3215
Failed to get address for PyErr_Clear, xrefs: 00007FF73D7A3281
Failed to get address for Py_DecRef, xrefs: 00007FF73D7A3119
PySys_AddWarnOption, xrefs: 00007FF73D7A355D
PyErr_Restore, xrefs: 00007FF73D7A3305
PyList_Append, xrefs: 00007FF73D7A33CD
Failed to get address for Py_SetPath, xrefs: 00007FF73D7A31B9
PyUnicode_Join, xrefs: 00007FF73D7A378D
Py_GetPath, xrefs: 00007FF73D7A31C5
Failed to get address for PyUnicode_Decode, xrefs: 00007FF73D7A3731
PyErr_Fetch, xrefs: 00007FF73D7A32DD
Failed to get address for Py_BuildValue, xrefs: 00007FF73D7A30F1
PyErr_Occurred, xrefs: 00007FF73D7A328D
Failed to get address for PyObject_Str, xrefs: 00007FF73D7A3529
Failed to get address for PyModule_GetDict, xrefs: 00007FF73D7A3461
Failed to get address for PyUnicode_FromFormat, xrefs: 00007FF73D7A3709
PyErr_NormalizeException, xrefs: 00007FF73D7A332D
PyErr_Print, xrefs: 00007FF73D7A32B5
Py_FrozenFlag, xrefs: 00007FF73D7A2F90
PyImport_AddModule, xrefs: 00007FF73D7A3355
Py_SetPath, xrefs: 00007FF73D7A319D
PyUnicode_FromFormat, xrefs: 00007FF73D7A36ED
PyUnicode_Decode, xrefs: 00007FF73D7A3715
PyUnicode_FromString, xrefs: 00007FF73D7A3675
Failed to get address for Py_Finalize, xrefs: 00007FF73D7A3141
Failed to get address for PyList_New, xrefs: 00007FF73D7A3411
Failed to get address for Py_DecodeLocale, xrefs: 00007FF73D7A36B9
Failed to get address for Py_NoSiteFlag, xrefs: 00007FF73D7A2FF9
Py_Finalize, xrefs: 00007FF73D7A3125
Failed to get address for Py_VerboseFlag, xrefs: 00007FF73D7A3071
Py_NoUserSiteDirectory, xrefs: 00007FF73D7A3005
PyDict_GetItemString, xrefs: 00007FF73D7A323D
Py_DontWriteBytecodeFlag, xrefs: 00007FF73D7A2F2F
Failed to get address for PyErr_Print, xrefs: 00007FF73D7A32D1
PyList_New, xrefs: 00007FF73D7A33F5
Failed to get address for PySys_AddWarnOption, xrefs: 00007FF73D7A3579
Failed to get address for Py_OptimizeFlag, xrefs: 00007FF73D7A3049
Failed to get address for Py_DontWriteBytecodeFlag, xrefs: 00007FF73D7A2F48
Failed to get address for PyList_Append, xrefs: 00007FF73D7A33E9
Failed to get address for Py_IncRef, xrefs: 00007FF73D7A3169
Failed to get address for PyDict_GetItemString, xrefs: 00007FF73D7A3259
Failed to get address for PyErr_Restore, xrefs: 00007FF73D7A3321
Py_DecodeLocale, xrefs: 00007FF73D7A369D
PyObject_Str, xrefs: 00007FF73D7A350D
PyEval_EvalCode, xrefs: 00007FF73D7A3625
Failed to get address for Py_FrozenFlag, xrefs: 00007FF73D7A2FAC
PySys_SetPath, xrefs: 00007FF73D7A35FD
PyUnicode_Replace, xrefs: 00007FF73D7A37B5
Failed to get address for PyRun_SimpleStringFlags, xrefs: 00007FF73D7A3551
Failed to get address for PyMarshal_ReadObjectFromString, xrefs: 00007FF73D7A3669
Py_VerboseFlag, xrefs: 00007FF73D7A3055
Py_IncRef, xrefs: 00007FF73D7A314D
PyImport_ExecCodeModule, xrefs: 00007FF73D7A337D
Failed to get address for Py_SetPythonHome, xrefs: 00007FF73D7A3231
Py_UTF8Mode, xrefs: 00007FF73D7A30AD
Failed to get address for PyErr_Fetch, xrefs: 00007FF73D7A32F9
PyModule_GetDict, xrefs: 00007FF73D7A3445
PySys_GetObject, xrefs: 00007FF73D7A35AD
Failed to get address for PyErr_NormalizeException, xrefs: 00007FF73D7A3349
Failed to get address for Py_GetPath, xrefs: 00007FF73D7A31E1
PySys_SetArgvEx, xrefs: 00007FF73D7A3585
Failed to get address for PyImport_ExecCodeModule, xrefs: 00007FF73D7A3399
Failed to get address for Py_NoUserSiteDirectory, xrefs: 00007FF73D7A3021
Failed to get address for PyObject_SetAttrString, xrefs: 00007FF73D7A34D9
Failed to get address for PyObject_GetAttrString, xrefs: 00007FF73D7A3501
Failed to get address for PyImport_ImportModule, xrefs: 00007FF73D7A33C1
Py_BuildValue, xrefs: 00007FF73D7A30D5
PyImport_ImportModule, xrefs: 00007FF73D7A33A5
Failed to get address for PySys_SetObject, xrefs: 00007FF73D7A35F1
Failed to get address for Py_UTF8Mode, xrefs: 00007FF73D7A30C9
PyObject_CallFunction, xrefs: 00007FF73D7A346D
Failed to get address for PyLong_AsLong, xrefs: 00007FF73D7A3439
PyUnicode_DecodeFSDefault, xrefs: 00007FF73D7A373D
Py_IgnoreEnvironmentFlag, xrefs: 00007FF73D7A2FB5
Failed to get address for PyUnicode_FromString, xrefs: 00007FF73D7A3691
Py_Initialize, xrefs: 00007FF73D7A3175
Failed to get address for Py_SetProgramName, xrefs: 00007FF73D7A3209
Failed to get address for PyObject_CallFunction, xrefs: 00007FF73D7A3489
Failed to get address for Py_UnbufferedStdioFlag, xrefs: 00007FF73D7A3099
PyRun_SimpleStringFlags, xrefs: 00007FF73D7A3535
Py_UnbufferedStdioFlag, xrefs: 00007FF73D7A307D
Failed to get address for PyUnicode_DecodeFSDefault, xrefs: 00007FF73D7A3759
Failed to get address for PyErr_Occurred, xrefs: 00007FF73D7A32A9
PyLong_AsLong, xrefs: 00007FF73D7A341D

Memory Dump Source

Source File: 00000001.00000002.2450600305.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000001.00000002.2450359287.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450659707.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450846455.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID: AddressProc
String ID: Failed to get address for PyDict_GetItemString$Failed to get address for PyErr_Clear$Failed to get address for PyErr_Fetch$Failed to get address for PyErr_NormalizeException$Failed to get address for PyErr_Occurred$Failed to get address for PyErr_Print$Failed to get address for PyErr_Restore$Failed to get address for PyEval_EvalCode$Failed to get address for PyImport_AddModule$Failed to get address for PyImport_ExecCodeModule$Failed to get address for PyImport_ImportModule$Failed to get address for PyList_Append$Failed to get address for PyList_New$Failed to get address for PyLong_AsLong$Failed to get address for PyMarshal_ReadObjectFromString$Failed to get address for PyMem_RawFree$Failed to get address for PyModule_GetDict$Failed to get address for PyObject_CallFunction$Failed to get address for PyObject_CallFunctionObjArgs$Failed to get address for PyObject_GetAttrString$Failed to get address for PyObject_SetAttrString$Failed to get address for PyObject_Str$Failed to get address for PyRun_SimpleStringFlags$Failed to get address for PySys_AddWarnOption$Failed to get address for PySys_GetObject$Failed to get address for PySys_SetArgvEx$Failed to get address for PySys_SetObject$Failed to get address for PySys_SetPath$Failed to get address for PyUnicode_AsUTF8$Failed to get address for PyUnicode_Decode$Failed to get address for PyUnicode_DecodeFSDefault$Failed to get address for PyUnicode_FromFormat$Failed to get address for PyUnicode_FromString$Failed to get address for PyUnicode_Join$Failed to get address for PyUnicode_Replace$Failed to get address for Py_BuildValue$Failed to get address for Py_DecRef$Failed to get address for Py_DecodeLocale$Failed to get address for Py_DontWriteBytecodeFlag$Failed to get address for Py_FileSystemDefaultEncoding$Failed to get address for Py_Finalize$Failed to get address for Py_FrozenFlag$Failed to get address for Py_GetPath$Failed to get address for Py_IgnoreEnvironmentFlag$Failed to get address for Py_IncRef$Failed to get address for Py_Initialize$Failed to get address for Py_NoSiteFlag$Failed to get address for Py_NoUserSiteDirectory$Failed to get address for Py_OptimizeFlag$Failed to get address for Py_SetPath$Failed to get address for Py_SetProgramName$Failed to get address for Py_SetPythonHome$Failed to get address for Py_UTF8Mode$Failed to get address for Py_UnbufferedStdioFlag$Failed to get address for Py_VerboseFlag$GetProcAddress$PyDict_GetItemString$PyErr_Clear$PyErr_Fetch$PyErr_NormalizeException$PyErr_Occurred$PyErr_Print$PyErr_Restore$PyEval_EvalCode$PyImport_AddModule$PyImport_ExecCodeModule$PyImport_ImportModule$PyList_Append$PyList_New$PyLong_AsLong$PyMarshal_ReadObjectFromString$PyMem_RawFree$PyModule_GetDict$PyObject_CallFunction$PyObject_CallFunctionObjArgs$PyObject_GetAttrString$PyObject_SetAttrString$PyObject_Str$PyRun_SimpleStringFlags$PySys_AddWarnOption$PySys_GetObject$PySys_SetArgvEx$PySys_SetObject$PySys_SetPath$PyUnicode_AsUTF8$PyUnicode_Decode$PyUnicode_DecodeFSDefault$PyUnicode_FromFormat$PyUnicode_FromString$PyUnicode_Join$PyUnicode_Replace$Py_BuildValue$Py_DecRef$Py_DecodeLocale$Py_DontWriteBytecodeFlag$Py_FileSystemDefaultEncoding$Py_Finalize$Py_FrozenFlag$Py_GetPath$Py_IgnoreEnvironmentFlag$Py_IncRef$Py_Initialize$Py_NoSiteFlag$Py_NoUserSiteDirectory$Py_OptimizeFlag$Py_SetPath$Py_SetProgramName$Py_SetPythonHome$Py_UTF8Mode$Py_UnbufferedStdioFlag$Py_VerboseFlag
API String ID: 190572456-3109299426
Opcode ID: 3d8788b48c699204fb620db4b6681a167f3e5177f9efbc96361098fa63709e71
Instruction ID: 90c808ff90b4c3480468f1f815a2a847eb6a26a471bad97f6f0923529f9b8812
Opcode Fuzzy Hash: 3d8788b48c699204fb620db4b6681a167f3e5177f9efbc96361098fa63709e71
Instruction Fuzzy Hash: D5428465E4DB0BF5EA15BB84A858174A3A1BF0C7A1BD46035D88E06364FF7CF558B320

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7C324C Relevance: 24.0, APIs: 9, Strings: 4, Instructions: 1226COMMON

Download Yara Rule

APIs

fegetenv.LIBCMT ref: 00007FF73D7C329A
_invalid_parameter_noinfo.LIBCMT ref: 00007FF73D7C3906
_invalid_parameter_noinfo.LIBCMT ref: 00007FF73D7C3A7C
_invalid_parameter_noinfo.LIBCMT ref: 00007FF73D7C3D3A
_invalid_parameter_noinfo.LIBCMT ref: 00007FF73D7C3F5A
_invalid_parameter_noinfo.LIBCMT ref: 00007FF73D7C4197
memcpy_s.LIBCPMT ref: 00007FF73D7C4272
memcpy_s.LIBCPMT ref: 00007FF73D7C431D
memcpy_s.LIBCPMT ref: 00007FF73D7C43EC

Strings

1#QNAN, xrefs: 00007FF73D7C33B3
1#SNAN, xrefs: 00007FF73D7C33AA
1#INF, xrefs: 00007FF73D7C33C3
1#IND, xrefs: 00007FF73D7C3387

Memory Dump Source

Source File: 00000001.00000002.2450600305.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000001.00000002.2450359287.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450659707.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450846455.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID: _invalid_parameter_noinfo$memcpy_s$fegetenv
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 808467561-2761157908
Opcode ID: 94a7ddbc9dfde8fb095d9bbce1265888f255539b2e0e0fd568165e141f3b5970
Instruction ID: 1ea8d1f248eb50fd06ef3705ff02a7a1a1f0bf3b97b08d55304ee7c3aa4c4246
Opcode Fuzzy Hash: 94a7ddbc9dfde8fb095d9bbce1265888f255539b2e0e0fd568165e141f3b5970
Instruction Fuzzy Hash: 0FB2F472E1C28A9FE7249FB4D4807FDB7A1FB58358F801135DA4E57A84EB38B9009B50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7A6670 Relevance: 15.8, APIs: 3, Strings: 6, Instructions: 52windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(WideCharToMultiByte,00007FF73D7A1CE4,?,?,00000000,00007FF73D7A6904), ref: 00007FF73D7A6697
FormatMessageW.KERNEL32 ref: 00007FF73D7A66C6
WideCharToMultiByte.KERNEL32 ref: 00007FF73D7A671C

Part of subcall function 00007FF73D7A1CB0: GetLastError.KERNEL32(?,?,00000000,00007FF73D7A6904,?,?,?,?,?,?,?,?,?,?,?,00007FF73D7A1023), ref: 00007FF73D7A1CD7

Strings

No error messages generated., xrefs: 00007FF73D7A66D0
FormatMessageW, xrefs: 00007FF73D7A66D7
PyInstaller: pyi_win32_utils_to_utf8 failed., xrefs: 00007FF73D7A6739
Failed to encode wchar_t as UTF-8., xrefs: 00007FF73D7A6726
PyInstaller: FormatMessageW failed., xrefs: 00007FF73D7A66E3
WideCharToMultiByte, xrefs: 00007FF73D7A6670, 00007FF73D7A672D

Memory Dump Source

Source File: 00000001.00000002.2450600305.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000001.00000002.2450359287.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450659707.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450846455.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID: ErrorLast$ByteCharFormatMessageMultiWide
String ID: Failed to encode wchar_t as UTF-8.$FormatMessageW$No error messages generated.$PyInstaller: FormatMessageW failed.$PyInstaller: pyi_win32_utils_to_utf8 failed.$WideCharToMultiByte
API String ID: 2383786077-2573406579
Opcode ID: ee4750cad08e904e569e44cd6da303e01fcfffc44399732fd87d74f29f2688a4
Instruction ID: 815852d30fee7c1ce0e64ec1f14ac4bb5f39a45abcdd9b419e6c79d16d07df21
Opcode Fuzzy Hash: ee4750cad08e904e569e44cd6da303e01fcfffc44399732fd87d74f29f2688a4
Instruction Fuzzy Hash: 3C21AF31A1CA4AA5F760AB91E854269A365FB8C794FC40035E68D837A4FF3CF149A720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7AAA2C Relevance: 10.6, APIs: 7, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF73D7AAA48
RtlCaptureContext.KERNEL32 ref: 00007FF73D7AAA75
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF73D7AAA8F
RtlVirtualUnwind.KERNEL32 ref: 00007FF73D7AAAD0
IsDebuggerPresent.KERNEL32 ref: 00007FF73D7AAB24
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF73D7AAB45
UnhandledExceptionFilter.KERNEL32 ref: 00007FF73D7AAB50

Memory Dump Source

Source File: 00000001.00000002.2450600305.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000001.00000002.2450359287.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450659707.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450846455.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 414c3b7d1a52ef3ba5408d69683659119c26abb58edcf35ad0cee906abb0d3fb
Instruction ID: e7732b1cae41157c743cfbfa39694a303825a54aaf0bdadc6f7f52e7c75e2d1c
Opcode Fuzzy Hash: 414c3b7d1a52ef3ba5408d69683659119c26abb58edcf35ad0cee906abb0d3fb
Instruction Fuzzy Hash: 28316572619B859AEB609FA0E8403EDB371FB48755F844039DA8D47794EF3CD548D720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7B9C44 Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF73D7B9CBD
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF73D7B9CD5
RtlVirtualUnwind.KERNEL32 ref: 00007FF73D7B9D10
IsDebuggerPresent.KERNEL32 ref: 00007FF73D7B9D49
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF73D7B9D53
UnhandledExceptionFilter.KERNEL32 ref: 00007FF73D7B9D5E

Memory Dump Source

Source File: 00000001.00000002.2450600305.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000001.00000002.2450359287.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450659707.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450846455.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 5dfb057c3f1a11160ff10646ccc1b52b02cf652cbed9a545e94d4dbf2c44da7d
Instruction ID: 8d5fe2a6a2ffee7f65fa2768026c1b19fb232a7a0287faf5c1036e09091e0012
Opcode Fuzzy Hash: 5dfb057c3f1a11160ff10646ccc1b52b02cf652cbed9a545e94d4dbf2c44da7d
Instruction Fuzzy Hash: FA31713261CF859AEB60DF65E8402AEB3A0FB88754F900136EA9D43B54EF3CE155CB10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7C0A34 Relevance: 7.8, APIs: 5, Instructions: 282COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF73D7C0A80
FindFirstFileExW.KERNEL32 ref: 00007FF73D7C0B8A

Memory Dump Source

Source File: 00000001.00000002.2450600305.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000001.00000002.2450359287.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450659707.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450846455.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID: FileFindFirst_invalid_parameter_noinfo
String ID:
API String ID: 2227656907-0
Opcode ID: ced153bd746da3696451066ca553fc750e98195ae426049d21287c39b66479d4
Instruction ID: e422c403e1153449071b0164cf84c024ec30c100d2f5e9a2eddfc1ba84884ca9
Opcode Fuzzy Hash: ced153bd746da3696451066ca553fc750e98195ae426049d21287c39b66479d4
Instruction Fuzzy Hash: 4EB1C762B1C69A59EA61EBA198001B9E350EB58BF4FC44132E99E07BC5FF3CF451D360

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7C2DB0 Relevance: 4.8, APIs: 3, Instructions: 340COMMON

Download Yara Rule

APIs

memcpy_s.LIBCPMT ref: 00007FF73D7C2E16
memcpy_s.LIBCPMT ref: 00007FF73D7C2E41

Memory Dump Source

Source File: 00000001.00000002.2450600305.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000001.00000002.2450359287.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450659707.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450846455.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID: memcpy_s
String ID:
API String ID: 1502251526-0
Opcode ID: 723df14fe8405c9280d13974b9e0b256372cd2939c4def8ecbac686ef57d643c
Instruction ID: 43cd5730d9a8954ba8238ec136207929c6e7a99a34cb1e75ce94cd4eab3750f9
Opcode Fuzzy Hash: 723df14fe8405c9280d13974b9e0b256372cd2939c4def8ecbac686ef57d643c
Instruction Fuzzy Hash: 74C11772B1C68A9BDB24DF99A08466AF791F788794F848134DB8E47744EB3DF901CB00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7C8BE8 Relevance: 3.2, APIs: 2, Instructions: 227COMMONLIBRARYCODE

Download Yara Rule

APIs

_clrfp.LIBCMT ref: 00007FF73D7C8E37
RaiseException.KERNEL32 ref: 00007FF73D7C8E48

Memory Dump Source

Source File: 00000001.00000002.2450600305.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000001.00000002.2450359287.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450659707.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450846455.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID: ExceptionRaise_clrfp
String ID:
API String ID: 15204871-0
Opcode ID: ce95b3d84f14f29cd4e01f3d624d654ffebb0793079cdf733c9da6505e2ad06c
Instruction ID: 46cd08b2e7ee44c7ff4738e987e0fb23a4896eadea6b3e87265d8dfe5a38135d
Opcode Fuzzy Hash: ce95b3d84f14f29cd4e01f3d624d654ffebb0793079cdf733c9da6505e2ad06c
Instruction Fuzzy Hash: 78B19073604B898FEB19CF29C84636C7BA0F748B58F588926DB9D837A4DB39E451C710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7B2A18 Relevance: 2.8, Strings: 2, Instructions: 350COMMON

Download Yara Rule

Strings

, xrefs: 00007FF73D7B2B86
, xrefs: 00007FF73D7B2DC8

Memory Dump Source

Source File: 00000001.00000002.2450600305.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000001.00000002.2450359287.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450659707.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450846455.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-227171996
Opcode ID: 12f3629fc0db3b94ce06ee7fe38b00bcc3d57b8cb20d1c91e47922b02d0d68b8
Instruction ID: fd13e525db35af91fb0faeca940f922e50841849329600219ccbf2da797c58bc
Opcode Fuzzy Hash: 12f3629fc0db3b94ce06ee7fe38b00bcc3d57b8cb20d1c91e47922b02d0d68b8
Instruction Fuzzy Hash: A6E1D93290E64AA5EB68AE65805013DB360FF6DB44F944235DE0E07794FF39FA41E7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7BD1F8 Relevance: 2.6, Strings: 2, Instructions: 144COMMON

Download Yara Rule

Strings

gfff, xrefs: 00007FF73D7BD382
e+000, xrefs: 00007FF73D7BD305

Memory Dump Source

Source File: 00000001.00000002.2450600305.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000001.00000002.2450359287.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450659707.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450846455.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID:
String ID: e+000$gfff
API String ID: 0-3030954782
Opcode ID: 7f3e0c3824b7b5cf876389fd48d0d53d421d0873473af5a4edca9f3cc5d4c2f0
Instruction ID: e5c874fcc5136e2780c5be06b1e889f33ec4bae70f03715e3113170368b2e6c6
Opcode Fuzzy Hash: 7f3e0c3824b7b5cf876389fd48d0d53d421d0873473af5a4edca9f3cc5d4c2f0
Instruction Fuzzy Hash: 4A517962B1C6C996E7249E7598017A9FB91E758B94F888231CBA947BC2EF3DF4408710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7BFA88 Relevance: 2.0, APIs: 1, Instructions: 461COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2450600305.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000001.00000002.2450359287.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450659707.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450846455.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID: CurrentFeaturePresentProcessProcessor
String ID:
API String ID: 1010374628-0
Opcode ID: 90772d11546bffc87ec7dfde7d1a2d7ae8b41f9ab35fc0f4eec901e51838d0bc
Instruction ID: d8a5d7eddbcb5fe60504af8cafe3e5245538a6831d315d5180d491ad847b657a
Opcode Fuzzy Hash: 90772d11546bffc87ec7dfde7d1a2d7ae8b41f9ab35fc0f4eec901e51838d0bc
Instruction Fuzzy Hash: BB02B021A0D64A64EA65BBE19450279E690AF2DFA0FC44635ED6D473D2FF3DF402A330

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7BCD64 Relevance: 1.5, Strings: 1, Instructions: 254COMMON

Download Yara Rule

Strings

gfffffff, xrefs: 00007FF73D7BD0A6

Memory Dump Source

Source File: 00000001.00000002.2450600305.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000001.00000002.2450359287.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450659707.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450846455.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID:
String ID: gfffffff
API String ID: 0-1523873471
Opcode ID: 7cb6c3f32e91a926ccbf64ab8ba01f2a38c928c6639247976dccb01524fe6e1b
Instruction ID: 714e84b6a452606a3b701c1a8b19f6254c171ea7a6a9744a00f024cc0b40c6e9
Opcode Fuzzy Hash: 7cb6c3f32e91a926ccbf64ab8ba01f2a38c928c6639247976dccb01524fe6e1b
Instruction Fuzzy Hash: 1AA13963B0C7CA56EB21DB6590107A9BB91EB68784F848032EE8D47785EB3DE502D711

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7B70FC Relevance: 1.4, Strings: 1, Instructions: 177COMMON

Download Yara Rule

Strings

TMP, xrefs: 00007FF73D7B711B

Memory Dump Source

Source File: 00000001.00000002.2450600305.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000001.00000002.2450359287.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450659707.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450846455.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: TMP
API String ID: 3215553584-3125297090
Opcode ID: 549cbbde4d05edb679bd0e1e8d8321e2e2e00e2b49b4b0b32e90adc79d383972
Instruction ID: 5f34fbcb2c62fd6d87ed953a5462222620c65e3f903d02e2abfb4737eb06cc8c
Opcode Fuzzy Hash: 549cbbde4d05edb679bd0e1e8d8321e2e2e00e2b49b4b0b32e90adc79d383972
Instruction Fuzzy Hash: 14518111B0C34E61FA64BBA659112FAD291AFA9B94FC85434EE0E477D5FF3CF4126220

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7C2620 Relevance: 1.3, APIs: 1, Instructions: 7memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00007FF73D7C2624

Memory Dump Source

Source File: 00000001.00000002.2450600305.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000001.00000002.2450359287.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450659707.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450846455.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 5644672d7aec8b178d5bd48a95ace976e45fdc56d1edf0a539dccc581205543b
Instruction ID: d899b643be6861f34c4c1ac216a64c091bb9b9b0b0629f5dc2e9508a4037ef48
Opcode Fuzzy Hash: 5644672d7aec8b178d5bd48a95ace976e45fdc56d1edf0a539dccc581205543b
Instruction Fuzzy Hash: 1DB09220E0BB0AD6EA083BA1AC8661462A87F4CB21FC80138C44C41320EF3C30AA6720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7B21DC Relevance: .4, Instructions: 351COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2450600305.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000001.00000002.2450359287.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450659707.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450846455.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d7d821e27f440e8d5d3622ff09e7c05bc36f3fd6b9038f787498be69d76432a
Instruction ID: de8bffc2e34ef4bad312a23d377026aac85bcaf323ee1ad61d8fd3224f0aca10
Opcode Fuzzy Hash: 7d7d821e27f440e8d5d3622ff09e7c05bc36f3fd6b9038f787498be69d76432a
Instruction Fuzzy Hash: 4CE11A32A0D60AA5E764AAA8C45537CA791EF6D748F944231CE0D477D4EF3CFA41E3A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7B2614 Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2450600305.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000001.00000002.2450359287.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450659707.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450846455.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2f3b43ccd68eb767627d2655b116bae7479589a7f74a5058ab0c91b2e39ac12
Instruction ID: 23725bda6bf221e139bccec3cb9083219aac272bc75f6d62afa7dff434aeb443
Opcode Fuzzy Hash: c2f3b43ccd68eb767627d2655b116bae7479589a7f74a5058ab0c91b2e39ac12
Instruction Fuzzy Hash: 97D11E3290D64A95EB68AE65801427DA3A0FF2DB48F940135CE0D477D4EF3DFA41E7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7A7420 Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2450600305.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000001.00000002.2450359287.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450659707.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450846455.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b723f182358e09e7314f6f73ac964ac7abcdc7414507ad18988289416ad7b41b
Instruction ID: 6255bb5e9902b99eb5a5fa982a0266a03a76a84dd552ef3f83097fc0ec398b51
Opcode Fuzzy Hash: b723f182358e09e7314f6f73ac964ac7abcdc7414507ad18988289416ad7b41b
Instruction Fuzzy Hash: 24C1A6722241F04BE689EB29F4598BA77D2F788309FD9403AEB8747785CA3DE414D760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7B132C Relevance: .2, Instructions: 250COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2450600305.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000001.00000002.2450359287.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450659707.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450846455.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c5c392cbfffe41992f0743bc4a0c2c3fe46246456b6811ff0c5dafdd99ec142
Instruction ID: eebc66a7a58ad6806ff5908c5336ab0443813bdcdac888f90976cddf387395b8
Opcode Fuzzy Hash: 6c5c392cbfffe41992f0743bc4a0c2c3fe46246456b6811ff0c5dafdd99ec142
Instruction Fuzzy Hash: 4DB1D172A0C64999E7649F79C05023DBBA0EB29B48F580135CE4F43399EF39F844E761

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7B16C4 Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2450600305.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000001.00000002.2450359287.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450659707.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450846455.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85060b88648c64536cd03416e20448513b0a4375a109c0566769b76d71526d0c
Instruction ID: 521758934ad47704c5a47856ac1bdadc4c9993db2de10eeff9971e4ed9d6b767
Opcode Fuzzy Hash: 85060b88648c64536cd03416e20448513b0a4375a109c0566769b76d71526d0c
Instruction Fuzzy Hash: BEB1BD72A0CA9995E7649F79C05023CBBA4F729B48FA40135CE4F43394EF39E449E760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7BD878 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2450600305.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000001.00000002.2450359287.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450659707.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450846455.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59ad0bfc87d4107bda453f5e7c9a116e1e97c6e992cf3a610b4e267b4cffcaca
Instruction ID: 7da0af42b86e13b91ac1f7d943a3d036721ff7de027c255246e11ecf2f1da8a9
Opcode Fuzzy Hash: 59ad0bfc87d4107bda453f5e7c9a116e1e97c6e992cf3a610b4e267b4cffcaca
Instruction Fuzzy Hash: 8B811472A0C78596EB74DB59944037AFAA0FB59794F844235DA8E43B89EF3CF4009B10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7C58A0 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2450600305.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000001.00000002.2450359287.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450659707.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450846455.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 2033a98ce9b9ae1b6fcbd26cbe8033cb2e42881aa268c02d842b0e820a1bc4f5
Instruction ID: 67bc2a7f38c967f6289de2948b5196797a70629b45e194b0378688e574e6d47a
Opcode Fuzzy Hash: 2033a98ce9b9ae1b6fcbd26cbe8033cb2e42881aa268c02d842b0e820a1bc4f5
Instruction Fuzzy Hash: 81613E22E1C2865DF764A5AA848023DE990AF487B0FD40335DA9E476C5FF7EF800A720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7AFF44 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2450600305.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000001.00000002.2450359287.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450659707.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450846455.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a7d583fdacf7a8c68166448a21aae8e03012e85621840fd7aae1b2904462282
Instruction ID: 74ab4e14a69192871eec1afbc14abf69a86ea19153857dba031226d0fa21506a
Opcode Fuzzy Hash: 9a7d583fdacf7a8c68166448a21aae8e03012e85621840fd7aae1b2904462282
Instruction Fuzzy Hash: 4A51C332A1C65992E7249F68C04023CB3A0EB5EB68FA44131DE8C17794EB3AF853E750

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7B0764 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2450600305.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000001.00000002.2450359287.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450659707.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450846455.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e009b45869f76b4bc0fd62373217406c0429eee7efa8b33e1f678da67ddd1256
Instruction ID: 2e9d0111666f7d3993168fc52eb78791309a18a37cf2ddb3794125636feb957e
Opcode Fuzzy Hash: e009b45869f76b4bc0fd62373217406c0429eee7efa8b33e1f678da67ddd1256
Instruction Fuzzy Hash: EC51B936A1CA5595E7249B69C04023CB7A0FB6EF68F644131CE4C07795EB3AF863D790

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7B0354 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2450600305.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000001.00000002.2450359287.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450659707.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450846455.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e0632a4a7e014686f42235b66fbebb9a54d6c0d44d943c89546efb0de6bc1d6
Instruction ID: 3d048f58744fbf2aa5668a0b8ff7e6e3d79621727627cc707dbd25e9c174f422
Opcode Fuzzy Hash: 4e0632a4a7e014686f42235b66fbebb9a54d6c0d44d943c89546efb0de6bc1d6
Instruction Fuzzy Hash: C551E632A1C65996E7349B68C04423CB3A0EB6EB68F644235CE4C17795EF3AF863D750

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7AFD40 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2450600305.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000001.00000002.2450359287.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450659707.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450846455.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1122cbedd3da6cae4974dcedcaf2c480ad91f4dcca857e3bd784bf5366bd6c74
Instruction ID: 0fa81b17e446d2f5f805f0b186151e164659322a2ebac6dbda6fb2efd4170efc
Opcode Fuzzy Hash: 1122cbedd3da6cae4974dcedcaf2c480ad91f4dcca857e3bd784bf5366bd6c74
Instruction Fuzzy Hash: 1751BD32A1C65996E7259B69C050328E3A0EF4DB58FA44135EA4C07795EB3AFC43E790

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7B0560 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2450600305.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000001.00000002.2450359287.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450659707.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450846455.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbc3e59ea296ef31dc5cb467e3ef236485a99d13d7a42ba6bd49c72ea64a61b5
Instruction ID: a1bcb30f65267937021a765d511bf4429a4e28f34dfdbf07cfb678141cc83959
Opcode Fuzzy Hash: bbc3e59ea296ef31dc5cb467e3ef236485a99d13d7a42ba6bd49c72ea64a61b5
Instruction Fuzzy Hash: 1D511532A1C6599AE7249B28C04163CB3A0EBAEB58F644131CE4D17794EF3AFC63D750

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7B0150 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2450600305.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000001.00000002.2450359287.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450659707.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450846455.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8fed526c0ef6e22bd960d06d2221fad266d41c34a47db8c9ca14c01ed2528e2
Instruction ID: 8f90ba71eaa20ecded08809eb69d9cb626c0c5b98aa43178bf6f9c68719ddc63
Opcode Fuzzy Hash: e8fed526c0ef6e22bd960d06d2221fad266d41c34a47db8c9ca14c01ed2528e2
Instruction Fuzzy Hash: 9151E632A1C65996E7349B68C04033CA3A1EB6EB58F645031DE4D07798EF3AF863D750

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7B4FC0 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2450600305.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000001.00000002.2450359287.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450659707.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450846455.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e13b74b0b529d91a8ac9ee6727b9f2d590474870fceb05c3e17ea5803dfc50d
Instruction ID: 247b5d2d16b2076b9d41f9e8d1c68dcdadb66c12f7c8d61b7b5c6de9a758dc59
Opcode Fuzzy Hash: 7e13b74b0b529d91a8ac9ee6727b9f2d590474870fceb05c3e17ea5803dfc50d
Instruction Fuzzy Hash: 1341F552C4D64E14E99599A805106B8A680DF3ABE4FD872B0DDD9133CBFF2C7587E120

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7B8D00 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2450600305.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000001.00000002.2450359287.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450659707.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450846455.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID: ErrorLanguagesLastPreferredRestoreThread
String ID:
API String ID: 588628887-0
Opcode ID: 71af8a295fdb51eaf04f4fd3d3cb7b5e4e2b88d375af3dc160b99af84fd8c420
Instruction ID: 58192acba40b3fec8aac858dfe65df9057cffe0258b675c2e43ccb2a72c827b5
Opcode Fuzzy Hash: 71af8a295fdb51eaf04f4fd3d3cb7b5e4e2b88d375af3dc160b99af84fd8c420
Instruction Fuzzy Hash: F8412862B18B5891EF08DF6AD924169B391BB5CFD0B899036DE0D87B54FF3CE1429310

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7B66C4 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2450600305.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000001.00000002.2450359287.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450659707.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450846455.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e61c3cf97b3866f04581c18cefd4280f5be6d0443f14e9e71bfe5dd080d96d4
Instruction ID: 7c34f52565fe6e814bdc0f3b21af2eeba122b763d3a4d9c15c143586f991f9ba
Opcode Fuzzy Hash: 5e61c3cf97b3866f04581c18cefd4280f5be6d0443f14e9e71bfe5dd080d96d4
Instruction Fuzzy Hash: 5E31E73270CB4652EB24AFA5A84013DE6D4EB98BA0F944238EB9D57BD5EF3CE0025714

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7C8A30 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2450600305.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000001.00000002.2450359287.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450659707.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450846455.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a7304cda62ef4e3fce1e8e531a8e9660a3231e70ec23179b9d25e44c0445acc
Instruction ID: 97182354610128ee90b284fe8495e5754a4a1d149dc3886e65ee9197172a53f8
Opcode Fuzzy Hash: 0a7304cda62ef4e3fce1e8e531a8e9660a3231e70ec23179b9d25e44c0445acc
Instruction Fuzzy Hash: FEF0687171C2569ADB989FA9A80266977D0F70C3C0F848039D68D83B04D73D90509F24

