Windows Analysis Report
python-3.11.4-amd64.exe

Overview

General Information

Sample name: python-3.11.4-amd64.exe
Analysis ID: 1432014
MD5: e4413bb7448cd13b437dffffba294ca0
SHA1: 59dcc42113cd01346f7498a07c1265a4428b8864
SHA256: 47be821c0f1825d90fc40f83a3ee3d3a691a3e16c8e21ac0cd56371362aaad50
Detection

Score: 8
Range: 0 - 100
Whitelisted: false
Confidence: 0%

Signatures

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)

Classification

Analysis Advice

Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox
Sample may be VM or Sandbox-aware, try analysis on a native machine
Sample has a GUI, but Joe Sandbox has not found any clickable buttons, likely more UI automation may extend behavior
Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior
Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")
  • System is w10x64
  • python-3.11.4-amd64.exe (PID: 6984 cmdline: "C:\Users\user\Desktop\python-3.11.4-amd64.exe" MD5: E4413BB7448CD13B437DFFFFBA294CA0)
    • python-3.11.4-amd64.exe (PID: 7028 cmdline: "C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe" -burn.clean.room="C:\Users\user\Desktop\python-3.11.4-amd64.exe" -burn.filehandle.attached=684 -burn.filehandle.self=640 MD5: 73084CDC98F16F144AEAA7CE8966A76A)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched

There are no malicious signatures.

Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe Code function: 0_2_00F5A096 DecryptFileW,0_2_00F5A096
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe Code function: 0_2_00F7FE7F CryptAcquireContextW,GetLastError,CryptCreateHash,GetLastError,CryptHashData,ReadFile,GetLastError,CryptDestroyHash,CryptReleaseContext,GetLastError,CryptGetHashParam,GetLastError,SetFilePointerEx,GetLastError,0_2_00F7FE7F
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe Code function: 0_2_00F59E7B DecryptFileW,DecryptFileW,0_2_00F59E7B
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Code function: 1_2_00A2A096 DecryptFileW,1_2_00A2A096
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Code function: 1_2_00A29E7B DecryptFileW,DecryptFileW,1_2_00A29E7B
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Code function: 1_2_00A4FE7F CryptAcquireContextW,GetLastError,CryptCreateHash,GetLastError,CryptHashData,ReadFile,GetLastError,CryptDestroyHash,CryptReleaseContext,GetLastError,CryptGetHashParam,GetLastError,SetFilePointerEx,GetLastError,1_2_00A4FE7F
Source: python-3.11.4-amd64.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, REMOVABLE_RUN_FROM_SWAP, NET_RUN_FROM_SWAP
Source: python-3.11.4-amd64.exe Static PE information: certificate valid
Source: python-3.11.4-amd64.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: C:\agent\_work\138\s\build\ship\x86\burn.pdb source: python-3.11.4-amd64.exe, python-3.11.4-amd64.exe.0.dr
Source: Binary string: C:\agent\_work\138\s\build\ship\x86\burn.pdb/ source: python-3.11.4-amd64.exe, python-3.11.4-amd64.exe.0.dr
Source: Binary string: D:\a\1\s\PCbuild\obj\311win32_Release\msi_pythonba\PythonBA.pdb source: python-3.11.4-amd64.exe, 00000001.00000002.2913054141.000000006CB18000.00000002.00000001.01000000.00000007.sdmp, PythonBA.dll.1.dr
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe Code function: 0_2_00F8488B FindFirstFileW,FindClose,0_2_00F8488B
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe Code function: 0_2_00F59B24 FindFirstFileW,lstrlenW,FindNextFileW,FindClose,0_2_00F59B24
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe Code function: 0_2_00F43D89 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose,0_2_00F43D89
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Code function: 1_2_00A5488B FindFirstFileW,FindClose,1_2_00A5488B
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Code function: 1_2_00A29B24 FindFirstFileW,lstrlenW,FindNextFileW,FindClose,1_2_00A29B24
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Code function: 1_2_00A13D89 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose,1_2_00A13D89
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Code function: 1_2_6CAA599C FindFirstFileW,FindClose,1_2_6CAA599C
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Code function: 1_2_6CAB4046 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose,1_2_6CAB4046
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Code function: 1_2_6CAF5DCD FindFirstFileExW,FindNextFileW,FindClose,FindClose,1_2_6CAF5DCD
Source: python-3.11.4-amd64.exeString found in binary or memory: http://appsyndication.org/2006/appsyn
Source: python-3.11.4-amd64.exe, python-3.11.4-amd64.exe.0.drString found in binary or memory: http://appsyndication.org/2006/appsynapplicationc:
Source: python-3.11.4-amd64.exe, python-3.11.4-amd64.exe.0.drString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: python-3.11.4-amd64.exe, python-3.11.4-amd64.exe.0.drString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: python-3.11.4-amd64.exe, python-3.11.4-amd64.exe.0.drString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: python-3.11.4-amd64.exe, python-3.11.4-amd64.exe.0.drString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: python-3.11.4-amd64.exe, 00000000.00000002.2911419257.00000000008FB000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: http://crl3.digic
Source: python-3.11.4-amd64.exe, python-3.11.4-amd64.exe.0.drString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: python-3.11.4-amd64.exe, python-3.11.4-amd64.exe.0.drString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: python-3.11.4-amd64.exe, python-3.11.4-amd64.exe.0.drString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: python-3.11.4-amd64.exe.0.drString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: python-3.11.4-amd64.exe, python-3.11.4-amd64.exe.0.drString found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: python-3.11.4-amd64.exe, 00000001.00000002.2911653228.00000000012A1000.00000004.00000020.00020000.00000000.sdmp, python-3.11.4-amd64.exe, 00000001.00000002.2911653228.0000000001248000.00000004.00000020.00020000.00000000.sdmp, Default.wxl.1.drString found in binary or memory: http://docs.python.org/
Source: python-3.11.4-amd64.exe, python-3.11.4-amd64.exe.0.drString found in binary or memory: http://ocsp.digicert.com0
Source: python-3.11.4-amd64.exe, python-3.11.4-amd64.exe.0.drString found in binary or memory: http://ocsp.digicert.com0A
Source: python-3.11.4-amd64.exe, python-3.11.4-amd64.exe.0.drString found in binary or memory: http://ocsp.digicert.com0C
Source: python-3.11.4-amd64.exe, python-3.11.4-amd64.exe.0.drString found in binary or memory: http://ocsp.digicert.com0X
Source: python-3.11.4-amd64.exe, 00000001.00000003.1662079168.0000000003830000.00000004.00000800.00020000.00000000.sdmp, Default.thm.1.drString found in binary or memory: http://wixtoolset.org/schemas/thmutil/2010
Source: python-3.11.4-amd64.exe, python-3.11.4-amd64.exe.0.drString found in binary or memory: http://www.digicert.com/CPS0
Source: Default.wxl.1.drString found in binary or memory: https://discuss.python.org/c/users/7
Source: Default.wxl.1.drString found in binary or memory: https://docs.python.org/
Source: python-3.11.4-amd64.exe, 00000000.00000003.1657389756.0000000000A4F000.00000004.00000020.00020000.00000000.sdmp, python-3.11.4-amd64.exe, 00000000.00000003.1657590081.0000000000A4F000.00000004.00000020.00020000.00000000.sdmp, python-3.11.4-amd64.exe, 00000000.00000002.2911537924.0000000000A4F000.00000004.00000020.00020000.00000000.sdmp, python-3.11.4-amd64.exe, 00000000.00000002.2912253341.0000000002FB0000.00000004.00000800.00020000.00000000.sdmp, python-3.11.4-amd64.exe, 00000001.00000002.2911653228.00000000012A1000.00000004.00000020.00020000.00000000.sdmp, python-3.11.4-amd64.exe, 00000001.00000003.1660270494.00000000012BF000.00000004.00000020.00020000.00000000.sdmp, python-3.11.4-amd64.exe, 00000001.00000003.1660371800.00000000012BF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.python.org/
Source: python-3.11.4-amd64.exe, 00000001.00000002.2911653228.0000000001248000.00000004.00000020.00020000.00000000.sdmp, python-3.11.4-amd64.exe, 00000001.00000003.1662096169.000000000382F000.00000004.00000800.00020000.00000000.sdmp, python-3.11.4-amd64.exe, 00000001.00000002.2912509644.0000000003640000.00000004.00000020.00020000.00000000.sdmp, Default.wxl.1.drString found in binary or memory: https://www.python.org/downloads/
Source: BootstrapperApplicationData.xml.1.drString found in binary or memory: https://www.python.org/ftp/python/3.11.4/amd64/
Source: python-3.11.4-amd64.exe, 00000000.00000002.2912253341.0000000002FB0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.python.org/ftp/python/3.11.4/amd64/core_d.msi
Source: python-3.11.4-amd64.exe, 00000001.00000002.2911653228.0000000001248000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.python.org/ftp/python/3.11.4/amd64/core_d.msia
Source: python-3.11.4-amd64.exe, 00000000.00000003.1657590081.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, python-3.11.4-amd64.exe, 00000000.00000003.1657389756.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, python-3.11.4-amd64.exe, 00000000.00000002.2911537924.0000000000A31000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.python.org/ftp/python/3.11.4/amd64/core_d.msie
Source: python-3.11.4-amd64.exe, 00000001.00000002.2911653228.00000000012A1000.00000004.00000020.00020000.00000000.sdmp, python-3.11.4-amd64.exe, 00000001.00000003.1660270494.00000000012A1000.00000004.00000020.00020000.00000000.sdmp, python-3.11.4-amd64.exe, 00000001.00000003.1660371800.00000000012A1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.python.org/ftp/python/3.11.4/amd64/core_d.msiz
Source: python-3.11.4-amd64.exe, 00000000.00000002.2912253341.0000000002FB0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.python.org/ftp/python/3.11.4/amd64/core_pdb.msi
Source: python-3.11.4-amd64.exe, 00000000.00000003.1657590081.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, python-3.11.4-amd64.exe, 00000000.00000003.1657389756.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, python-3.11.4-amd64.exe, 00000000.00000002.2911537924.0000000000A31000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.python.org/ftp/python/3.11.4/amd64/core_pdb.msie
Source: python-3.11.4-amd64.exe, 00000001.00000002.2911653228.00000000012A1000.00000004.00000020.00020000.00000000.sdmp, python-3.11.4-amd64.exe, 00000001.00000002.2911653228.0000000001248000.00000004.00000020.00020000.00000000.sdmp, python-3.11.4-amd64.exe, 00000001.00000003.1660270494.00000000012A1000.00000004.00000020.00020000.00000000.sdmp, python-3.11.4-amd64.exe, 00000001.00000003.1660371800.00000000012A1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.python.org/ftp/python/3.11.4/amd64/core_pdb.msiz
Source: python-3.11.4-amd64.exe, 00000000.00000002.2912253341.0000000002FB0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.python.org/ftp/python/3.11.4/amd64/dev_d.msi
Source: python-3.11.4-amd64.exe, 00000000.00000003.1657590081.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, python-3.11.4-amd64.exe, 00000000.00000003.1657389756.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, python-3.11.4-amd64.exe, 00000000.00000002.2911537924.0000000000A31000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.python.org/ftp/python/3.11.4/amd64/dev_d.msie
Source: python-3.11.4-amd64.exe, 00000001.00000002.2911653228.00000000012A1000.00000004.00000020.00020000.00000000.sdmp, python-3.11.4-amd64.exe, 00000001.00000003.1660270494.00000000012A1000.00000004.00000020.00020000.00000000.sdmp, python-3.11.4-amd64.exe, 00000001.00000003.1660371800.00000000012A1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.python.org/ftp/python/3.11.4/amd64/dev_d.msik_
Source: python-3.11.4-amd64.exe, 00000001.00000002.2911653228.00000000012A1000.00000004.00000020.00020000.00000000.sdmp, python-3.11.4-amd64.exe, 00000001.00000003.1660270494.00000000012A1000.00000004.00000020.00020000.00000000.sdmp, python-3.11.4-amd64.exe, 00000001.00000003.1660371800.00000000012A1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.python.org/ftp/python/3.11.4/amd64/dev_d.msiz
Source: python-3.11.4-amd64.exe, 00000000.00000002.2912253341.0000000002FB0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.python.org/ftp/python/3.11.4/amd64/exe_d.msi
Source: python-3.11.4-amd64.exe, 00000000.00000003.1657590081.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, python-3.11.4-amd64.exe, 00000000.00000003.1657389756.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, python-3.11.4-amd64.exe, 00000000.00000002.2911537924.0000000000A31000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.python.org/ftp/python/3.11.4/amd64/exe_d.msie
Source: python-3.11.4-amd64.exe, 00000001.00000002.2911653228.00000000012A1000.00000004.00000020.00020000.00000000.sdmp, python-3.11.4-amd64.exe, 00000001.00000003.1660270494.00000000012A1000.00000004.00000020.00020000.00000000.sdmp, python-3.11.4-amd64.exe, 00000001.00000003.1660371800.00000000012A1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.python.org/ftp/python/3.11.4/amd64/exe_d.msiz