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7AABD4 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2450600305.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000001.00000002.2450359287.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450659707.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450846455.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53f093bed3a5d0e4e42a94d80c7232e3ca8df1b9ab80f13d9c22a8443e6849f1
Instruction ID: e7837adeea9996662b4e60e02ee3fa40b9a74f3996537825e3cb90f803550618
Opcode Fuzzy Hash: 53f093bed3a5d0e4e42a94d80c7232e3ca8df1b9ab80f13d9c22a8443e6849f1
Instruction Fuzzy Hash: 2DA0012690C84BE9E684AB80A860024A231BB58311B840232D08D421A0FF2CF840A360

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7A4730 Relevance: 166.5, APIs: 31, Strings: 64, Instructions: 287libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF73D7A6310: LoadLibraryExW.KERNEL32(?,?,00000000,00007FF73D7A22DE,?,?,?,?), ref: 00007FF73D7A6333

GetProcAddress.KERNEL32 ref: 00007FF73D7A50C7
GetProcAddress.KERNEL32 ref: 00007FF73D7A5106
GetProcAddress.KERNEL32 ref: 00007FF73D7A512B
GetProcAddress.KERNEL32 ref: 00007FF73D7A5150
GetProcAddress.KERNEL32 ref: 00007FF73D7A5178
GetProcAddress.KERNEL32 ref: 00007FF73D7A51A0
GetProcAddress.KERNEL32 ref: 00007FF73D7A51C8
GetProcAddress.KERNEL32 ref: 00007FF73D7A51F0
GetProcAddress.KERNEL32 ref: 00007FF73D7A5218

Strings

Failed to get address for Tcl_ConditionWait, xrefs: 00007FF73D7A52F2
Failed to get address for Tcl_SetVar2, xrefs: 00007FF73D7A5392
Tcl_EvalObjv, xrefs: 00007FF73D7A54DE
Failed to get address for Tcl_MutexLock, xrefs: 00007FF73D7A5252
Tcl_SetVar2Ex, xrefs: 00007FF73D7A543E
Failed to get address for Tcl_MutexUnlock, xrefs: 00007FF73D7A527A
Failed to get address for Tcl_CreateObjCommand, xrefs: 00007FF73D7A53BA
Tcl_MutexLock, xrefs: 00007FF73D7A5236
Tcl_MutexUnlock, xrefs: 00007FF73D7A525E
Tcl_Init, xrefs: 00007FF73D7A50C0
Tcl_NewByteArrayObj, xrefs: 00007FF73D7A5416
Tk_Init, xrefs: 00007FF73D7A5556
Tcl_ConditionNotify, xrefs: 00007FF73D7A52AE
Tcl_EvalFile, xrefs: 00007FF73D7A548E
Failed to get address for Tcl_ConditionNotify, xrefs: 00007FF73D7A52CA
Failed to get address for Tcl_GetCurrentThread, xrefs: 00007FF73D7A522A
Failed to get address for Tcl_EvalObjv, xrefs: 00007FF73D7A54FA
LOADER: Failed to load tcl/tk libraries, xrefs: 00007FF73D7A477A
Tcl_ConditionWait, xrefs: 00007FF73D7A52D6
Tcl_DeleteInterp, xrefs: 00007FF73D7A51BE
Tcl_CreateThread, xrefs: 00007FF73D7A51E6
Failed to get address for Tcl_EvalFile, xrefs: 00007FF73D7A54AA
Tcl_ThreadAlert, xrefs: 00007FF73D7A5326
Tcl_Finalize, xrefs: 00007FF73D7A516E
Tk_GetNumMainWindows, xrefs: 00007FF73D7A557E
Tcl_FindExecutable, xrefs: 00007FF73D7A5121
Failed to get address for Tcl_DeleteInterp, xrefs: 00007FF73D7A51DA
GetProcAddress, xrefs: 00007FF73D7A50E0
Tcl_GetCurrentThread, xrefs: 00007FF73D7A520E
Failed to get address for Tcl_CreateInterp, xrefs: 00007FF73D7A5118
Tcl_GetVar2, xrefs: 00007FF73D7A534E
Tcl_GetString, xrefs: 00007FF73D7A53C6
Failed to get address for Tcl_ThreadQueueEvent, xrefs: 00007FF73D7A531A
Failed to get address for Tcl_GetString, xrefs: 00007FF73D7A53E2
Failed to get address for Tcl_FinalizeThread, xrefs: 00007FF73D7A51B2
Tcl_CreateObjCommand, xrefs: 00007FF73D7A539E
Tcl_GetObjResult, xrefs: 00007FF73D7A5466
Tcl_FinalizeThread, xrefs: 00007FF73D7A5196
Tcl_EvalEx, xrefs: 00007FF73D7A54B6
Failed to get address for Tcl_Finalize, xrefs: 00007FF73D7A518A
Failed to get address for Tcl_Alloc, xrefs: 00007FF73D7A5522
Tcl_Alloc, xrefs: 00007FF73D7A5506
Tcl_SetVar2, xrefs: 00007FF73D7A5376
Failed to get address for Tcl_ThreadAlert, xrefs: 00007FF73D7A5342
Failed to get address for Tcl_CreateThread, xrefs: 00007FF73D7A5202
Failed to get address for Tcl_FindExecutable, xrefs: 00007FF73D7A513D
Failed to get address for Tk_Init, xrefs: 00007FF73D7A5572
Failed to get address for Tcl_SetVar2Ex, xrefs: 00007FF73D7A545A
Failed to get address for Tcl_ConditionFinalize, xrefs: 00007FF73D7A52A2
Failed to get address for Tcl_Free, xrefs: 00007FF73D7A554A
Failed to get address for Tk_GetNumMainWindows, xrefs: 00007FF73D7A559A
Failed to get address for Tcl_NewByteArrayObj, xrefs: 00007FF73D7A5432
Failed to get address for Tcl_GetObjResult, xrefs: 00007FF73D7A5482
Failed to get address for Tcl_DoOneEvent, xrefs: 00007FF73D7A5162
Tcl_DoOneEvent, xrefs: 00007FF73D7A5146
Tcl_Free, xrefs: 00007FF73D7A552E
Tcl_NewStringObj, xrefs: 00007FF73D7A53EE
Failed to get address for Tcl_EvalEx, xrefs: 00007FF73D7A54D2
Failed to get address for Tcl_NewStringObj, xrefs: 00007FF73D7A540A
Failed to get address for Tcl_GetVar2, xrefs: 00007FF73D7A536A
Tcl_ThreadQueueEvent, xrefs: 00007FF73D7A52FE
Tcl_ConditionFinalize, xrefs: 00007FF73D7A5286
Tcl_CreateInterp, xrefs: 00007FF73D7A50FC
Failed to get address for Tcl_Init, xrefs: 00007FF73D7A50D9

Memory Dump Source

Source File: 00000001.00000002.2450600305.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000001.00000002.2450359287.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450659707.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450846455.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID: Failed to get address for Tcl_Alloc$Failed to get address for Tcl_ConditionFinalize$Failed to get address for Tcl_ConditionNotify$Failed to get address for Tcl_ConditionWait$Failed to get address for Tcl_CreateInterp$Failed to get address for Tcl_CreateObjCommand$Failed to get address for Tcl_CreateThread$Failed to get address for Tcl_DeleteInterp$Failed to get address for Tcl_DoOneEvent$Failed to get address for Tcl_EvalEx$Failed to get address for Tcl_EvalFile$Failed to get address for Tcl_EvalObjv$Failed to get address for Tcl_Finalize$Failed to get address for Tcl_FinalizeThread$Failed to get address for Tcl_FindExecutable$Failed to get address for Tcl_Free$Failed to get address for Tcl_GetCurrentThread$Failed to get address for Tcl_GetObjResult$Failed to get address for Tcl_GetString$Failed to get address for Tcl_GetVar2$Failed to get address for Tcl_Init$Failed to get address for Tcl_MutexLock$Failed to get address for Tcl_MutexUnlock$Failed to get address for Tcl_NewByteArrayObj$Failed to get address for Tcl_NewStringObj$Failed to get address for Tcl_SetVar2$Failed to get address for Tcl_SetVar2Ex$Failed to get address for Tcl_ThreadAlert$Failed to get address for Tcl_ThreadQueueEvent$Failed to get address for Tk_GetNumMainWindows$Failed to get address for Tk_Init$GetProcAddress$LOADER: Failed to load tcl/tk libraries$Tcl_Alloc$Tcl_ConditionFinalize$Tcl_ConditionNotify$Tcl_ConditionWait$Tcl_CreateInterp$Tcl_CreateObjCommand$Tcl_CreateThread$Tcl_DeleteInterp$Tcl_DoOneEvent$Tcl_EvalEx$Tcl_EvalFile$Tcl_EvalObjv$Tcl_Finalize$Tcl_FinalizeThread$Tcl_FindExecutable$Tcl_Free$Tcl_GetCurrentThread$Tcl_GetObjResult$Tcl_GetString$Tcl_GetVar2$Tcl_Init$Tcl_MutexLock$Tcl_MutexUnlock$Tcl_NewByteArrayObj$Tcl_NewStringObj$Tcl_SetVar2$Tcl_SetVar2Ex$Tcl_ThreadAlert$Tcl_ThreadQueueEvent$Tk_GetNumMainWindows$Tk_Init
API String ID: 2238633743-1453502826
Opcode ID: 387b05963c1573a630a89e02a7d3e5c8a0eed87054fdcdadb8995d5c72bb8a89
Instruction ID: 8f2293016b732da2165b862d60a6b8d4acf9c2fbfcbe97595a3fbeb737544673
Opcode Fuzzy Hash: 387b05963c1573a630a89e02a7d3e5c8a0eed87054fdcdadb8995d5c72bb8a89
Instruction Fuzzy Hash: 6EE1A364A0DB0BB4FA15BB94A854174A3A5BF0CBA1BD45035D88E06368FF7CF588B360

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7A6BF0 Relevance: 22.9, APIs: 4, Strings: 9, Instructions: 113COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32 ref: 00007FF73D7A6C2C

Part of subcall function 00007FF73D7A1CB0: GetLastError.KERNEL32(?,?,00000000,00007FF73D7A6904,?,?,?,?,?,?,?,?,?,?,?,00007FF73D7A1023), ref: 00007FF73D7A1CD7

Strings

Failed to get ANSI buffer size., xrefs: 00007FF73D7A6CED
Failed to encode filename as ANSI., xrefs: 00007FF73D7A6D45
MultiByteToWideChar, xrefs: 00007FF73D7A6C40, 00007FF73D7A6CAD
Failed to get wchar_t buffer size., xrefs: 00007FF73D7A6C39
win32_wcs_to_mbs, xrefs: 00007FF73D7A6D0B
Failed to decode wchar_t from UTF-8, xrefs: 00007FF73D7A6CA6
win32_utils_from_utf8, xrefs: 00007FF73D7A6C69
WideCharToMultiByte, xrefs: 00007FF73D7A6D4C
Out of memory., xrefs: 00007FF73D7A6C70, 00007FF73D7A6D12

Memory Dump Source

Source File: 00000001.00000002.2450600305.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000001.00000002.2450359287.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450659707.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450846455.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide
String ID: Failed to decode wchar_t from UTF-8$Failed to encode filename as ANSI.$Failed to get ANSI buffer size.$Failed to get wchar_t buffer size.$MultiByteToWideChar$Out of memory.$WideCharToMultiByte$win32_utils_from_utf8$win32_wcs_to_mbs
API String ID: 203985260-1562484376
Opcode ID: 3649c6f93bb09270b823ff22ec7b0eec6d42e79460650eefbf3c7b929506c9f8
Instruction ID: ce4bbda8309154f9ac2cfb1749fd0945ef60caa6e6a92a622fe2b4ec31b290bc
Opcode Fuzzy Hash: 3649c6f93bb09270b823ff22ec7b0eec6d42e79460650eefbf3c7b929506c9f8
Instruction Fuzzy Hash: 64417661A0CA4A65EA20FBA1A84007AE6A1AF5CBD4FD44135E94D47B95FF3CF145A320

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7AF5C8 Relevance: 14.5, APIs: 3, Strings: 5, Instructions: 475COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF73D7AF608
_invalid_parameter_noinfo.LIBCMT ref: 00007FF73D7AF9D0
_invalid_parameter_noinfo.LIBCMT ref: 00007FF73D7AFC6F

Strings

f, xrefs: 00007FF73D7AF855
p, xrefs: 00007FF73D7AF6AD
f, xrefs: 00007FF73D7AF70A
p, xrefs: 00007FF73D7AF712
f, xrefs: 00007FF73D7AF6A0

Memory Dump Source

Source File: 00000001.00000002.2450600305.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000001.00000002.2450359287.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450659707.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450846455.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: f$f$p$p$f
API String ID: 3215553584-1325933183
Opcode ID: 5b8d5396a44c552a0cc4e48ad8092be8cf806d396b8c8f6251230df5f0eb9214
Instruction ID: 01c71594f1727119d9f81ba734688642d85b0da97f00d24c037ed876a9967557
Opcode Fuzzy Hash: 5b8d5396a44c552a0cc4e48ad8092be8cf806d396b8c8f6251230df5f0eb9214
Instruction Fuzzy Hash: 4E12A622E0C14BA5FB60BA95D0546BAF261FF88754FD44032F699467C4EF3CF482AB21

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7A12B0 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 106COMMON

Download Yara Rule

Strings

Failed to extract %s: failed to read data chunk!, xrefs: 00007FF73D7A13E2
fseek, xrefs: 00007FF73D7A1319
malloc, xrefs: 00007FF73D7A1353
Failed to extract %s: failed to allocate data buffer (%u bytes)!, xrefs: 00007FF73D7A134C
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF73D7A1312
Failed to extract %s: failed to open archive file!, xrefs: 00007FF73D7A12E2
fread, xrefs: 00007FF73D7A13E9

Memory Dump Source

Source File: 00000001.00000002.2450600305.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000001.00000002.2450359287.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450659707.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450846455.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID:
String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
API String ID: 0-3659356012
Opcode ID: 27849c73a2b453c9c71bd8b325d1811199276ab163fc5dd860d9c84c8935c1af
Instruction ID: 9727606b3beef95fbd1a7b1725d76c9eeacb80fa0a0033cfc6dc678c7798cf55
Opcode Fuzzy Hash: 27849c73a2b453c9c71bd8b325d1811199276ab163fc5dd860d9c84c8935c1af
Instruction Fuzzy Hash: 9A417F22B0CA4BA5FA14EB95A4002A9E3A0FB587D4FC54432DE4D47B45FF3CF545A320

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7ACF90 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 317COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00007FF73D7ACFED

Part of subcall function 00007FF73D7ADF00: __GetUnwindTryBlock.LIBCMT ref: 00007FF73D7ADF43
Part of subcall function 00007FF73D7ADF00: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00007FF73D7ADF68

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FF73D7AD0C5
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00007FF73D7AD31A
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF73D7AD426

Strings

csm, xrefs: 00007FF73D7AD06E
csm, xrefs: 00007FF73D7AD0E8
csm, xrefs: 00007FF73D7AD007

Memory Dump Source

Source File: 00000001.00000002.2450600305.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000001.00000002.2450359287.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450659707.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450846455.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: c9717f7599358984fa081211ebe6d8e8a7f2fe77f13a54a703b9fcdffbee59eb
Instruction ID: e2d5e961043de3c1a812f6620843a655433bc26196b0d968643a396a0d47f3aa
Opcode Fuzzy Hash: c9717f7599358984fa081211ebe6d8e8a7f2fe77f13a54a703b9fcdffbee59eb
Instruction Fuzzy Hash: 6BE18272A0C749A6EB20ABA5D4403ADB7A0FB48798F904135EE8D57B95FF38F481D710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7A67C0 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF73D7A1023), ref: 00007FF73D7A685F
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF73D7A1023), ref: 00007FF73D7A68AF

Strings

win32_utils_to_utf8, xrefs: 00007FF73D7A68E8
Failed to encode wchar_t as UTF-8., xrefs: 00007FF73D7A68D8
Failed to get UTF-8 buffer size., xrefs: 00007FF73D7A68F1
WideCharToMultiByte, xrefs: 00007FF73D7A68F8
Out of memory., xrefs: 00007FF73D7A68E1

Memory Dump Source

Source File: 00000001.00000002.2450600305.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000001.00000002.2450359287.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450659707.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450846455.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID: ByteCharMultiWide
String ID: Failed to encode wchar_t as UTF-8.$Failed to get UTF-8 buffer size.$Out of memory.$WideCharToMultiByte$win32_utils_to_utf8
API String ID: 626452242-27947307
Opcode ID: 8d77172852237fffccb974c6d54fb7d37946d1ed41806d5f964de7f541550d5e
Instruction ID: 4339a73eb9ec222c11867c4f7d6b40c6e65aab0f9a0fc61970465268fcf742ed
Opcode Fuzzy Hash: 8d77172852237fffccb974c6d54fb7d37946d1ed41806d5f964de7f541550d5e
Instruction Fuzzy Hash: C541C532A0CF8695E620EF91B840169F7A4FB98B94F944135DA8D47B94FF3CE055D710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7A6EC0 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 63COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(00000000,00007FF73D7A2D35,?,?,?,?,?,?), ref: 00007FF73D7A6F01

Part of subcall function 00007FF73D7A1CB0: GetLastError.KERNEL32(?,?,00000000,00007FF73D7A6904,?,?,?,?,?,?,?,?,?,?,?,00007FF73D7A1023), ref: 00007FF73D7A1CD7

WideCharToMultiByte.KERNEL32(00000000,00007FF73D7A2D35,?,?,?,?,?,?), ref: 00007FF73D7A6F75

Strings

win32_utils_to_utf8, xrefs: 00007FF73D7A6F42
Failed to encode wchar_t as UTF-8., xrefs: 00007FF73D7A6F7F
Failed to get UTF-8 buffer size., xrefs: 00007FF73D7A6F0E
WideCharToMultiByte, xrefs: 00007FF73D7A6F15, 00007FF73D7A6F86
Out of memory., xrefs: 00007FF73D7A6F3B

Memory Dump Source

Source File: 00000001.00000002.2450600305.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000001.00000002.2450359287.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450659707.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450846455.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID: Failed to encode wchar_t as UTF-8.$Failed to get UTF-8 buffer size.$Out of memory.$WideCharToMultiByte$win32_utils_to_utf8
API String ID: 1717984340-27947307
Opcode ID: d869b65ad41923ea885775a182ffbbb4fa8a6a55f9429b012359a23964d7bd56
Instruction ID: a9b3a82bb95362137b407c2e31af28b0b28ddb2d6347e2ea6eec56dc38ca71eb
Opcode Fuzzy Hash: d869b65ad41923ea885775a182ffbbb4fa8a6a55f9429b012359a23964d7bd56
Instruction Fuzzy Hash: 7E215E61A0CB4AA9E720EB96A840069F761BB88B90B944135EA4D437A4FF3CF555A310

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7B93C4 Relevance: 11.0, APIs: 3, Strings: 3, Instructions: 494COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF73D7B9407
_invalid_parameter_noinfo.LIBCMT ref: 00007FF73D7B97F4
_invalid_parameter_noinfo.LIBCMT ref: 00007FF73D7B9A90

Strings

p, xrefs: 00007FF73D7B94B9
f, xrefs: 00007FF73D7B9529
p, xrefs: 00007FF73D7B9531

Memory Dump Source

Source File: 00000001.00000002.2450600305.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000001.00000002.2450359287.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450659707.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450846455.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: f$p$p
API String ID: 3215553584-1995029353
Opcode ID: d478605e8072a694eb9a9d804e4987f1596106984b5661be3eee2fb972e34d58
Instruction ID: da0d617228a30c9d7032741e0ac2749ba30ec24b02b45cb7c6d6aeb406e88bc1
Opcode Fuzzy Hash: d478605e8072a694eb9a9d804e4987f1596106984b5661be3eee2fb972e34d58
Instruction Fuzzy Hash: 2212D4A2E0C14BA6FB607A95D0542BAF691FBA8750FD44035D6A9476C4FF3CF580EB20

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7A6FB0 Relevance: 10.6, APIs: 2, Strings: 5, Instructions: 98COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32 ref: 00007FF73D7A7045
MultiByteToWideChar.KERNEL32 ref: 00007FF73D7A7087

Strings

MultiByteToWideChar, xrefs: 00007FF73D7A70CD
Failed to get wchar_t buffer size., xrefs: 00007FF73D7A70C6
Failed to decode wchar_t from UTF-8, xrefs: 00007FF73D7A70AD
win32_utils_from_utf8, xrefs: 00007FF73D7A70BD
Out of memory., xrefs: 00007FF73D7A70B6

Memory Dump Source

Source File: 00000001.00000002.2450600305.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000001.00000002.2450359287.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450659707.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450846455.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID: ByteCharMultiWide
String ID: Failed to decode wchar_t from UTF-8$Failed to get wchar_t buffer size.$MultiByteToWideChar$Out of memory.$win32_utils_from_utf8
API String ID: 626452242-876015163
Opcode ID: 9e091cbaac830d0070f3842cc1d5ec76c8d2d2f90cb19691d00490de1532936c
Instruction ID: f1047944836d24e909ff2e6c70373b4811ace27e629284149685260dcc4371d1
Opcode Fuzzy Hash: 9e091cbaac830d0070f3842cc1d5ec76c8d2d2f90cb19691d00490de1532936c
Instruction Fuzzy Hash: B841D332A0CB5AA5E610EF55A84017AB6A5FB88B94FD40135EE8D47BA4FF3CF052D710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7A55E0 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 88COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF73D7A6DB0: MultiByteToWideChar.KERNEL32(?,?,?,?,?,?), ref: 00007FF73D7A6DEA

ExpandEnvironmentStringsW.KERNEL32(00000000,00007FF73D7A592F,?,00000000,?,TokenIntegrityLevel), ref: 00007FF73D7A563F

Strings

LOADER: Failed to obtain the absolute path of the runtime-tmpdir., xrefs: 00007FF73D7A569A
LOADER: Failed to expand environment variables in the runtime-tmpdir., xrefs: 00007FF73D7A5653
LOADER: Failed to convert runtime-tmpdir to a wide string., xrefs: 00007FF73D7A5616

Memory Dump Source

Source File: 00000001.00000002.2450600305.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000001.00000002.2450359287.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450659707.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450846455.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID: ByteCharEnvironmentExpandMultiStringsWide
String ID: LOADER: Failed to convert runtime-tmpdir to a wide string.$LOADER: Failed to expand environment variables in the runtime-tmpdir.$LOADER: Failed to obtain the absolute path of the runtime-tmpdir.
API String ID: 2001182103-3498232454
Opcode ID: aa564683267f47d688a8517bb88a9b0a9054f6e1f4b3a9048b672f302df95511
Instruction ID: 86a1dfbd161f058e244d01c0e900eeeead38b42a3519b2b64ba5da4a0335936d
Opcode Fuzzy Hash: aa564683267f47d688a8517bb88a9b0a9054f6e1f4b3a9048b672f302df95511
Instruction Fuzzy Hash: 7431A551B1C78AB0FA64B7A1D9152BAE2A1AF9C7D0FC44431DA4E43786FF2CF1049720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7AC248 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,?,00007FF73D7AC4FA,?,?,?,00007FF73D7AC1EC,?,?,00000001,00007FF73D7ABE09), ref: 00007FF73D7AC2CD
GetLastError.KERNEL32(?,?,?,00007FF73D7AC4FA,?,?,?,00007FF73D7AC1EC,?,?,00000001,00007FF73D7ABE09), ref: 00007FF73D7AC2DB
LoadLibraryExW.KERNEL32(?,?,?,00007FF73D7AC4FA,?,?,?,00007FF73D7AC1EC,?,?,00000001,00007FF73D7ABE09), ref: 00007FF73D7AC305
FreeLibrary.KERNEL32(?,?,?,00007FF73D7AC4FA,?,?,?,00007FF73D7AC1EC,?,?,00000001,00007FF73D7ABE09), ref: 00007FF73D7AC34B
GetProcAddress.KERNEL32(?,?,?,00007FF73D7AC4FA,?,?,?,00007FF73D7AC1EC,?,?,00000001,00007FF73D7ABE09), ref: 00007FF73D7AC357

Strings

api-ms-, xrefs: 00007FF73D7AC2ED

Memory Dump Source

Source File: 00000001.00000002.2450600305.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000001.00000002.2450359287.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450659707.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450846455.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: 9ce77a0163c425c367fd7c26c9c82fe5a817cd2dfec158d19dd861a4531b58f3
Instruction ID: 694132b2ef6b5575094d74aa604baf6f8deadee6b696ef2ffab5625fe4e60659
Opcode Fuzzy Hash: 9ce77a0163c425c367fd7c26c9c82fe5a817cd2dfec158d19dd861a4531b58f3
Instruction Fuzzy Hash: D231B225A0E64AB5EE51AB8AA800579A394FF0DBA0FD90535EE1D47384FF3CF0449721

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7A6DB0 Relevance: 10.6, APIs: 2, Strings: 5, Instructions: 68COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,?,?,?,?,?), ref: 00007FF73D7A6DEA

Part of subcall function 00007FF73D7A1CB0: GetLastError.KERNEL32(?,?,00000000,00007FF73D7A6904,?,?,?,?,?,?,?,?,?,?,?,00007FF73D7A1023), ref: 00007FF73D7A1CD7

MultiByteToWideChar.KERNEL32(?,?,?,?,?,?), ref: 00007FF73D7A6E70

Strings

MultiByteToWideChar, xrefs: 00007FF73D7A6DFE, 00007FF73D7A6E81
Failed to get wchar_t buffer size., xrefs: 00007FF73D7A6DF7
Failed to decode wchar_t from UTF-8, xrefs: 00007FF73D7A6E7A
win32_utils_from_utf8, xrefs: 00007FF73D7A6E39
Out of memory., xrefs: 00007FF73D7A6E32

Memory Dump Source

Source File: 00000001.00000002.2450600305.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000001.00000002.2450359287.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450659707.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450846455.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID: Failed to decode wchar_t from UTF-8$Failed to get wchar_t buffer size.$MultiByteToWideChar$Out of memory.$win32_utils_from_utf8
API String ID: 1717984340-876015163
Opcode ID: 7f54e5da8ee4cb54e1cd0e604769d215f15cea2374718bc11fd99751b49c0007
Instruction ID: ee1cb64ad129ad52a4548dd5ef0f8c2aaf98b9f327f118b63453657b6b6e1ab7
Opcode Fuzzy Hash: 7f54e5da8ee4cb54e1cd0e604769d215f15cea2374718bc11fd99751b49c0007
Instruction Fuzzy Hash: 66218521B0CA4661EB10EB69F800169E761FB8DBD4F984135DB4C83B69FF2CF5919710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7BA780 Relevance: 10.6, APIs: 7, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FF73D7C24B3,?,?,?,00007FF73D7BCCEC,?,?,00000000,00007FF73D7B386F,?,?,?,00007FF73D7B9473), ref: 00007FF73D7BA78F
FlsGetValue.KERNEL32(?,?,?,00007FF73D7C24B3,?,?,?,00007FF73D7BCCEC,?,?,00000000,00007FF73D7B386F,?,?,?,00007FF73D7B9473), ref: 00007FF73D7BA7A4
FlsSetValue.KERNEL32(?,?,?,00007FF73D7C24B3,?,?,?,00007FF73D7BCCEC,?,?,00000000,00007FF73D7B386F,?,?,?,00007FF73D7B9473), ref: 00007FF73D7BA7C5
FlsSetValue.KERNEL32(?,?,?,00007FF73D7C24B3,?,?,?,00007FF73D7BCCEC,?,?,00000000,00007FF73D7B386F,?,?,?,00007FF73D7B9473), ref: 00007FF73D7BA7F2
FlsSetValue.KERNEL32(?,?,?,00007FF73D7C24B3,?,?,?,00007FF73D7BCCEC,?,?,00000000,00007FF73D7B386F,?,?,?,00007FF73D7B9473), ref: 00007FF73D7BA803
FlsSetValue.KERNEL32(?,?,?,00007FF73D7C24B3,?,?,?,00007FF73D7BCCEC,?,?,00000000,00007FF73D7B386F,?,?,?,00007FF73D7B9473), ref: 00007FF73D7BA814
SetLastError.KERNEL32(?,?,?,00007FF73D7C24B3,?,?,?,00007FF73D7BCCEC,?,?,00000000,00007FF73D7B386F,?,?,?,00007FF73D7B9473), ref: 00007FF73D7BA82F

Memory Dump Source

Source File: 00000001.00000002.2450600305.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000001.00000002.2450359287.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450659707.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450846455.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 3971363800b8a81fa04bc153c76856abca93ecf9b7e0d768850358a078ef79bd
Instruction ID: e65f284636d0e9b19f52ab4430d53f97887b3b3550bdb82e708ecf4ffafae41c
Opcode Fuzzy Hash: 3971363800b8a81fa04bc153c76856abca93ecf9b7e0d768850358a078ef79bd
Instruction Fuzzy Hash: 8C21FD20F0CA0A62FA6973E05955179EA52AF6C7B0FC40734E83E47BC6FF6CB4416220

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7C70EC Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 00007FF73D7C711D
GetLastError.KERNEL32 ref: 00007FF73D7C7129
CloseHandle.KERNEL32 ref: 00007FF73D7C7141
CreateFileW.KERNEL32 ref: 00007FF73D7C716C
WriteConsoleW.KERNEL32 ref: 00007FF73D7C718B

Strings

CONOUT$, xrefs: 00007FF73D7C714D

Memory Dump Source

Source File: 00000001.00000002.2450600305.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000001.00000002.2450359287.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450659707.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450846455.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: 900c1da012dee1dfb60ea43974335527b3f6c3b56b4e810762f126343bdfd55c
Instruction ID: 657aa8749b6e139b72acfed6228271fdb15503b1051557c232251e8b84308eda
Opcode Fuzzy Hash: 900c1da012dee1dfb60ea43974335527b3f6c3b56b4e810762f126343bdfd55c
Instruction Fuzzy Hash: B8119322B1CB459AE350AB92E854329A2A0FB8CBF5F840234DA9D87794EF7CE4449750

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7BA8F8 Relevance: 9.1, APIs: 6, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FF73D7B6091,?,?,?,?,00007FF73D7BDF1F,?,?,00000000,00007FF73D7BAA16,?,?,?), ref: 00007FF73D7BA907
FlsSetValue.KERNEL32(?,?,?,00007FF73D7B6091,?,?,?,?,00007FF73D7BDF1F,?,?,00000000,00007FF73D7BAA16,?,?,?), ref: 00007FF73D7BA93D
FlsSetValue.KERNEL32(?,?,?,00007FF73D7B6091,?,?,?,?,00007FF73D7BDF1F,?,?,00000000,00007FF73D7BAA16,?,?,?), ref: 00007FF73D7BA96A
FlsSetValue.KERNEL32(?,?,?,00007FF73D7B6091,?,?,?,?,00007FF73D7BDF1F,?,?,00000000,00007FF73D7BAA16,?,?,?), ref: 00007FF73D7BA97B
FlsSetValue.KERNEL32(?,?,?,00007FF73D7B6091,?,?,?,?,00007FF73D7BDF1F,?,?,00000000,00007FF73D7BAA16,?,?,?), ref: 00007FF73D7BA98C
SetLastError.KERNEL32(?,?,?,00007FF73D7B6091,?,?,?,?,00007FF73D7BDF1F,?,?,00000000,00007FF73D7BAA16,?,?,?), ref: 00007FF73D7BA9A7

Memory Dump Source

Source File: 00000001.00000002.2450600305.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000001.00000002.2450359287.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450659707.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450846455.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 9c16369c9cedf713b6ac3dac2cb17ec2f8e610dc045da35baaf6277b530098a9
Instruction ID: 576ff46cf3acc65a09dc9227a87b1c183b6a49bed6d44eda76a4e226ce5dc60e
Opcode Fuzzy Hash: 9c16369c9cedf713b6ac3dac2cb17ec2f8e610dc045da35baaf6277b530098a9
Instruction Fuzzy Hash: 5E11DE20B0C60A62FA5873E19995179E692AFAD7B0FC54734E87E437D6FF6CB4407220

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7ABC08 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 144COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF73D7ABC33
_IsNonwritableInCurrentImage.LIBCMT ref: 00007FF73D7ABCC8
RtlUnwindEx.KERNEL32 ref: 00007FF73D7ABD17

Strings

f, xrefs: 00007FF73D7ABC46
csm, xrefs: 00007FF73D7ABCAE

Memory Dump Source

Source File: 00000001.00000002.2450600305.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000001.00000002.2450359287.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450659707.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450846455.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm$f
API String ID: 2395640692-629598281
Opcode ID: e4cc0f9b1589dd73a5d4f416534ce71b9b3e94dd2aede877d85d93aa73312820
Instruction ID: 02df527b9b837b6ca96c77ce98d63b28de1ec998c874bf49164b388b2ba260a3
Opcode Fuzzy Hash: e4cc0f9b1589dd73a5d4f416534ce71b9b3e94dd2aede877d85d93aa73312820
Instruction Fuzzy Hash: 4E51C732A2D60AAAD715EF55E408A39B795FB48B88FD18134EA4E47748FF38F841D710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7B8A40 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00007FF73D7B8A65
GetProcAddress.KERNEL32 ref: 00007FF73D7B8A7B
FreeLibrary.KERNEL32 ref: 00007FF73D7B8AA2

Strings

CorExitProcess, xrefs: 00007FF73D7B8A74
mscoree.dll, xrefs: 00007FF73D7B8A5C

Memory Dump Source

Source File: 00000001.00000002.2450600305.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000001.00000002.2450359287.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450659707.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450846455.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 78a1a69aac29132cf000f84d0d5f993c26bceca4d1e4e1c3cfa2e89eec15c9a9
Instruction ID: 3f764ba9dbf79d3a14a3b9682b419b2fc83fc32fcfa706dcc57adfeff000a78d
Opcode Fuzzy Hash: 78a1a69aac29132cf000f84d0d5f993c26bceca4d1e4e1c3cfa2e89eec15c9a9
Instruction Fuzzy Hash: C5F04461A0D70A51EA10AB94E8543399360BF4D7B1FD40635CAAD461E4FF2CE088E320

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7C8824 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00007FF73D7C884C
_set_statfp.LIBCMT ref: 00007FF73D7C8867
_set_statfp.LIBCMT ref: 00007FF73D7C8883
_set_statfp.LIBCMT ref: 00007FF73D7C88BF

Memory Dump Source

Source File: 00000001.00000002.2450600305.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000001.00000002.2450359287.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450659707.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450846455.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 69d38c35bd33e64192705e47d806ebaffe6519085bb8d16871af39b095092657
Instruction ID: 8a387cb5287f0b2c8d14b08fd502ee7c0803bbeec9480428bbb9fea52dd92f38
Opcode Fuzzy Hash: 69d38c35bd33e64192705e47d806ebaffe6519085bb8d16871af39b095092657
Instruction Fuzzy Hash: DE118622D2CA2B29F6743194D45537591816F5D374F890634E9EE4BADBEF2CB8406120

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7BA9C0 Relevance: 7.6, APIs: 5, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,00007FF73D7B9BD3,?,?,00000000,00007FF73D7B9E6E,?,?,?,?,?,00007FF73D7B1A40), ref: 00007FF73D7BA9DF
FlsSetValue.KERNEL32(?,?,?,00007FF73D7B9BD3,?,?,00000000,00007FF73D7B9E6E,?,?,?,?,?,00007FF73D7B1A40), ref: 00007FF73D7BA9FE
FlsSetValue.KERNEL32(?,?,?,00007FF73D7B9BD3,?,?,00000000,00007FF73D7B9E6E,?,?,?,?,?,00007FF73D7B1A40), ref: 00007FF73D7BAA26
FlsSetValue.KERNEL32(?,?,?,00007FF73D7B9BD3,?,?,00000000,00007FF73D7B9E6E,?,?,?,?,?,00007FF73D7B1A40), ref: 00007FF73D7BAA37
FlsSetValue.KERNEL32(?,?,?,00007FF73D7B9BD3,?,?,00000000,00007FF73D7B9E6E,?,?,?,?,?,00007FF73D7B1A40), ref: 00007FF73D7BAA48

Memory Dump Source

Source File: 00000001.00000002.2450600305.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000001.00000002.2450359287.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450659707.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450846455.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: ccee12417dd8fadd804cf4bca67e11b29a445d0494c9c7ede3eb61f72115d30b
Instruction ID: 356adb156fbb5f7645a66488813e76133487a23e6b7052feb4a9ae86f8f117c6
Opcode Fuzzy Hash: ccee12417dd8fadd804cf4bca67e11b29a445d0494c9c7ede3eb61f72115d30b
Instruction Fuzzy Hash: 13116D21A0C60A61FA5873E55A91179E9426F6C7B0F844334E83E477C6FF6CF441A620

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7BA854 Relevance: 7.6, APIs: 5, Instructions: 50COMMON

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,?,?,?,?,00007FF73D7C24B3,?,?,?,00007FF73D7BCCEC,?,?,00000000,00007FF73D7B386F), ref: 00007FF73D7BA865
FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00007FF73D7C24B3,?,?,?,00007FF73D7BCCEC,?,?,00000000,00007FF73D7B386F), ref: 00007FF73D7BA884
FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00007FF73D7C24B3,?,?,?,00007FF73D7BCCEC,?,?,00000000,00007FF73D7B386F), ref: 00007FF73D7BA8AC
FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00007FF73D7C24B3,?,?,?,00007FF73D7BCCEC,?,?,00000000,00007FF73D7B386F), ref: 00007FF73D7BA8BD
FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00007FF73D7C24B3,?,?,?,00007FF73D7BCCEC,?,?,00000000,00007FF73D7B386F), ref: 00007FF73D7BA8CE

Memory Dump Source

Source File: 00000001.00000002.2450600305.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000001.00000002.2450359287.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450659707.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450846455.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 353fa8bf1983d63c804749c76f5f6573fef8243f584448c2a0a10dd8cdf132d1
Instruction ID: 8de3d1b6fed6f7159be658053c7715b00672cb8969b6e31aa2b758845f7f88fe
Opcode Fuzzy Hash: 353fa8bf1983d63c804749c76f5f6573fef8243f584448c2a0a10dd8cdf132d1
Instruction Fuzzy Hash: 70114810E0CA0F61F9AA72E148521B995426F6D370FC80B34E83E4ABC2FF6DB4427231

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7BF218 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 219COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF73D7BF4F7

Part of subcall function 00007FF73D7C54F4: _invalid_parameter_noinfo.LIBCMT ref: 00007FF73D7C5511

Strings

UTF-16LEUNICODE, xrefs: 00007FF73D7BF495
UTF-8, xrefs: 00007FF73D7BF476
ccs, xrefs: 00007FF73D7BF432

Memory Dump Source

Source File: 00000001.00000002.2450600305.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000001.00000002.2450359287.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450659707.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450846455.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: UTF-16LEUNICODE$UTF-8$ccs
API String ID: 3215553584-1196891531
Opcode ID: fa9c2c0b9e0b51f4f192ae3b8b8b95ed4a793ff286fdede4dba764f85164dfb1
Instruction ID: 81ef92fa8475317c67566f1b768b365ca134620ff95cb475da37eaa53685e9d3
Opcode Fuzzy Hash: fa9c2c0b9e0b51f4f192ae3b8b8b95ed4a793ff286fdede4dba764f85164dfb1
Instruction Fuzzy Hash: F1819136D0C20AA5F7646FE9C150279F6A0AF29F44FD58071DA0997295EB2EF903B321

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7AD468 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 00007FF73D7AD4B4
_CallSETranslator.LIBVCRUNTIME ref: 00007FF73D7AD503

Strings

RCC, xrefs: 00007FF73D7AD4D1
MOC, xrefs: 00007FF73D7AD4C8

Memory Dump Source

Source File: 00000001.00000002.2450600305.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000001.00000002.2450359287.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450659707.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450846455.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: f09742bcba9082defbae069630545238114b431a0e4fd7be58dd8469a5d7fef1
Instruction ID: e32ea7e34947616c448e8fe8d4fcffbe01d11c99797d9df8b0b78445e995f7f4
Opcode Fuzzy Hash: f09742bcba9082defbae069630545238114b431a0e4fd7be58dd8469a5d7fef1
Instruction Fuzzy Hash: 6D616A76A08B499AE710EFA5D4803ADB7A0FB48B8CF444225EF4D17B98EF78E055D710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7AD7C4 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 145COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF73D7AD7EC
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00007FF73D7AD8D4

Strings

csm, xrefs: 00007FF73D7AD80E
csm, xrefs: 00007FF73D7AD926

Memory Dump Source

Source File: 00000001.00000002.2450600305.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000001.00000002.2450359287.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450659707.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450846455.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: a3990994d2fbb822c09bdc2a35b5fa2b647080e9aebb1a5b00e12dffe7bfe986
Instruction ID: 6442dccb38bb96ea3a04bbed2afc9502356daac3ec9170fa1eb8f9997e9952ff
Opcode Fuzzy Hash: a3990994d2fbb822c09bdc2a35b5fa2b647080e9aebb1a5b00e12dffe7bfe986
Instruction Fuzzy Hash: 6551E33290C24AA6EB60AF959444378B7A0FB49B94F884132EA9C47BD5FF3CF450D710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7A2CD0 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,00007FF73D7A27C9,?,?,?,?,?,?), ref: 00007FF73D7A2D01

Part of subcall function 00007FF73D7A1CB0: GetLastError.KERNEL32(?,?,00000000,00007FF73D7A6904,?,?,?,?,?,?,?,?,?,?,?,00007FF73D7A1023), ref: 00007FF73D7A1CD7

Strings

Failed to convert executable path to UTF-8., xrefs: 00007FF73D7A2D3A
Failed to get executable path., xrefs: 00007FF73D7A2D0B
GetModuleFileNameW, xrefs: 00007FF73D7A2D12

Memory Dump Source

Source File: 00000001.00000002.2450600305.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000001.00000002.2450359287.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450659707.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450846455.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID: ErrorFileLastModuleName
String ID: Failed to convert executable path to UTF-8.$Failed to get executable path.$GetModuleFileNameW
API String ID: 2776309574-1977442011
Opcode ID: 7987a5ce4ff3c8cba7d8c38c60f2d05ca27952d1a3ea66f3204455115dc1ef10
Instruction ID: 22e7f05a44c0b878c080dcbc08135b3a5094b3faa20fb1b8d8d6afb9ac802d61
Opcode Fuzzy Hash: 7987a5ce4ff3c8cba7d8c38c60f2d05ca27952d1a3ea66f3204455115dc1ef10
Instruction Fuzzy Hash: EC017C61B1D64AB5FA61B7A0E8153B59291BF5C3C1FC01032D88E8B396FF1CF254A720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7BBBD0 Relevance: 6.3, APIs: 4, Instructions: 299fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 00007FF73D7BBC4F
WriteFile.KERNEL32 ref: 00007FF73D7BBF17
WriteFile.KERNEL32 ref: 00007FF73D7BBF5D
GetLastError.KERNEL32 ref: 00007FF73D7BC013

Memory Dump Source

Source File: 00000001.00000002.2450600305.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000001.00000002.2450359287.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450659707.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450846455.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: 47f9f7c1e3185106a498671fedee26090088e719dd8e44b73d57f810765c87d4
Instruction ID: ae25286e6347ef5d88ca17dee857a11b0038008cae33ad8052fbb896aa10f2b5
Opcode Fuzzy Hash: 47f9f7c1e3185106a498671fedee26090088e719dd8e44b73d57f810765c87d4
Instruction Fuzzy Hash: 87D10372B0CA8999E711DFB5C4402ACB771FB58B98B804136DE4E97B99EF38E006D710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7C4DBC Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 121COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF73D7C0920: _invalid_parameter_noinfo.LIBCMT ref: 00007FF73D7C0953

_get_daylight.LIBCMT ref: 00007FF73D7C4ED4
_get_daylight.LIBCMT ref: 00007FF73D7C4EE5

Strings

?, xrefs: 00007FF73D7C4E65

Memory Dump Source

Source File: 00000001.00000002.2450600305.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000001.00000002.2450359287.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450659707.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450846455.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo
String ID: ?
API String ID: 1286766494-1684325040
Opcode ID: 610c018c2ed3d43a6dc6b39dfd7623f8c002a97b49fdc2d3a9d4eaa2ab755e24
Instruction ID: 0f513155ee7fa2740f6b051a68b69dd75d8d2a38752f1daea3a4750a8767295f
Opcode Fuzzy Hash: 610c018c2ed3d43a6dc6b39dfd7623f8c002a97b49fdc2d3a9d4eaa2ab755e24
Instruction Fuzzy Hash: 4C414C12A0C68A69FB20ABB5D401379D660EB98BB8F944235EE9D07AD5FF3CF441D710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7B7FD0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 111COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF73D7B8002

Part of subcall function 00007FF73D7B9F78: RtlRestoreThreadPreferredUILanguages.NTDLL(?,?,?,00007FF73D7C1EC2,?,?,?,00007FF73D7C1EFF,?,?,00000000,00007FF73D7C23C5,?,?,00000000,00007FF73D7C22F7), ref: 00007FF73D7B9F8E
Part of subcall function 00007FF73D7B9F78: GetLastError.KERNEL32(?,?,?,00007FF73D7C1EC2,?,?,?,00007FF73D7C1EFF,?,?,00000000,00007FF73D7C23C5,?,?,00000000,00007FF73D7C22F7), ref: 00007FF73D7B9F98

GetModuleFileNameW.KERNEL32(?,?,?,?,?,00007FF73D7AA485), ref: 00007FF73D7B8020

Strings

C:\Users\user\Desktop\xSO7sbN2j6.exe, xrefs: 00007FF73D7B800E

Memory Dump Source

Source File: 00000001.00000002.2450600305.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000001.00000002.2450359287.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450659707.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450846455.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID: ErrorFileLanguagesLastModuleNamePreferredRestoreThread_invalid_parameter_noinfo
String ID: C:\Users\user\Desktop\xSO7sbN2j6.exe
API String ID: 2553983749-2892895399
Opcode ID: 87397ab4d942c93eb7ecf5272dbc7224ab3e9c0a5ace0b49458789d652eb9e0d
Instruction ID: d77b968abe8ace9e80dce9286fd5fb6461789b5b305ccf334dc3065e768a0ef6
Opcode Fuzzy Hash: 87397ab4d942c93eb7ecf5272dbc7224ab3e9c0a5ace0b49458789d652eb9e0d
Instruction Fuzzy Hash: 24417F36A0CB1AA6E714AF61D8410B8A7A4EF5C7D4BD45035FA4E43B95EF3CF4819360

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7BC268 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 00007FF73D7BC37F
GetLastError.KERNEL32 ref: 00007FF73D7BC3A1

Strings

U, xrefs: 00007FF73D7BC32B

Memory Dump Source

Source File: 00000001.00000002.2450600305.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000001.00000002.2450359287.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450659707.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450846455.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 3868b3aae24abb70b6c7ced641cfa87b6d54125405e373b4c87f7bfc476be08b
Instruction ID: 9edfc7421728f929e1d956788be6f19ecaa2f95af8da7f4f0660ca1b86ca2057
Opcode Fuzzy Hash: 3868b3aae24abb70b6c7ced641cfa87b6d54125405e373b4c87f7bfc476be08b
Instruction Fuzzy Hash: D741B422A1CA89A5DB609FA5E8443A9B760FB98794FC44031EE4D87758EF3CE441D750

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7BE588 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32 ref: 00007FF73D7BE5C8
GetCurrentDirectoryW.KERNEL32 ref: 00007FF73D7BE61A

Strings

:, xrefs: 00007FF73D7BE5DE

Memory Dump Source

Source File: 00000001.00000002.2450600305.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000001.00000002.2450359287.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450659707.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450846455.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID: CurrentDirectory
String ID: :
API String ID: 1611563598-336475711
Opcode ID: f9a3a88e5e7675db83ee30e7457ef94258ee056855d46160e54cb350838ff185
Instruction ID: 1755fc556a1da28170fabbc13df5f88811531fbffdda114b307d6996ab2c44c4
Opcode Fuzzy Hash: f9a3a88e5e7675db83ee30e7457ef94258ee056855d46160e54cb350838ff185
Instruction Fuzzy Hash: 8721F222B1C28995EB28AB55D04426DB3B1FB9CB88FC54035D68D43384EF7CF945DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7AE310 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32 ref: 00007FF73D7AE354
RaiseException.KERNEL32 ref: 00007FF73D7AE39A

Strings

csm, xrefs: 00007FF73D7AE387

Memory Dump Source

Source File: 00000001.00000002.2450600305.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000001.00000002.2450359287.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450659707.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450846455.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: ee4cd62d6736e0f26efa3482034fbaa09f2706f16dc7c85cfdea4997af4e44da
Instruction ID: 896f1a36c061e744c92c871ba5f30433224728dfba85e74b9cc71077110cc293
Opcode Fuzzy Hash: ee4cd62d6736e0f26efa3482034fbaa09f2706f16dc7c85cfdea4997af4e44da
Instruction Fuzzy Hash: E6111C32A1CB4992EB219F55F440269B7A5FB88B94F584231EECD07768EF3CE5519B00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7BF08C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF73D7BF0BC
GetDriveTypeW.KERNEL32 ref: 00007FF73D7BF0FC

Strings

:, xrefs: 00007FF73D7BF0E5

Memory Dump Source

Source File: 00000001.00000002.2450600305.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000001.00000002.2450359287.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450659707.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450722238.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2450846455.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID: DriveType_invalid_parameter_noinfo
String ID: :
API String ID: 2595371189-336475711
Opcode ID: 231bdef7d4e4c9a314d514652501e8a1bb3d1d6653b2e53c967e9d93a887682d
Instruction ID: 01075045691a855fd7fa22316cf7812ff9c93fe3af67931ac36722cdd7d10247
Opcode Fuzzy Hash: 231bdef7d4e4c9a314d514652501e8a1bb3d1d6653b2e53c967e9d93a887682d
Instruction Fuzzy Hash: 67017161A1C60A96E720BFE0946127EE3A0EF5DB04FC40036D58D86691FF2DF545A634

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: xSO7sbN2j6.exePID: 3424, Parent PID: 1268COMMON

Execution Graph

Execution Coverage:	2.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	1%
Total number of Nodes:	820
Total number of Limit Nodes:	24

Executed Functions

Function 00007FF73D7C4EA0 Relevance: 14.3, APIs: 6, Strings: 2, Instructions: 334
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_get_daylight.LIBCMT ref: 00007FF73D7C4EE5

Part of subcall function 00007FF73D7C4838: _invalid_parameter_noinfo.LIBCMT ref: 00007FF73D7C484C

Part of subcall function 00007FF73D7B9F78: HeapFree.KERNEL32(?,?,?,00007FF73D7C1EC2,?,?,?,00007FF73D7C1EFF,?,?,00000000,00007FF73D7C23C5,?,?,00000000,00007FF73D7C22F7), ref: 00007FF73D7B9F8E
Part of subcall function 00007FF73D7B9F78: GetLastError.KERNEL32(?,?,?,00007FF73D7C1EC2,?,?,?,00007FF73D7C1EFF,?,?,00000000,00007FF73D7C23C5,?,?,00000000,00007FF73D7C22F7), ref: 00007FF73D7B9F98

Part of subcall function 00007FF73D7B9F30: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FF73D7B9F0F,?,?,?,?,?,00007FF73D7B1A40), ref: 00007FF73D7B9F39
Part of subcall function 00007FF73D7B9F30: GetCurrentProcess.KERNEL32(?,?,?,?,00007FF73D7B9F0F,?,?,?,?,?,00007FF73D7B1A40), ref: 00007FF73D7B9F5E

_get_daylight.LIBCMT ref: 00007FF73D7C4ED4

Part of subcall function 00007FF73D7C4898: _invalid_parameter_noinfo.LIBCMT ref: 00007FF73D7C48AC

_get_daylight.LIBCMT ref: 00007FF73D7C514A
_get_daylight.LIBCMT ref: 00007FF73D7C515B
_get_daylight.LIBCMT ref: 00007FF73D7C516C
GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00007FF73D7C53AC), ref: 00007FF73D7C5193

Strings

W. Europe Summer Time, xrefs: 00007FF73D7C5251
W. Europe Standard Time, xrefs: 00007FF73D7C5239

Memory Dump Source

Source File: 00000003.00000002.2440853785.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000003.00000002.2440821736.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440889498.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2441000945.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo$CurrentErrorFeatureFreeHeapInformationLastPresentProcessProcessorTimeZone
String ID: W. Europe Standard Time$W. Europe Summer Time
API String ID: 4070488512-690618308
Opcode ID: efd6bd86b0a9241ba49c40c51702d4a4216664c1cf6d90fa3e70e8402c69cba8
Instruction ID: 563544c33dd6ba9be267295d8291dd0775ece5b0d61c173268cefaf4e0df071b
Opcode Fuzzy Hash: efd6bd86b0a9241ba49c40c51702d4a4216664c1cf6d90fa3e70e8402c69cba8
Instruction Fuzzy Hash: 06D1A222A1C25A6AE720BFB5D8501B9A6A1FF4C7A4FC44035EA8D47685FF3DF441E360

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7C5DEC Relevance: 13.8, APIs: 9, Instructions: 276
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF73D7C5B20: _invalid_parameter_noinfo.LIBCMT ref: 00007FF73D7C5B61
Part of subcall function 00007FF73D7C5B20: _invalid_parameter_noinfo.LIBCMT ref: 00007FF73D7C5BDF
Part of subcall function 00007FF73D7C5B20: _invalid_parameter_noinfo.LIBCMT ref: 00007FF73D7C5C30

CreateFileW.KERNEL32 ref: 00007FF73D7C5EF2
CreateFileW.KERNEL32 ref: 00007FF73D7C5F42
GetLastError.KERNEL32 ref: 00007FF73D7C5F72
GetFileType.KERNEL32 ref: 00007FF73D7C5F87
GetLastError.KERNEL32 ref: 00007FF73D7C5F91
CloseHandle.KERNEL32 ref: 00007FF73D7C5FC4
CloseHandle.KERNEL32 ref: 00007FF73D7C6127
CreateFileW.KERNEL32 ref: 00007FF73D7C615C
GetLastError.KERNEL32 ref: 00007FF73D7C616B

Memory Dump Source

Source File: 00000003.00000002.2440853785.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000003.00000002.2440821736.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440889498.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2441000945.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type
String ID:
API String ID: 1617910340-0
Opcode ID: 52a4378cdb78c32285671ba8c66096e739a338fe2dbd84037285ee5c330aca07
Instruction ID: 05b991d51b8a46ce259d5d0b97b1bba063a714ceef46b3a785dfc098d738f835
Opcode Fuzzy Hash: 52a4378cdb78c32285671ba8c66096e739a338fe2dbd84037285ee5c330aca07
Instruction Fuzzy Hash: 36C1F432B28A4A9AEB10DFA4C4805AC7761F74DBA8F800235DE5E5B795EF39E051D310

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7C511C Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 143
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_get_daylight.LIBCMT ref: 00007FF73D7C514A

Part of subcall function 00007FF73D7C4898: _invalid_parameter_noinfo.LIBCMT ref: 00007FF73D7C48AC

_get_daylight.LIBCMT ref: 00007FF73D7C515B

Part of subcall function 00007FF73D7C4838: _invalid_parameter_noinfo.LIBCMT ref: 00007FF73D7C484C

_get_daylight.LIBCMT ref: 00007FF73D7C516C

Part of subcall function 00007FF73D7C4868: _invalid_parameter_noinfo.LIBCMT ref: 00007FF73D7C487C

Part of subcall function 00007FF73D7B9F78: HeapFree.KERNEL32(?,?,?,00007FF73D7C1EC2,?,?,?,00007FF73D7C1EFF,?,?,00000000,00007FF73D7C23C5,?,?,00000000,00007FF73D7C22F7), ref: 00007FF73D7B9F8E
Part of subcall function 00007FF73D7B9F78: GetLastError.KERNEL32(?,?,?,00007FF73D7C1EC2,?,?,?,00007FF73D7C1EFF,?,?,00000000,00007FF73D7C23C5,?,?,00000000,00007FF73D7C22F7), ref: 00007FF73D7B9F98

GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00007FF73D7C53AC), ref: 00007FF73D7C5193

Strings

W. Europe Summer Time, xrefs: 00007FF73D7C5251
W. Europe Standard Time, xrefs: 00007FF73D7C5239

Memory Dump Source

Source File: 00000003.00000002.2440853785.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000003.00000002.2440821736.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440889498.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2441000945.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID: _get_daylight_invalid_parameter_noinfo$ErrorFreeHeapInformationLastTimeZone
String ID: W. Europe Standard Time$W. Europe Summer Time
API String ID: 3458911817-690618308
Opcode ID: 7e198542f45e47f797bfdedd3dcdeb77a56801e9e6762daf8462a5b391b5a0a3
Instruction ID: dd971b74f90df43dbb840c2febaf66e860e90053ef6bbc71420a5751370b17d9
Opcode Fuzzy Hash: 7e198542f45e47f797bfdedd3dcdeb77a56801e9e6762daf8462a5b391b5a0a3
Instruction Fuzzy Hash: E8517132A1C64AAAE720FFA5D8901A9F760FB4C794FC04135EA8D47695EF3CF4009760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8A84FCDE0 Relevance: 6.8, APIs: 4, Instructions: 850librarymemoryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00007FF8A84FD8A0
GetProcAddress.KERNEL32 ref: 00007FF8A84FD8CA
VirtualProtect.KERNEL32(?,?,?,00000000), ref: 00007FF8A84FD954
VirtualProtect.KERNEL32 ref: 00007FF8A84FD972

Memory Dump Source

Source File: 00000003.00000002.2442136726.00007FF8A84FC000.00000080.00000001.01000000.00000017.sdmp, Offset: 00007FF8A81B0000, based on PE: true

Associated: 00000003.00000002.2441421471.00007FF8A81B0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2441450814.00007FF8A81B1000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2441450814.00007FF8A81BD000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2441450814.00007FF8A8215000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2441450814.00007FF8A8229000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2441450814.00007FF8A823A000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2441450814.00007FF8A8240000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2441450814.00007FF8A824D000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2441450814.00007FF8A83F6000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2441450814.00007FF8A83F8000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2441450814.00007FF8A8423000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2441450814.00007FF8A8454000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2441450814.00007FF8A847A000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2441450814.00007FF8A84C7000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2441450814.00007FF8A84CF000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2441450814.00007FF8A84EB000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2441450814.00007FF8A84F8000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2442165063.00007FF8A84FE000.00000004.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff8a81b0000_xSO7sbN2j6.jbxd

Similarity

API ID: ProtectVirtual$AddressLibraryLoadProc
String ID:
API String ID: 3300690313-0
Opcode ID: ae51d27ccbcf667624dac520b849d23daf3ade62aa54f1a4b469b13c076747e5
Instruction ID: 64c6d2a7081258a878acb481a1cfef014de116b02505721c8dd8fa47b6128d54
Opcode Fuzzy Hash: ae51d27ccbcf667624dac520b849d23daf3ade62aa54f1a4b469b13c076747e5
Instruction Fuzzy Hash: 3A62482262A99296E7158F38D40037D7BA0F748BC5F045536EAAEC37C4EBBCEA45C714

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7A17B0 Relevance: 21.1, APIs: 2, Strings: 10, Instructions: 144
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_fread_nolock.LIBCMT ref: 00007FF73D7A185C
_fread_nolock.LIBCMT ref: 00007FF73D7A190E

Part of subcall function 00007FF73D7AE6D0: _invalid_parameter_noinfo.LIBCMT ref: 00007FF73D7AE6E4

Strings

Failed to read cookie!, xrefs: 00007FF73D7A1867
Failed to seek to cookie position!, xrefs: 00007FF73D7A182F
fseek, xrefs: 00007FF73D7A1836
malloc, xrefs: 00007FF73D7A18EA
Could not allocate buffer for TOC!, xrefs: 00007FF73D7A18E3
Could not read full TOC!, xrefs: 00007FF73D7A1919
Cannot read Table of Contents., xrefs: 00007FF73D7A1995
fread, xrefs: 00007FF73D7A186E
MEI, xrefs: 00007FF73D7A17EF
Error on file., xrefs: 00007FF73D7A193D

Memory Dump Source

Source File: 00000003.00000002.2440853785.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000003.00000002.2440821736.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440889498.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2441000945.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID: _fread_nolock$_invalid_parameter_noinfo
String ID: Cannot read Table of Contents.$Could not allocate buffer for TOC!$Could not read full TOC!$Error on file.$Failed to read cookie!$Failed to seek to cookie position!$MEI$fread$fseek$malloc
API String ID: 3405171723-4158440160
Opcode ID: 99a95b783892b476e2a0d0c7f447c08d7c6dfec425a196ca4ac10a11762d1027
Instruction ID: 253f66822e3f6f349930bf0b2bb80f4b459ad96d7b14b7d5bd94ffd4174cfa76
Opcode Fuzzy Hash: 99a95b783892b476e2a0d0c7f447c08d7c6dfec425a196ca4ac10a11762d1027
Instruction Fuzzy Hash: D9517D72A0DA0AA6EB54EF64D450178B3A0FB4CB58B918136DA4D87395EF3CF444D760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7A12B0 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 106
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF73D7A1312
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF73D7A13E2
fseek, xrefs: 00007FF73D7A1319
malloc, xrefs: 00007FF73D7A1353
Failed to extract %s: failed to open archive file!, xrefs: 00007FF73D7A12E2
fread, xrefs: 00007FF73D7A13E9
Failed to extract %s: failed to allocate data buffer (%u bytes)!, xrefs: 00007FF73D7A134C

Memory Dump Source

Source File: 00000003.00000002.2440853785.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000003.00000002.2440821736.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440889498.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2441000945.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID:
String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
API String ID: 0-3659356012
Opcode ID: 1847f53e28831bf7bdad0349d54e91e27c7db2b272923d91413948859c691faf
Instruction ID: 9727606b3beef95fbd1a7b1725d76c9eeacb80fa0a0033cfc6dc678c7798cf55
Opcode Fuzzy Hash: 1847f53e28831bf7bdad0349d54e91e27c7db2b272923d91413948859c691faf
Instruction Fuzzy Hash: 9A417F22B0CA4BA5FA14EB95A4002A9E3A0FB587D4FC54432DE4D47B45FF3CF545A320

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7A1000 Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 274
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF73D7A2CD0: GetModuleFileNameW.KERNEL32(?,00007FF73D7A27C9,?,?,?,?,?,?), ref: 00007FF73D7A2D01

SetDllDirectoryW.KERNEL32 ref: 00007FF73D7A29D5

Part of subcall function 00007FF73D7A5AF0: GetEnvironmentVariableW.KERNEL32(00007FF73D7A2817,?,?,?,?,?,?), ref: 00007FF73D7A5B2A
Part of subcall function 00007FF73D7A5AF0: ExpandEnvironmentStringsW.KERNEL32(?,?,?,?,?,?), ref: 00007FF73D7A5B47

Strings

_PYI_ONEDIR_MODE, xrefs: 00007FF73D7A282C, 00007FF73D7A2857
Cannot side-load external archive %s (code %d)!, xrefs: 00007FF73D7A295C
Failed to convert DLL search path!, xrefs: 00007FF73D7A29BD
_MEIPASS2, xrefs: 00007FF73D7A2803, 00007FF73D7A286C, 00007FF73D7A2B1B, 00007FF73D7A2B2B
Cannot open PyInstaller archive from executable (%s) or external archive (%s), xrefs: 00007FF73D7A28BE
MEI, xrefs: 00007FF73D7A2917

Memory Dump Source

Source File: 00000003.00000002.2440853785.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000003.00000002.2440821736.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440889498.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2441000945.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID: Environment$DirectoryExpandFileModuleNameStringsVariable
String ID: Cannot open PyInstaller archive from executable (%s) or external archive (%s)$Cannot side-load external archive %s (code %d)!$Failed to convert DLL search path!$MEI$_MEIPASS2$_PYI_ONEDIR_MODE
API String ID: 2344891160-3602715111
Opcode ID: 6ffaa7b6753284d36b7d0e83ed7552fa0ea6ef6719caab17f4e9f655f6ece649
Instruction ID: aae7a1149a70466cd18f49eaeb528e6c347d95ae5c10e41ff3e59072bca909f3
Opcode Fuzzy Hash: 6ffaa7b6753284d36b7d0e83ed7552fa0ea6ef6719caab17f4e9f655f6ece649
Instruction Fuzzy Hash: B4C17222A1C68B75FA24BBA194512FDA391BF4C784FC05032EA4D47796FF2CF615A720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7A1050 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 156
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Failed to extract %s: inflateInit() failed with return code %d!, xrefs: 00007FF73D7A10B4
1.2.13, xrefs: 00007FF73D7A107E
Failed to extract %s: failed to allocate temporary output buffer!, xrefs: 00007FF73D7A111F
Failed to extract %s: failed to allocate temporary input buffer!, xrefs: 00007FF73D7A10F1
malloc, xrefs: 00007FF73D7A10F8, 00007FF73D7A1126
Failed to extract %s: decompression resulted in return code %d!, xrefs: 00007FF73D7A1249

Memory Dump Source

Source File: 00000003.00000002.2440853785.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000003.00000002.2440821736.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440889498.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2441000945.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID:
String ID: 1.2.13$Failed to extract %s: decompression resulted in return code %d!$Failed to extract %s: failed to allocate temporary input buffer!$Failed to extract %s: failed to allocate temporary output buffer!$Failed to extract %s: inflateInit() failed with return code %d!$malloc
API String ID: 0-1655038675
Opcode ID: ad1d5c708e0e1f1d3b9565d7782decd6f7c4dfa5a4b923ce9d46d716d778b2b5
Instruction ID: 5f2d5940081e6786cb7d0821df9bfca7ea7bf0fda4bddac639a9ad2d30221019
Opcode Fuzzy Hash: ad1d5c708e0e1f1d3b9565d7782decd6f7c4dfa5a4b923ce9d46d716d778b2b5
Instruction Fuzzy Hash: 64518022A0D68AA5FA60BB91E4403B9A291BB88794FC44135DE4D877C5FF3CF549E720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7BB08C Relevance: 10.8, APIs: 7, Instructions: 290
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF73D7BB4B9

Memory Dump Source

Source File: 00000003.00000002.2440853785.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000003.00000002.2440821736.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440889498.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2441000945.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 6ace3fbad8ddd1cd05ed41dddf3a6c6a2c6962649ba5052cc4813f441b9b9292
Instruction ID: 4abb210d8458dfb35c3cc1d39a417f16e737bf044167b41653809584b7eae96f
Opcode Fuzzy Hash: 6ace3fbad8ddd1cd05ed41dddf3a6c6a2c6962649ba5052cc4813f441b9b9292
Instruction Fuzzy Hash: 7BC1082290C64E61E722AB9594482BDB751FBA9B80FD50131EE8D07791EF7CF449E320

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7BC590 Relevance: 6.2, APIs: 4, Instructions: 218
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,?,00000000,00000000,00007FF73D7BC57B), ref: 00007FF73D7BC6AC
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,?,00000000,00000000,00007FF73D7BC57B), ref: 00007FF73D7BC737

Memory Dump Source

Source File: 00000003.00000002.2440853785.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000003.00000002.2440821736.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440889498.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2441000945.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID: ConsoleErrorLastMode
String ID:
API String ID: 953036326-0
Opcode ID: 1ee269c4fb3492fdab786e16ea0be33da994e1b3a3006f3c14cd8905a42bf150
Instruction ID: 14713b6ca5f96d38d89900a7ab2817049fe3ee9c0c1074ee1b6d9d1dcfad9830
Opcode Fuzzy Hash: 1ee269c4fb3492fdab786e16ea0be33da994e1b3a3006f3c14cd8905a42bf150
Instruction Fuzzy Hash: D391C832E0C65AA5F750AFB5944027DA7A0FB68B88F948139EE4E57684EF38F441D720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7BE95C Relevance: 6.2, APIs: 4, Instructions: 162
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_get_daylight.LIBCMT ref: 00007FF73D7BEA4C
_get_daylight.LIBCMT ref: 00007FF73D7BEA5D
_get_daylight.LIBCMT ref: 00007FF73D7BEA6E
_isindst.LIBCMT ref: 00007FF73D7BEB39

Memory Dump Source

Source File: 00000003.00000002.2440853785.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000003.00000002.2440821736.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440889498.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2441000945.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID: _get_daylight$_isindst
String ID:
API String ID: 4170891091-0
Opcode ID: 993f4cb53d01987759aa9ab87d439edc94425a62c6450610c4994d1423bcdf7f
Instruction ID: 023e201b58abf58582f42327d4877943cc7836e36954433d4f003d84484bc9ea
Opcode Fuzzy Hash: 993f4cb53d01987759aa9ab87d439edc94425a62c6450610c4994d1423bcdf7f
Instruction Fuzzy Hash: 0D516972F182195AFB18EFA4D851ABDA7A1AB28358F940135DD1F47BD0EF38B501DB00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7B483C Relevance: 6.1, APIs: 4, Instructions: 119
pipeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileType.KERNEL32 ref: 00007FF73D7B486F
GetFileInformationByHandle.KERNEL32 ref: 00007FF73D7B48D1
GetLastError.KERNEL32 ref: 00007FF73D7B4962
PeekNamedPipe.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF73D7B4774), ref: 00007FF73D7B49AE

Memory Dump Source

Source File: 00000003.00000002.2440853785.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000003.00000002.2440821736.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440889498.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2441000945.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID: File$ErrorHandleInformationLastNamedPeekPipeType
String ID:
API String ID: 2780335769-0
Opcode ID: 81de7022a69b47ce39b5392d1784fece2718e2d2aab2765227a8e407644b98c7
Instruction ID: c91557c8b89d67a92f2a11b696a4683178425248f3c64a72bb04d1c15936d844
Opcode Fuzzy Hash: 81de7022a69b47ce39b5392d1784fece2718e2d2aab2765227a8e407644b98c7
Instruction Fuzzy Hash: 7A51BD22E0C646AAFB10EFB0D4503BDA3A1BB5CB5CF908035DE4D57689EF38E4859760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7B46E8 Relevance: 6.1, APIs: 4, Instructions: 90fileCOMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF73D7B4715
CreateFileW.KERNEL32 ref: 00007FF73D7B4754
CloseHandle.KERNEL32 ref: 00007FF73D7B4789