Source: python-3.11.4-amd64.exe, 00000000.00000002.2912253341.0000000002FB0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.python.org/ftp/python/3.11.4/amd64/exe_pdb.msi
Source: python-3.11.4-amd64.exe, 00000000.00000003.1657590081.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, python-3.11.4-amd64.exe, 00000000.00000003.1657389756.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, python-3.11.4-amd64.exe, 00000000.00000002.2911537924.0000000000A31000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.python.org/ftp/python/3.11.4/amd64/exe_pdb.msie
Source: python-3.11.4-amd64.exe, 00000001.00000002.2911653228.00000000012A1000.00000004.00000020.00020000.00000000.sdmp, python-3.11.4-amd64.exe, 00000001.00000003.1660270494.00000000012A1000.00000004.00000020.00020000.00000000.sdmp, python-3.11.4-amd64.exe, 00000001.00000003.1660371800.00000000012A1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.python.org/ftp/python/3.11.4/amd64/exe_pdb.msiz
Source: python-3.11.4-amd64.exe, 00000000.00000002.2912253341.0000000002FB0000.00000004.00000800.00020000.00000000.sdmp, python-3.11.4-amd64.exe, 00000001.00000002.2911653228.00000000012A1000.00000004.00000020.00020000.00000000.sdmp, python-3.11.4-amd64.exe, 00000001.00000003.1660270494.00000000012A1000.00000004.00000020.00020000.00000000.sdmp, python-3.11.4-amd64.exe, 00000001.00000003.1660371800.00000000012A1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.python.org/ftp/python/3.11.4/amd64/lib_d.msi
Source: python-3.11.4-amd64.exe, 00000000.00000003.1657590081.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, python-3.11.4-amd64.exe, 00000000.00000003.1657389756.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, python-3.11.4-amd64.exe, 00000000.00000002.2911537924.0000000000A31000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.python.org/ftp/python/3.11.4/amd64/lib_d.msie
Source: python-3.11.4-amd64.exe, 00000001.00000002.2911653228.00000000012A1000.00000004.00000020.00020000.00000000.sdmp, python-3.11.4-amd64.exe, 00000001.00000003.1660270494.00000000012A1000.00000004.00000020.00020000.00000000.sdmp, python-3.11.4-amd64.exe, 00000001.00000003.1660371800.00000000012A1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.python.org/ftp/python/3.11.4/amd64/lib_d.msiz
Source: python-3.11.4-amd64.exe, 00000000.00000002.2912253341.0000000002FB0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.python.org/ftp/python/3.11.4/amd64/lib_pdb.msi
Source: python-3.11.4-amd64.exe, 00000000.00000003.1657590081.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, python-3.11.4-amd64.exe, 00000000.00000003.1657389756.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, python-3.11.4-amd64.exe, 00000000.00000002.2911537924.0000000000A31000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.python.org/ftp/python/3.11.4/amd64/lib_pdb.msie
Source: python-3.11.4-amd64.exe, 00000001.00000002.2911653228.00000000012A1000.00000004.00000020.00020000.00000000.sdmp, python-3.11.4-amd64.exe, 00000001.00000003.1660270494.00000000012A1000.00000004.00000020.00020000.00000000.sdmp, python-3.11.4-amd64.exe, 00000001.00000003.1660371800.00000000012A1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.python.org/ftp/python/3.11.4/amd64/lib_pdb.msiz
Source: python-3.11.4-amd64.exe, 00000000.00000003.1657590081.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, python-3.11.4-amd64.exe, 00000000.00000003.1657389756.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, python-3.11.4-amd64.exe, 00000000.00000002.2911537924.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, python-3.11.4-amd64.exe, 00000000.00000002.2912253341.0000000002FB0000.00000004.00000800.00020000.00000000.sdmp, python-3.11.4-amd64.exe, 00000001.00000002.2911653228.00000000012A1000.00000004.00000020.00020000.00000000.sdmp, python-3.11.4-amd64.exe, 00000001.00000003.1660270494.00000000012A1000.00000004.00000020.00020000.00000000.sdmp, python-3.11.4-amd64.exe, 00000001.00000003.1660371800.00000000012A1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.python.org/ftp/python/3.11.4/amd64/tcltk_d.msi
Source: python-3.11.4-amd64.exe, 00000001.00000002.2911653228.00000000012A1000.00000004.00000020.00020000.00000000.sdmp, python-3.11.4-amd64.exe, 00000001.00000003.1660270494.00000000012A1000.00000004.00000020.00020000.00000000.sdmp, python-3.11.4-amd64.exe, 00000001.00000003.1660371800.00000000012A1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.python.org/ftp/python/3.11.4/amd64/tcltk_d.msif
Source: python-3.11.4-amd64.exe, 00000001.00000003.1660371800.00000000012A1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.python.org/ftp/python/3.11.4/amd64/tcltk_pdb.msi
Source: python-3.11.4-amd64.exe, 00000000.00000003.1657590081.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, python-3.11.4-amd64.exe, 00000000.00000003.1657389756.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, python-3.11.4-amd64.exe, 00000000.00000002.2911537924.0000000000A31000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.python.org/ftp/python/3.11.4/amd64/tcltk_pdb.msit
Source: python-3.11.4-amd64.exe, 00000000.00000003.1657590081.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, python-3.11.4-amd64.exe, 00000000.00000003.1657389756.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, python-3.11.4-amd64.exe, 00000000.00000002.2911537924.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, python-3.11.4-amd64.exe, 00000000.00000002.2912253341.0000000002FB0000.00000004.00000800.00020000.00000000.sdmp, python-3.11.4-amd64.exe, 00000001.00000002.2911653228.00000000012A1000.00000004.00000020.00020000.00000000.sdmp, python-3.11.4-amd64.exe, 00000001.00000003.1660270494.00000000012A1000.00000004.00000020.00020000.00000000.sdmp, python-3.11.4-amd64.exe, 00000001.00000003.1660371800.00000000012A1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.python.org/ftp/python/3.11.4/amd64/test_d.msi
Source: python-3.11.4-amd64.exe, 00000000.00000003.1657590081.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, python-3.11.4-amd64.exe, 00000000.00000003.1657389756.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, python-3.11.4-amd64.exe, 00000000.00000002.2911537924.0000000000A31000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.python.org/ftp/python/3.11.4/amd64/test_d.msie
Source: python-3.11.4-amd64.exe, 00000001.00000002.2911653228.00000000012A1000.00000004.00000020.00020000.00000000.sdmp, python-3.11.4-amd64.exe, 00000001.00000003.1660270494.00000000012A1000.00000004.00000020.00020000.00000000.sdmp, python-3.11.4-amd64.exe, 00000001.00000003.1660371800.00000000012A1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.python.org/ftp/python/3.11.4/amd64/test_d.msiv
Source: python-3.11.4-amd64.exe, 00000000.00000002.2912253341.0000000002FB0000.00000004.00000800.00020000.00000000.sdmp, python-3.11.4-amd64.exe, 00000001.00000002.2911653228.00000000012A1000.00000004.00000020.00020000.00000000.sdmp, python-3.11.4-amd64.exe, 00000001.00000003.1660270494.00000000012A1000.00000004.00000020.00020000.00000000.sdmp, python-3.11.4-amd64.exe, 00000001.00000003.1660371800.00000000012A1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.python.org/ftp/python/3.11.4/amd64/test_pdb.msi
Source: python-3.11.4-amd64.exe, 00000001.00000002.2911653228.00000000012A1000.00000004.00000020.00020000.00000000.sdmp, python-3.11.4-amd64.exe, 00000001.00000003.1660270494.00000000012A1000.00000004.00000020.00020000.00000000.sdmp, python-3.11.4-amd64.exe, 00000001.00000003.1660371800.00000000012A1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.python.org/ftp/python/3.11.4/amd64/test_pdb.msif
Source: python-3.11.4-amd64.exe, 00000000.00000003.1657590081.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, python-3.11.4-amd64.exe, 00000000.00000003.1657389756.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, python-3.11.4-amd64.exe, 00000000.00000002.2911537924.0000000000A31000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.python.org/ftp/python/3.11.4/amd64/test_pdb.msir
Source: python-3.11.4-amd64.exe, 00000000.00000003.1657590081.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, python-3.11.4-amd64.exe, 00000000.00000003.1657389756.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, python-3.11.4-amd64.exe, 00000000.00000002.2911537924.0000000000A31000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.python.org/ftp/python/3.11.4/amd64/test_pdb.msit
Source: python-3.11.4-amd64.exe, 00000000.00000002.2912253341.0000000002FB0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.python.org/ftp/python/3.11.4/amd64/ucrt.msi
Source: python-3.11.4-amd64.exe, 00000001.00000002.2911653228.00000000012A1000.00000004.00000020.00020000.00000000.sdmp, python-3.11.4-amd64.exe, 00000001.00000003.1660270494.00000000012BF000.00000004.00000020.00020000.00000000.sdmp, python-3.11.4-amd64.exe, 00000001.00000003.1660371800.00000000012BF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.python.org/ftp/python/3.11.4/amd64/ucrt.msia
Source: python-3.11.4-amd64.exe, 00000000.00000003.1657389756.0000000000A4F000.00000004.00000020.00020000.00000000.sdmp, python-3.11.4-amd64.exe, 00000000.00000003.1657590081.0000000000A4F000.00000004.00000020.00020000.00000000.sdmp, python-3.11.4-amd64.exe, 00000000.00000002.2911537924.0000000000A4F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.python.org/ftp/python/3.11.4/amd64/ucrt.msiy
Source: python-3.11.4-amd64.exe, 00000001.00000002.2911653228.0000000001248000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.python.org/ftp/python/3.11.4/amd64/ucrt.msiz
Source: python-3.11.4-amd64.exe, 00000000.00000003.1657389756.0000000000A4F000.00000004.00000020.00020000.00000000.sdmp, python-3.11.4-amd64.exe, 00000000.00000003.1657590081.0000000000A4F000.00000004.00000020.00020000.00000000.sdmp, python-3.11.4-amd64.exe, 00000000.00000002.2911537924.0000000000A4F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.python.org/ftp/python/3.11.4/amd64/ucrt.msi~
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Code function: 1_2_6CAA8766: CreateFileW,GetLastError,DeviceIoControl,GetLastError,CloseHandle,1_2_6CAA8766
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe Code function: 0_2_00F64085 0_2_00F64085
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe Code function: 0_2_00F6C132 0_2_00F6C132
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe Code function: 0_2_00F702B6 0_2_00F702B6
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe Code function: 0_2_00F7F2A2 0_2_00F7F2A2
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe Code function: 0_2_00F4635B 0_2_00F4635B
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe Code function: 0_2_00F70571 0_2_00F70571
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe Code function: 0_2_00F726D1 0_2_00F726D1
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe Code function: 0_2_00F7A600 0_2_00F7A600
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe Code function: 0_2_00F6F9D3 0_2_00F6F9D3
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe Code function: 0_2_00F72905 0_2_00F72905
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe Code function: 0_2_00F7AA98 0_2_00F7AA98
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe Code function: 0_2_00F7DC1E 0_2_00F7DC1E
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe Code function: 0_2_00F6FD45 0_2_00F6FD45
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe Code function: 0_2_00F7DD42 0_2_00F7DD42
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe Code function: 0_2_00F6FFEF 0_2_00F6FFEF