Memory Dump Source

Source File: 00000003.00000002.2440853785.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000003.00000002.2440821736.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440889498.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2441000945.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID: CloseCreateFileHandle_invalid_parameter_noinfo
String ID:
API String ID: 1279662727-0
Opcode ID: 58b178a13046118a9aa3eab3ad0445e857bf873c1952e3e12f7b4cc56e3b75ff
Instruction ID: b568f7dd7fe2386bbbe20592a6efc1d613a31154cc1a92507e02d4342b02cb30
Opcode Fuzzy Hash: 58b178a13046118a9aa3eab3ad0445e857bf873c1952e3e12f7b4cc56e3b75ff
Instruction Fuzzy Hash: 7041C222D1C78597E710ABA09510379B360FBA97A8F908334E79C03AD1EF7CB4E09720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7AA51C Relevance: 4.6, APIs: 3, Instructions: 102COMMON

Download Yara Rule

APIs

__scrt_initialize_crt.LIBCMT ref: 00007FF73D7AA530

Part of subcall function 00007FF73D7AA6FC: __scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF73D7AA71E

__scrt_acquire_startup_lock.LIBCMT ref: 00007FF73D7AA545
__scrt_release_startup_lock.LIBCMT ref: 00007FF73D7AA5B3

Memory Dump Source

Source File: 00000003.00000002.2440853785.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000003.00000002.2440821736.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440889498.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2441000945.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_initialize_crt__scrt_release_startup_lock
String ID:
API String ID: 3058843127-0
Opcode ID: 0a8c62a57e2cf59f1561fe537eeb51f2220189f8d74725526a3d26dbeb988a7e
Instruction ID: 6506bc38d70cf4cf3ba8cc93d4fa138e899af3dbc8c4ce6f4be12d8257933380
Opcode Fuzzy Hash: 0a8c62a57e2cf59f1561fe537eeb51f2220189f8d74725526a3d26dbeb988a7e
Instruction Fuzzy Hash: 14313821E0C28AA6EA54BBE0D4123BAA291BF4D784FC44435EA4D47393FF2CB445A770

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7B89E8 Relevance: 4.5, APIs: 3, Instructions: 14COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,00007FF73D7B89E4), ref: 00007FF73D7B89F9
TerminateProcess.KERNEL32(?,?,?,00007FF73D7B89E4), ref: 00007FF73D7B8A04
ExitProcess.KERNEL32 ref: 00007FF73D7B8A13

Memory Dump Source

Source File: 00000003.00000002.2440853785.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000003.00000002.2440821736.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440889498.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2441000945.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: fc68bfbf785dc4e8d02d30f22ac316467e06faf73d836825e3014864920bd8dd
Instruction ID: 59741308a5176c070f84cd34da3ad558a5030ab20cd00259ed85331e3fffd813
Opcode Fuzzy Hash: fc68bfbf785dc4e8d02d30f22ac316467e06faf73d836825e3014864920bd8dd
Instruction Fuzzy Hash: 03D09E10B0C64AAAEB543BF1585917992516F9C762F841438C88F17393FF3DB84D6270

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7AE6FC Relevance: 3.2, APIs: 2, Instructions: 177COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF73D7AE740
_invalid_parameter_noinfo.LIBCMT ref: 00007FF73D7AE837

Memory Dump Source

Source File: 00000003.00000002.2440853785.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000003.00000002.2440821736.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440889498.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2441000945.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 91f838de0bf1c0634cfb639a0c406c35748c40ae1573d712d08faa75350ec251
Instruction ID: bf5cefecd58a8824fbe5ff991beb8f0fcafe1351405de923383375ec2ea08358
Opcode Fuzzy Hash: 91f838de0bf1c0634cfb639a0c406c35748c40ae1573d712d08faa75350ec251
Instruction Fuzzy Hash: F2510921F2D25A56F768BAA5940067AE181BF48BB4F884634DD7C077C5EF3CF401A721

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7BC048 Relevance: 3.1, APIs: 2, Instructions: 74fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 00007FF73D7BC0FB
GetLastError.KERNEL32 ref: 00007FF73D7BC117

Memory Dump Source

Source File: 00000003.00000002.2440853785.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000003.00000002.2440821736.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440889498.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2441000945.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID:
API String ID: 442123175-0
Opcode ID: 48497a76b3055afe52661005fd715ce1d46b06a16acad2e21dfde3d81f02aed8
Instruction ID: 9bafce91676fc5c94e093fe903c661060f26a86cce37ab452474dceaacc26843
Opcode Fuzzy Hash: 48497a76b3055afe52661005fd715ce1d46b06a16acad2e21dfde3d81f02aed8
Instruction Fuzzy Hash: 2831B47261CA89AADB50AF65E8402A9B760FB5C780FC48032EB8D83755FF3CE555D720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7BBA48 Relevance: 3.1, APIs: 2, Instructions: 71COMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32 ref: 00007FF73D7BBAC1
GetFileType.KERNEL32 ref: 00007FF73D7BBAD7

Memory Dump Source

Source File: 00000003.00000002.2440853785.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000003.00000002.2440821736.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440889498.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2441000945.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID: FileHandleType
String ID:
API String ID: 3000768030-0
Opcode ID: 51d66a3ea3a1e5720d3031fa8d01ef1f6d3b4a26eee4bfd04239a76c9c1293a5
Instruction ID: 9e6f93e8bea8158b100c1ce2930ce8726f03d36fd446219f97fea8e789d363b3
Opcode Fuzzy Hash: 51d66a3ea3a1e5720d3031fa8d01ef1f6d3b4a26eee4bfd04239a76c9c1293a5
Instruction Fuzzy Hash: D931D622E1CB4AA1D7219B548584179AA50FB5DBB0FA81339EF6E073E4DF38F491E310

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7BA188 Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNEL32(?,?,?,00007FF73D7BA005,?,?,00000000,00007FF73D7BA0BA), ref: 00007FF73D7BA1F6
GetLastError.KERNEL32(?,?,?,00007FF73D7BA005,?,?,00000000,00007FF73D7BA0BA), ref: 00007FF73D7BA200

Memory Dump Source

Source File: 00000003.00000002.2440853785.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000003.00000002.2440821736.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440889498.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2441000945.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID: ChangeCloseErrorFindLastNotification
String ID:
API String ID: 1687624791-0
Opcode ID: 6fe57093fbbb00cdf8389479e1e18e52ea82cce6ea34632ee61e1d7ac301845a
Instruction ID: 720975984a31862dbd6b806d2a14fb68b46e1fa4ba664aa7d704bd5eb6163b4c
Opcode Fuzzy Hash: 6fe57093fbbb00cdf8389479e1e18e52ea82cce6ea34632ee61e1d7ac301845a
Instruction Fuzzy Hash: CD219511B1C64A61FE9077D194902BD96A1AFAC7A0FC45235DA6D473C5FFACB4446310

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7BB764 Relevance: 3.0, APIs: 2, Instructions: 46COMMONLIBRARYCODE

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32(?,?,?,?,?,00007FF73D7BB750,00000000,?,?,?,00007FF73D7A1023,00007FF73D7BB859), ref: 00007FF73D7BB7B0
GetLastError.KERNEL32(?,?,?,?,?,00007FF73D7BB750,00000000,?,?,?,00007FF73D7A1023,00007FF73D7BB859), ref: 00007FF73D7BB7BA

Memory Dump Source

Source File: 00000003.00000002.2440853785.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000003.00000002.2440821736.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440889498.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2441000945.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 7196098b30ecd42809471233c9619b7315c9fb41ce716e28bdee8d0b35162eb6
Instruction ID: 9fe5712ef25d82b8c6fa35a5e7df89dc56d11b8ad7af2cc24ee1ba12a60ebebc
Opcode Fuzzy Hash: 7196098b30ecd42809471233c9619b7315c9fb41ce716e28bdee8d0b35162eb6
Instruction Fuzzy Hash: 0D11272270CB8691DA10AB66A408069E361FB58BF0FD44332EEBD0B7D8EF7CE0408700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7B49E4 Relevance: 3.0, APIs: 2, Instructions: 40timeCOMMON

Download Yara Rule

APIs

FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF73D7B48F9), ref: 00007FF73D7B4A17
SystemTimeToTzSpecificLocalTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF73D7B48F9), ref: 00007FF73D7B4A2D

Memory Dump Source

Source File: 00000003.00000002.2440853785.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000003.00000002.2440821736.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440889498.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2441000945.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID: Time$System$FileLocalSpecific
String ID:
API String ID: 1707611234-0
Opcode ID: 5359c6eadbc125880de5eb3a516e79e0ad43a75e61374d6be107f92d83a7530b
Instruction ID: a9c5d0952685bd83c920b09168faec54f74208da43ecec94c1811ad3dc48a682
Opcode Fuzzy Hash: 5359c6eadbc125880de5eb3a516e79e0ad43a75e61374d6be107f92d83a7530b
Instruction Fuzzy Hash: 7D11A77260C65691EB54AB60A41113BF7A0FB98779F900235F6AE81AD4FF3CE054EB10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7BB4DC Relevance: 1.6, APIs: 1, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF73D7BB504

Memory Dump Source

Source File: 00000003.00000002.2440853785.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000003.00000002.2440821736.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440889498.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2441000945.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 3cb10c43647639a768565940e1ce5c449de1869fbc1a92892aa118bde093882e
Instruction ID: 517d932d23769ba1c459684f826121b752213ba741d90c28d5b1a8ffb3eb48fe
Opcode Fuzzy Hash: 3cb10c43647639a768565940e1ce5c449de1869fbc1a92892aa118bde093882e
Instruction Fuzzy Hash: 0941F53290C64997EA35EB99A545179F3A0EF7AB44F940131DA8E836D0EF2CF402D761

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7A6360 Relevance: 1.6, APIs: 1, Instructions: 85COMMON

Download Yara Rule

APIs

_fread_nolock.LIBCMT ref: 00007FF73D7A640A

Memory Dump Source

Source File: 00000003.00000002.2440853785.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000003.00000002.2440821736.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440889498.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2441000945.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID: _fread_nolock
String ID:
API String ID: 840049012-0
Opcode ID: 1ebe73e79a88a8d1e8c37e7947aa95229b0cab0f74217ed01c060248211f59ac
Instruction ID: ff08a9ade6575cdb7e99cc50919c6722b45082b43a1caf98e1b5ae9141df743e
Opcode Fuzzy Hash: 1ebe73e79a88a8d1e8c37e7947aa95229b0cab0f74217ed01c060248211f59ac
Instruction Fuzzy Hash: A421A221B1CA9A66EA24BB9269043BEE651BF49BC4FC84430EE0C07786EF3CF1459610

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7BAF6C Relevance: 1.6, APIs: 1, Instructions: 79COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF73D7BAFF2

Memory Dump Source

Source File: 00000003.00000002.2440853785.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000003.00000002.2440821736.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440889498.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2441000945.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 215bf1b77ccde561eed8eea60c34a1d65fc1379a1c4c4c23abd8e86c97fd8e23
Instruction ID: 775eefcb58c7010862e085f5705da31cf3a6f26b1618e4c8eb30da5033f83ba6
Opcode Fuzzy Hash: 215bf1b77ccde561eed8eea60c34a1d65fc1379a1c4c4c23abd8e86c97fd8e23
Instruction Fuzzy Hash: 0931C561A1C60AA5E7217BD684403BCAA50BB6DB50FC10135EA9D073D2EFBCF446A330

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7B8919 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF73D7B8947

Part of subcall function 00007FF73D7B8A40: GetModuleHandleExW.KERNEL32 ref: 00007FF73D7B8A65
Part of subcall function 00007FF73D7B8A40: GetProcAddress.KERNEL32 ref: 00007FF73D7B8A7B
Part of subcall function 00007FF73D7B8A40: FreeLibrary.KERNEL32 ref: 00007FF73D7B8AA2

Memory Dump Source

Source File: 00000003.00000002.2440853785.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000003.00000002.2440821736.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440889498.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2441000945.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID: HandleModule$AddressFreeLibraryProc
String ID:
API String ID: 3947729631-0
Opcode ID: 7474e071a48ef7130f5acd4d7b35ddfbaeb0d66e7037ac086cf5d56d8c80b409
Instruction ID: 775c63a974944b002aef68a48c7381feda699859f858bcbbc337567a8d685faf
Opcode Fuzzy Hash: 7474e071a48ef7130f5acd4d7b35ddfbaeb0d66e7037ac086cf5d56d8c80b409
Instruction Fuzzy Hash: 3C21A172E0870A9AEB24AFA4C4442FC77B0EB18718F881636D65D06AC5EF38E444D7A1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7B5538 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF73D7B549D

Memory Dump Source

Source File: 00000003.00000002.2440853785.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000003.00000002.2440821736.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440889498.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2441000945.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 25f020cec256df429067bb606d051891f0f83e0bb8faa834007163ccabd97c9c
Instruction ID: e174bde111b7000417c003b7b92e9001e6ad9bc835f14afad58af2176a201aec
Opcode Fuzzy Hash: 25f020cec256df429067bb606d051891f0f83e0bb8faa834007163ccabd97c9c
Instruction Fuzzy Hash: A0118121A1C64991EA60BF91940127DE260FFA9BC0FC84431EB8C57A86EF7DF8016760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7C57DC Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF73D7C57FF

Memory Dump Source

Source File: 00000003.00000002.2440853785.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000003.00000002.2440821736.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440889498.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2441000945.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: e860bb9bc84c29a06dccfc010b7eb52daf61d2c250f48aeb7393b4a8ace16f10
Instruction ID: f8ca7ac263bc340faa61b88183489ee1a67271bb09b8e842157e9f26a7616a4d
Opcode Fuzzy Hash: e860bb9bc84c29a06dccfc010b7eb52daf61d2c250f48aeb7393b4a8ace16f10
Instruction Fuzzy Hash: 2A21D732A1CA459BDB61AF58D440379B6A0FB88BA4FD44234E79D476D9EF3DE4009B10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7AE97C Relevance: 1.5, APIs: 1, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF73D7AE9D0

Memory Dump Source

Source File: 00000003.00000002.2440853785.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000003.00000002.2440821736.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440889498.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2441000945.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 298f7b2a666c55937c0a4044f00fb88544ba948c427ceaa5fd6043e577695ec0
Instruction ID: 3c7e5f1cece18e3a4ffeb2a89911fbfa3b7107d67d380c2fdf27fd84a1826db4
Opcode Fuzzy Hash: 298f7b2a666c55937c0a4044f00fb88544ba948c427ceaa5fd6043e577695ec0
Instruction Fuzzy Hash: FD01E121B1C75951EA44BBA29800069E691AB9AFE0F884631DE6C17BD6EF3CF0019310

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7BDEB8 Relevance: 1.5, APIs: 1, Instructions: 36memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,?,00000000,00007FF73D7BAA16,?,?,?,00007FF73D7B9BD3,?,?,00000000,00007FF73D7B9E6E), ref: 00007FF73D7BDF0D

Memory Dump Source

Source File: 00000003.00000002.2440853785.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000003.00000002.2440821736.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440889498.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2441000945.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 69550027ed8e3bf035e7bef6798a6f7658c1153be72ca181ca789a5114add420
Instruction ID: 7da089473aa26f62989ef3f5f1587ebcdddf4086610b21ed715ad7d8ba768998
Opcode Fuzzy Hash: 69550027ed8e3bf035e7bef6798a6f7658c1153be72ca181ca789a5114add420
Instruction Fuzzy Hash: 95F04940B0D20B65FE587BE298542B4A2945FACB40FCC4435CA1F862D2FF2CF4826230

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7BCC2C Relevance: 1.5, APIs: 1, Instructions: 29memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,?,?,00007FF73D7AF1E4,?,?,?,00007FF73D7B06F6,?,?,?,?,?,00007FF73D7B275D), ref: 00007FF73D7BCC6A

Memory Dump Source

Source File: 00000003.00000002.2440853785.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000003.00000002.2440821736.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440889498.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2441000945.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: b827a7ab023d1767f95784f6f7fefaf86c66ee15463514ccfd07e797832e7771
Instruction ID: 46d808f0efd6a0ce807184155e0fcfa0990347bdde9abd32edbc7a856490e093
Opcode Fuzzy Hash: b827a7ab023d1767f95784f6f7fefaf86c66ee15463514ccfd07e797832e7771
Instruction Fuzzy Hash: ADF05E50B1D24E65FE2576F1594567591809FBD7A0FC88236E92E4A2D1FF2CB440B230

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7A6310 Relevance: 1.5, APIs: 1, Instructions: 20libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF73D7A6DB0: MultiByteToWideChar.KERNEL32(?,?,?,?,?,?), ref: 00007FF73D7A6DEA

LoadLibraryW.KERNEL32(?,?,00000000,00007FF73D7A22DE,?,?,?,?), ref: 00007FF73D7A6333

Memory Dump Source

Source File: 00000003.00000002.2440853785.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000003.00000002.2440821736.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440889498.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2441000945.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID: ByteCharLibraryLoadMultiWide
String ID:
API String ID: 2592636585-0
Opcode ID: 4f2292e1e78b6b04c2ade65416a023b90951e6264d27b8cd69ba397aaf3470f3
Instruction ID: 77913052a8c609af7fd3d22c50dd9b4758f2060ae73ae07da983ac087d472311
Opcode Fuzzy Hash: 4f2292e1e78b6b04c2ade65416a023b90951e6264d27b8cd69ba397aaf3470f3
Instruction Fuzzy Hash: C4E08611B1854962DE18A7A7A90546AE251EF4CBC0BC89035DE0D47755EE2CE4914B00

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00007FF73D7A58E0 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 139COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(?,00000000,?,00007FF73D7A58AD), ref: 00007FF73D7A597A
GetCurrentProcessId.KERNEL32(?,00007FF73D7A58AD), ref: 00007FF73D7A5980

Part of subcall function 00007FF73D7A5AF0: GetEnvironmentVariableW.KERNEL32(00007FF73D7A2817,?,?,?,?,?,?), ref: 00007FF73D7A5B2A
Part of subcall function 00007FF73D7A5AF0: ExpandEnvironmentStringsW.KERNEL32(?,?,?,?,?,?), ref: 00007FF73D7A5B47

Part of subcall function 00007FF73D7B6818: _invalid_parameter_noinfo.LIBCMT ref: 00007FF73D7B6831

SetEnvironmentVariableW.KERNEL32(?,TokenIntegrityLevel), ref: 00007FF73D7A5A31

Strings

TMP, xrefs: 00007FF73D7A5918, 00007FF73D7A59D9, 00007FF73D7A5A67
_MEI%d, xrefs: 00007FF73D7A5988
TMP, xrefs: 00007FF73D7A593E
LOADER: Failed to set the TMP environment variable., xrefs: 00007FF73D7A5958

Memory Dump Source

Source File: 00000003.00000002.2440853785.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000003.00000002.2440821736.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440889498.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2441000945.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID: Environment$Variable$CurrentExpandPathProcessStringsTemp_invalid_parameter_noinfo
String ID: LOADER: Failed to set the TMP environment variable.$TMP$TMP$_MEI%d
API String ID: 1556224225-1116378104
Opcode ID: a44a740facdf1d92c96cc1d57dfc7a24484df9c802c516da767de91bd523a684
Instruction ID: 78d302aa24c31cb0675fec92773ab3791572cfcb0d35809826cf7892d8883227
Opcode Fuzzy Hash: a44a740facdf1d92c96cc1d57dfc7a24484df9c802c516da767de91bd523a684
Instruction Fuzzy Hash: 8D516810B0D64A74EE54BBE2A9552BAD2A16F5DBD4FC44031ED0E4BB96FF2CF401A320

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8A8093354 Relevance: 13.6, APIs: 9, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF8A8093370
00007FF8BFAC19A0.VCRUNTIME140 ref: 00007FF8A8093394
RtlCaptureContext.KERNEL32 ref: 00007FF8A809339D
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF8A80933B7
RtlVirtualUnwind.KERNEL32 ref: 00007FF8A80933F8
00007FF8BFAC19A0.VCRUNTIME140 ref: 00007FF8A809342B
IsDebuggerPresent.KERNEL32 ref: 00007FF8A809344C
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF8A809346D
UnhandledExceptionFilter.KERNEL32 ref: 00007FF8A8093478

Memory Dump Source

Source File: 00000003.00000002.2441062409.00007FF8A8091000.00000040.00000001.01000000.0000001E.sdmp, Offset: 00007FF8A8090000, based on PE: true

Associated: 00000003.00000002.2441033358.00007FF8A8090000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000003.00000002.2441062409.00007FF8A80EC000.00000040.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000003.00000002.2441062409.00007FF8A8137000.00000040.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000003.00000002.2441062409.00007FF8A813B000.00000040.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000003.00000002.2441062409.00007FF8A8140000.00000040.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000003.00000002.2441062409.00007FF8A8195000.00000040.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000003.00000002.2441062409.00007FF8A819B000.00000040.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000003.00000002.2441062409.00007FF8A819E000.00000040.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000003.00000002.2441362670.00007FF8A819F000.00000080.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000003.00000002.2441390190.00007FF8A81A1000.00000004.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff8a8090000_xSO7sbN2j6.jbxd

Similarity

API ID: 00007ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3558122275-0
Opcode ID: f3bfa0d7e3a45517c18d5de04843167fa21b807f60634c4a76319ccc9bdfb4aa
Instruction ID: 584e279579235ebd57d79795e62c91fb492d50b6ecf6dd4fec74479dc2046366
Opcode Fuzzy Hash: f3bfa0d7e3a45517c18d5de04843167fa21b807f60634c4a76319ccc9bdfb4aa
Instruction Fuzzy Hash: 03312D7260AF8196EB609F61E8803EE7360FB84784F444439DA5E47BD4DF38D558CB24

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8A81B4480 Relevance: 12.2, APIs: 8, Instructions: 246fileCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32 ref: 00007FF8A8351199
GetLastError.KERNEL32 ref: 00007FF8A83511AA
MultiByteToWideChar.KERNEL32 ref: 00007FF8A83511CD
MultiByteToWideChar.KERNEL32 ref: 00007FF8A8351355
00007FF8C610F020.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF8A8351366
FindFirstFileW.KERNEL32 ref: 00007FF8A83513B1
FindNextFileW.KERNEL32 ref: 00007FF8A83513E8
WideCharToMultiByte.KERNEL32 ref: 00007FF8A8351442

Memory Dump Source

Source File: 00000003.00000002.2441450814.00007FF8A81B1000.00000040.00000001.01000000.00000017.sdmp, Offset: 00007FF8A81B0000, based on PE: true

Associated: 00000003.00000002.2441421471.00007FF8A81B0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2441450814.00007FF8A81BD000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2441450814.00007FF8A8215000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2441450814.00007FF8A8229000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2441450814.00007FF8A823A000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2441450814.00007FF8A8240000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2441450814.00007FF8A824D000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2441450814.00007FF8A83F6000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2441450814.00007FF8A83F8000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2441450814.00007FF8A8423000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2441450814.00007FF8A8454000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2441450814.00007FF8A847A000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2441450814.00007FF8A84C7000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2441450814.00007FF8A84CF000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2441450814.00007FF8A84EB000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2441450814.00007FF8A84F8000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2442136726.00007FF8A84FC000.00000080.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2442165063.00007FF8A84FE000.00000004.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff8a81b0000_xSO7sbN2j6.jbxd

Similarity

API ID: ByteCharMultiWide$FileFind$00007C610ErrorF020FirstLastNext
String ID:
API String ID: 448414246-0
Opcode ID: bf4024f68e3e1b44317f9b66725c75e59e0182f0fb6d1c05b215eb9eb008ad04
Instruction ID: 643c0cdb00611f06819775b597944f7af5906108326d8b3330faecbec2dc0140
Opcode Fuzzy Hash: bf4024f68e3e1b44317f9b66725c75e59e0182f0fb6d1c05b215eb9eb008ad04
Instruction Fuzzy Hash: F7B1F222A1AE829AEB148F25D85427D67A0FF45BE4F485335DB9E537D4EF3CE0418328

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7AAA2C Relevance: 10.6, APIs: 7, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF73D7AAA48
RtlCaptureContext.KERNEL32 ref: 00007FF73D7AAA75
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF73D7AAA8F
RtlVirtualUnwind.KERNEL32 ref: 00007FF73D7AAAD0
IsDebuggerPresent.KERNEL32 ref: 00007FF73D7AAB24
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF73D7AAB45
UnhandledExceptionFilter.KERNEL32 ref: 00007FF73D7AAB50

Memory Dump Source

Source File: 00000003.00000002.2440853785.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000003.00000002.2440821736.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440889498.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2441000945.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 414c3b7d1a52ef3ba5408d69683659119c26abb58edcf35ad0cee906abb0d3fb
Instruction ID: e7732b1cae41157c743cfbfa39694a303825a54aaf0bdadc6f7f52e7c75e2d1c
Opcode Fuzzy Hash: 414c3b7d1a52ef3ba5408d69683659119c26abb58edcf35ad0cee906abb0d3fb
Instruction Fuzzy Hash: 28316572619B859AEB609FA0E8403EDB371FB48755F844039DA8D47794EF3CD548D720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7B9C44 Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF73D7B9CBD
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF73D7B9CD5
RtlVirtualUnwind.KERNEL32 ref: 00007FF73D7B9D10
IsDebuggerPresent.KERNEL32 ref: 00007FF73D7B9D49
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF73D7B9D53
UnhandledExceptionFilter.KERNEL32 ref: 00007FF73D7B9D5E

Memory Dump Source

Source File: 00000003.00000002.2440853785.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000003.00000002.2440821736.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440889498.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2441000945.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 5dfb057c3f1a11160ff10646ccc1b52b02cf652cbed9a545e94d4dbf2c44da7d
Instruction ID: 8d5fe2a6a2ffee7f65fa2768026c1b19fb232a7a0287faf5c1036e09091e0012
Opcode Fuzzy Hash: 5dfb057c3f1a11160ff10646ccc1b52b02cf652cbed9a545e94d4dbf2c44da7d
Instruction Fuzzy Hash: FA31713261CF859AEB60DF65E8402AEB3A0FB88754F900136EA9D43B54EF3CE155CB10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8A81B3EBD Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 280COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF8A81B11B8: GetLastError.KERNEL32 ref: 00007FF8A83A4DE6
Part of subcall function 00007FF8A81B11B8: TlsGetValue.KERNEL32 ref: 00007FF8A83A4DF0
Part of subcall function 00007FF8A81B11B8: SetLastError.KERNEL32 ref: 00007FF8A83A4DFB

SwitchToFiber.KERNEL32 ref: 00007FF8A8272F41
CreateFiber.KERNEL32 ref: 00007FF8A8273027
SwitchToFiber.KERNEL32 ref: 00007FF8A82730A9

Strings

..\s\crypto\async\async.c, xrefs: 00007FF8A8272E61, 00007FF8A8272E78, 00007FF8A8272EC0, 00007FF8A8272F8B, 00007FF8A8273055, 00007FF8A82730C1, 00007FF8A8273141, 00007FF8A8273183, 00007FF8A82731AB, 00007FF8A82731D7, 00007FF8A82731FF, 00007FF8A8273243
*, xrefs: 00007FF8A8272E7F

Memory Dump Source

Source File: 00000003.00000002.2441450814.00007FF8A81B1000.00000040.00000001.01000000.00000017.sdmp, Offset: 00007FF8A81B0000, based on PE: true

Associated: 00000003.00000002.2441421471.00007FF8A81B0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2441450814.00007FF8A81BD000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2441450814.00007FF8A8215000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2441450814.00007FF8A8229000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2441450814.00007FF8A823A000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2441450814.00007FF8A8240000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2441450814.00007FF8A824D000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2441450814.00007FF8A83F6000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2441450814.00007FF8A83F8000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2441450814.00007FF8A8423000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2441450814.00007FF8A8454000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2441450814.00007FF8A847A000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2441450814.00007FF8A84C7000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2441450814.00007FF8A84CF000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2441450814.00007FF8A84EB000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2441450814.00007FF8A84F8000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2442136726.00007FF8A84FC000.00000080.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2442165063.00007FF8A84FE000.00000004.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff8a81b0000_xSO7sbN2j6.jbxd

Similarity

API ID: Fiber$ErrorLastSwitch$CreateValue
String ID: *$..\s\crypto\async\async.c
API String ID: 3645934416-1471988776
Opcode ID: bd6c83728c9125bd7923cc3e504ec05b494e92e94b7f9ceb88ffe033b218295b
Instruction ID: ee7be20f5ef66fdcbc422b16d8c130ae27ad2ec6f6051ebe548a1b4b3a72207c
Opcode Fuzzy Hash: bd6c83728c9125bd7923cc3e504ec05b494e92e94b7f9ceb88ffe033b218295b
Instruction Fuzzy Hash: 82C1AF32A0A702A6EB21DF22E4056BA73A5FF44BC0F844435CA4D47B95EF3DE555C328

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7C0A34 Relevance: 7.8, APIs: 5, Instructions: 282COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF73D7C0A80
FindFirstFileExW.KERNEL32 ref: 00007FF73D7C0B8A

Memory Dump Source

Source File: 00000003.00000002.2440853785.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000003.00000002.2440821736.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440889498.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2441000945.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID: FileFindFirst_invalid_parameter_noinfo
String ID:
API String ID: 2227656907-0
Opcode ID: 9f9ca1d73139302c1f8dadc28b774b2f708e59aaaf6a5032caa9291e182b955e
Instruction ID: e422c403e1153449071b0164cf84c024ec30c100d2f5e9a2eddfc1ba84884ca9
Opcode Fuzzy Hash: 9f9ca1d73139302c1f8dadc28b774b2f708e59aaaf6a5032caa9291e182b955e
Instruction Fuzzy Hash: 4EB1C762B1C69A59EA61EBA198001B9E350EB58BF4FC44132E99E07BC5FF3CF451D360

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8A80912C0 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 362COMMON

Download Yara Rule

APIs

00007FF8A8A696D8.PYTHON38 ref: 00007FF8A8091498

Strings

0, xrefs: 00007FF8A8091316

Memory Dump Source

Source File: 00000003.00000002.2441062409.00007FF8A8091000.00000040.00000001.01000000.0000001E.sdmp, Offset: 00007FF8A8090000, based on PE: true

Associated: 00000003.00000002.2441033358.00007FF8A8090000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000003.00000002.2441062409.00007FF8A80EC000.00000040.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000003.00000002.2441062409.00007FF8A8137000.00000040.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000003.00000002.2441062409.00007FF8A813B000.00000040.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000003.00000002.2441062409.00007FF8A8140000.00000040.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000003.00000002.2441062409.00007FF8A8195000.00000040.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000003.00000002.2441062409.00007FF8A819B000.00000040.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000003.00000002.2441062409.00007FF8A819E000.00000040.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000003.00000002.2441362670.00007FF8A819F000.00000080.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000003.00000002.2441390190.00007FF8A81A1000.00000004.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff8a8090000_xSO7sbN2j6.jbxd

Similarity

API ID: 00007A696
String ID: 0
API String ID: 815660849-4108050209
Opcode ID: 9c617f3b2e959f12495cdfb33a5913068961d149ce39f7153d8c80afd332587c
Instruction ID: 974c8a1ac72373644885bcb3f8fc61b3dd140bea65b80d2baee0ad67a3734834
Opcode Fuzzy Hash: 9c617f3b2e959f12495cdfb33a5913068961d149ce39f7153d8c80afd332587c
Instruction Fuzzy Hash: C9F1D032B0ED52A5EF748B25D45867932A5FB657C0F055131EA8E827D0EF3CE861CB24

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7A2F20 Relevance: 291.0, APIs: 55, Strings: 111, Instructions: 457libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,?,00000000,00007FF73D7A22DE,?,?,?,?), ref: 00007FF73D7A2F36
GetProcAddress.KERNEL32(?,?,00000000,00007FF73D7A22DE,?,?,?,?), ref: 00007FF73D7A2F75
GetProcAddress.KERNEL32(?,?,00000000,00007FF73D7A22DE,?,?,?,?), ref: 00007FF73D7A2F9A
GetProcAddress.KERNEL32(?,?,00000000,00007FF73D7A22DE,?,?,?,?), ref: 00007FF73D7A2FBF
GetProcAddress.KERNEL32(?,?,00000000,00007FF73D7A22DE,?,?,?,?), ref: 00007FF73D7A2FE7
GetProcAddress.KERNEL32(?,?,00000000,00007FF73D7A22DE,?,?,?,?), ref: 00007FF73D7A300F
GetProcAddress.KERNEL32(?,?,00000000,00007FF73D7A22DE,?,?,?,?), ref: 00007FF73D7A3037
GetProcAddress.KERNEL32(?,?,00000000,00007FF73D7A22DE,?,?,?,?), ref: 00007FF73D7A305F
GetProcAddress.KERNEL32(?,?,00000000,00007FF73D7A22DE,?,?,?,?), ref: 00007FF73D7A3087