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Code function: 1_2_00A34085 1_2_00A34085
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Code function: 1_2_00A3C132 1_2_00A3C132
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Code function: 1_2_00A4F2A2 1_2_00A4F2A2
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Code function: 1_2_00A402B6 1_2_00A402B6
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Code function: 1_2_00A1635B 1_2_00A1635B
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Code function: 1_2_00A40571 1_2_00A40571
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Code function: 1_2_00A426D1 1_2_00A426D1
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Code function: 1_2_00A4A600 1_2_00A4A600
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Code function: 1_2_00A3F9D3 1_2_00A3F9D3
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Code function: 1_2_00A42905 1_2_00A42905
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Code function: 1_2_00A4AA98 1_2_00A4AA98
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Code function: 1_2_00A4DC1E 1_2_00A4DC1E
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Code function: 1_2_00A4DD42 1_2_00A4DD42
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Code function: 1_2_00A3FD45 1_2_00A3FD45
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Code function: 1_2_00A3FFEF 1_2_00A3FFEF
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Code function: 1_2_6CB0ECFE 1_2_6CB0ECFE
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Code function: 1_2_6CADED3F 1_2_6CADED3F
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Code function: 1_2_6CADE90A 1_2_6CADE90A
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Code function: 1_2_6CADE4C2 1_2_6CADE4C2
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Code function: 1_2_6CADE08D 1_2_6CADE08D
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Code function: 1_2_6CADF733 1_2_6CADF733
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Code function: 1_2_6CADF230 1_2_6CADF230
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Code function: 1_2_6CADCFC6 1_2_6CADCFC6
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Code function: 1_2_6CB00F50 1_2_6CB00F50
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Code function: 1_2_6CB009F0 1_2_6CB009F0
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Code function: 1_2_6CADCBA1 1_2_6CADCBA1
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Code function: 1_2_6CADC78F 1_2_6CADC78F
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Code function: 1_2_6CAC0184 1_2_6CAC0184
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Code function: 1_2_6CB00360 1_2_6CB00360
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Code function: 1_2_6CADDC57 1_2_6CADDC57
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Code function: 1_2_6CABDF6E 1_2_6CABDF6E
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Code function: 1_2_6CADD80E 1_2_6CADD80E
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Code function: 1_2_6CB0181A 1_2_6CB0181A
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Code function: 1_2_6CADD3D8 1_2_6CADD3D8
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe Code function: String function: 00A1204D appears 54 times
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exeCode function: String function: 6CA91BEA appears 50 times
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exeCode function: String function: 00A50657 appears 684 times
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exeCode function: String function: 6CA93FE4 appears 166 times
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exeCode function: String function: 6CA93981 appears 59 times
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exeCode function: String function: 00A138F5 appears 502 times
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exeCode function: String function: 00A53770 appears 79 times
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exeCode function: String function: 00A50B3E appears 34 times
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exeCode function: String function: 6CAF8F7E appears 41 times
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exeCode function: String function: 00F438F5 appears 502 times
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exeCode function: String function: 00F80657 appears 684 times
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exeCode function: String function: 00F4204D appears 54 times
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exeCode function: String function: 00F80B3E appears 34 times
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exeCode function: String function: 00F83770 appears 79 times
Source: python-3.11.4-amd64.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, REMOVABLE_RUN_FROM_SWAP, NET_RUN_FROM_SWAP
Source: classification engine | Classification label: clean8.winEXE@3/7@0/0
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe | Code function: 0_2_00F420A3 FormatMessageW,GetLastError,LocalFree
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe | Code function: 0_2_00F44674 GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,GetLastError,AdjustTokenPrivileges,GetLastError,Sleep,InitiateSystemShutdownExW,GetLastError,CloseHandle
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe | Code function: 1_2_00A14674 GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,GetLastError,AdjustTokenPrivileges,GetLastError,Sleep,InitiateSystemShutdownExW,GetLastError,CloseHandle
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe | Code function: 0_2_00F834D0 GetModuleHandleA,GetLastError,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CoCreateInstance,ExitProcess
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe | Code function: 1_2_6CAB5DA2 FindResourceExA,GetLastError,LoadResource,GetLastError,SizeofResource,GetLastError,LockResource,GetLastError
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe | Code function: 0_2_00F66A02 ChangeServiceConfigW,GetLastError
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe | File created: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe | Command line argument: cabinet.dll (0_2_00F41070)
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe | Command line argument: msi.dll (0_2_00F41070)
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe | Command line argument: version.dll (0_2_00F41070)
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe | Command line argument: wininet.dll (0_2_00F41070)
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe | Command line argument: comres.dll (0_2_00F41070)
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe | Command line argument: clbcatq.dll (0_2_00F41070)
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe | Command line argument: msasn1.dll (0_2_00F41070)
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe | Command line argument: crypt32.dll (0_2_00F41070)
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe | Command line argument: feclient.dll (0_2_00F41070)
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe | Command line argument: cabinet.dll (1_2_00A11070)
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe | Command line argument: msi.dll (1_2_00A11070)
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe | Command line argument: version.dll (1_2_00A11070)
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe | Command line argument: wininet.dll (1_2_00A11070)
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe | Command line argument: comres.dll (1_2_00A11070)
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe | Command line argument: clbcatq.dll (1_2_00A11070)
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe | Command line argument: msasn1.dll (1_2_00A11070)
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe | Command line argument: crypt32.dll (1_2_00A11070)
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe | Command line argument: feclient.dll (1_2_00A11070)
Source: python-3.11.4-amd64.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: python-3.11.4-amd64.exe | String found in binary or memory: Failed to re-launch bundle process after RunOnce: %ls
Source: python-3.11.4-amd64.exe | String found in binary or memory: Failed to re-launch bundle process after RunOnce: %ls
Source: python-3.11.4-amd64.exe | String found in binary or memory: Failed to re-launch bundle process after RunOnce: %ls
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe | File read: C:\Users\user\Desktop\python-3.11.4-amd64.exe
Source: unknown | Process created: C:\Users\user\Desktop\python-3.11.4-amd64.exe "C:\Users\user\Desktop\python-3.11.4-amd64.exe"
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe | Process created: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe "C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe" -burn.clean.room="C:\Users\user\Desktop\python-3.11.4-amd64.exe" -burn.filehandle.attached=684 -burn.filehandle.self=640
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe | Process created: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe "C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe" -burn.clean.room="C:\Users\user\Desktop\python-3.11.4-amd64.exe" -burn.filehandle.attached=684 -burn.filehandle.self=640
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe | Section loaded: msi.dll
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe | Section loaded: cabinet.dll
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe | Section loaded: msxml3.dll
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe | Section loaded: feclient.dll
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe | Section loaded: apphelp.dll
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe | Section loaded: cryptbase.dll
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe | Section loaded: msi.dll
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe | Section loaded: version.dll
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe | Section loaded: cabinet.dll
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe | Section loaded: msxml3.dll
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe | Section loaded: windows.storage.dll
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe | Section loaded: wldp.dll
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe | Section loaded: feclient.dll
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe | Section loaded: iertutil.dll
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe | Section loaded: uxtheme.dll
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe | Section loaded: textinputframework.dll
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe | Section loaded: coreuicomponents.dll
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe | Section loaded: coremessaging.dll
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe | Section loaded: ntmarta.dll
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe | Section loaded: wintypes.dll
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe | Section loaded: wintypes.dll
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe | Section loaded: wintypes.dll
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe | Section loaded: msimg32.dll
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe | Section loaded: windowscodecs.dll
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe | Section loaded: explorerframe.dll
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe | Section loaded: textshaping.dll
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F6D90F11-9C73-11D3-B32E-00C04F990BB4}\InProcServer32