Strings

PyDict_GetItemString, xrefs: 00007FF73D7A323D
Failed to get address for Py_OptimizeFlag, xrefs: 00007FF73D7A3049
Py_IncRef, xrefs: 00007FF73D7A314D
PyErr_NormalizeException, xrefs: 00007FF73D7A332D
Failed to get address for PySys_SetPath, xrefs: 00007FF73D7A3619
Failed to get address for PyErr_Print, xrefs: 00007FF73D7A32D1
PyUnicode_DecodeFSDefault, xrefs: 00007FF73D7A373D
Failed to get address for PyList_Append, xrefs: 00007FF73D7A33E9
Failed to get address for PyObject_CallFunctionObjArgs, xrefs: 00007FF73D7A34B1
Failed to get address for PyUnicode_Join, xrefs: 00007FF73D7A37A9
Py_DecRef, xrefs: 00007FF73D7A30FD
Py_SetProgramName, xrefs: 00007FF73D7A31ED
PyImport_AddModule, xrefs: 00007FF73D7A3355
PyObject_GetAttrString, xrefs: 00007FF73D7A34E5
PyUnicode_Decode, xrefs: 00007FF73D7A3715
Py_SetPythonHome, xrefs: 00007FF73D7A3215
Failed to get address for PyUnicode_FromString, xrefs: 00007FF73D7A3691
Failed to get address for Py_SetPythonHome, xrefs: 00007FF73D7A3231
Failed to get address for PyObject_CallFunction, xrefs: 00007FF73D7A3489
Py_GetPath, xrefs: 00007FF73D7A31C5
PyList_Append, xrefs: 00007FF73D7A33CD
Failed to get address for Py_DecodeLocale, xrefs: 00007FF73D7A36B9
PyLong_AsLong, xrefs: 00007FF73D7A341D
PyUnicode_Replace, xrefs: 00007FF73D7A37B5
PyUnicode_AsUTF8, xrefs: 00007FF73D7A3765
Failed to get address for Py_Finalize, xrefs: 00007FF73D7A3141
Py_FrozenFlag, xrefs: 00007FF73D7A2F90
Failed to get address for Py_UTF8Mode, xrefs: 00007FF73D7A30C9
Failed to get address for PySys_GetObject, xrefs: 00007FF73D7A35C9
Failed to get address for PyUnicode_Decode, xrefs: 00007FF73D7A3731
Failed to get address for PyMarshal_ReadObjectFromString, xrefs: 00007FF73D7A3669
PySys_SetObject, xrefs: 00007FF73D7A35D5
Failed to get address for PyDict_GetItemString, xrefs: 00007FF73D7A3259
Failed to get address for PyErr_NormalizeException, xrefs: 00007FF73D7A3349
Failed to get address for PyObject_Str, xrefs: 00007FF73D7A3529
Failed to get address for PyErr_Occurred, xrefs: 00007FF73D7A32A9
Py_SetPath, xrefs: 00007FF73D7A319D
Py_DecodeLocale, xrefs: 00007FF73D7A369D
Failed to get address for PyUnicode_AsUTF8, xrefs: 00007FF73D7A3781
Failed to get address for PyRun_SimpleStringFlags, xrefs: 00007FF73D7A3551
Failed to get address for PyErr_Clear, xrefs: 00007FF73D7A3281
PyErr_Fetch, xrefs: 00007FF73D7A32DD
PyEval_EvalCode, xrefs: 00007FF73D7A3625
Failed to get address for Py_NoUserSiteDirectory, xrefs: 00007FF73D7A3021
GetProcAddress, xrefs: 00007FF73D7A2F4F
Failed to get address for PyUnicode_FromFormat, xrefs: 00007FF73D7A3709
Py_FileSystemDefaultEncoding, xrefs: 00007FF73D7A2F6B
Failed to get address for PyImport_AddModule, xrefs: 00007FF73D7A3371
PyMarshal_ReadObjectFromString, xrefs: 00007FF73D7A364D
PyObject_CallFunction, xrefs: 00007FF73D7A346D
PyMem_RawFree, xrefs: 00007FF73D7A36C5
PySys_AddWarnOption, xrefs: 00007FF73D7A355D
Failed to get address for Py_DecRef, xrefs: 00007FF73D7A3119
Failed to get address for Py_FrozenFlag, xrefs: 00007FF73D7A2FAC
Py_VerboseFlag, xrefs: 00007FF73D7A3055
Py_Finalize, xrefs: 00007FF73D7A3125
Failed to get address for PyImport_ExecCodeModule, xrefs: 00007FF73D7A3399
Failed to get address for Py_UnbufferedStdioFlag, xrefs: 00007FF73D7A3099
Failed to get address for PyList_New, xrefs: 00007FF73D7A3411
Py_OptimizeFlag, xrefs: 00007FF73D7A302D
PyRun_SimpleStringFlags, xrefs: 00007FF73D7A3535
PyObject_SetAttrString, xrefs: 00007FF73D7A34BD
PyModule_GetDict, xrefs: 00007FF73D7A3445
PySys_GetObject, xrefs: 00007FF73D7A35AD
Failed to get address for Py_IgnoreEnvironmentFlag, xrefs: 00007FF73D7A2FD1
Failed to get address for PyObject_SetAttrString, xrefs: 00007FF73D7A34D9
Failed to get address for PySys_SetArgvEx, xrefs: 00007FF73D7A35A1
PyErr_Occurred, xrefs: 00007FF73D7A328D
Failed to get address for Py_Initialize, xrefs: 00007FF73D7A3191
PyObject_Str, xrefs: 00007FF73D7A350D
Failed to get address for Py_NoSiteFlag, xrefs: 00007FF73D7A2FF9
PyUnicode_FromString, xrefs: 00007FF73D7A3675
Failed to get address for PyUnicode_Replace, xrefs: 00007FF73D7A37D1
Failed to get address for Py_SetProgramName, xrefs: 00007FF73D7A3209
Failed to get address for PyUnicode_DecodeFSDefault, xrefs: 00007FF73D7A3759
PyObject_CallFunctionObjArgs, xrefs: 00007FF73D7A3495
PySys_SetArgvEx, xrefs: 00007FF73D7A3585
PyImport_ExecCodeModule, xrefs: 00007FF73D7A337D
Py_IgnoreEnvironmentFlag, xrefs: 00007FF73D7A2FB5
PyErr_Restore, xrefs: 00007FF73D7A3305
Failed to get address for Py_GetPath, xrefs: 00007FF73D7A31E1
Failed to get address for Py_SetPath, xrefs: 00007FF73D7A31B9
PySys_SetPath, xrefs: 00007FF73D7A35FD
PyErr_Clear, xrefs: 00007FF73D7A3265
Py_BuildValue, xrefs: 00007FF73D7A30D5
Failed to get address for Py_DontWriteBytecodeFlag, xrefs: 00007FF73D7A2F48
Py_NoSiteFlag, xrefs: 00007FF73D7A2FDD
Failed to get address for Py_BuildValue, xrefs: 00007FF73D7A30F1
Failed to get address for PyObject_GetAttrString, xrefs: 00007FF73D7A3501
Failed to get address for PyLong_AsLong, xrefs: 00007FF73D7A3439
Py_UTF8Mode, xrefs: 00007FF73D7A30AD
PyList_New, xrefs: 00007FF73D7A33F5
Failed to get address for Py_VerboseFlag, xrefs: 00007FF73D7A3071
PyUnicode_FromFormat, xrefs: 00007FF73D7A36ED
Py_Initialize, xrefs: 00007FF73D7A3175
Failed to get address for PyMem_RawFree, xrefs: 00007FF73D7A36E1
PyImport_ImportModule, xrefs: 00007FF73D7A33A5
Py_DontWriteBytecodeFlag, xrefs: 00007FF73D7A2F2F
Py_UnbufferedStdioFlag, xrefs: 00007FF73D7A307D
Failed to get address for PyErr_Restore, xrefs: 00007FF73D7A3321
Failed to get address for Py_IncRef, xrefs: 00007FF73D7A3169
PyUnicode_Join, xrefs: 00007FF73D7A378D
Failed to get address for PyModule_GetDict, xrefs: 00007FF73D7A3461
Failed to get address for PyImport_ImportModule, xrefs: 00007FF73D7A33C1
Failed to get address for PySys_AddWarnOption, xrefs: 00007FF73D7A3579
Failed to get address for PyErr_Fetch, xrefs: 00007FF73D7A32F9
Failed to get address for PySys_SetObject, xrefs: 00007FF73D7A35F1
Failed to get address for Py_FileSystemDefaultEncoding, xrefs: 00007FF73D7A2F87
Py_NoUserSiteDirectory, xrefs: 00007FF73D7A3005
Failed to get address for PyEval_EvalCode, xrefs: 00007FF73D7A3641
PyErr_Print, xrefs: 00007FF73D7A32B5

Memory Dump Source

Source File: 00000003.00000002.2440853785.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000003.00000002.2440821736.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440889498.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2441000945.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID: AddressProc
String ID: Failed to get address for PyDict_GetItemString$Failed to get address for PyErr_Clear$Failed to get address for PyErr_Fetch$Failed to get address for PyErr_NormalizeException$Failed to get address for PyErr_Occurred$Failed to get address for PyErr_Print$Failed to get address for PyErr_Restore$Failed to get address for PyEval_EvalCode$Failed to get address for PyImport_AddModule$Failed to get address for PyImport_ExecCodeModule$Failed to get address for PyImport_ImportModule$Failed to get address for PyList_Append$Failed to get address for PyList_New$Failed to get address for PyLong_AsLong$Failed to get address for PyMarshal_ReadObjectFromString$Failed to get address for PyMem_RawFree$Failed to get address for PyModule_GetDict$Failed to get address for PyObject_CallFunction$Failed to get address for PyObject_CallFunctionObjArgs$Failed to get address for PyObject_GetAttrString$Failed to get address for PyObject_SetAttrString$Failed to get address for PyObject_Str$Failed to get address for PyRun_SimpleStringFlags$Failed to get address for PySys_AddWarnOption$Failed to get address for PySys_GetObject$Failed to get address for PySys_SetArgvEx$Failed to get address for PySys_SetObject$Failed to get address for PySys_SetPath$Failed to get address for PyUnicode_AsUTF8$Failed to get address for PyUnicode_Decode$Failed to get address for PyUnicode_DecodeFSDefault$Failed to get address for PyUnicode_FromFormat$Failed to get address for PyUnicode_FromString$Failed to get address for PyUnicode_Join$Failed to get address for PyUnicode_Replace$Failed to get address for Py_BuildValue$Failed to get address for Py_DecRef$Failed to get address for Py_DecodeLocale$Failed to get address for Py_DontWriteBytecodeFlag$Failed to get address for Py_FileSystemDefaultEncoding$Failed to get address for Py_Finalize$Failed to get address for Py_FrozenFlag$Failed to get address for Py_GetPath$Failed to get address for Py_IgnoreEnvironmentFlag$Failed to get address for Py_IncRef$Failed to get address for Py_Initialize$Failed to get address for Py_NoSiteFlag$Failed to get address for Py_NoUserSiteDirectory$Failed to get address for Py_OptimizeFlag$Failed to get address for Py_SetPath$Failed to get address for Py_SetProgramName$Failed to get address for Py_SetPythonHome$Failed to get address for Py_UTF8Mode$Failed to get address for Py_UnbufferedStdioFlag$Failed to get address for Py_VerboseFlag$GetProcAddress$PyDict_GetItemString$PyErr_Clear$PyErr_Fetch$PyErr_NormalizeException$PyErr_Occurred$PyErr_Print$PyErr_Restore$PyEval_EvalCode$PyImport_AddModule$PyImport_ExecCodeModule$PyImport_ImportModule$PyList_Append$PyList_New$PyLong_AsLong$PyMarshal_ReadObjectFromString$PyMem_RawFree$PyModule_GetDict$PyObject_CallFunction$PyObject_CallFunctionObjArgs$PyObject_GetAttrString$PyObject_SetAttrString$PyObject_Str$PyRun_SimpleStringFlags$PySys_AddWarnOption$PySys_GetObject$PySys_SetArgvEx$PySys_SetObject$PySys_SetPath$PyUnicode_AsUTF8$PyUnicode_Decode$PyUnicode_DecodeFSDefault$PyUnicode_FromFormat$PyUnicode_FromString$PyUnicode_Join$PyUnicode_Replace$Py_BuildValue$Py_DecRef$Py_DecodeLocale$Py_DontWriteBytecodeFlag$Py_FileSystemDefaultEncoding$Py_Finalize$Py_FrozenFlag$Py_GetPath$Py_IgnoreEnvironmentFlag$Py_IncRef$Py_Initialize$Py_NoSiteFlag$Py_NoUserSiteDirectory$Py_OptimizeFlag$Py_SetPath$Py_SetProgramName$Py_SetPythonHome$Py_UTF8Mode$Py_UnbufferedStdioFlag$Py_VerboseFlag
API String ID: 190572456-3109299426
Opcode ID: 3d8788b48c699204fb620db4b6681a167f3e5177f9efbc96361098fa63709e71
Instruction ID: 90c808ff90b4c3480468f1f815a2a847eb6a26a471bad97f6f0923529f9b8812
Opcode Fuzzy Hash: 3d8788b48c699204fb620db4b6681a167f3e5177f9efbc96361098fa63709e71
Instruction Fuzzy Hash: D5428465E4DB0BF5EA15BB84A858174A3A1BF0C7A1BD46035D88E06364FF7CF558B320

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7A4730 Relevance: 166.5, APIs: 31, Strings: 64, Instructions: 287libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF73D7A6310: LoadLibraryW.KERNEL32(?,?,00000000,00007FF73D7A22DE,?,?,?,?), ref: 00007FF73D7A6333

GetProcAddress.KERNEL32 ref: 00007FF73D7A50C7
GetProcAddress.KERNEL32 ref: 00007FF73D7A5106
GetProcAddress.KERNEL32 ref: 00007FF73D7A512B
GetProcAddress.KERNEL32 ref: 00007FF73D7A5150
GetProcAddress.KERNEL32 ref: 00007FF73D7A5178
GetProcAddress.KERNEL32 ref: 00007FF73D7A51A0
GetProcAddress.KERNEL32 ref: 00007FF73D7A51C8
GetProcAddress.KERNEL32 ref: 00007FF73D7A51F0
GetProcAddress.KERNEL32 ref: 00007FF73D7A5218

Strings

Failed to get address for Tcl_GetObjResult, xrefs: 00007FF73D7A5482
Failed to get address for Tcl_Finalize, xrefs: 00007FF73D7A518A
Failed to get address for Tcl_FindExecutable, xrefs: 00007FF73D7A513D
Failed to get address for Tcl_GetString, xrefs: 00007FF73D7A53E2
Tcl_MutexLock, xrefs: 00007FF73D7A5236
Failed to get address for Tcl_CreateThread, xrefs: 00007FF73D7A5202
Failed to get address for Tcl_CreateInterp, xrefs: 00007FF73D7A5118
Failed to get address for Tcl_GetCurrentThread, xrefs: 00007FF73D7A522A
Failed to get address for Tcl_Alloc, xrefs: 00007FF73D7A5522
Tk_Init, xrefs: 00007FF73D7A5556
Failed to get address for Tcl_EvalEx, xrefs: 00007FF73D7A54D2
Tcl_CreateInterp, xrefs: 00007FF73D7A50FC
Failed to get address for Tcl_EvalFile, xrefs: 00007FF73D7A54AA
Failed to get address for Tcl_DeleteInterp, xrefs: 00007FF73D7A51DA
Failed to get address for Tk_Init, xrefs: 00007FF73D7A5572
Tcl_GetCurrentThread, xrefs: 00007FF73D7A520E
Tcl_ThreadAlert, xrefs: 00007FF73D7A5326
Failed to get address for Tcl_CreateObjCommand, xrefs: 00007FF73D7A53BA
Failed to get address for Tcl_MutexUnlock, xrefs: 00007FF73D7A527A
Failed to get address for Tcl_ConditionNotify, xrefs: 00007FF73D7A52CA
Tcl_Init, xrefs: 00007FF73D7A50C0
Failed to get address for Tcl_Free, xrefs: 00007FF73D7A554A
Failed to get address for Tcl_NewByteArrayObj, xrefs: 00007FF73D7A5432
Failed to get address for Tcl_DoOneEvent, xrefs: 00007FF73D7A5162
Failed to get address for Tcl_SetVar2, xrefs: 00007FF73D7A5392
Failed to get address for Tk_GetNumMainWindows, xrefs: 00007FF73D7A559A
Tcl_MutexUnlock, xrefs: 00007FF73D7A525E
Tcl_GetObjResult, xrefs: 00007FF73D7A5466
Tcl_ThreadQueueEvent, xrefs: 00007FF73D7A52FE
Failed to get address for Tcl_Init, xrefs: 00007FF73D7A50D9
Tcl_Alloc, xrefs: 00007FF73D7A5506
Failed to get address for Tcl_ThreadQueueEvent, xrefs: 00007FF73D7A531A
Tcl_SetVar2, xrefs: 00007FF73D7A5376
Failed to get address for Tcl_ConditionWait, xrefs: 00007FF73D7A52F2
Failed to get address for Tcl_SetVar2Ex, xrefs: 00007FF73D7A545A
Tcl_GetString, xrefs: 00007FF73D7A53C6
Tcl_CreateThread, xrefs: 00007FF73D7A51E6
Tcl_ConditionNotify, xrefs: 00007FF73D7A52AE
LOADER: Failed to load tcl/tk libraries, xrefs: 00007FF73D7A477A
Tcl_FindExecutable, xrefs: 00007FF73D7A5121
Tcl_FinalizeThread, xrefs: 00007FF73D7A5196
Failed to get address for Tcl_GetVar2, xrefs: 00007FF73D7A536A
Failed to get address for Tcl_NewStringObj, xrefs: 00007FF73D7A540A
Tcl_Finalize, xrefs: 00007FF73D7A516E
Tcl_GetVar2, xrefs: 00007FF73D7A534E
Tcl_EvalFile, xrefs: 00007FF73D7A548E
GetProcAddress, xrefs: 00007FF73D7A50E0
Tcl_DeleteInterp, xrefs: 00007FF73D7A51BE
Tk_GetNumMainWindows, xrefs: 00007FF73D7A557E
Tcl_NewByteArrayObj, xrefs: 00007FF73D7A5416
Failed to get address for Tcl_FinalizeThread, xrefs: 00007FF73D7A51B2
Failed to get address for Tcl_EvalObjv, xrefs: 00007FF73D7A54FA
Tcl_ConditionFinalize, xrefs: 00007FF73D7A5286
Tcl_EvalEx, xrefs: 00007FF73D7A54B6
Failed to get address for Tcl_MutexLock, xrefs: 00007FF73D7A5252
Tcl_EvalObjv, xrefs: 00007FF73D7A54DE
Tcl_SetVar2Ex, xrefs: 00007FF73D7A543E
Tcl_DoOneEvent, xrefs: 00007FF73D7A5146
Failed to get address for Tcl_ThreadAlert, xrefs: 00007FF73D7A5342
Failed to get address for Tcl_ConditionFinalize, xrefs: 00007FF73D7A52A2
Tcl_NewStringObj, xrefs: 00007FF73D7A53EE
Tcl_ConditionWait, xrefs: 00007FF73D7A52D6
Tcl_Free, xrefs: 00007FF73D7A552E
Tcl_CreateObjCommand, xrefs: 00007FF73D7A539E

Memory Dump Source

Source File: 00000003.00000002.2440853785.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000003.00000002.2440821736.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440889498.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2441000945.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID: Failed to get address for Tcl_Alloc$Failed to get address for Tcl_ConditionFinalize$Failed to get address for Tcl_ConditionNotify$Failed to get address for Tcl_ConditionWait$Failed to get address for Tcl_CreateInterp$Failed to get address for Tcl_CreateObjCommand$Failed to get address for Tcl_CreateThread$Failed to get address for Tcl_DeleteInterp$Failed to get address for Tcl_DoOneEvent$Failed to get address for Tcl_EvalEx$Failed to get address for Tcl_EvalFile$Failed to get address for Tcl_EvalObjv$Failed to get address for Tcl_Finalize$Failed to get address for Tcl_FinalizeThread$Failed to get address for Tcl_FindExecutable$Failed to get address for Tcl_Free$Failed to get address for Tcl_GetCurrentThread$Failed to get address for Tcl_GetObjResult$Failed to get address for Tcl_GetString$Failed to get address for Tcl_GetVar2$Failed to get address for Tcl_Init$Failed to get address for Tcl_MutexLock$Failed to get address for Tcl_MutexUnlock$Failed to get address for Tcl_NewByteArrayObj$Failed to get address for Tcl_NewStringObj$Failed to get address for Tcl_SetVar2$Failed to get address for Tcl_SetVar2Ex$Failed to get address for Tcl_ThreadAlert$Failed to get address for Tcl_ThreadQueueEvent$Failed to get address for Tk_GetNumMainWindows$Failed to get address for Tk_Init$GetProcAddress$LOADER: Failed to load tcl/tk libraries$Tcl_Alloc$Tcl_ConditionFinalize$Tcl_ConditionNotify$Tcl_ConditionWait$Tcl_CreateInterp$Tcl_CreateObjCommand$Tcl_CreateThread$Tcl_DeleteInterp$Tcl_DoOneEvent$Tcl_EvalEx$Tcl_EvalFile$Tcl_EvalObjv$Tcl_Finalize$Tcl_FinalizeThread$Tcl_FindExecutable$Tcl_Free$Tcl_GetCurrentThread$Tcl_GetObjResult$Tcl_GetString$Tcl_GetVar2$Tcl_Init$Tcl_MutexLock$Tcl_MutexUnlock$Tcl_NewByteArrayObj$Tcl_NewStringObj$Tcl_SetVar2$Tcl_SetVar2Ex$Tcl_ThreadAlert$Tcl_ThreadQueueEvent$Tk_GetNumMainWindows$Tk_Init
API String ID: 2238633743-1453502826
Opcode ID: e0502fcf1b420640f725b5f986344d9b1d5f93aef03ede1fdd1d364c869fabcf
Instruction ID: 8f2293016b732da2165b862d60a6b8d4acf9c2fbfcbe97595a3fbeb737544673
Opcode Fuzzy Hash: e0502fcf1b420640f725b5f986344d9b1d5f93aef03ede1fdd1d364c869fabcf
Instruction Fuzzy Hash: 6EE1A364A0DB0BB4FA15BB94A854174A3A5BF0CBA1BD45035D88E06368FF7CF588B360

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8A8360A80 Relevance: 58.0, APIs: 19, Strings: 14, Instructions: 220COMMON

Download Yara Rule

APIs

00007FF8C6125630.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FF8A83616E9,?,?,?,?,?,?,?,?,00007FF8A835F6EB), ref: 00007FF8A8360AD1
00007FF8C6125630.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FF8A83616E9,?,?,?,?,?,?,?,?,00007FF8A835F6EB), ref: 00007FF8A8360AE8
00007FF8C6125630.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FF8A83616E9,?,?,?,?,?,?,?,?,00007FF8A835F6EB), ref: 00007FF8A8360AFF
00007FF8C6125630.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FF8A83616E9,?,?,?,?,?,?,?,?,00007FF8A835F6EB), ref: 00007FF8A8360B33
00007FF8C6125630.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FF8A83616E9,?,?,?,?,?,?,?,?,00007FF8A835F6EB), ref: 00007FF8A8360B9F
00007FF8C6125630.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FF8A83616E9,?,?,?,?,?,?,?,?,00007FF8A835F6EB), ref: 00007FF8A8360BD6
00007FF8C6125630.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FF8A83616E9,?,?,?,?,?,?,?,?,00007FF8A835F6EB), ref: 00007FF8A8360C37
00007FF8C6125630.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FF8A83616E9,?,?,?,?,?,?,?,?,00007FF8A835F6EB), ref: 00007FF8A8360C4A
00007FF8C6125630.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FF8A83616E9,?,?,?,?,?,?,?,?,00007FF8A835F6EB), ref: 00007FF8A8360C61
00007FF8C6125630.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FF8A83616E9,?,?,?,?,?,?,?,?,00007FF8A835F6EB), ref: 00007FF8A8360C74
00007FF8C6125630.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FF8A83616E9,?,?,?,?,?,?,?,?,00007FF8A835F6EB), ref: 00007FF8A8360C8B
00007FF8C6125630.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FF8A83616E9,?,?,?,?,?,?,?,?,00007FF8A835F6EB), ref: 00007FF8A8360C9E
00007FF8C6125630.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FF8A83616E9,?,?,?,?,?,?,?,?,00007FF8A835F6EB), ref: 00007FF8A8360CB5
00007FF8C6125630.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FF8A83616E9,?,?,?,?,?,?,?,?,00007FF8A835F6EB), ref: 00007FF8A8360CC8
00007FF8C6125630.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FF8A83616E9,?,?,?,?,?,?,?,?,00007FF8A835F6EB), ref: 00007FF8A8360CDF
00007FF8C6125630.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FF8A83616E9,?,?,?,?,?,?,?,?,00007FF8A835F6EB), ref: 00007FF8A8360CF2
00007FF8C6125630.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FF8A83616E9,?,?,?,?,?,?,?,?,00007FF8A835F6EB), ref: 00007FF8A8360D09
00007FF8C6125630.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FF8A83616E9,?,?,?,?,?,?,?,?,00007FF8A835F6EB), ref: 00007FF8A8360D42
00007FF8C6125630.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FF8A83616E9,?,?,?,?,?,?,?,?,00007FF8A835F6EB), ref: 00007FF8A8360D72

Strings

X509 CERTIFICATE, xrefs: 00007FF8A8360C57, 00007FF8A8360CD5
CERTIFICATE, xrefs: 00007FF8A8360C6A, 00007FF8A8360CAB, 00007FF8A8360CFF, 00007FF8A8360D68
PARAMETERS, xrefs: 00007FF8A8360B95, 00007FF8A8360BC8
NEW CERTIFICATE REQUEST, xrefs: 00007FF8A8360C81
DH PARAMETERS, xrefs: 00007FF8A8360C40
X9.42 DH PARAMETERS, xrefs: 00007FF8A8360C2D
ANY PRIVATE KEY, xrefs: 00007FF8A8360AC7
ENCRYPTED PRIVATE KEY, xrefs: 00007FF8A8360ADE
PKCS7, xrefs: 00007FF8A8360D10
CERTIFICATE REQUEST, xrefs: 00007FF8A8360C94
PRIVATE KEY, xrefs: 00007FF8A8360AF5, 00007FF8A8360B25
PKCS #7 SIGNED DATA, xrefs: 00007FF8A8360D38
TRUSTED CERTIFICATE, xrefs: 00007FF8A8360CBE, 00007FF8A8360CE8
CMS, xrefs: 00007FF8A8360D77

Memory Dump Source

Source File: 00000003.00000002.2441450814.00007FF8A824D000.00000040.00000001.01000000.00000017.sdmp, Offset: 00007FF8A81B0000, based on PE: true

Associated: 00000003.00000002.2441421471.00007FF8A81B0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2441450814.00007FF8A81B1000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2441450814.00007FF8A81BD000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2441450814.00007FF8A8215000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2441450814.00007FF8A8229000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2441450814.00007FF8A823A000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2441450814.00007FF8A8240000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2441450814.00007FF8A83F6000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2441450814.00007FF8A83F8000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2441450814.00007FF8A8423000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2441450814.00007FF8A8454000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2441450814.00007FF8A847A000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2441450814.00007FF8A84C7000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2441450814.00007FF8A84CF000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2441450814.00007FF8A84EB000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2441450814.00007FF8A84F8000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2442136726.00007FF8A84FC000.00000080.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2442165063.00007FF8A84FE000.00000004.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff8a81b0000_xSO7sbN2j6.jbxd

Similarity

API ID: 00007C6125630
String ID: ANY PRIVATE KEY$CERTIFICATE$CERTIFICATE REQUEST$CMS$DH PARAMETERS$ENCRYPTED PRIVATE KEY$NEW CERTIFICATE REQUEST$PARAMETERS$PKCS #7 SIGNED DATA$PKCS7$PRIVATE KEY$TRUSTED CERTIFICATE$X509 CERTIFICATE$X9.42 DH PARAMETERS
API String ID: 1529501491-1119032718
Opcode ID: af3d817a0d09ecacb928f5750cd0fa4b550fcc35063cd53c557b409c5034f3df
Instruction ID: a82b1981b1945d4d6834280b4ebfad6bc00f225ad01628858ff088080c9a0b84
Opcode Fuzzy Hash: af3d817a0d09ecacb928f5750cd0fa4b550fcc35063cd53c557b409c5034f3df
Instruction Fuzzy Hash: 7F91E311E0FE47B1FE945B2995A12BAA690DF01BD4F8C42B1C94EA22D5FF9CF4018739

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7A6BF0 Relevance: 22.9, APIs: 4, Strings: 9, Instructions: 113COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32 ref: 00007FF73D7A6C2C

Part of subcall function 00007FF73D7A1CB0: GetLastError.KERNEL32(?,?,00000000,00007FF73D7A6904,?,?,?,?,?,?,?,?,?,?,?,00007FF73D7A1023), ref: 00007FF73D7A1CD7

Strings

Failed to get wchar_t buffer size., xrefs: 00007FF73D7A6C39
win32_utils_from_utf8, xrefs: 00007FF73D7A6C69
Failed to decode wchar_t from UTF-8, xrefs: 00007FF73D7A6CA6
Failed to encode filename as ANSI., xrefs: 00007FF73D7A6D45
MultiByteToWideChar, xrefs: 00007FF73D7A6C40, 00007FF73D7A6CAD
Out of memory., xrefs: 00007FF73D7A6C70, 00007FF73D7A6D12
Failed to get ANSI buffer size., xrefs: 00007FF73D7A6CED
WideCharToMultiByte, xrefs: 00007FF73D7A6D4C
win32_wcs_to_mbs, xrefs: 00007FF73D7A6D0B

Memory Dump Source

Source File: 00000003.00000002.2440853785.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000003.00000002.2440821736.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440889498.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2441000945.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide
String ID: Failed to decode wchar_t from UTF-8$Failed to encode filename as ANSI.$Failed to get ANSI buffer size.$Failed to get wchar_t buffer size.$MultiByteToWideChar$Out of memory.$WideCharToMultiByte$win32_utils_from_utf8$win32_wcs_to_mbs
API String ID: 203985260-1562484376
Opcode ID: 4738581143a7505b28abcd57c7c993806daa07168fe16da415c29e9b13c2df9d
Instruction ID: ce4bbda8309154f9ac2cfb1749fd0945ef60caa6e6a92a622fe2b4ec31b290bc
Opcode Fuzzy Hash: 4738581143a7505b28abcd57c7c993806daa07168fe16da415c29e9b13c2df9d
Instruction Fuzzy Hash: 64417661A0CA4A65EA20FBA1A84007AE6A1AF5CBD4FD44135E94D47B95FF3CF145A320

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7A1440 Relevance: 21.1, APIs: 1, Strings: 11, Instructions: 133COMMON

Download Yara Rule

Strings

Failed to extract %s: failed to allocate temporary buffer!, xrefs: 00007FF73D7A1559
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF73D7A14F9
fwrite, xrefs: 00007FF73D7A15DC
Failed to extract %s: failed to write data chunk!, xrefs: 00007FF73D7A15D5
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF73D7A15E5
fopen, xrefs: 00007FF73D7A1491
fseek, xrefs: 00007FF73D7A1500
malloc, xrefs: 00007FF73D7A1560
Failed to extract %s: failed to open archive file!, xrefs: 00007FF73D7A14CA
Failed to extract %s: failed to open target file!, xrefs: 00007FF73D7A148A
fread, xrefs: 00007FF73D7A15EC

Memory Dump Source

Source File: 00000003.00000002.2440853785.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000003.00000002.2440821736.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440889498.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2441000945.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID:
String ID: Failed to extract %s: failed to allocate temporary buffer!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to open target file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$Failed to extract %s: failed to write data chunk!$fopen$fread$fseek$fwrite$malloc
API String ID: 0-666925554
Opcode ID: 7dbbe491418536e41ef5334edc3cc0a1006c93e87b10a1556a8050f18f187757
Instruction ID: 481a343d180af8dca95f6785f88a6ef222e1ecc457756f566588caaab900ea68
Opcode Fuzzy Hash: 7dbbe491418536e41ef5334edc3cc0a1006c93e87b10a1556a8050f18f187757
Instruction Fuzzy Hash: 98519B21B0C64AA5FA10BBA1A4146B9E3A0BF49BE8FC54431DE5D47795FF3CF149A320

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8A81B33A0 Relevance: 21.1, APIs: 5, Strings: 7, Instructions: 127COMMON

Download Yara Rule

APIs

00007FF8C6111370.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF8A83A66FC
00007FF8C6125630.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF8A83A6711
00007FF8C6111370.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF8A83A6723

Strings

secs, xrefs: 00007FF8A83A66CD
p, xrefs: 00007FF8A83A67B4
accuracy, xrefs: 00007FF8A83A6633, 00007FF8A83A6683, 00007FF8A83A67D4
..\s\crypto\ts\ts_conf.c, xrefs: 00007FF8A83A6670, 00007FF8A83A67BC
^;#, xrefs: 00007FF8A83A678F
microsecs, xrefs: 00007FF8A83A672E
millisecs, xrefs: 00007FF8A83A6707

Memory Dump Source

Source File: 00000003.00000002.2441450814.00007FF8A81B1000.00000040.00000001.01000000.00000017.sdmp, Offset: 00007FF8A81B0000, based on PE: true

Associated: 00000003.00000002.2441421471.00007FF8A81B0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2441450814.00007FF8A81BD000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2441450814.00007FF8A8215000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2441450814.00007FF8A8229000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2441450814.00007FF8A823A000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2441450814.00007FF8A8240000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2441450814.00007FF8A824D000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2441450814.00007FF8A83F6000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2441450814.00007FF8A83F8000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2441450814.00007FF8A8423000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2441450814.00007FF8A8454000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2441450814.00007FF8A847A000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2441450814.00007FF8A84C7000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2441450814.00007FF8A84CF000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2441450814.00007FF8A84EB000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2441450814.00007FF8A84F8000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2442136726.00007FF8A84FC000.00000080.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2442165063.00007FF8A84FE000.00000004.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff8a81b0000_xSO7sbN2j6.jbxd

Similarity

API ID: 00007$C6111370$C6125630
String ID: ..\s\crypto\ts\ts_conf.c$accuracy$microsecs$millisecs$p$secs$^;#
API String ID: 4071599892-2905893130
Opcode ID: 50a372e4d8d9be1f7db291ab6937b65d881ce4e2a7fc06064df732d34306b3e9
Instruction ID: e9302708e7c6151efa53aff533f45a4da055e5438f9ca2b312c5e7e435f950da
Opcode Fuzzy Hash: 50a372e4d8d9be1f7db291ab6937b65d881ce4e2a7fc06064df732d34306b3e9
Instruction Fuzzy Hash: 2651C061A1BA07A6EB06AB22EC145B9B394FF44BC4F484435DE0E037A5EF3DE545C328

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7A6A60 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 91COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,00007FF73D7A59BA,?,00007FF73D7A58AD), ref: 00007FF73D7A6AA0
OpenProcessToken.ADVAPI32(?,00007FF73D7A58AD), ref: 00007FF73D7A6AB1
GetTokenInformation.ADVAPI32(?,00007FF73D7A58AD(TokenIntegrityLevel)), ref: 00007FF73D7A6AD3
GetLastError.KERNEL32(?,TokenIntegrityLevel), ref: 00007FF73D7A6ADD
GetTokenInformation.ADVAPI32(?,TokenIntegrityLevel), ref: 00007FF73D7A6B1A
ConvertSidToStringSidW.ADVAPI32 ref: 00007FF73D7A6B2C
CloseHandle.KERNEL32(?,00007FF73D7A58AD), ref: 00007FF73D7A6B44
LocalFree.KERNEL32(?,00007FF73D7A58AD), ref: 00007FF73D7A6B76
ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32 ref: 00007FF73D7A6B9D
CreateDirectoryW.KERNEL32(?,00007FF73D7A58AD), ref: 00007FF73D7A6BAE

Strings

S-1-3-4, xrefs: 00007FF73D7A6B4F
D:(A;;FA;;;%s), xrefs: 00007FF73D7A6B59

Memory Dump Source

Source File: 00000003.00000002.2440853785.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000003.00000002.2440821736.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440889498.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2441000945.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID: Token$ConvertDescriptorInformationProcessSecurityString$CloseCreateCurrentDirectoryErrorFreeHandleLastLocalOpen
String ID: D:(A;;FA;;;%s)$S-1-3-4
API String ID: 4998090-2855260032
Opcode ID: e3ae2089cc123d46b594be8ff950cb64da25cc15db14cd9a57b660644dd56c7b
Instruction ID: 47a29afdb2c347df1fd09069e77d1222c6ec10a8bc20925fa0887846edc1a1fa
Opcode Fuzzy Hash: e3ae2089cc123d46b594be8ff950cb64da25cc15db14cd9a57b660644dd56c7b
Instruction Fuzzy Hash: 8C41863161CA8A95E750AF90E4446AAB361FB887A4FD00231E99E47BD4FF3CF449D720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8A8092654 Relevance: 16.7, APIs: 11, Instructions: 230COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF8A809267C
__scrt_initialize_crt.LIBCMT ref: 00007FF8A80926C1
__scrt_acquire_startup_lock.LIBCMT ref: 00007FF8A80926CE
_RTC_Initialize.LIBCMT ref: 00007FF8A80926FC
__scrt_dllmain_after_initialize_c.LIBCMT ref: 00007FF8A8092722
__scrt_release_startup_lock.LIBCMT ref: 00007FF8A809274D

Memory Dump Source

Source File: 00000003.00000002.2441062409.00007FF8A8091000.00000040.00000001.01000000.0000001E.sdmp, Offset: 00007FF8A8090000, based on PE: true

Associated: 00000003.00000002.2441033358.00007FF8A8090000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000003.00000002.2441062409.00007FF8A80EC000.00000040.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000003.00000002.2441062409.00007FF8A8137000.00000040.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000003.00000002.2441062409.00007FF8A813B000.00000040.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000003.00000002.2441062409.00007FF8A8140000.00000040.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000003.00000002.2441062409.00007FF8A8195000.00000040.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000003.00000002.2441062409.00007FF8A819B000.00000040.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000003.00000002.2441062409.00007FF8A819E000.00000040.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000003.00000002.2441362670.00007FF8A819F000.00000080.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000003.00000002.2441390190.00007FF8A81A1000.00000004.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff8a8090000_xSO7sbN2j6.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_initialize_crt__scrt_release_startup_lock
String ID:
API String ID: 349153199-0
Opcode ID: 24b64e2f523494cfc43b7842a0679e99e8ee080510d7dd6f5954d2b0f176455c
Instruction ID: fe8ac39b854e6f8d2582fa2226d20d6f41546f54fa2009a8b078f525f2f43bf8
Opcode Fuzzy Hash: 24b64e2f523494cfc43b7842a0679e99e8ee080510d7dd6f5954d2b0f176455c
Instruction Fuzzy Hash: B181C121F0FE43AAFE50AB6694412797291EF857C0F058035EA6C537E6DF3CE8658728