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe | Window detected: Number of UI elements: 43
Source: python-3.11.4-amd64.exe | Static PE information: certificate valid
Source: python-3.11.4-amd64.exe | Static file information: File size 25426160 > 1048576
Source: python-3.11.4-amd64.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: python-3.11.4-amd64.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: python-3.11.4-amd64.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: python-3.11.4-amd64.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: python-3.11.4-amd64.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: python-3.11.4-amd64.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: python-3.11.4-amd64.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: python-3.11.4-amd64.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\agent\_work\138\s\build\ship\x86\burn.pdb | source: python-3.11.4-amd64.exe, python-3.11.4-amd64.exe.0.dr
Source: Binary string: C:\agent\_work\138\s\build\ship\x86\burn.pdb/ | source: python-3.11.4-amd64.exe, python-3.11.4-amd64.exe.0.dr
Source: Binary string: D:\a\1\s\PCbuild\obj\311win32_Release\msi_pythonba\PythonBA.pdb | source: python-3.11.4-amd64.exe, 00000001.00000002.2913054141.000000006CB18000.00000002.00000001.01000000.00000007.sdmp, PythonBA.dll.1.dr
Source: python-3.11.4-amd64.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: python-3.11.4-amd64.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: python-3.11.4-amd64.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: python-3.11.4-amd64.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: python-3.11.4-amd64.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe | Code function: 1_2_6CA9C4E0 SetThreadLocale,LoadLibraryW,GetProcAddress,GetLastError,FreeLibrary
Source: python-3.11.4-amd64.exe | Static PE information: section name: .wixburn
Source: python-3.11.4-amd64.exe.0.dr | Static PE information: section name: .wixburn
Source: PythonBA.dll.1.dr | Static PE information: section name: .00cfg
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe | Code function: 0_2_00F6E916 push ecx; ret 0_2_00F6E929
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe | Code function: 1_2_00A3E916 push ecx; ret 1_2_00A3E929
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe | Code function: 1_2_6CA91BAE push ecx; ret 1_2_6CAB8F93
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe | Code function: 1_2_6CA910CD push ecx; ret 1_2_6CB10A20
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe | File created: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe | File created: C:\Windows\Temp\{CCA95E51-A09F-4242-B6EC-E83480F5CD87}\.ba\PythonBA.dll
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe | File created: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe | File created: C:\Windows\Temp\{CCA95E51-A09F-4242-B6EC-E83480F5CD87}\.ba\PythonBA.dll
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe | Dropped PE file which has not been started: C:\Windows\Temp\{CCA95E51-A09F-4242-B6EC-E83480F5CD87}\.ba\PythonBA.dll
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe | Evasive API call chain: GetLocalTime,DecisionNodes
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe | API coverage: 9.2 %
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe | Code function: 0_2_00F802DD GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 05h and CTI: je 00F80378h
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe | Code function: 0_2_00F802DD GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 01h and CTI: je 00F80371h
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe | Code function: 1_2_00A502DD GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 05h and CTI: je 00A50378h
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe | Code function: 1_2_00A502DD GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 01h and CTI: je 00A50371h
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe | Code function: 0_2_00F8488B FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe | Code function: 0_2_00F59B24 FindFirstFileW,lstrlenW,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe | Code function: 0_2_00F43D89 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe | Code function: 1_2_00A5488B FindFirstFileW,FindClose
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe | Code function: 1_2_00A29B24 FindFirstFileW,lstrlenW,FindNextFileW,FindClose
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe | Code function: 1_2_00A13D89 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe | Code function: 1_2_6CAA599C FindFirstFileW,FindClose
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe | Code function: 1_2_6CAB4046 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe | Code function: 1_2_6CAF5DCD FindFirstFileExW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe | Code function: 0_2_00F89B11 VirtualQuery,GetSystemInfo
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe | API call chain: ExitProcess graph end node
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe | API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe | Code function: 0_2_00F6E684 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe | Code function: 1_2_6CA9C4E0 SetThreadLocale,LoadLibraryW,GetProcAddress,GetLastError,FreeLibrary
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe | Code function: 0_2_00F78581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe | Code function: 0_2_00F74503 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe | Code function: 1_2_00A48581 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe | Code function: 1_2_00A44503 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe | Code function: 0_2_00F43ADF GetProcessHeap,RtlFreeHeap,GetLastError
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe | Code function: 0_2_00F6E1B8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe | Code function: 0_2_00F6E684 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe | Code function: 0_2_00F7389A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe | Code function: 0_2_00F6E817 SetUnhandledExceptionFilter
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe | Code function: 1_2_00A3E1B8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe | Code function: 1_2_00A3E684 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe | Code function: 1_2_00A4389A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe | Code function: 1_2_00A3E817 SetUnhandledExceptionFilter
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe | Code function: 1_2_6CAC6574 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe | Code function: 1_2_6CAB8C2D IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe | Code function: 1_2_6CA94188 SetUnhandledExceptionFilter
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe | Code function: 1_2_6CAB82F2 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe | Code function: 1_2_6CA9E275 ShellExecuteW
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe | Process created: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe "C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe" -burn.clean.room="C:\Users\user\Desktop\python-3.11.4-amd64.exe" -burn.filehandle.attached=684 -burn.filehandle.self=640
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe | Code function: 0_2_00F81BB9 InitializeSecurityDescriptor,GetLastError,CreateWellKnownSid,CreateWellKnownSid,GetLastError,CreateWellKnownSid,GetLastError,CreateWellKnownSid,GetLastError,CreateWellKnownSid,GetLastError,CreateWellKnownSid,GetLastError,SetEntriesInAclA,SetSecurityDescriptorOwner,GetLastError,SetSecurityDescriptorGroup,GetLastError,SetSecurityDescriptorDacl,GetLastError,CoInitializeSecurity,LocalFree
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe | Code function: 0_2_00F83ED2 AllocateAndInitializeSid,CheckTokenMembership
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe | Code function: 0_2_00F6EA47 cpuid
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe | Code function: 1_2_6CAFE46A GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe | Code function: 1_2_6CAFE0A5 GetLocaleInfoW
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe | Code function: 1_2_6CAFE218 GetLocaleInfoW,GetLocaleInfoW,GetACP
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe | Code function: 1_2_6CAFE35F GetLocaleInfoW
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe | Code function: 1_2_6CAF89E4 EnumSystemLocalesW
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe | Code function: 1_2_6CAF87E4 EnumSystemLocalesW
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe | Code function: 1_2_6CAFDC50 EnumSystemLocalesW
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe | Code function: 1_2_6CAFDDBE GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe | Code function: 1_2_6CAFDD11 EnumSystemLocalesW
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe | Code function: 1_2_6CAFDBCE EnumSystemLocalesW
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe | Code function: 1_2_6CAF9562 GetLocaleInfoW
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe | Queries volume information: C:\Windows\Temp\{CCA95E51-A09F-4242-B6EC-E83480F5CD87}\.ba\SideBar.png VolumeInformation
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe | Queries volume information: C:\Windows\Temp\{CCA95E51-A09F-4242-B6EC-E83480F5CD87}\.ba\SideBar.png VolumeInformation
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe | Queries volume information: C:\Windows\Temp\{CCA95E51-A09F-4242-B6EC-E83480F5CD87}\.ba\SideBar.png VolumeInformation
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe | Queries volume information: C:\Windows\Temp\{CCA95E51-A09F-4242-B6EC-E83480F5CD87}\.ba\SideBar.png VolumeInformation
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe | Queries volume information: C:\Windows\Temp\{CCA95E51-A09F-4242-B6EC-E83480F5CD87}\.ba\SideBar.png VolumeInformation
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe | Queries volume information: C:\Windows\Temp\{CCA95E51-A09F-4242-B6EC-E83480F5CD87}\.ba\SideBar.png VolumeInformation
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe | Queries volume information: C:\Windows\Temp\{CCA95E51-A09F-4242-B6EC-E83480F5CD87}\.ba\SideBar.png VolumeInformation
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe | Queries volume information: C:\Windows\Temp\{CCA95E51-A09F-4242-B6EC-E83480F5CD87}\.ba\SideBar.png VolumeInformation
Source: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe | Queries volume information: C:\Windows\Temp\{CCA95E51-A09F-4242-B6EC-E83480F5CD87}\.ba\SideBar.png VolumeInformation
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe | Code function: 0_2_00F54F5A ConvertStringSecurityDescriptorToSecurityDescriptorW,GetLastError,CreateNamedPipeW,GetLastError,CreateNamedPipeW,GetLastError,CloseHandle,LocalFree
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe | Code function: 0_2_00F4609A GetSystemTime,GetDateFormatW,GetLastError,GetLastError,GetDateFormatW,GetLastError
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe | Code function: 0_2_00F4623E GetUserNameW,GetLastError
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe | Code function: 0_2_00F88C56 GetTimeZoneInformation,SystemTimeToTzSpecificLocalTime
Source: C:\Users\user\Desktop\python-3.11.4-amd64.exe | Code function: 0_2_00F4520D GetModuleHandleW,CoInitializeEx,GetVersionExW,GetLastError,CoUninitialize
MITRE ATT&CK matrix (a leading number in a cell is the count of matched signatures for that technique):

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 3 Command and Scripting Interpreter | 1 Windows Service | 1 Exploitation for Privilege Escalation | 1 Masquerading | OS Credential Dumping | 12 System Time Discovery | Remote Services | 1 Archive Collected Data | 2 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 1 Service Execution | 1 DLL Side-Loading | 1 Access Token Manipulation | 1 Virtualization/Sandbox Evasion | LSASS Memory | 2 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | 3 Native API | Logon Script (Windows) | 1 Windows Service | 1 Access Token Manipulation | Security Account Manager | 1 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 12 Process Injection | 12 Process Injection | NTDS | 1 Account Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 1 System Owner/User Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 2 Obfuscated Files or Information | Cached Domain Credentials | 1 File and Directory Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 DLL Side-Loading | DCSync | 34 System Information Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Antivirus detection (sample)

| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| python-3.11.4-amd64.exe | 0% | ReversingLabs | | |
| python-3.11.4-amd64.exe | 0% | Virustotal | | Browse |

Antivirus detection (dropped files)

| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe | 0% | ReversingLabs | | |
| C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe | 0% | Virustotal | | Browse |
| C:\Windows\Temp\{CCA95E51-A09F-4242-B6EC-E83480F5CD87}\.ba\PythonBA.dll | 0% | ReversingLabs | | |
| C:\Windows\Temp\{CCA95E51-A09F-4242-B6EC-E83480F5CD87}\.ba\PythonBA.dll | 0% | Virustotal | | Browse |