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7A6670 Relevance: 15.8, APIs: 3, Strings: 6, Instructions: 52windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(WideCharToMultiByte,00007FF73D7A1CE4,?,?,00000000,00007FF73D7A6904), ref: 00007FF73D7A6697
FormatMessageW.KERNEL32 ref: 00007FF73D7A66C6
WideCharToMultiByte.KERNEL32 ref: 00007FF73D7A671C

Part of subcall function 00007FF73D7A1CB0: GetLastError.KERNEL32(?,?,00000000,00007FF73D7A6904,?,?,?,?,?,?,?,?,?,?,?,00007FF73D7A1023), ref: 00007FF73D7A1CD7

Strings

FormatMessageW, xrefs: 00007FF73D7A66D7
No error messages generated., xrefs: 00007FF73D7A66D0
PyInstaller: pyi_win32_utils_to_utf8 failed., xrefs: 00007FF73D7A6739
Failed to encode wchar_t as UTF-8., xrefs: 00007FF73D7A6726
WideCharToMultiByte, xrefs: 00007FF73D7A6670, 00007FF73D7A672D
PyInstaller: FormatMessageW failed., xrefs: 00007FF73D7A66E3

Memory Dump Source

Source File: 00000003.00000002.2440853785.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000003.00000002.2440821736.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440889498.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2441000945.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID: ErrorLast$ByteCharFormatMessageMultiWide
String ID: Failed to encode wchar_t as UTF-8.$FormatMessageW$No error messages generated.$PyInstaller: FormatMessageW failed.$PyInstaller: pyi_win32_utils_to_utf8 failed.$WideCharToMultiByte
API String ID: 2383786077-2573406579
Opcode ID: ee4750cad08e904e569e44cd6da303e01fcfffc44399732fd87d74f29f2688a4
Instruction ID: 815852d30fee7c1ce0e64ec1f14ac4bb5f39a45abcdd9b419e6c79d16d07df21
Opcode Fuzzy Hash: ee4750cad08e904e569e44cd6da303e01fcfffc44399732fd87d74f29f2688a4
Instruction Fuzzy Hash: 3C21AF31A1CA4AA5F760AB91E854269A365FB8C794FC40035E68D837A4FF3CF149A720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7AF5C8 Relevance: 14.5, APIs: 3, Strings: 5, Instructions: 475COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF73D7AF608
_invalid_parameter_noinfo.LIBCMT ref: 00007FF73D7AF9D0
_invalid_parameter_noinfo.LIBCMT ref: 00007FF73D7AFC6F

Strings

p, xrefs: 00007FF73D7AF712
f, xrefs: 00007FF73D7AF855
f, xrefs: 00007FF73D7AF70A
p, xrefs: 00007FF73D7AF6AD
f, xrefs: 00007FF73D7AF6A0

Memory Dump Source

Source File: 00000003.00000002.2440853785.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000003.00000002.2440821736.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440889498.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2441000945.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: f$f$p$p$f
API String ID: 3215553584-1325933183
Opcode ID: 5b8d5396a44c552a0cc4e48ad8092be8cf806d396b8c8f6251230df5f0eb9214
Instruction ID: 01c71594f1727119d9f81ba734688642d85b0da97f00d24c037ed876a9967557
Opcode Fuzzy Hash: 5b8d5396a44c552a0cc4e48ad8092be8cf806d396b8c8f6251230df5f0eb9214
Instruction Fuzzy Hash: 4E12A622E0C14BA5FB60BA95D0546BAF261FF88754FD44032F699467C4EF3CF482AB21

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8A81B1073 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 94libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF8A82BCFA8
GetProcAddress.KERNEL32 ref: 00007FF8A82BCFBD
GetProcessWindowStation.USER32 ref: 00007FF8A82BCFE7
GetUserObjectInformationW.USER32 ref: 00007FF8A82BD00F
GetLastError.KERNEL32 ref: 00007FF8A82BD01D
GetUserObjectInformationW.USER32 ref: 00007FF8A82BD088

Strings

_OPENSSL_isservice, xrefs: 00007FF8A82BCFB3
Service-0x, xrefs: 00007FF8A82BD0A9

Memory Dump Source

Source File: 00000003.00000002.2441450814.00007FF8A81B1000.00000040.00000001.01000000.00000017.sdmp, Offset: 00007FF8A81B0000, based on PE: true

Associated: 00000003.00000002.2441421471.00007FF8A81B0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2441450814.00007FF8A81BD000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2441450814.00007FF8A8215000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2441450814.00007FF8A8229000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2441450814.00007FF8A823A000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2441450814.00007FF8A8240000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2441450814.00007FF8A824D000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2441450814.00007FF8A83F6000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2441450814.00007FF8A83F8000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2441450814.00007FF8A8423000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2441450814.00007FF8A8454000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2441450814.00007FF8A847A000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2441450814.00007FF8A84C7000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2441450814.00007FF8A84CF000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2441450814.00007FF8A84EB000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2441450814.00007FF8A84F8000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2442136726.00007FF8A84FC000.00000080.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2442165063.00007FF8A84FE000.00000004.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff8a81b0000_xSO7sbN2j6.jbxd

Similarity

API ID: InformationObjectUser$AddressErrorHandleLastModuleProcProcessStationWindow
String ID: Service-0x$_OPENSSL_isservice
API String ID: 1944374717-1672312481
Opcode ID: 27800432323ea3a30382ce8154a855d4d03fb00c45efe0a7b9c8eb2db422071d
Instruction ID: d2834df0602cfc1793f9dbe6b2bab4888a6c026c71600d749e6f3911a948b1d2
Opcode Fuzzy Hash: 27800432323ea3a30382ce8154a855d4d03fb00c45efe0a7b9c8eb2db422071d
Instruction Fuzzy Hash: 4541812160BB82AAEB509F24D8442B82790FF447F4F484735EA7D4B7D9EF2CE1458328

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7A6130 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 90processsynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF73D7A6DB0: MultiByteToWideChar.KERNEL32(?,?,?,?,?,?), ref: 00007FF73D7A6DEA

SetConsoleCtrlHandler.KERNEL32(00000000,00007FF73D7A2B60,?,?,?,?,?,?), ref: 00007FF73D7A617F
GetStartupInfoW.KERNEL32 ref: 00007FF73D7A619E

Part of subcall function 00007FF73D7B92E4: _invalid_parameter_noinfo.LIBCMT ref: 00007FF73D7B92F8

Part of subcall function 00007FF73D7B705C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF73D7B70C3

GetCommandLineW.KERNEL32 ref: 00007FF73D7A623E
CreateProcessW.KERNEL32 ref: 00007FF73D7A6280
WaitForSingleObject.KERNEL32 ref: 00007FF73D7A6294
GetExitCodeProcess.KERNEL32 ref: 00007FF73D7A62A4

Strings

Error creating child process!, xrefs: 00007FF73D7A62B0
CreateProcessW, xrefs: 00007FF73D7A62B7

Memory Dump Source

Source File: 00000003.00000002.2440853785.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000003.00000002.2440821736.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440889498.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2441000945.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID: Process_invalid_parameter_noinfo$ByteCharCodeCommandConsoleCreateCtrlExitHandlerInfoLineMultiObjectSingleStartupWaitWide
String ID: CreateProcessW$Error creating child process!
API String ID: 2895956056-3524285272
Opcode ID: d5693698e4819ce5d510509d5cda6c943b390b1bcdb6e918232fd1435297541c
Instruction ID: 6b402114e684e3abb3628e1f36c36bd00d3bae0638bbf482adeb6fe004d4acb9
Opcode Fuzzy Hash: d5693698e4819ce5d510509d5cda6c943b390b1bcdb6e918232fd1435297541c
Instruction Fuzzy Hash: BE411531A0CB8695DA20ABA0F4552AAF360FB98364F900335E6AD43BD5EF7CE0449B10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7ACF90 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 317COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00007FF73D7ACFED

Part of subcall function 00007FF73D7ADF00: __GetUnwindTryBlock.LIBCMT ref: 00007FF73D7ADF43
Part of subcall function 00007FF73D7ADF00: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00007FF73D7ADF68

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FF73D7AD0C5
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00007FF73D7AD31A
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF73D7AD426

Strings

csm, xrefs: 00007FF73D7AD06E
csm, xrefs: 00007FF73D7AD007
csm, xrefs: 00007FF73D7AD0E8

Memory Dump Source

Source File: 00000003.00000002.2440853785.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000003.00000002.2440821736.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440889498.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2441000945.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: c9717f7599358984fa081211ebe6d8e8a7f2fe77f13a54a703b9fcdffbee59eb
Instruction ID: e2d5e961043de3c1a812f6620843a655433bc26196b0d968643a396a0d47f3aa
Opcode Fuzzy Hash: c9717f7599358984fa081211ebe6d8e8a7f2fe77f13a54a703b9fcdffbee59eb
Instruction Fuzzy Hash: 6BE18272A0C749A6EB20ABA5D4403ADB7A0FB48798F904135EE8D57B95FF38F481D710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7BDF30 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,00000000,?,00007FF73D7BE2CA,?,?,-00000018,00007FF73D7BA383,?,?,?,00007FF73D7BA27A,?,?,?,00007FF73D7B54E2), ref: 00007FF73D7BE0AC
GetProcAddress.KERNEL32(?,00000000,?,00007FF73D7BE2CA,?,?,-00000018,00007FF73D7BA383,?,?,?,00007FF73D7BA27A,?,?,?,00007FF73D7B54E2), ref: 00007FF73D7BE0B8

Strings

api-ms-, xrefs: 00007FF73D7BDFF6
ext-ms-, xrefs: 00007FF73D7BE009

Memory Dump Source

Source File: 00000003.00000002.2440853785.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000003.00000002.2440821736.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440889498.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2441000945.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: api-ms-$ext-ms-
API String ID: 3013587201-537541572
Opcode ID: 5d4014bca18f9f9ee9ee76f308e7221266f6712ab36b1d3e30b229e2872ef72f
Instruction ID: a5d48aec32c7ec175a213d8bb1b94824a3f665acc227341ffb1a2daacbed434a
Opcode Fuzzy Hash: 5d4014bca18f9f9ee9ee76f308e7221266f6712ab36b1d3e30b229e2872ef72f
Instruction Fuzzy Hash: 58415622B2DA1AA5FA19EB969800675A391BF1CBE0FD84135DD5D87384FF3CF445A320

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7A67C0 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF73D7A1023), ref: 00007FF73D7A685F
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF73D7A1023), ref: 00007FF73D7A68AF

Strings

Failed to get UTF-8 buffer size., xrefs: 00007FF73D7A68F1
win32_utils_to_utf8, xrefs: 00007FF73D7A68E8
Out of memory., xrefs: 00007FF73D7A68E1
Failed to encode wchar_t as UTF-8., xrefs: 00007FF73D7A68D8
WideCharToMultiByte, xrefs: 00007FF73D7A68F8

Memory Dump Source

Source File: 00000003.00000002.2440853785.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000003.00000002.2440821736.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440889498.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2441000945.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID: ByteCharMultiWide
String ID: Failed to encode wchar_t as UTF-8.$Failed to get UTF-8 buffer size.$Out of memory.$WideCharToMultiByte$win32_utils_to_utf8
API String ID: 626452242-27947307
Opcode ID: 6005c3c3b021663ea81aa36166b0848140842be883a1b4f62739566592ce7020
Instruction ID: 4339a73eb9ec222c11867c4f7d6b40c6e65aab0f9a0fc61970465268fcf742ed
Opcode Fuzzy Hash: 6005c3c3b021663ea81aa36166b0848140842be883a1b4f62739566592ce7020
Instruction Fuzzy Hash: C541C532A0CF8695E620EF91B840169F7A4FB98B94F944135DA8D47B94FF3CE055D710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7A6EC0 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 63COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(00000000,00007FF73D7A2D35,?,?,?,?,?,?), ref: 00007FF73D7A6F01

Part of subcall function 00007FF73D7A1CB0: GetLastError.KERNEL32(?,?,00000000,00007FF73D7A6904,?,?,?,?,?,?,?,?,?,?,?,00007FF73D7A1023), ref: 00007FF73D7A1CD7

WideCharToMultiByte.KERNEL32(00000000,00007FF73D7A2D35,?,?,?,?,?,?), ref: 00007FF73D7A6F75

Strings

Failed to get UTF-8 buffer size., xrefs: 00007FF73D7A6F0E
win32_utils_to_utf8, xrefs: 00007FF73D7A6F42
Out of memory., xrefs: 00007FF73D7A6F3B
Failed to encode wchar_t as UTF-8., xrefs: 00007FF73D7A6F7F
WideCharToMultiByte, xrefs: 00007FF73D7A6F15, 00007FF73D7A6F86

Memory Dump Source

Source File: 00000003.00000002.2440853785.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000003.00000002.2440821736.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440889498.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2441000945.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID: Failed to encode wchar_t as UTF-8.$Failed to get UTF-8 buffer size.$Out of memory.$WideCharToMultiByte$win32_utils_to_utf8
API String ID: 1717984340-27947307
Opcode ID: d869b65ad41923ea885775a182ffbbb4fa8a6a55f9429b012359a23964d7bd56
Instruction ID: a9b3a82bb95362137b407c2e31af28b0b28ddb2d6347e2ea6eec56dc38ca71eb
Opcode Fuzzy Hash: d869b65ad41923ea885775a182ffbbb4fa8a6a55f9429b012359a23964d7bd56
Instruction Fuzzy Hash: 7E215E61A0CB4AA9E720EB96A840069F761BB88B90B944135EA4D437A4FF3CF555A310

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7B93C4 Relevance: 11.0, APIs: 3, Strings: 3, Instructions: 494COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF73D7B9407
_invalid_parameter_noinfo.LIBCMT ref: 00007FF73D7B97F4
_invalid_parameter_noinfo.LIBCMT ref: 00007FF73D7B9A90

Strings

f, xrefs: 00007FF73D7B9529
p, xrefs: 00007FF73D7B9531
p, xrefs: 00007FF73D7B94B9

Memory Dump Source

Source File: 00000003.00000002.2440853785.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000003.00000002.2440821736.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440889498.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2441000945.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: f$p$p
API String ID: 3215553584-1995029353
Opcode ID: d478605e8072a694eb9a9d804e4987f1596106984b5661be3eee2fb972e34d58
Instruction ID: da0d617228a30c9d7032741e0ac2749ba30ec24b02b45cb7c6d6aeb406e88bc1
Opcode Fuzzy Hash: d478605e8072a694eb9a9d804e4987f1596106984b5661be3eee2fb972e34d58
Instruction Fuzzy Hash: 2212D4A2E0C14BA6FB607A95D0542BAF691FBA8750FD44035D6A9476C4FF3CF580EB20

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7A6FB0 Relevance: 10.6, APIs: 2, Strings: 5, Instructions: 98COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32 ref: 00007FF73D7A7045
MultiByteToWideChar.KERNEL32 ref: 00007FF73D7A7087

Strings

Failed to get wchar_t buffer size., xrefs: 00007FF73D7A70C6
win32_utils_from_utf8, xrefs: 00007FF73D7A70BD
Failed to decode wchar_t from UTF-8, xrefs: 00007FF73D7A70AD
MultiByteToWideChar, xrefs: 00007FF73D7A70CD
Out of memory., xrefs: 00007FF73D7A70B6

Memory Dump Source

Source File: 00000003.00000002.2440853785.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000003.00000002.2440821736.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440889498.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2441000945.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID: ByteCharMultiWide
String ID: Failed to decode wchar_t from UTF-8$Failed to get wchar_t buffer size.$MultiByteToWideChar$Out of memory.$win32_utils_from_utf8
API String ID: 626452242-876015163
Opcode ID: 15182e71835fbe62ed04ed96ffee69818c29c72be0e860e28e8d56ff05f5ea04
Instruction ID: f1047944836d24e909ff2e6c70373b4811ace27e629284149685260dcc4371d1
Opcode Fuzzy Hash: 15182e71835fbe62ed04ed96ffee69818c29c72be0e860e28e8d56ff05f5ea04
Instruction Fuzzy Hash: B841D332A0CB5AA5E610EF55A84017AB6A5FB88B94FD40135EE8D47BA4FF3CF052D710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7A55E0 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 88COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF73D7A6DB0: MultiByteToWideChar.KERNEL32(?,?,?,?,?,?), ref: 00007FF73D7A6DEA

ExpandEnvironmentStringsW.KERNEL32(00000000,00007FF73D7A592F,?,00000000,?,TokenIntegrityLevel), ref: 00007FF73D7A563F

Strings

LOADER: Failed to expand environment variables in the runtime-tmpdir., xrefs: 00007FF73D7A5653
LOADER: Failed to convert runtime-tmpdir to a wide string., xrefs: 00007FF73D7A5616
LOADER: Failed to obtain the absolute path of the runtime-tmpdir., xrefs: 00007FF73D7A569A

Memory Dump Source

Source File: 00000003.00000002.2440853785.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000003.00000002.2440821736.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440889498.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2441000945.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID: ByteCharEnvironmentExpandMultiStringsWide
String ID: LOADER: Failed to convert runtime-tmpdir to a wide string.$LOADER: Failed to expand environment variables in the runtime-tmpdir.$LOADER: Failed to obtain the absolute path of the runtime-tmpdir.
API String ID: 2001182103-3498232454
Opcode ID: 1f426a93b6cac929cbf670ac030889d357a0e2c62746adcecc4bd95078451b9f
Instruction ID: 86a1dfbd161f058e244d01c0e900eeeead38b42a3519b2b64ba5da4a0335936d
Opcode Fuzzy Hash: 1f426a93b6cac929cbf670ac030889d357a0e2c62746adcecc4bd95078451b9f
Instruction Fuzzy Hash: 7431A551B1C78AB0FA64B7A1D9152BAE2A1AF9C7D0FC44431DA4E43786FF2CF1049720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7AC248 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,?,00007FF73D7AC4FA,?,?,?,00007FF73D7AC1EC,?,?,00000001,00007FF73D7ABE09), ref: 00007FF73D7AC2CD
GetLastError.KERNEL32(?,?,?,00007FF73D7AC4FA,?,?,?,00007FF73D7AC1EC,?,?,00000001,00007FF73D7ABE09), ref: 00007FF73D7AC2DB
LoadLibraryExW.KERNEL32(?,?,?,00007FF73D7AC4FA,?,?,?,00007FF73D7AC1EC,?,?,00000001,00007FF73D7ABE09), ref: 00007FF73D7AC305
FreeLibrary.KERNEL32(?,?,?,00007FF73D7AC4FA,?,?,?,00007FF73D7AC1EC,?,?,00000001,00007FF73D7ABE09), ref: 00007FF73D7AC34B
GetProcAddress.KERNEL32(?,?,?,00007FF73D7AC4FA,?,?,?,00007FF73D7AC1EC,?,?,00000001,00007FF73D7ABE09), ref: 00007FF73D7AC357

Strings

api-ms-, xrefs: 00007FF73D7AC2ED

Memory Dump Source

Source File: 00000003.00000002.2440853785.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000003.00000002.2440821736.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440889498.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2441000945.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: 9ce77a0163c425c367fd7c26c9c82fe5a817cd2dfec158d19dd861a4531b58f3
Instruction ID: 694132b2ef6b5575094d74aa604baf6f8deadee6b696ef2ffab5625fe4e60659
Opcode Fuzzy Hash: 9ce77a0163c425c367fd7c26c9c82fe5a817cd2dfec158d19dd861a4531b58f3
Instruction Fuzzy Hash: D231B225A0E64AB5EE51AB8AA800579A394FF0DBA0FD90535EE1D47384FF3CF0449721

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7A6DB0 Relevance: 10.6, APIs: 2, Strings: 5, Instructions: 68COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,?,?,?,?,?), ref: 00007FF73D7A6DEA

Part of subcall function 00007FF73D7A1CB0: GetLastError.KERNEL32(?,?,00000000,00007FF73D7A6904,?,?,?,?,?,?,?,?,?,?,?,00007FF73D7A1023), ref: 00007FF73D7A1CD7

MultiByteToWideChar.KERNEL32(?,?,?,?,?,?), ref: 00007FF73D7A6E70

Strings

Failed to get wchar_t buffer size., xrefs: 00007FF73D7A6DF7
win32_utils_from_utf8, xrefs: 00007FF73D7A6E39
Failed to decode wchar_t from UTF-8, xrefs: 00007FF73D7A6E7A
MultiByteToWideChar, xrefs: 00007FF73D7A6DFE, 00007FF73D7A6E81
Out of memory., xrefs: 00007FF73D7A6E32

Memory Dump Source

Source File: 00000003.00000002.2440853785.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000003.00000002.2440821736.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440889498.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2441000945.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID: Failed to decode wchar_t from UTF-8$Failed to get wchar_t buffer size.$MultiByteToWideChar$Out of memory.$win32_utils_from_utf8
API String ID: 1717984340-876015163
Opcode ID: 7f54e5da8ee4cb54e1cd0e604769d215f15cea2374718bc11fd99751b49c0007
Instruction ID: ee1cb64ad129ad52a4548dd5ef0f8c2aaf98b9f327f118b63453657b6b6e1ab7
Opcode Fuzzy Hash: 7f54e5da8ee4cb54e1cd0e604769d215f15cea2374718bc11fd99751b49c0007
Instruction Fuzzy Hash: 66218521B0CA4661EB10EB69F800169E761FB8DBD4F984135DB4C83B69FF2CF5919710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7BA780 Relevance: 10.6, APIs: 7, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FF73D7C24B3,?,?,?,00007FF73D7BCCEC,?,?,00000000,00007FF73D7B386F,?,?,?,00007FF73D7B9473), ref: 00007FF73D7BA78F
FlsGetValue.KERNEL32(?,?,?,00007FF73D7C24B3,?,?,?,00007FF73D7BCCEC,?,?,00000000,00007FF73D7B386F,?,?,?,00007FF73D7B9473), ref: 00007FF73D7BA7A4
FlsSetValue.KERNEL32(?,?,?,00007FF73D7C24B3,?,?,?,00007FF73D7BCCEC,?,?,00000000,00007FF73D7B386F,?,?,?,00007FF73D7B9473), ref: 00007FF73D7BA7C5
FlsSetValue.KERNEL32(?,?,?,00007FF73D7C24B3,?,?,?,00007FF73D7BCCEC,?,?,00000000,00007FF73D7B386F,?,?,?,00007FF73D7B9473), ref: 00007FF73D7BA7F2
FlsSetValue.KERNEL32(?,?,?,00007FF73D7C24B3,?,?,?,00007FF73D7BCCEC,?,?,00000000,00007FF73D7B386F,?,?,?,00007FF73D7B9473), ref: 00007FF73D7BA803
FlsSetValue.KERNEL32(?,?,?,00007FF73D7C24B3,?,?,?,00007FF73D7BCCEC,?,?,00000000,00007FF73D7B386F,?,?,?,00007FF73D7B9473), ref: 00007FF73D7BA814
SetLastError.KERNEL32(?,?,?,00007FF73D7C24B3,?,?,?,00007FF73D7BCCEC,?,?,00000000,00007FF73D7B386F,?,?,?,00007FF73D7B9473), ref: 00007FF73D7BA82F

Memory Dump Source

Source File: 00000003.00000002.2440853785.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000003.00000002.2440821736.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440889498.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2441000945.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 78cf2455f8789f49a255dc6ffb64301edc27073bb37ec47cc96fd54928eaf598
Instruction ID: e65f284636d0e9b19f52ab4430d53f97887b3b3550bdb82e708ecf4ffafae41c
Opcode Fuzzy Hash: 78cf2455f8789f49a255dc6ffb64301edc27073bb37ec47cc96fd54928eaf598
Instruction Fuzzy Hash: 8C21FD20F0CA0A62FA6973E05955179EA52AF6C7B0FC40734E83E47BC6FF6CB4416220

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7C70EC Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 00007FF73D7C711D
GetLastError.KERNEL32 ref: 00007FF73D7C7129
CloseHandle.KERNEL32 ref: 00007FF73D7C7141
CreateFileW.KERNEL32 ref: 00007FF73D7C716C
WriteConsoleW.KERNEL32 ref: 00007FF73D7C718B

Strings

CONOUT$, xrefs: 00007FF73D7C714D

Memory Dump Source

Source File: 00000003.00000002.2440853785.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000003.00000002.2440821736.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440889498.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2441000945.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: 900c1da012dee1dfb60ea43974335527b3f6c3b56b4e810762f126343bdfd55c
Instruction ID: 657aa8749b6e139b72acfed6228271fdb15503b1051557c232251e8b84308eda
Opcode Fuzzy Hash: 900c1da012dee1dfb60ea43974335527b3f6c3b56b4e810762f126343bdfd55c
Instruction Fuzzy Hash: B8119322B1CB459AE350AB92E854329A2A0FB8CBF5F840234DA9D87794EF7CE4449750

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7BA8F8 Relevance: 9.1, APIs: 6, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FF73D7B6091,?,?,?,?,00007FF73D7BDF1F,?,?,00000000,00007FF73D7BAA16,?,?,?), ref: 00007FF73D7BA907
FlsSetValue.KERNEL32(?,?,?,00007FF73D7B6091,?,?,?,?,00007FF73D7BDF1F,?,?,00000000,00007FF73D7BAA16,?,?,?), ref: 00007FF73D7BA93D
FlsSetValue.KERNEL32(?,?,?,00007FF73D7B6091,?,?,?,?,00007FF73D7BDF1F,?,?,00000000,00007FF73D7BAA16,?,?,?), ref: 00007FF73D7BA96A
FlsSetValue.KERNEL32(?,?,?,00007FF73D7B6091,?,?,?,?,00007FF73D7BDF1F,?,?,00000000,00007FF73D7BAA16,?,?,?), ref: 00007FF73D7BA97B
FlsSetValue.KERNEL32(?,?,?,00007FF73D7B6091,?,?,?,?,00007FF73D7BDF1F,?,?,00000000,00007FF73D7BAA16,?,?,?), ref: 00007FF73D7BA98C
SetLastError.KERNEL32(?,?,?,00007FF73D7B6091,?,?,?,?,00007FF73D7BDF1F,?,?,00000000,00007FF73D7BAA16,?,?,?), ref: 00007FF73D7BA9A7

Memory Dump Source

Source File: 00000003.00000002.2440853785.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000003.00000002.2440821736.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440889498.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2441000945.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 62dca5d10fd8524d44a9ca6b61b614a098d57abd4030ec328ef3c17f7e173edc
Instruction ID: 576ff46cf3acc65a09dc9227a87b1c183b6a49bed6d44eda76a4e226ce5dc60e
Opcode Fuzzy Hash: 62dca5d10fd8524d44a9ca6b61b614a098d57abd4030ec328ef3c17f7e173edc
Instruction Fuzzy Hash: 5E11DE20B0C60A62FA5873E19995179E692AFAD7B0FC54734E87E437D6FF6CB4407220

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7ABC08 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 144COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF73D7ABC33
_IsNonwritableInCurrentImage.LIBCMT ref: 00007FF73D7ABCC8
RtlUnwindEx.KERNEL32 ref: 00007FF73D7ABD17

Strings

csm, xrefs: 00007FF73D7ABCAE
f, xrefs: 00007FF73D7ABC46

Memory Dump Source

Source File: 00000003.00000002.2440853785.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000003.00000002.2440821736.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440889498.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2441000945.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm$f
API String ID: 2395640692-629598281
Opcode ID: e4cc0f9b1589dd73a5d4f416534ce71b9b3e94dd2aede877d85d93aa73312820
Instruction ID: 02df527b9b837b6ca96c77ce98d63b28de1ec998c874bf49164b388b2ba260a3
Opcode Fuzzy Hash: e4cc0f9b1589dd73a5d4f416534ce71b9b3e94dd2aede877d85d93aa73312820
Instruction Fuzzy Hash: 4E51C732A2D60AAAD715EF55E408A39B795FB48B88FD18134EA4E47748FF38F841D710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7B8A40 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00007FF73D7B8A65
GetProcAddress.KERNEL32 ref: 00007FF73D7B8A7B
FreeLibrary.KERNEL32 ref: 00007FF73D7B8AA2

Strings

CorExitProcess, xrefs: 00007FF73D7B8A74
mscoree.dll, xrefs: 00007FF73D7B8A5C

Memory Dump Source

Source File: 00000003.00000002.2440853785.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000003.00000002.2440821736.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440889498.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2441000945.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 78a1a69aac29132cf000f84d0d5f993c26bceca4d1e4e1c3cfa2e89eec15c9a9
Instruction ID: 3f764ba9dbf79d3a14a3b9682b419b2fc83fc32fcfa706dcc57adfeff000a78d
Opcode Fuzzy Hash: 78a1a69aac29132cf000f84d0d5f993c26bceca4d1e4e1c3cfa2e89eec15c9a9
Instruction Fuzzy Hash: C5F04461A0D70A51EA10AB94E8543399360BF4D7B1FD40635CAAD461E4FF2CE088E320

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7C8824 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00007FF73D7C884C
_set_statfp.LIBCMT ref: 00007FF73D7C8867
_set_statfp.LIBCMT ref: 00007FF73D7C8883
_set_statfp.LIBCMT ref: 00007FF73D7C88BF

Memory Dump Source

Source File: 00000003.00000002.2440853785.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000003.00000002.2440821736.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440889498.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2441000945.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 69d38c35bd33e64192705e47d806ebaffe6519085bb8d16871af39b095092657
Instruction ID: 8a387cb5287f0b2c8d14b08fd502ee7c0803bbeec9480428bbb9fea52dd92f38
Opcode Fuzzy Hash: 69d38c35bd33e64192705e47d806ebaffe6519085bb8d16871af39b095092657
Instruction Fuzzy Hash: DE118622D2CA2B29F6743194D45537591816F5D374F890634E9EE4BADBEF2CB8406120

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7BA9C0 Relevance: 7.6, APIs: 5, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,00007FF73D7B9BD3,?,?,00000000,00007FF73D7B9E6E,?,?,?,?,?,00007FF73D7B1A40), ref: 00007FF73D7BA9DF
FlsSetValue.KERNEL32(?,?,?,00007FF73D7B9BD3,?,?,00000000,00007FF73D7B9E6E,?,?,?,?,?,00007FF73D7B1A40), ref: 00007FF73D7BA9FE
FlsSetValue.KERNEL32(?,?,?,00007FF73D7B9BD3,?,?,00000000,00007FF73D7B9E6E,?,?,?,?,?,00007FF73D7B1A40), ref: 00007FF73D7BAA26
FlsSetValue.KERNEL32(?,?,?,00007FF73D7B9BD3,?,?,00000000,00007FF73D7B9E6E,?,?,?,?,?,00007FF73D7B1A40), ref: 00007FF73D7BAA37
FlsSetValue.KERNEL32(?,?,?,00007FF73D7B9BD3,?,?,00000000,00007FF73D7B9E6E,?,?,?,?,?,00007FF73D7B1A40), ref: 00007FF73D7BAA48

Memory Dump Source

Source File: 00000003.00000002.2440853785.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000003.00000002.2440821736.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440889498.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2441000945.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 358dba81be253043741c53dc9c404725d40e2bf31f5f8457cfbf7a8f66644627
Instruction ID: 356adb156fbb5f7645a66488813e76133487a23e6b7052feb4a9ae86f8f117c6
Opcode Fuzzy Hash: 358dba81be253043741c53dc9c404725d40e2bf31f5f8457cfbf7a8f66644627
Instruction Fuzzy Hash: 13116D21A0C60A61FA5873E55A91179E9426F6C7B0F844334E83E477C6FF6CF441A620

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7BA854 Relevance: 7.6, APIs: 5, Instructions: 50COMMON

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,?,?,?,?,00007FF73D7C24B3,?,?,?,00007FF73D7BCCEC,?,?,00000000,00007FF73D7B386F), ref: 00007FF73D7BA865
FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00007FF73D7C24B3,?,?,?,00007FF73D7BCCEC,?,?,00000000,00007FF73D7B386F), ref: 00007FF73D7BA884
FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00007FF73D7C24B3,?,?,?,00007FF73D7BCCEC,?,?,00000000,00007FF73D7B386F), ref: 00007FF73D7BA8AC
FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00007FF73D7C24B3,?,?,?,00007FF73D7BCCEC,?,?,00000000,00007FF73D7B386F), ref: 00007FF73D7BA8BD
FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00007FF73D7C24B3,?,?,?,00007FF73D7BCCEC,?,?,00000000,00007FF73D7B386F), ref: 00007FF73D7BA8CE

Memory Dump Source

Source File: 00000003.00000002.2440853785.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000003.00000002.2440821736.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440889498.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2441000945.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 22c838abe64280046e65700e1fb081e145edbc5aabc1c6ea6e91899ef1423157
Instruction ID: 8de3d1b6fed6f7159be658053c7715b00672cb8969b6e31aa2b758845f7f88fe
Opcode Fuzzy Hash: 22c838abe64280046e65700e1fb081e145edbc5aabc1c6ea6e91899ef1423157
Instruction Fuzzy Hash: 70114810E0CA0F61F9AA72E148521B995426F6D370FC80B34E83E4ABC2FF6DB4427231

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7BF218 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 219COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF73D7BF4F7

Part of subcall function 00007FF73D7C54F4: _invalid_parameter_noinfo.LIBCMT ref: 00007FF73D7C5511

Strings

UTF-8, xrefs: 00007FF73D7BF476
UTF-16LEUNICODE, xrefs: 00007FF73D7BF495
ccs, xrefs: 00007FF73D7BF432

Memory Dump Source

Source File: 00000003.00000002.2440853785.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000003.00000002.2440821736.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440889498.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2441000945.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: UTF-16LEUNICODE$UTF-8$ccs
API String ID: 3215553584-1196891531
Opcode ID: fa9c2c0b9e0b51f4f192ae3b8b8b95ed4a793ff286fdede4dba764f85164dfb1
Instruction ID: 81ef92fa8475317c67566f1b768b365ca134620ff95cb475da37eaa53685e9d3
Opcode Fuzzy Hash: fa9c2c0b9e0b51f4f192ae3b8b8b95ed4a793ff286fdede4dba764f85164dfb1
Instruction Fuzzy Hash: F1819136D0C20AA5F7646FE9C150279F6A0AF29F44FD58071DA0997295EB2EF903B321

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8A8092000 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 196COMMON

Download Yara Rule

APIs

00007FF8C6126570.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF8A8092042
00007FF8C6126570.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF8A8092060

Strings

HANGUL SYLLABLE , xrefs: 00007FF8A809202F
CJK UNIFIED IDEOGRAPH-, xrefs: 00007FF8A8092056

Memory Dump Source

Source File: 00000003.00000002.2441062409.00007FF8A8091000.00000040.00000001.01000000.0000001E.sdmp, Offset: 00007FF8A8090000, based on PE: true

Associated: 00000003.00000002.2441033358.00007FF8A8090000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000003.00000002.2441062409.00007FF8A80EC000.00000040.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000003.00000002.2441062409.00007FF8A8137000.00000040.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000003.00000002.2441062409.00007FF8A813B000.00000040.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000003.00000002.2441062409.00007FF8A8140000.00000040.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000003.00000002.2441062409.00007FF8A8195000.00000040.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000003.00000002.2441062409.00007FF8A819B000.00000040.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000003.00000002.2441062409.00007FF8A819E000.00000040.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000003.00000002.2441362670.00007FF8A819F000.00000080.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000003.00000002.2441390190.00007FF8A81A1000.00000004.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff8a8090000_xSO7sbN2j6.jbxd