No Antivirus matches
No Antivirus matches

Antivirus detection (URLs)

| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| http://appsyndication.org/2006/appsynapplicationc: | 0% | URL Reputation | safe | |
| http://appsyndication.org/2006/appsynapplicationc: | 0% | URL Reputation | safe | |
| http://appsyndication.org/2006/appsyn | 0% | URL Reputation | safe | |
| http://appsyndication.org/2006/appsyn | 0% | URL Reputation | safe | |
| http://crl3.digic | 0% | Avira URL Cloud | safe | |
No contacted domains info
                                                                                              No contacted IP infos
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1432014
Start date and time: 2024-04-26 09:36:10 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 4s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 7
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: python-3.11.4-amd64.exe
Detection: CLEAN
Classification: clean8.winEXE@3/7@0/0
EGA Information:
  • Successful, ratio: 100%
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 113
  • Number of non-executed functions: 262
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
  • Not all processes were analyzed, report is missing behavior information
  • Report size exceeded maximum capacity and may have missing disassembly code.
  • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                              No simulations
                                                                                              No context
                                                                                              No context
                                                                                              No context
                                                                                              No context
                                                                                              No context
Process: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 14761
Entropy (8bit): 5.242247897134095
Encrypted: false
SSDEEP: 96:QtsnW0RlnBxc6gnezEygyX2q/ezkZ9kDgLGdkDbkh3kPOdD3khkV+zDZk1k3bkde:dlnBxc6gnewfW2q/ekLGFmK2
MD5: 7234F220A59F63C0A4788F7885E2D8FE
SHA1: F2CCE3E668FEFA3FD823D54D710FDCE15694F29B
SHA-256: 5E5166E340C95D0C3CD5DDBA897954625182D58F03379B1E3EE81695534AF4B9
SHA-512: 25F3ACE2A61F1B785C93B8038C823BA4DF0E4D04AA7B05707660EEB6A8CBD4ED6E9DFBC7213A55B88CA3726EAE2B8BB3713F55C18E00C1CDFAE9B4A3A8AFD6CB
Malicious: false
Reputation: low
Preview: [1B74:07D4][2024-04-26T09:37:00]i001: Burn v3.14.0.5722, Windows v10.0 (Build 19045: Service Pack 0), path: C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe..[1B74:07D4][2024-04-26T09:37:00]i000: Initializing string variable 'ActionLikeInstalling' to value 'Installing'..[1B74:07D4][2024-04-26T09:37:00]i000: Initializing string variable 'ActionLikeInstallation' to value 'Setup'..[1B74:07D4][2024-04-26T09:37:00]i000: Initializing string variable 'ShortVersion' to value '3.11'..[1B74:07D4][2024-04-26T09:37:00]i000: Initializing numeric variable 'ShortVersionNoDot' to value '311'..[1B74:07D4][2024-04-26T09:37:00]i000: Initializing string variable 'WinVer' to value '3.11'..[1B74:07D4][2024-04-26T09:37:00]i000: Initializing numeric variable 'WinVerNoDot' to value '311'..[1B74:07D4][2024-04-26T09:37:00]i000: Initializing numeric variable 'InstallAllUsers' to value '0'..[1B74:07D4][2024-04-26T09:37:00]i000: Initializing numeric variable 'InstallLauncherAllUser