Similarity

API ID: 00007C6126570
String ID: CJK UNIFIED IDEOGRAPH-$HANGUL SYLLABLE
API String ID: 800424832-87138338
Opcode ID: f3d1a0fd07fe994ba10152decafdc21747fdf3a586550f70934b7ddbcfd20b04
Instruction ID: d4e61d28e58706d951daa44bc4344f95b52086c0a72060919b1748470170b763
Opcode Fuzzy Hash: f3d1a0fd07fe994ba10152decafdc21747fdf3a586550f70934b7ddbcfd20b04
Instruction Fuzzy Hash: E5713772B0AE426EEF64CB25A8406BA73A1FF907C4F444231EA6D436D5EF3CD8258754

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7AD468 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 00007FF73D7AD4B4
_CallSETranslator.LIBVCRUNTIME ref: 00007FF73D7AD503

Strings

RCC, xrefs: 00007FF73D7AD4D1
MOC, xrefs: 00007FF73D7AD4C8

Memory Dump Source

Source File: 00000003.00000002.2440853785.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000003.00000002.2440821736.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440889498.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2441000945.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: f09742bcba9082defbae069630545238114b431a0e4fd7be58dd8469a5d7fef1
Instruction ID: e32ea7e34947616c448e8fe8d4fcffbe01d11c99797d9df8b0b78445e995f7f4
Opcode Fuzzy Hash: f09742bcba9082defbae069630545238114b431a0e4fd7be58dd8469a5d7fef1
Instruction Fuzzy Hash: 6D616A76A08B499AE710EFA5D4803ADB7A0FB48B8CF444225EF4D17B98EF78E055D710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7AD7C4 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 145COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF73D7AD7EC
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00007FF73D7AD8D4

Strings

csm, xrefs: 00007FF73D7AD926
csm, xrefs: 00007FF73D7AD80E

Memory Dump Source

Source File: 00000003.00000002.2440853785.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000003.00000002.2440821736.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440889498.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2441000945.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: a3990994d2fbb822c09bdc2a35b5fa2b647080e9aebb1a5b00e12dffe7bfe986
Instruction ID: 6442dccb38bb96ea3a04bbed2afc9502356daac3ec9170fa1eb8f9997e9952ff
Opcode Fuzzy Hash: a3990994d2fbb822c09bdc2a35b5fa2b647080e9aebb1a5b00e12dffe7bfe986
Instruction Fuzzy Hash: 6551E33290C24AA6EB60AF959444378B7A0FB49B94F884132EA9C47BD5FF3CF450D710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8A81B22D9 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 57COMMON

Download Yara Rule

APIs

00007FF8C6125630.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF8A8362C9A

Strings

..\s\crypto\pem\pem_pkey.c, xrefs: 00007FF8A8362CC4, 00007FF8A8362CE9, 00007FF8A8362D00
DH PARAMETERS, xrefs: 00007FF8A8362C4B
X9.42 DH PARAMETERS, xrefs: 00007FF8A8362C89

Memory Dump Source

Source File: 00000003.00000002.2441450814.00007FF8A81B1000.00000040.00000001.01000000.00000017.sdmp, Offset: 00007FF8A81B0000, based on PE: true

Associated: 00000003.00000002.2441421471.00007FF8A81B0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2441450814.00007FF8A81BD000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2441450814.00007FF8A8215000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2441450814.00007FF8A8229000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2441450814.00007FF8A823A000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2441450814.00007FF8A8240000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2441450814.00007FF8A824D000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2441450814.00007FF8A83F6000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2441450814.00007FF8A83F8000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2441450814.00007FF8A8423000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2441450814.00007FF8A8454000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2441450814.00007FF8A847A000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2441450814.00007FF8A84C7000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2441450814.00007FF8A84CF000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2441450814.00007FF8A84EB000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2441450814.00007FF8A84F8000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2442136726.00007FF8A84FC000.00000080.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2442165063.00007FF8A84FE000.00000004.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff8a81b0000_xSO7sbN2j6.jbxd

Similarity

API ID: 00007C6125630
String ID: ..\s\crypto\pem\pem_pkey.c$DH PARAMETERS$X9.42 DH PARAMETERS
API String ID: 1529501491-3633731555
Opcode ID: 238061471d871427c2d5dadc8bac63395304ecb0de6910e9e78e9431ca4b222d
Instruction ID: d414d5574a52b3fd890a8389a66b151db8c3ce53e76cd0485dd5cbce2c713ab2
Opcode Fuzzy Hash: 238061471d871427c2d5dadc8bac63395304ecb0de6910e9e78e9431ca4b222d
Instruction Fuzzy Hash: B121D321A0AA86A2EB11DB55E4001AAF3A4FF947D0F484031EA8C47B55EF7CE544CB24

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7A2CD0 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,00007FF73D7A27C9,?,?,?,?,?,?), ref: 00007FF73D7A2D01

Part of subcall function 00007FF73D7A1CB0: GetLastError.KERNEL32(?,?,00000000,00007FF73D7A6904,?,?,?,?,?,?,?,?,?,?,?,00007FF73D7A1023), ref: 00007FF73D7A1CD7

Strings

Failed to get executable path., xrefs: 00007FF73D7A2D0B
GetModuleFileNameW, xrefs: 00007FF73D7A2D12
Failed to convert executable path to UTF-8., xrefs: 00007FF73D7A2D3A

Memory Dump Source

Source File: 00000003.00000002.2440853785.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000003.00000002.2440821736.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440889498.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2441000945.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID: ErrorFileLastModuleName
String ID: Failed to convert executable path to UTF-8.$Failed to get executable path.$GetModuleFileNameW
API String ID: 2776309574-1977442011
Opcode ID: fa74f7d49a5bba7cfca93e60cd70646f34d32484488c9266ff3ae070a385e0ea
Instruction ID: 22e7f05a44c0b878c080dcbc08135b3a5094b3faa20fb1b8d8d6afb9ac802d61
Opcode Fuzzy Hash: fa74f7d49a5bba7cfca93e60cd70646f34d32484488c9266ff3ae070a385e0ea
Instruction Fuzzy Hash: EC017C61B1D64AB5FA61B7A0E8153B59291BF5C3C1FC01032D88E8B396FF1CF254A720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7BBBD0 Relevance: 6.3, APIs: 4, Instructions: 299fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 00007FF73D7BBC4F
WriteFile.KERNEL32 ref: 00007FF73D7BBF17
WriteFile.KERNEL32 ref: 00007FF73D7BBF5D
GetLastError.KERNEL32 ref: 00007FF73D7BC013

Memory Dump Source

Source File: 00000003.00000002.2440853785.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000003.00000002.2440821736.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440889498.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2441000945.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: 47f9f7c1e3185106a498671fedee26090088e719dd8e44b73d57f810765c87d4
Instruction ID: ae25286e6347ef5d88ca17dee857a11b0038008cae33ad8052fbb896aa10f2b5
Opcode Fuzzy Hash: 47f9f7c1e3185106a498671fedee26090088e719dd8e44b73d57f810765c87d4
Instruction Fuzzy Hash: 87D10372B0CA8999E711DFB5C4402ACB771FB58B98B804136DE4E97B99EF38E006D710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7C4DBC Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 121COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF73D7C0920: _invalid_parameter_noinfo.LIBCMT ref: 00007FF73D7C0953

_get_daylight.LIBCMT ref: 00007FF73D7C4ED4
_get_daylight.LIBCMT ref: 00007FF73D7C4EE5

Strings

?, xrefs: 00007FF73D7C4E65

Memory Dump Source

Source File: 00000003.00000002.2440853785.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000003.00000002.2440821736.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440889498.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2441000945.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo
String ID: ?
API String ID: 1286766494-1684325040
Opcode ID: 7a76fc5472fa01dafaf21516cddcde8ab34b2c46cd3e7f8dd598f321934e5d52
Instruction ID: 0f513155ee7fa2740f6b051a68b69dd75d8d2a38752f1daea3a4750a8767295f
Opcode Fuzzy Hash: 7a76fc5472fa01dafaf21516cddcde8ab34b2c46cd3e7f8dd598f321934e5d52
Instruction Fuzzy Hash: 4C414C12A0C68A69FB20ABB5D401379D660EB98BB8F944235EE9D07AD5FF3CF441D710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8A81B1DDE Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 113COMMON

Download Yara Rule

APIs

getaddrinfo.WS2_32 ref: 00007FF8A8276449
getaddrinfo.WS2_32 ref: 00007FF8A8276484

Strings

..\s\crypto\bio\b_addr.c, xrefs: 00007FF8A82764B1, 00007FF8A82764F8, 00007FF8A8276524

Memory Dump Source

Source File: 00000003.00000002.2441450814.00007FF8A81B1000.00000040.00000001.01000000.00000017.sdmp, Offset: 00007FF8A81B0000, based on PE: true

Associated: 00000003.00000002.2441421471.00007FF8A81B0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2441450814.00007FF8A81BD000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2441450814.00007FF8A8215000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2441450814.00007FF8A8229000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2441450814.00007FF8A823A000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2441450814.00007FF8A8240000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2441450814.00007FF8A824D000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2441450814.00007FF8A83F6000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2441450814.00007FF8A83F8000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2441450814.00007FF8A8423000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2441450814.00007FF8A8454000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2441450814.00007FF8A847A000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2441450814.00007FF8A84C7000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2441450814.00007FF8A84CF000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2441450814.00007FF8A84EB000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2441450814.00007FF8A84F8000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2442136726.00007FF8A84FC000.00000080.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2442165063.00007FF8A84FE000.00000004.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff8a81b0000_xSO7sbN2j6.jbxd

Similarity

API ID: getaddrinfo
String ID: ..\s\crypto\bio\b_addr.c
API String ID: 300660673-2547254400
Opcode ID: d8f2f42e3c8b58b55d71bc5e225149b8ac0019e957516eef7570a051d71f3517
Instruction ID: 841e91b09a60a83e1af47b7c9f0d1cbc3fe0b8d9a321f770d0a7c25e4d572140
Opcode Fuzzy Hash: d8f2f42e3c8b58b55d71bc5e225149b8ac0019e957516eef7570a051d71f3517
Instruction Fuzzy Hash: E441E272E1928297E7208F13A445ABE73A1FB847C4F400039FA8A83B49DF3CD845CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7B7FD0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 111COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF73D7B8002

Part of subcall function 00007FF73D7B9F78: HeapFree.KERNEL32(?,?,?,00007FF73D7C1EC2,?,?,?,00007FF73D7C1EFF,?,?,00000000,00007FF73D7C23C5,?,?,00000000,00007FF73D7C22F7), ref: 00007FF73D7B9F8E
Part of subcall function 00007FF73D7B9F78: GetLastError.KERNEL32(?,?,?,00007FF73D7C1EC2,?,?,?,00007FF73D7C1EFF,?,?,00000000,00007FF73D7C23C5,?,?,00000000,00007FF73D7C22F7), ref: 00007FF73D7B9F98

GetModuleFileNameW.KERNEL32(?,?,?,?,?,00007FF73D7AA485), ref: 00007FF73D7B8020

Strings

C:\Users\user\Desktop\xSO7sbN2j6.exe, xrefs: 00007FF73D7B800E

Memory Dump Source

Source File: 00000003.00000002.2440853785.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000003.00000002.2440821736.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440889498.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2441000945.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID: ErrorFileFreeHeapLastModuleName_invalid_parameter_noinfo
String ID: C:\Users\user\Desktop\xSO7sbN2j6.exe
API String ID: 3580290477-2892895399
Opcode ID: 83176ff4db4dd0536c3ddf35c800fe3e17928d2d4ec44ff73abd72510ae6e28f
Instruction ID: d77b968abe8ace9e80dce9286fd5fb6461789b5b305ccf334dc3065e768a0ef6
Opcode Fuzzy Hash: 83176ff4db4dd0536c3ddf35c800fe3e17928d2d4ec44ff73abd72510ae6e28f
Instruction Fuzzy Hash: 24417F36A0CB1AA6E714AF61D8410B8A7A4EF5C7D4BD45035FA4E43B95EF3CF4819360

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7BC268 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 00007FF73D7BC37F
GetLastError.KERNEL32 ref: 00007FF73D7BC3A1

Strings

U, xrefs: 00007FF73D7BC32B

Memory Dump Source

Source File: 00000003.00000002.2440853785.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000003.00000002.2440821736.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440889498.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2441000945.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 3868b3aae24abb70b6c7ced641cfa87b6d54125405e373b4c87f7bfc476be08b
Instruction ID: 9edfc7421728f929e1d956788be6f19ecaa2f95af8da7f4f0660ca1b86ca2057
Opcode Fuzzy Hash: 3868b3aae24abb70b6c7ced641cfa87b6d54125405e373b4c87f7bfc476be08b
Instruction Fuzzy Hash: D741B422A1CA89A5DB609FA5E8443A9B760FB98794FC44031EE4D87758EF3CE441D750

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8A81B3E54 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 74COMMON

Download Yara Rule

APIs

00007FF8C619EFC0.API-MS-WIN-CRT-FILESYSTEM-L1-1-0 ref: 00007FF8A837A4CD

Strings

Filename=, xrefs: 00007FF8A837A442, 00007FF8A837A4B1
..\s\crypto\rand\randfile.c, xrefs: 00007FF8A837A42C, 00007FF8A837A490

Memory Dump Source

Source File: 00000003.00000002.2441450814.00007FF8A81B1000.00000040.00000001.01000000.00000017.sdmp, Offset: 00007FF8A81B0000, based on PE: true

Associated: 00000003.00000002.2441421471.00007FF8A81B0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2441450814.00007FF8A81BD000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2441450814.00007FF8A8215000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2441450814.00007FF8A8229000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2441450814.00007FF8A823A000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2441450814.00007FF8A8240000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2441450814.00007FF8A824D000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2441450814.00007FF8A83F6000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2441450814.00007FF8A83F8000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2441450814.00007FF8A8423000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2441450814.00007FF8A8454000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2441450814.00007FF8A847A000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2441450814.00007FF8A84C7000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2441450814.00007FF8A84CF000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2441450814.00007FF8A84EB000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2441450814.00007FF8A84F8000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2442136726.00007FF8A84FC000.00000080.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2442165063.00007FF8A84FE000.00000004.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff8a81b0000_xSO7sbN2j6.jbxd

Similarity

API ID: 00007C619
String ID: ..\s\crypto\rand\randfile.c$Filename=
API String ID: 3270680611-2201148535
Opcode ID: 7aa9f0ae97a5a607961eb6102bd7d32f256fdfccc8fd4d891701d180c1966ebd
Instruction ID: 82025755fcea1dcb222b632cb46abbba1c9f57fef2393f6cc188e6f2518f6488
Opcode Fuzzy Hash: 7aa9f0ae97a5a607961eb6102bd7d32f256fdfccc8fd4d891701d180c1966ebd
Instruction Fuzzy Hash: F531AE71A0BA46A6EB21DB11E4053F963A5FF84BC8F844036EA4D07795EF3CE549C728

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7BE588 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32 ref: 00007FF73D7BE5C8
GetCurrentDirectoryW.KERNEL32 ref: 00007FF73D7BE61A

Strings

:, xrefs: 00007FF73D7BE5DE

Memory Dump Source

Source File: 00000003.00000002.2440853785.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000003.00000002.2440821736.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440889498.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2441000945.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID: CurrentDirectory
String ID: :
API String ID: 1611563598-336475711
Opcode ID: 69729114f07132f4e5c02582f69e799d97905c52b16ff4e3b4ac21f165a3e13d
Instruction ID: 1755fc556a1da28170fabbc13df5f88811531fbffdda114b307d6996ab2c44c4
Opcode Fuzzy Hash: 69729114f07132f4e5c02582f69e799d97905c52b16ff4e3b4ac21f165a3e13d
Instruction Fuzzy Hash: 8721F222B1C28995EB28AB55D04426DB3B1FB9CB88FC54035D68D43384EF7CF945DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7AE310 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32 ref: 00007FF73D7AE354
RaiseException.KERNEL32 ref: 00007FF73D7AE39A

Strings

csm, xrefs: 00007FF73D7AE387

Memory Dump Source

Source File: 00000003.00000002.2440853785.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000003.00000002.2440821736.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440889498.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2441000945.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: ee4cd62d6736e0f26efa3482034fbaa09f2706f16dc7c85cfdea4997af4e44da
Instruction ID: 896f1a36c061e744c92c871ba5f30433224728dfba85e74b9cc71077110cc293
Opcode Fuzzy Hash: ee4cd62d6736e0f26efa3482034fbaa09f2706f16dc7c85cfdea4997af4e44da
Instruction Fuzzy Hash: E6111C32A1CB4992EB219F55F440269B7A5FB88B94F584231EECD07768EF3CE5519B00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D7BF08C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF73D7BF0BC
GetDriveTypeW.KERNEL32 ref: 00007FF73D7BF0FC

Strings

:, xrefs: 00007FF73D7BF0E5

Memory Dump Source

Source File: 00000003.00000002.2440853785.00007FF73D7A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73D7A0000, based on PE: true

Associated: 00000003.00000002.2440821736.00007FF73D7A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440889498.00007FF73D7CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2440921899.00007FF73D7EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2441000945.00007FF73D7EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff73d7a0000_xSO7sbN2j6.jbxd

Similarity

API ID: DriveType_invalid_parameter_noinfo
String ID: :
API String ID: 2595371189-336475711
Opcode ID: 231bdef7d4e4c9a314d514652501e8a1bb3d1d6653b2e53c967e9d93a887682d
Instruction ID: 01075045691a855fd7fa22316cf7812ff9c93fe3af67931ac36722cdd7d10247
Opcode Fuzzy Hash: 231bdef7d4e4c9a314d514652501e8a1bb3d1d6653b2e53c967e9d93a887682d
Instruction Fuzzy Hash: 67017161A1C60A96E720BFE0946127EE3A0EF5DB04FC40036D58D86691FF2DF545A634

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8A81B344F Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 31COMMON

Download Yara Rule

APIs

00007FF8C61208A0.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FF8A82BFDB4

Strings

!, xrefs: 00007FF8A82BFD91
..\s\crypto\ct\ct_policy.c, xrefs: 00007FF8A82BFD73, 00007FF8A82BFD8A

Memory Dump Source

Source File: 00000003.00000002.2441450814.00007FF8A81B1000.00000040.00000001.01000000.00000017.sdmp, Offset: 00007FF8A81B0000, based on PE: true

Associated: 00000003.00000002.2441421471.00007FF8A81B0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2441450814.00007FF8A81BD000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2441450814.00007FF8A8215000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2441450814.00007FF8A8229000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2441450814.00007FF8A823A000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2441450814.00007FF8A8240000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2441450814.00007FF8A824D000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2441450814.00007FF8A83F6000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2441450814.00007FF8A83F8000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2441450814.00007FF8A8423000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2441450814.00007FF8A8454000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2441450814.00007FF8A847A000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2441450814.00007FF8A84C7000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2441450814.00007FF8A84CF000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2441450814.00007FF8A84EB000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2441450814.00007FF8A84F8000.00000040.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2442136726.00007FF8A84FC000.00000080.00000001.01000000.00000017.sdmpDownload File
Associated: 00000003.00000002.2442165063.00007FF8A84FE000.00000004.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff8a81b0000_xSO7sbN2j6.jbxd

Similarity

API ID: 00007C61208
String ID: !$..\s\crypto\ct\ct_policy.c
API String ID: 3535234312-3401457818
Opcode ID: 7dd7914ea23ad579c57b6056f7cce2880690e26ce5683a11da2da96350132182
Instruction ID: af3d6229d2a5fd7bca348e43c8beeabbec387ca24ff4822c7465df6e0341e933
Opcode Fuzzy Hash: 7dd7914ea23ad579c57b6056f7cce2880690e26ce5683a11da2da96350132182
Instruction Fuzzy Hash: 8DF04971A17606AAEB169B24E40A7ED6394FF44788F440534DA0D423D1EF3CA656C728

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: netconn_properties.exePID: 1352, Parent PID: 3424COMMON

Execution Graph

Execution Coverage:	1.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	1521
Total number of Limit Nodes:	32

Executed Functions

Function 00A01260 Relevance: 25.9, APIs: 1, Strings: 15, Instructions: 1921COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00A012AD

Strings

"guidId": ", xrefs: 00A01487
{, xrefs: 00A013AB
"MediaType": ", xrefs: 00A020B8
"clsidUiObject": ", xrefs: 00A029A6
%, xrefs: 00A02BA3
Error getting connection properties: 0x%x"}, xrefs: 00A01399
{"error": "Error enumerating network connections: 0x%x"}, xrefs: 00A01326
"Status": ", xrefs: 00A01D78
"dwCharacter": ", xrefs: 00A023C8
{"error": "Error creating INetConnectionManager object: 0x%x"}, xrefs: 00A012EF
"clsidThisObject": ", xrefs: 00A026B7
{"error": "Error initializing COM: 0x%x"}, xrefs: 00A012B8
"pszwDeviceName": ", xrefs: 00A01A3B
"pszwName": ", xrefs: 00A01761
",, xrefs: 00A014C8, 00A017A2, 00A01A7C, 00A01DB9, 00A020F9, 00A02409, 00A026F8

Memory Dump Source

Source File: 00000007.00000002.2414728783.0000000000A01000.00000040.00000001.01000000.00000021.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000007.00000002.2414712056.0000000000A00000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000007.00000002.2414728783.0000000000A1F000.00000040.00000001.01000000.00000021.sdmpDownload File
Associated: 00000007.00000002.2414728783.0000000000A24000.00000040.00000001.01000000.00000021.sdmpDownload File
Associated: 00000007.00000002.2414797468.0000000000A25000.00000080.00000001.01000000.00000021.sdmpDownload File
Associated: 00000007.00000002.2414816674.0000000000A27000.00000004.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_a00000_netconn_properties.jbxd

Similarity

API ID: Initialize
String ID: "MediaType": "$"Status": "$"clsidThisObject": "$"clsidUiObject": "$"dwCharacter": "$"guidId": "$"pszwDeviceName": "$"pszwName": "${$",$%$Error getting connection properties: 0x%x"}${"error": "Error creating INetConnectionManager object: 0x%x"}${"error": "Error enumerating network connections: 0x%x"}${"error": "Error initializing COM: 0x%x"}
API String ID: 2538663250-3156161455
Opcode ID: 711d0258e6963f1ef638e975516a28e0e2dfa988d51b8ca663cc07d97a881ade
Instruction ID: cfa90c3f1d48741f55d9c0efe8e7c7bc6a90ce62b737e3cddf45d8ecd73dc616
Opcode Fuzzy Hash: 711d0258e6963f1ef638e975516a28e0e2dfa988d51b8ca663cc07d97a881ade
Instruction Fuzzy Hash: 4203D231A002588FEB29CB28DD99BDDBBB1AF55304F1482D8E449AB2D2DB745FC4CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00A09AC9 Relevance: 4.5, APIs: 3, Instructions: 15
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(00A09BD3,?,00A09AC3,00000000,?,?,00A09BD3,2EC2FEAC,?,00A09BD3), ref: 00A09ADA
TerminateProcess.KERNEL32(00000000,?,00A09AC3,00000000,?,?,00A09BD3,2EC2FEAC,?,00A09BD3), ref: 00A09AE1
ExitProcess.KERNEL32 ref: 00A09AF3

Memory Dump Source

Source File: 00000007.00000002.2414728783.0000000000A01000.00000040.00000001.01000000.00000021.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000007.00000002.2414712056.0000000000A00000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000007.00000002.2414728783.0000000000A1F000.00000040.00000001.01000000.00000021.sdmpDownload File
Associated: 00000007.00000002.2414728783.0000000000A24000.00000040.00000001.01000000.00000021.sdmpDownload File
Associated: 00000007.00000002.2414797468.0000000000A25000.00000080.00000001.01000000.00000021.sdmpDownload File
Associated: 00000007.00000002.2414816674.0000000000A27000.00000004.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_a00000_netconn_properties.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 237bc8902f2d4725bfd5275b473cdb6fba1f3da65f3c0877ac936613bb694fb0
Instruction ID: a8fee80e1efe354cdd0d28a410168beda9fc11cc095689da41329f1780efaaa1
Opcode Fuzzy Hash: 237bc8902f2d4725bfd5275b473cdb6fba1f3da65f3c0877ac936613bb694fb0
Instruction Fuzzy Hash: AED09231104208AFCF21AFA0ED0D9DE3F3AAF49391B409410B90D4A0B2DB71DA93AA90

Uniqueness

Uniqueness Score: -1.00%

Function 00A0AE80 Relevance: 3.1, APIs: 2, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00A0AECC
GetFileType.KERNELBASE(00000000), ref: 00A0AEDE

Memory Dump Source

Source File: 00000007.00000002.2414728783.0000000000A01000.00000040.00000001.01000000.00000021.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000007.00000002.2414712056.0000000000A00000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000007.00000002.2414728783.0000000000A1F000.00000040.00000001.01000000.00000021.sdmpDownload File
Associated: 00000007.00000002.2414728783.0000000000A24000.00000040.00000001.01000000.00000021.sdmpDownload File
Associated: 00000007.00000002.2414797468.0000000000A25000.00000080.00000001.01000000.00000021.sdmpDownload File
Associated: 00000007.00000002.2414816674.0000000000A27000.00000004.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_a00000_netconn_properties.jbxd

Similarity

API ID: FileHandleType
String ID:
API String ID: 3000768030-0
Opcode ID: 07c5b6a559165a8d2c2baea380ccfd2c889428d512b1585868cec51dd5c39925
Instruction ID: 71556e044f6fb69e6633832eae7b3f81695371a61b8137a060b8137ab2e70f33
Opcode Fuzzy Hash: 07c5b6a559165a8d2c2baea380ccfd2c889428d512b1585868cec51dd5c39925
Instruction Fuzzy Hash: 3D1184B160476A4AC7308B3DEC886627AA5A776331B38071AE1B7C75F1C334DD87D646

Uniqueness

Uniqueness Score: -1.00%

Function 00A038B5 Relevance: 1.5, APIs: 1, Instructions: 22
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00A03ECE: GetModuleHandleW.KERNEL32(00000000,00A09A64,2EC2FEAC,?,00A09BD3), ref: 00A03ED0

___security_init_cookie.LIBCMT ref: 00A038FC

Memory Dump Source

Source File: 00000007.00000002.2414728783.0000000000A01000.00000040.00000001.01000000.00000021.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000007.00000002.2414712056.0000000000A00000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000007.00000002.2414728783.0000000000A1F000.00000040.00000001.01000000.00000021.sdmpDownload File
Associated: 00000007.00000002.2414728783.0000000000A24000.00000040.00000001.01000000.00000021.sdmpDownload File
Associated: 00000007.00000002.2414797468.0000000000A25000.00000080.00000001.01000000.00000021.sdmpDownload File
Associated: 00000007.00000002.2414816674.0000000000A27000.00000004.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_a00000_netconn_properties.jbxd

Similarity

API ID: HandleModule___security_init_cookie
String ID:
API String ID: 1525027140-0
Opcode ID: 6c86eecccad0cfbad3680f42d8b85d45ddf276b85981c2f06b6bf03fd3ea4200
Instruction ID: 0e8f45295c3cf2152a6b804cce296b126d15231ff8164f5d1eed7d6a74bdbbf5
Opcode Fuzzy Hash: 6c86eecccad0cfbad3680f42d8b85d45ddf276b85981c2f06b6bf03fd3ea4200
Instruction Fuzzy Hash: EAE04F73A0434D8FDF10EBA4F6023EDB776FF85324F104556E411622D2D7355A158650

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00A105F0 Relevance: 6.5, APIs: 4, Instructions: 455COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2414728783.0000000000A01000.00000040.00000001.01000000.00000021.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000007.00000002.2414712056.0000000000A00000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000007.00000002.2414728783.0000000000A1F000.00000040.00000001.01000000.00000021.sdmpDownload File
Associated: 00000007.00000002.2414728783.0000000000A24000.00000040.00000001.01000000.00000021.sdmpDownload File
Associated: 00000007.00000002.2414797468.0000000000A25000.00000080.00000001.01000000.00000021.sdmpDownload File
Associated: 00000007.00000002.2414816674.0000000000A27000.00000004.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_a00000_netconn_properties.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63c99720e4052abba5412a8387a14668e892786368012778eac4097f0a5c2c15
Instruction ID: 471f885cd0b58905d1ad6fe9bb7fa099e7655dc683c610dee76ce84c59e1c720
Opcode Fuzzy Hash: 63c99720e4052abba5412a8387a14668e892786368012778eac4097f0a5c2c15
Instruction Fuzzy Hash: 43021C71E012199FDF14CFA9C990AEEBBB1FF48314F248269E519E7381D771A981CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00A03DAE Relevance: 6.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00A03DBA
IsDebuggerPresent.KERNEL32 ref: 00A03E86
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00A03EA6
UnhandledExceptionFilter.KERNEL32(?), ref: 00A03EB0

Memory Dump Source

Source File: 00000007.00000002.2414728783.0000000000A01000.00000040.00000001.01000000.00000021.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000007.00000002.2414712056.0000000000A00000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000007.00000002.2414728783.0000000000A1F000.00000040.00000001.01000000.00000021.sdmpDownload File
Associated: 00000007.00000002.2414728783.0000000000A24000.00000040.00000001.01000000.00000021.sdmpDownload File
Associated: 00000007.00000002.2414797468.0000000000A25000.00000080.00000001.01000000.00000021.sdmpDownload File
Associated: 00000007.00000002.2414816674.0000000000A27000.00000004.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_a00000_netconn_properties.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 9d9b3baf93a7a1029f075312cf7da090788b5f2e978ae40e30eaba4fda07e0a9
Instruction ID: 31664d29f2f0d2ada93799cc912692a980de08c1cb056ff9dd96bc0d10f99c04
Opcode Fuzzy Hash: 9d9b3baf93a7a1029f075312cf7da090788b5f2e978ae40e30eaba4fda07e0a9
Instruction Fuzzy Hash: 02312775D4531D9BDF20DFA4E9897CDBBB8BF08300F1041AAE409AB290EB719B858F44

Uniqueness

Uniqueness Score: -1.00%

Function 00A04F4B Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 303
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

type_info::operator==.LIBVCRUNTIME ref: 00A0506A
___TypeMatch.LIBVCRUNTIME ref: 00A05178
_UnwindNestedFrames.LIBCMT ref: 00A052CA
CallUnexpected.LIBVCRUNTIME ref: 00A052E5

Strings

csm, xrefs: 00A04F88
csm, xrefs: 00A04FF5
csm, xrefs: 00A050A1

Memory Dump Source

Source File: 00000007.00000002.2414728783.0000000000A01000.00000040.00000001.01000000.00000021.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000007.00000002.2414712056.0000000000A00000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000007.00000002.2414728783.0000000000A1F000.00000040.00000001.01000000.00000021.sdmpDownload File
Associated: 00000007.00000002.2414728783.0000000000A24000.00000040.00000001.01000000.00000021.sdmpDownload File
Associated: 00000007.00000002.2414797468.0000000000A25000.00000080.00000001.01000000.00000021.sdmpDownload File
Associated: 00000007.00000002.2414816674.0000000000A27000.00000004.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_a00000_netconn_properties.jbxd

Similarity

API ID: CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm
API String ID: 2751267872-393685449
Opcode ID: db42e852309423f1400f7a42c266963aa1784bde8070b286f332c6bed1e8b2f9
Instruction ID: 5990ad8bceef39fe051b2842832529192fcbb569a85cd36e391507ab0a57c9cc
Opcode Fuzzy Hash: db42e852309423f1400f7a42c266963aa1784bde8070b286f332c6bed1e8b2f9
Instruction Fuzzy Hash: 13B168B1D0060DEFCF18DFA4E9819AFBBB5BF18310B14455AE8116B292D731DA61CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00A14230 Relevance: 12.2, APIs: 8, Instructions: 248
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCPInfo.KERNEL32(00BB21B8,00BB21B8,?,7FFFFFFF,?,00A14500,00BB21B8,00BB21B8,?,00BB21B8,?,?,?,?,00BB21B8,?), ref: 00A142D6
__alloca_probe_16.LIBCMT ref: 00A14391
__alloca_probe_16.LIBCMT ref: 00A14420
__freea.LIBCMT ref: 00A1446B
__freea.LIBCMT ref: 00A14471
__freea.LIBCMT ref: 00A144A7
__freea.LIBCMT ref: 00A144AD
__freea.LIBCMT ref: 00A144BD

Memory Dump Source

Source File: 00000007.00000002.2414728783.0000000000A01000.00000040.00000001.01000000.00000021.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000007.00000002.2414712056.0000000000A00000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000007.00000002.2414728783.0000000000A1F000.00000040.00000001.01000000.00000021.sdmpDownload File
Associated: 00000007.00000002.2414728783.0000000000A24000.00000040.00000001.01000000.00000021.sdmpDownload File
Associated: 00000007.00000002.2414797468.0000000000A25000.00000080.00000001.01000000.00000021.sdmpDownload File
Associated: 00000007.00000002.2414816674.0000000000A27000.00000004.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_a00000_netconn_properties.jbxd

Similarity

API ID: __freea$__alloca_probe_16$Info
String ID:
API String ID: 127012223-0
Opcode ID: 450ac4a50a87a5be52b3cf531268eeb1a266f1d24e41757b60762c29caab65b7
Instruction ID: 6c46e9d0c65623377190374956435f5a42f07a7beb590c67bdb470de3b61e239
Opcode Fuzzy Hash: 450ac4a50a87a5be52b3cf531268eeb1a266f1d24e41757b60762c29caab65b7
Instruction Fuzzy Hash: B571F772904209ABDF219FAC8D81BEF7BB99F4D710F290159F954AB281E735DC818760

Uniqueness

Uniqueness Score: -1.00%

Function 00A0B49D Relevance: 10.8, APIs: 7, Instructions: 329
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_strrchr.LIBCMT ref: 00A0B523

Memory Dump Source

Source File: 00000007.00000002.2414728783.0000000000A01000.00000040.00000001.01000000.00000021.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000007.00000002.2414712056.0000000000A00000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000007.00000002.2414728783.0000000000A1F000.00000040.00000001.01000000.00000021.sdmpDownload File
Associated: 00000007.00000002.2414728783.0000000000A24000.00000040.00000001.01000000.00000021.sdmpDownload File
Associated: 00000007.00000002.2414797468.0000000000A25000.00000080.00000001.01000000.00000021.sdmpDownload File
Associated: 00000007.00000002.2414816674.0000000000A27000.00000004.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_a00000_netconn_properties.jbxd

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: 7c616c77292262d527fe6da345d05dc2c9c836dbc2505f574d420a347d760d19
Instruction ID: b6bc7dbd029444030e580c2f4c1b99b62e413d5bfd554428c6e4ba7b5faf7307
Opcode Fuzzy Hash: 7c616c77292262d527fe6da345d05dc2c9c836dbc2505f574d420a347d760d19
Instruction Fuzzy Hash: D1B166329212599FDB11CF28DE81BEE7BB5EF95310F1441A5E901AB2C2D375E940CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 00A048C0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_ValidateLocalCookies.LIBCMT ref: 00A048F7
___except_validate_context_record.LIBVCRUNTIME ref: 00A048FF
_ValidateLocalCookies.LIBCMT ref: 00A04988
__IsNonwritableInCurrentImage.LIBCMT ref: 00A049B3
_ValidateLocalCookies.LIBCMT ref: 00A04A08

Strings

csm, xrefs: 00A0499D

Memory Dump Source

Source File: 00000007.00000002.2414728783.0000000000A01000.00000040.00000001.01000000.00000021.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000007.00000002.2414712056.0000000000A00000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000007.00000002.2414728783.0000000000A1F000.00000040.00000001.01000000.00000021.sdmpDownload File
Associated: 00000007.00000002.2414728783.0000000000A24000.00000040.00000001.01000000.00000021.sdmpDownload File
Associated: 00000007.00000002.2414797468.0000000000A25000.00000080.00000001.01000000.00000021.sdmpDownload File
Associated: 00000007.00000002.2414816674.0000000000A27000.00000004.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_a00000_netconn_properties.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 0a45103e4ef4f7ac9db9670a21f678e4280fcd8cd6b4345ae078f1bf6fbd07a6
Instruction ID: 5e5826152a7bdd39b6a7bbc2576e504fd77ce0037a83031f3eeaf3501278ed96
Opcode Fuzzy Hash: 0a45103e4ef4f7ac9db9670a21f678e4280fcd8cd6b4345ae078f1bf6fbd07a6
Instruction Fuzzy Hash: 6D41A274E0020DABCF10DF68E884A9FBBB5BF49354F148165E9185B3D2D731AE55CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00A0A601 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(00000000,?,00000000,00000800,00000000,?,?,2EC2FEAC,?,00A0A710,00A073C6,?,00000000,?), ref: 00A0A6C2

Strings

ext-ms-, xrefs: 00A0A66C
api-ms-, xrefs: 00A0A658

Memory Dump Source

Source File: 00000007.00000002.2414728783.0000000000A01000.00000040.00000001.01000000.00000021.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000007.00000002.2414712056.0000000000A00000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000007.00000002.2414728783.0000000000A1F000.00000040.00000001.01000000.00000021.sdmpDownload File
Associated: 00000007.00000002.2414728783.0000000000A24000.00000040.00000001.01000000.00000021.sdmpDownload File
Associated: 00000007.00000002.2414797468.0000000000A25000.00000080.00000001.01000000.00000021.sdmpDownload File
Associated: 00000007.00000002.2414816674.0000000000A27000.00000004.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_a00000_netconn_properties.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: 64c9ca6bf4fb91131a4b206db3aa7800d7e996d6de06e1aa596f88d3d207b0b5
Instruction ID: c0b11d21f6ece1dddd7770d568e31ee1edd8367e574fe73a5e09e768371908ea
Opcode Fuzzy Hash: 64c9ca6bf4fb91131a4b206db3aa7800d7e996d6de06e1aa596f88d3d207b0b5
Instruction Fuzzy Hash: 2F210D35A41318ABCB21DB61FC40E9E37799B61760F294220F905A72D0E771ED01CAE2

Uniqueness

Uniqueness Score: -1.00%

Function 00A04C14 Relevance: 9.1, APIs: 6, Instructions: 60
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(?,?,00A04C0B,00A047F9,00A03F60), ref: 00A04C22
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00A04C30
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00A04C49
SetLastError.KERNEL32(00000000,00A04C0B,00A047F9,00A03F60), ref: 00A04C9B

Memory Dump Source

Source File: 00000007.00000002.2414728783.0000000000A01000.00000040.00000001.01000000.00000021.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000007.00000002.2414712056.0000000000A00000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000007.00000002.2414728783.0000000000A1F000.00000040.00000001.01000000.00000021.sdmpDownload File
Associated: 00000007.00000002.2414728783.0000000000A24000.00000040.00000001.01000000.00000021.sdmpDownload File
Associated: 00000007.00000002.2414797468.0000000000A25000.00000080.00000001.01000000.00000021.sdmpDownload File
Associated: 00000007.00000002.2414816674.0000000000A27000.00000004.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_a00000_netconn_properties.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: aeba70aeb5adfa87fc77ec8ac2f53d02511537277aa82d591cabf50c88371586
Instruction ID: 6d1bb6ad1dbbd1a7347145d81c5508e0ad29b6e6373cff355cedfde935fbb5b7
Opcode Fuzzy Hash: aeba70aeb5adfa87fc77ec8ac2f53d02511537277aa82d591cabf50c88371586
Instruction Fuzzy Hash: F901477290A7296EF714A7F4BD896AB27ADFB0D331330023AF214450F2FF114C029550

Uniqueness

Uniqueness Score: -1.00%

Function 00A0D297 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79COMMON

Download Yara Rule

Strings

C:\Users\user\AppData\Local\Temp\_MEI12682\exe\netconn_properties.exe, xrefs: 00A0D2B3

Memory Dump Source

Source File: 00000007.00000002.2414728783.0000000000A01000.00000040.00000001.01000000.00000021.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000007.00000002.2414712056.0000000000A00000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000007.00000002.2414728783.0000000000A1F000.00000040.00000001.01000000.00000021.sdmpDownload File
Associated: 00000007.00000002.2414728783.0000000000A24000.00000040.00000001.01000000.00000021.sdmpDownload File
Associated: 00000007.00000002.2414797468.0000000000A25000.00000080.00000001.01000000.00000021.sdmpDownload File
Associated: 00000007.00000002.2414816674.0000000000A27000.00000004.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_a00000_netconn_properties.jbxd

Similarity

API ID:
String ID: C:\Users\user\AppData\Local\Temp\_MEI12682\exe\netconn_properties.exe
API String ID: 0-394872426
Opcode ID: 8d6007c5517106247ee7d68d884ecc8c6258e172b1ca1a3272c4880cb3e44920
Instruction ID: 02401d33c03388785ca844a8330c51eed07062f9b0f428058805be07e721fff4
Opcode Fuzzy Hash: 8d6007c5517106247ee7d68d884ecc8c6258e172b1ca1a3272c4880cb3e44920
Instruction Fuzzy Hash: 2F219A33A0020DAFDB20AFE1ED4996B77A9AF443647148914F915DB1C0EB71EC00CBA3

Uniqueness

Uniqueness Score: -1.00%

Function 00A09B13 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,2EC2FEAC,?,?,00000000,00A168D1,000000FF,?,00A09AEF,00A09BD3,?,00A09AC3,00000000), ref: 00A09B48
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00A09B5A
FreeLibrary.KERNEL32(00000000,?,?,00000000,00A168D1,000000FF,?,00A09AEF,00A09BD3,?,00A09AC3,00000000), ref: 00A09B7C

Strings

CorExitProcess, xrefs: 00A09B52
mscoree.dll, xrefs: 00A09B41

Memory Dump Source

Source File: 00000007.00000002.2414728783.0000000000A01000.00000040.00000001.01000000.00000021.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000007.00000002.2414712056.0000000000A00000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000007.00000002.2414728783.0000000000A1F000.00000040.00000001.01000000.00000021.sdmpDownload File
Associated: 00000007.00000002.2414728783.0000000000A24000.00000040.00000001.01000000.00000021.sdmpDownload File
Associated: 00000007.00000002.2414797468.0000000000A25000.00000080.00000001.01000000.00000021.sdmpDownload File
Associated: 00000007.00000002.2414816674.0000000000A27000.00000004.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_a00000_netconn_properties.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 3df772f7ebcf63b2efe33b587108318521cbc868041487d80c64e68e6d4f8e7f
Instruction ID: f0e05f78b596a2cb87a15b101971d35badb891e2743fc7183b33b5fdeaaaadea
Opcode Fuzzy Hash: 3df772f7ebcf63b2efe33b587108318521cbc868041487d80c64e68e6d4f8e7f
Instruction Fuzzy Hash: 6A014431944619FBDB119F94EC05FEFBBB8FB08721F004625B815A22D0DB749D41CA50

Uniqueness

Uniqueness Score: -1.00%

Function 00A12C04 Relevance: 7.7, APIs: 5, Instructions: 197COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 00A12C89
__alloca_probe_16.LIBCMT ref: 00A12D52
__freea.LIBCMT ref: 00A12DB9

Part of subcall function 00A0AFBC: RtlAllocateHeap.NTDLL(00000000,?,?), ref: 00A0AFEE

__freea.LIBCMT ref: 00A12DCC
__freea.LIBCMT ref: 00A12DD9

Memory Dump Source

Source File: 00000007.00000002.2414728783.0000000000A01000.00000040.00000001.01000000.00000021.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000007.00000002.2414712056.0000000000A00000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000007.00000002.2414728783.0000000000A1F000.00000040.00000001.01000000.00000021.sdmpDownload File
Associated: 00000007.00000002.2414728783.0000000000A24000.00000040.00000001.01000000.00000021.sdmpDownload File
Associated: 00000007.00000002.2414797468.0000000000A25000.00000080.00000001.01000000.00000021.sdmpDownload File
Associated: 00000007.00000002.2414816674.0000000000A27000.00000004.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_a00000_netconn_properties.jbxd

Similarity

API ID: __freea$__alloca_probe_16$AllocateHeap
String ID:
API String ID: 1423051803-0
Opcode ID: 9c960fafc6e93f993d96c1218d550043421cf3d88ebb99eec18b1ff79fb1d78f
Instruction ID: 7e9879789b582fcc16c3b963d6d8f236615a02b2e28664802f1e86bc84103fca
Opcode Fuzzy Hash: 9c960fafc6e93f993d96c1218d550043421cf3d88ebb99eec18b1ff79fb1d78f
Instruction Fuzzy Hash: 4A51B37260060AAFEF219FA1ED81FFB76A9EF94750B150528FD04D6190FB74CCA097A0

Uniqueness

Uniqueness Score: -1.00%

Function 00A05D32 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00A05CE3,00000000,?,00A1FD10,?,?,?,00A05E86,00000004,InitializeCriticalSectionEx,00A17CC4,InitializeCriticalSectionEx), ref: 00A05D3F
GetLastError.KERNEL32(?,00A05CE3,00000000,?,00A1FD10,?,?,?,00A05E86,00000004,InitializeCriticalSectionEx,00A17CC4,InitializeCriticalSectionEx,00000000,?,00A05C3D), ref: 00A05D49
LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 00A05D71

Strings

api-ms-, xrefs: 00A05D56

Memory Dump Source

Source File: 00000007.00000002.2414728783.0000000000A01000.00000040.00000001.01000000.00000021.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000007.00000002.2414712056.0000000000A00000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000007.00000002.2414728783.0000000000A1F000.00000040.00000001.01000000.00000021.sdmpDownload File
Associated: 00000007.00000002.2414728783.0000000000A24000.00000040.00000001.01000000.00000021.sdmpDownload File
Associated: 00000007.00000002.2414797468.0000000000A25000.00000080.00000001.01000000.00000021.sdmpDownload File
Associated: 00000007.00000002.2414816674.0000000000A27000.00000004.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_a00000_netconn_properties.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: 2a91e06a81aa38dd768b307211bfe8e10ff849b1245285bcece65cbd4719e8ac
Instruction ID: beb28ceeef08d32606df27a2590db1934661f27e857ea59ef836e2a46597660d
Opcode Fuzzy Hash: 2a91e06a81aa38dd768b307211bfe8e10ff849b1245285bcece65cbd4719e8ac
Instruction Fuzzy Hash: 7FE04F35AC470CB7EF109BB0FC8AB9E3A64AB10B40F209021F90CE84E0E7A2D85189D4

Uniqueness

Uniqueness Score: -1.00%

Function 00A0F973 Relevance: 6.3, APIs: 4, Instructions: 333fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(2EC2FEAC,00000000,00000000,?), ref: 00A0F9D6

Part of subcall function 00A0DE4C: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,00A12DAF,?,00000000,-00000008), ref: 00A0DEAD

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00A0FC28
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00A0FC6E
GetLastError.KERNEL32 ref: 00A0FD11

Memory Dump Source

Source File: 00000007.00000002.2414728783.0000000000A01000.00000040.00000001.01000000.00000021.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000007.00000002.2414712056.0000000000A00000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000007.00000002.2414728783.0000000000A1F000.00000040.00000001.01000000.00000021.sdmpDownload File
Associated: 00000007.00000002.2414728783.0000000000A24000.00000040.00000001.01000000.00000021.sdmpDownload File
Associated: 00000007.00000002.2414797468.0000000000A25000.00000080.00000001.01000000.00000021.sdmpDownload File
Associated: 00000007.00000002.2414816674.0000000000A27000.00000004.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_a00000_netconn_properties.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: 09557208a7b14eac8d509c1406db1fea48eddd93a59d4e21e664e2fd4f6aaee7
Instruction ID: 9534c9c1fdb88a834f8eb375464e88b49e698a291040c501fc57c132a0c7855e
Opcode Fuzzy Hash: 09557208a7b14eac8d509c1406db1fea48eddd93a59d4e21e664e2fd4f6aaee7
Instruction Fuzzy Hash: FCD17A75D0025CAFDF25CFE8E8909EDBBB5FF09314F28412AE855EB691D630A942CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00A04CF4 Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 00A04DBB
___AdjustPointer.LIBCMT ref: 00A04DDE
___AdjustPointer.LIBCMT ref: 00A04E7A

Memory Dump Source

Source File: 00000007.00000002.2414728783.0000000000A01000.00000040.00000001.01000000.00000021.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000007.00000002.2414712056.0000000000A00000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000007.00000002.2414728783.0000000000A1F000.00000040.00000001.01000000.00000021.sdmpDownload File
Associated: 00000007.00000002.2414728783.0000000000A24000.00000040.00000001.01000000.00000021.sdmpDownload File
Associated: 00000007.00000002.2414797468.0000000000A25000.00000080.00000001.01000000.00000021.sdmpDownload File
Associated: 00000007.00000002.2414816674.0000000000A27000.00000004.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_a00000_netconn_properties.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: dc658bb07ad9ecc0bd261a897c7534b605cf41760c37fc3b4f16c55b3220fe0d
Instruction ID: c5b28c1fbf910d5b9daf88b7b10a5107b2c8144e9ed2f82f1ce1d3c4f3b8c6e0
Opcode Fuzzy Hash: dc658bb07ad9ecc0bd261a897c7534b605cf41760c37fc3b4f16c55b3220fe0d
Instruction Fuzzy Hash: 4C51AFF2A0160AAFEB258F64F981BAA77B4FF08711F244529EA05871D1D731AC91CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00A0CAB1 Relevance: 6.1, APIs: 4, Instructions: 82COMMON

Download Yara Rule

APIs

Part of subcall function 00A0DE4C: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,00A12DAF,?,00000000,-00000008), ref: 00A0DEAD

GetLastError.KERNEL32 ref: 00A0CB15
__dosmaperr.LIBCMT ref: 00A0CB1C
GetLastError.KERNEL32(?,?,?,?), ref: 00A0CB56
__dosmaperr.LIBCMT ref: 00A0CB5D

Memory Dump Source

Source File: 00000007.00000002.2414728783.0000000000A01000.00000040.00000001.01000000.00000021.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000007.00000002.2414712056.0000000000A00000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000007.00000002.2414728783.0000000000A1F000.00000040.00000001.01000000.00000021.sdmpDownload File
Associated: 00000007.00000002.2414728783.0000000000A24000.00000040.00000001.01000000.00000021.sdmpDownload File
Associated: 00000007.00000002.2414797468.0000000000A25000.00000080.00000001.01000000.00000021.sdmpDownload File
Associated: 00000007.00000002.2414816674.0000000000A27000.00000004.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_a00000_netconn_properties.jbxd

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide
String ID:
API String ID: 1913693674-0
Opcode ID: ba5a31c339b26d440cef77b4e820f892b5193ca462175906e4ea6b86a9cd45f7
Instruction ID: 65a67ec193bd4861f1b75d9f489c091d34a54d92adb8e160cfb8405b93e81a77
Opcode Fuzzy Hash: ba5a31c339b26d440cef77b4e820f892b5193ca462175906e4ea6b86a9cd45f7
Instruction Fuzzy Hash: 0121D03160031DAFCB20EFA1E98196BB7A9EF023707108718F91A971D0EB71EC0087A1

Uniqueness

Uniqueness Score: -1.00%

Function 00A0DEEF Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00A0DEF7

Part of subcall function 00A0DE4C: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,00A12DAF,?,00000000,-00000008), ref: 00A0DEAD

FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00A0DF2F
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00A0DF4F

Memory Dump Source

Source File: 00000007.00000002.2414728783.0000000000A01000.00000040.00000001.01000000.00000021.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000007.00000002.2414712056.0000000000A00000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000007.00000002.2414728783.0000000000A1F000.00000040.00000001.01000000.00000021.sdmpDownload File
Associated: 00000007.00000002.2414728783.0000000000A24000.00000040.00000001.01000000.00000021.sdmpDownload File
Associated: 00000007.00000002.2414797468.0000000000A25000.00000080.00000001.01000000.00000021.sdmpDownload File
Associated: 00000007.00000002.2414816674.0000000000A27000.00000004.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_a00000_netconn_properties.jbxd

Similarity

API ID: EnvironmentStrings$Free$ByteCharMultiWide
String ID:
API String ID: 158306478-0
Opcode ID: 8ae7bb95d4246ebc86b04b30b1ed1d3c6e670ce24f6060918ad4f5af5542185e
Instruction ID: 5f94c04fd854e82214da5470ea10fe146821676cc959e9b70e09434ac6337b42
Opcode Fuzzy Hash: 8ae7bb95d4246ebc86b04b30b1ed1d3c6e670ce24f6060918ad4f5af5542185e
Instruction Fuzzy Hash: 881104B390971EBEE71167F5BD89CAF696CDE983943104124F406A2181FE70DD0145B2

Uniqueness

Uniqueness Score: -1.00%

Function 00A1456A Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,00000000,?,00000000,00000000,?,00A13613,00000000,00000001,?,?,?,00A0FD65,?,00000000,00000000), ref: 00A14581
GetLastError.KERNEL32(?,00A13613,00000000,00000001,?,?,?,00A0FD65,?,00000000,00000000,?,?,?,00A10308,?), ref: 00A1458D

Part of subcall function 00A14553: CloseHandle.KERNEL32(FFFFFFFE,00A1459D,?,00A13613,00000000,00000001,?,?,?,00A0FD65,?,00000000,00000000,?,?), ref: 00A14563

___initconout.LIBCMT ref: 00A1459D

Part of subcall function 00A14515: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00A14544,00A13600,?,?,00A0FD65,?,00000000,00000000,?), ref: 00A14528

WriteConsoleW.KERNEL32(00000000,00000000,?,00000000,?,00A13613,00000000,00000001,?,?,?,00A0FD65,?,00000000,00000000,?), ref: 00A145B2

Memory Dump Source

Source File: 00000007.00000002.2414728783.0000000000A01000.00000040.00000001.01000000.00000021.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000007.00000002.2414712056.0000000000A00000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000007.00000002.2414728783.0000000000A1F000.00000040.00000001.01000000.00000021.sdmpDownload File
Associated: 00000007.00000002.2414728783.0000000000A24000.00000040.00000001.01000000.00000021.sdmpDownload File
Associated: 00000007.00000002.2414797468.0000000000A25000.00000080.00000001.01000000.00000021.sdmpDownload File
Associated: 00000007.00000002.2414816674.0000000000A27000.00000004.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_a00000_netconn_properties.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: cfc357ddf1bc9ac77572bb97da958d960a6ca17e0854e12dd83c8c8f5d2381f9
Instruction ID: 478b717cb72d86e0ad882c212cf9083b47a74d06c833f375786357223a99ebec
Opcode Fuzzy Hash: cfc357ddf1bc9ac77572bb97da958d960a6ca17e0854e12dd83c8c8f5d2381f9
Instruction Fuzzy Hash: EFF0AC36540269BBCF226FE9DC089EE3F67FB4C7B1B048010FA1D95121D6328D619B90

Uniqueness

Uniqueness Score: -1.00%

Function 00A052F0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000), ref: 00A05315

Strings

RCC, xrefs: 00A0532F
MOC, xrefs: 00A05327

Memory Dump Source

Source File: 00000007.00000002.2414728783.0000000000A01000.00000040.00000001.01000000.00000021.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000007.00000002.2414712056.0000000000A00000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000007.00000002.2414728783.0000000000A1F000.00000040.00000001.01000000.00000021.sdmpDownload File
Associated: 00000007.00000002.2414728783.0000000000A24000.00000040.00000001.01000000.00000021.sdmpDownload File
Associated: 00000007.00000002.2414797468.0000000000A25000.00000080.00000001.01000000.00000021.sdmpDownload File
Associated: 00000007.00000002.2414816674.0000000000A27000.00000004.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_a00000_netconn_properties.jbxd

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: 7bf01e5b2ff28c37768e309c852700ee2d72555fdb67c88911defb90c05292ab
Instruction ID: 04bba430789038dfd35f559c628660f122757f047f9eef5673b4483bd7947016
Opcode Fuzzy Hash: 7bf01e5b2ff28c37768e309c852700ee2d72555fdb67c88911defb90c05292ab
Instruction Fuzzy Hash: B2417771D0060DAFCF15CFA4E981AEEBBB6BF08301F188198FA056A291D33599A1DF51

Uniqueness

Uniqueness Score: -1.00%

Function 00A011D0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 59COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00A011D5

Part of subcall function 00A03626: std::invalid_argument::invalid_argument.LIBCONCRT ref: 00A03632

Strings

string too long, xrefs: 00A011D0
%04x, xrefs: 00A0122B

Memory Dump Source

Source File: 00000007.00000002.2414728783.0000000000A01000.00000040.00000001.01000000.00000021.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000007.00000002.2414712056.0000000000A00000.00000002.00000001.01000000.00000021.sdmpDownload File
Associated: 00000007.00000002.2414728783.0000000000A1F000.00000040.00000001.01000000.00000021.sdmpDownload File
Associated: 00000007.00000002.2414728783.0000000000A24000.00000040.00000001.01000000.00000021.sdmpDownload File
Associated: 00000007.00000002.2414797468.0000000000A25000.00000080.00000001.01000000.00000021.sdmpDownload File
Associated: 00000007.00000002.2414816674.0000000000A27000.00000004.00000001.01000000.00000021.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_a00000_netconn_properties.jbxd

Similarity

API ID: Xinvalid_argumentstd::_std::invalid_argument::invalid_argument
String ID: %04x$string too long
API String ID: 1997705970-2098177902
Opcode ID: 048f4f8e7fc7376133e81cc5b006235c4afe11d397b7b92a239620ee1fae7008
Instruction ID: 6e711423699f4d00a878e7f8ce1bf4f42706d0748ffb83e3d209be593f94cf31
Opcode Fuzzy Hash: 048f4f8e7fc7376133e81cc5b006235c4afe11d397b7b92a239620ee1fae7008
Instruction Fuzzy Hash: 77019672E0021DABCB14DF98ED42AEFB7B9FB48350F150169E90597381EA75AA40C7A1

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: registers.exePID: 5784, Parent PID: 3424COMMON

Execution Graph

Execution Coverage:	7.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	3.3%
Total number of Nodes:	90
Total number of Limit Nodes:	2

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 002694B0 Relevance: 3.9, APIs: 2, Instructions: 881memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(-00001000,00001000,00000004,?,00000000), ref: 0026A04F
VirtualProtect.KERNELBASE(-00001000,00001000), ref: 0026A064

Memory Dump Source

Source File: 0000000A.00000002.2415778864.0000000000269000.00000080.00000001.01000000.00000022.sdmp, Offset: 00260000, based on PE: true

Associated: 0000000A.00000002.2415661276.0000000000260000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000000A.00000002.2415695027.0000000000261000.00000040.00000001.01000000.00000022.sdmpDownload File
Associated: 0000000A.00000002.2415695027.0000000000265000.00000040.00000001.01000000.00000022.sdmpDownload File
Associated: 0000000A.00000002.2415695027.0000000000268000.00000040.00000001.01000000.00000022.sdmpDownload File
Associated: 0000000A.00000002.2415796907.000000000026B000.00000004.00000001.01000000.00000022.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_260000_registers.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: b474d2028b8914171b7bd712012b4bfc14c520154d885e64ada5daf5155cabef
Instruction ID: b323047565b97943e9c2ff572bce646d59693f78bfe22307855bff91ec5c9049
Opcode Fuzzy Hash: b474d2028b8914171b7bd712012b4bfc14c520154d885e64ada5daf5155cabef
Instruction Fuzzy Hash: 1072DF315283558FD324CF28C88026ABBE5FF8A344F154A2DE9E5CB351EB71D995CB82

Uniqueness

Uniqueness Score: -1.00%

Function 00261B88 Relevance: 1.5, APIs: 1, Instructions: 22
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00262097: GetModuleHandleW.KERNEL32(00000000,00261B51), ref: 00262099

___security_init_cookie.LIBCMT ref: 00261BCF

Memory Dump Source

Source File: 0000000A.00000002.2415695027.0000000000261000.00000040.00000001.01000000.00000022.sdmp, Offset: 00260000, based on PE: true

Associated: 0000000A.00000002.2415661276.0000000000260000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000000A.00000002.2415695027.0000000000265000.00000040.00000001.01000000.00000022.sdmpDownload File
Associated: 0000000A.00000002.2415695027.0000000000268000.00000040.00000001.01000000.00000022.sdmpDownload File
Associated: 0000000A.00000002.2415778864.0000000000269000.00000080.00000001.01000000.00000022.sdmpDownload File
Associated: 0000000A.00000002.2415796907.000000000026B000.00000004.00000001.01000000.00000022.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_260000_registers.jbxd

Similarity

API ID: HandleModule___security_init_cookie
String ID:
API String ID: 1525027140-0
Opcode ID: 081fd81bea330b2ae3a87e6564303e74405b5fb521175a5e9dbe2dc4b9816b93
Instruction ID: eb32889e03913b09d6002cb05922cc943c93db3534a06dde4a7228520251d750
Opcode Fuzzy Hash: 081fd81bea330b2ae3a87e6564303e74405b5fb521175a5e9dbe2dc4b9816b93
Instruction Fuzzy Hash: A3E0DF7292468ACFDF20AFD4D4023ECBBB1AF40364F140556E861322A1DB3568B5CA50

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00261F77 Relevance: 6.1, APIs: 4, Instructions: 73
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00261F83
IsDebuggerPresent.KERNEL32 ref: 0026204F
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0026206F
UnhandledExceptionFilter.KERNEL32(?), ref: 00262079

Memory Dump Source

Source File: 0000000A.00000002.2415695027.0000000000261000.00000040.00000001.01000000.00000022.sdmp, Offset: 00260000, based on PE: true

Associated: 0000000A.00000002.2415661276.0000000000260000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000000A.00000002.2415695027.0000000000265000.00000040.00000001.01000000.00000022.sdmpDownload File
Associated: 0000000A.00000002.2415695027.0000000000268000.00000040.00000001.01000000.00000022.sdmpDownload File
Associated: 0000000A.00000002.2415778864.0000000000269000.00000080.00000001.01000000.00000022.sdmpDownload File
Associated: 0000000A.00000002.2415796907.000000000026B000.00000004.00000001.01000000.00000022.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_260000_registers.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 8ab473aa370706576e6d56ce6722b164ad449390e7461cbb4bbb5488fbcb62db
Instruction ID: 4c6eaa8817ef27e1881b1d8673f38af5affcb8339aa170ad535dd25d9f72104e
Opcode Fuzzy Hash: 8ab473aa370706576e6d56ce6722b164ad449390e7461cbb4bbb5488fbcb62db
Instruction Fuzzy Hash: 04311A75D15219DBDF10DFA4D9897CDBBB8AF08300F1041AAE40DA7250EB719B898F04

Uniqueness

Uniqueness Score: -1.00%

Function 00261520 Relevance: 2.7, Strings: 2, Instructions: 166
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

{"sidt": %d, "sgdt": %d, "rdtsc": [%I64d, %I64d, %I64d, %I64d], "rdtsc_vmexit": [%I64d, %I64d, %I64d, %I64d], "cpu_vendor_id":[%d,%d,%d,%d], "cpu_branding":"%s", "cpuid_0":[%d,%d,%d,%d], "cpuid_1":[%d,%d,%d,%d]}, xrefs: 002616F2
%s, xrefs: 0026170B

Memory Dump Source

Source File: 0000000A.00000002.2415695027.0000000000261000.00000040.00000001.01000000.00000022.sdmp, Offset: 00260000, based on PE: true

Associated: 0000000A.00000002.2415661276.0000000000260000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000000A.00000002.2415695027.0000000000265000.00000040.00000001.01000000.00000022.sdmpDownload File
Associated: 0000000A.00000002.2415695027.0000000000268000.00000040.00000001.01000000.00000022.sdmpDownload File
Associated: 0000000A.00000002.2415778864.0000000000269000.00000080.00000001.01000000.00000022.sdmpDownload File
Associated: 0000000A.00000002.2415796907.000000000026B000.00000004.00000001.01000000.00000022.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_260000_registers.jbxd

Similarity

API ID: F8233
String ID: %s${"sidt": %d, "sgdt": %d, "rdtsc": [%I64d, %I64d, %I64d, %I64d], "rdtsc_vmexit": [%I64d, %I64d, %I64d, %I64d], "cpu_vendor_id":[%d,%d,%d,%d], "cpu_branding":"%s", "cpuid_0":[%d,%d,%d,%d], "cpuid_1":[%d,%d,%d,%d]}
API String ID: 1213906786-1597640580
Opcode ID: 5b70a9938895faa576643a2728b536ce07049651e1aa5dc1dc63025e56741f8f
Instruction ID: fe6b1c789fa41cde2f0359b70a3591dfed64ddcbb048dbdee5d130ff5b07cae8
Opcode Fuzzy Hash: 5b70a9938895faa576643a2728b536ce07049651e1aa5dc1dc63025e56741f8f
Instruction Fuzzy Hash: 8C511672508380AFDB258F64D880B9BFBE6FF89310F10892EF69986211D3729464DF53

Uniqueness

Uniqueness Score: -1.00%

Function 002611B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 83
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

6E39D590.MSVCP140(string too long,00261519,2ED112C8), ref: 002611B5
74F84C80.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 00261215
6F8233D0.VCRUNTIME140(?,?,?), ref: 00261272

Strings

string too long, xrefs: 002611B0

Memory Dump Source

Source File: 0000000A.00000002.2415695027.0000000000261000.00000040.00000001.01000000.00000022.sdmp, Offset: 00260000, based on PE: true

Associated: 0000000A.00000002.2415661276.0000000000260000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000000A.00000002.2415695027.0000000000265000.00000040.00000001.01000000.00000022.sdmpDownload File
Associated: 0000000A.00000002.2415695027.0000000000268000.00000040.00000001.01000000.00000022.sdmpDownload File
Associated: 0000000A.00000002.2415778864.0000000000269000.00000080.00000001.01000000.00000022.sdmpDownload File
Associated: 0000000A.00000002.2415796907.000000000026B000.00000004.00000001.01000000.00000022.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_260000_registers.jbxd

Similarity

API ID: D590F8233
String ID: string too long
API String ID: 530822383-2556327735
Opcode ID: 38c374aa804fc99589b1cf23bcc7e1d52b66ae6ef39d157b4c5dec47b83c60a9
Instruction ID: 458c22b68722674a2cbe81a0696110df088abfab3466ae6721c9c9da5a3d894d
Opcode Fuzzy Hash: 38c374aa804fc99589b1cf23bcc7e1d52b66ae6ef39d157b4c5dec47b83c60a9
Instruction Fuzzy Hash: 5421B071A102259FCB08DF68D8D85AEFBB4FF49300B0545ADDD15EB305E7B0AA64CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00261988 Relevance: 6.1, APIs: 4, Instructions: 56
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

74F95420.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,00000001), ref: 00261996
__RTC_Initialize.LIBCMT ref: 002619BA

Part of subcall function 00261F09: RtlInitializeSListHead.NTDLL(002653D0), ref: 00261F0E

75012870.API-MS-WIN-CRT-MATH-L1-1-0(Function_00001EFC), ref: 002619ED
74F94B50.API-MS-WIN-CRT-LOCALE-L1-1-0(00000000), ref: 00261A08

Memory Dump Source

Source File: 0000000A.00000002.2415695027.0000000000261000.00000040.00000001.01000000.00000022.sdmp, Offset: 00260000, based on PE: true

Associated: 0000000A.00000002.2415661276.0000000000260000.00000002.00000001.01000000.00000022.sdmpDownload File
Associated: 0000000A.00000002.2415695027.0000000000265000.00000040.00000001.01000000.00000022.sdmpDownload File
Associated: 0000000A.00000002.2415695027.0000000000268000.00000040.00000001.01000000.00000022.sdmpDownload File
Associated: 0000000A.00000002.2415778864.0000000000269000.00000080.00000001.01000000.00000022.sdmpDownload File
Associated: 0000000A.00000002.2415796907.000000000026B000.00000004.00000001.01000000.00000022.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_260000_registers.jbxd

Similarity

API ID: Initialize$75012870F95420HeadList
String ID:
API String ID: 4048121495-0
Opcode ID: a7ace0f63d0612e2965310b5d52efbb6a8082b4ce91dd8765ac20e4cc2518613
Instruction ID: 98e21131c33c9b044483eb222f69da8101c37cfd508227608c128a7fdcf3b351
Opcode Fuzzy Hash: a7ace0f63d0612e2965310b5d52efbb6a8082b4ce91dd8765ac20e4cc2518613
Instruction Fuzzy Hash: 9F016225A31B0398DA243BF56907A4E12481F51755F2C8950FC48968C3EF1AF8F88C73

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report xSO7sbN2j6.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\0muh7zmj

C:\Users\user\AppData\Local\Temp\_MEI12682\MSVCP140.dll

C:\Users\user\AppData\Local\Temp\_MEI12682\Pythonwin\mfc140u.dll

C:\Users\user\AppData\Local\Temp\_MEI12682\Pythonwin\win32ui.pyd

C:\Users\user\AppData\Local\Temp\_MEI12682\VCRUNTIME140.dll

C:\Users\user\AppData\Local\Temp\_MEI12682\VCRUNTIME140_1.dll

C:\Users\user\AppData\Local\Temp\_MEI12682\_bz2.pyd

C:\Users\user\AppData\Local\Temp\_MEI12682\_ctypes.pyd

C:\Users\user\AppData\Local\Temp\_MEI12682\_elementtree.pyd

C:\Users\user\AppData\Local\Temp\_MEI12682\_hashlib.pyd

C:\Users\user\AppData\Local\Temp\_MEI12682\_lzma.pyd

C:\Users\user\AppData\Local\Temp\_MEI12682\_queue.pyd

C:\Users\user\AppData\Local\Temp\_MEI12682\_socket.pyd

C:\Users\user\AppData\Local\Temp\_MEI12682\_ssl.pyd

C:\Users\user\AppData\Local\Temp\_MEI12682\api-ms-win-core-console-l1-1-0.dll

C:\Users\user\AppData\Local\Temp\_MEI12682\api-ms-win-core-datetime-l1-1-0.dll

C:\Users\user\AppData\Local\Temp\_MEI12682\api-ms-win-core-debug-l1-1-0.dll

C:\Users\user\AppData\Local\Temp\_MEI12682\api-ms-win-core-errorhandling-l1-1-0.dll

C:\Users\user\AppData\Local\Temp\_MEI12682\api-ms-win-core-file-l1-1-0.dll

C:\Users\user\AppData\Local\Temp\_MEI12682\api-ms-win-core-file-l1-2-0.dll

C:\Users\user\AppData\Local\Temp\_MEI12682\api-ms-win-core-file-l2-1-0.dll

C:\Users\user\AppData\Local\Temp\_MEI12682\api-ms-win-core-handle-l1-1-0.dll

C:\Users\user\AppData\Local\Temp\_MEI12682\api-ms-win-core-heap-l1-1-0.dll

C:\Users\user\AppData\Local\Temp\_MEI12682\api-ms-win-core-interlocked-l1-1-0.dll

Windows Analysis Report
xSO7sbN2j6.exe

C:\Users\user\AppData\Local\Temp\tmp179_cpv3\gen_py\init.py