Process: C:\Users\user\Desktop\python-3.11.4-amd64.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 879104
Entropy (8bit): 7.381277625665739
Encrypted: false
                                                                                              SSDEEP:24576:D5mWpI2jFM5sFzfTpi9GpNq2YSia0dLIqARMPAw4d:D5BjBbTpi9Kx3AEnYj4d
                                                                                              MD5:73084CDC98F16F144AEAA7CE8966A76A
                                                                                              SHA1:40E8D66A0D13454B25513C8444C763CAB00F2AB7
                                                                                              SHA-256:6846E876B507121739C7325D83C6CEF655748113F0EF1CB61759552DD76C9DB4
                                                                                              SHA-512:D674AA9C8EC2736FC4282D6AE7A15C87EF714C6D8F0CEEF5213C6925ABCE8E152EED4FA39525B5AA7C5BCF806FE7BFFBBBBD74E71F25FD9FF544825D407ABB71
                                                                                              Malicious:false
                                                                                              Antivirus:
                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                              • Antivirus: Virustotal, Detection: 0%
                                                                                              Reputation:low
                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........[.s...s...s.......s......$s.......s.......s.......s.......s.......s.......s...s...r.......s....Q..s...s9..s.......s..Rich.s..........................PE..L....RKa..........................................@.......................................@.................................<............e...........:.../...P...=...{..T....................{.......z..@............................................text.............................. ..`.rdata..t...........................@..@.data...............................@....wixburn8...........................@..@.rsrc....e.......f..................@..@.reloc...=...P...>..................@..B........................................................................................................................................................................................................................................
                                                                                              Process:C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe
                                                                                              File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (676), with CRLF line terminators
                                                                                              Category:dropped
                                                                                              Size (bytes):101404
                                                                                              Entropy (8bit):3.7255837301231836
                                                                                              Encrypted:false
                                                                                              SSDEEP:768:XBgyB6JM/LpYizsYnXldL3lNeqdcXQpPKmb3jkuwG73LAyG3DcsGUX8Sg4091mYp:XFlhl4Yp
                                                                                              MD5:29F7C1AE17542F2947D43086CC8A2C61
                                                                                              SHA1:AD26076B5E86CDEB2E9F68F136577FFD40B9F824
                                                                                              SHA-256:82FDB1FB8BA06EA22EF1E0E790DCD66B51EB04085B3A8FD104EDAF1C8F008340
                                                                                              SHA-512:30EF345FB2D7CEB57B637D8AFDC3C417B4F10D2FBFDCFF0A352E830BB49C2D45BAFFE13F7637C7B4D41984EA41A91861DD86B2EF7E45581AEBB98DB1FBCB6B35
                                                                                              Malicious:false
                                                                                              Reputation:low
                                                                                              Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.B.o.o.t.s.t.r.a.p.p.e.r.A.p.p.l.i.c.a.t.i.o.n.D.a.t.a. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.x./.2.0.1.0./.B.o.o.t.s.t.r.a.p.p.e.r.A.p.p.l.i.c.a.t.i.o.n.D.a.t.a.".>..... . .<.W.i.x.B.u.n.d.l.e.P.r.o.p.e.r.t.i.e.s. .D.i.s.p.l.a.y.N.a.m.e.=.".P.y.t.h.o.n. .3...1.1...4. .(.6.4.-.b.i.t.).". .L.o.g.P.a.t.h.V.a.r.i.a.b.l.e.=.".W.i.x.B.u.n.d.l.e.L.o.g.". .C.o.m.p.r.e.s.s.e.d.=.".n.o.". .I.d.=.".{.3.d.4.5.e.d.f.4.-.4.4.b.b.-.4.8.3.f.-.9.e.0.8.-.4.3.c.3.8.c.8.1.e.1.1.8.}.". .U.p.g.r.a.d.e.C.o.d.e.=.".{.7.6.7.B.3.1.E.B.-.0.1.0.6.-.5.A.E.3.-.B.4.6.E.-.7.7.F.3.2.D.1.B.A.B.A.2.}.". .P.e.r.M.a.c.h.i.n.e.=.".n.o.". ./.>..... . .<.W.i.x.P.a.c.k.a.g.e.F.e.a.t.u.r.e.I.n.f.o. .P.a.c.k.a.g.e.=.".e.x.e._.A.l.l.U.s.e.r.s.". .F.e.a.t.u.r.e.=.".D.e.f.a.u.l.t.F.e.a.t.u.r.e.". .S.i.z.e.=.".2.1.2.7.1.0.2.". .P.a.r.e.n.t.=.".". .T.i.t.l.e.=.".P.y.t.h.o.n. .3...1.1...4. .E.x.e.c.u.t.a.b.l.e.
                                                                                              Process:C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe
                                                                                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                              Category:dropped
                                                                                              Size (bytes):12050
                                                                                              Entropy (8bit):5.202199468357687
                                                                                              Encrypted:false
                                                                                              SSDEEP:192:0cUc9Oa2cacjcPnfEUcUr80Mpcu5cmc0pc3:0cUcAa2cacjcPfFcUx4cu5cmcQc3
                                                                                              MD5:4A006BB0FD949404E628D26F833C994B
                                                                                              SHA1:128BF94B6232C1591EE9D9D4B15953368838D8EF
                                                                                              SHA-256:BE2BAED45BCFB013E914E9D5BF6BC7C77A311F6F1723AFBB7EB1FAA7DA497E1B
                                                                                              SHA-512:B77383479E630060AEAACBB59E4F90AA0DB3037C9C37EBF668CF6669F48B9F57602210C8E0C20B92A20D1BAE1A371A98997B35F48082456F77964C7978664CD4
                                                                                              Malicious:false
                                                                                              Reputation:moderate, very likely benign file
                                                                                              Preview:<?xml version="1.0" encoding="utf-8"?>..<Theme xmlns="http://wixtoolset.org/schemas/thmutil/2010">.. <Window Width="670" Height="412" HexStyle="100a0000" FontId="0">#(loc.Caption)</Window>.. <Font Id="0" Height="-14" Weight="500" Foreground="000000" Background="ffffff">Segoe UI</Font>.. <Font Id="1" Height="-26" Weight="500" Foreground="000000" Background="ffffff">Segoe UI</Font>.. <Font Id="2" Height="-24" Weight="500" Foreground="808080" Background="ffffff">Segoe UI</Font>.. <Font Id="3" Height="-14" Weight="500" Foreground="000000" Background="ffffff">Segoe UI</Font>.. <Font Id="4" Height="-14" Weight="500" Foreground="ff0000" Background="ffffff" Underline="yes">Segoe UI</Font>.. <Font Id="5" Height="-14" Weight="500" Foreground="808080" Background="ffffff">Segoe UI</Font>.... <Page Name="Help">.. <Text X="185" Y="11" Width="-11" Height="36" FontId="1" DisablePrefix="yes">#(loc.HelpHeader)</Text>.. <Image X="0" Y="0" Width="178" Height="382" Ima
                                                                                              Process:C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe
                                                                                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (349), with CRLF line terminators
                                                                                              Category:dropped
                                                                                              Size (bytes):9177
                                                                                              Entropy (8bit):5.078827763136586
                                                                                              Encrypted:false
                                                                                              SSDEEP:96:JTqB3tcIyDykuiM7iIbY8gQOOeupqplqe7o7qiYici+iDF8zcz6/DuukOVZbRU84:k5J+nSuUBBr2NZK
                                                                                              MD5:E2E4ED5DD48AF4EEBE15726C7053749F
                                                                                              SHA1:8D7EEBBD2D8544724AC2FF0DA71AC1FF62121347
                                                                                              SHA-256:0111A0F259F5F498055B4C1218B30C21D4A8B7D893BCA04ED4E18FE01D3563D2
                                                                                              SHA-512:64C3010E4DD0FCFB2E236EA1ED464D1928DBE2F5A13DD0A71B4C446A7B986118955D37055857C5FB44A45500A598112641D6979D78883BE4C444E7FBC1292E05
                                                                                              Malicious:false
                                                                                              Reputation:low
                                                                                              Preview:.<?xml version="1.0" encoding="utf-8"?>..<WixLocalization Culture="en-us" Language="1033" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <String Id="Caption">[WixBundleName] Setup</String>.. <String Id="Installing">Installing</String>.. <String Id="Installation">Setup</String>.. <String Id="Modifying">Updating</String>.. <String Id="Modification">Modify</String>.. <String Id="Repairing">Repairing</String>.. <String Id="Repair">Repair</String>.. <String Id="Uninstalling">Removing</String>.. <String Id="Uninstallation">Uninstall</String>.. .. <String Id="ElevateForCRTInstall">You will be prompted for Administrator privileges to install a C Runtime Library update (KB2999226).......Continue?</String>.. .. <String Id="CancelButton">&amp;Cancel</String>.. <String Id="CloseButton">&amp;Close</String>.. <String Id="InstallHeader">Install [WixBundleName]</String>.. <String Id="InstallMessage">Select Install Now to install Python with default settings, or choose
                                                                                              Process:C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe
                                                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                              Category:dropped
                                                                                              Size (bytes):690176
                                                                                              Entropy (8bit):6.000284662502105
                                                                                              Encrypted:false
                                                                                              SSDEEP:6144:rEEKaxe1tHVjwLqKmlDGH6NmpHx6mI+BoSbGwizRfucj6GOUetELpO:Izaxe13w+XGH62Hx7I+BYfucjxlO
                                                                                              MD5:6382CA6E9024097C5B662B0147C67E7C
                                                                                              SHA1:E1134801E1D2834C0A2BE3F7D30BC6610760689F
                                                                                              SHA-256:CBAC589B8142D3C1DF2353471E928B2823F59B66E06E521619052DBE6385055C
                                                                                              SHA-512:0A38306AE961A64EB0DA531AE3F7B6F438BE94320B0E11CAF1B05A700D49632556405431B175606D3BFF13F89F658F3AF00037C1CD752B659169086CE247D6BB
                                                                                              Malicious:false
                                                                                              Antivirus:
                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                              • Antivirus: Virustotal, Detection: 0%
                                                                                              Reputation:low
                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........j.3...`...`...`.s.a...`.s.a:..`.w.a...`.w.a...`.w.a...`.s.a...`.s.a...`.b.a...`.s.a...`...`I..`ov.a...`ov.a...`ovy`...`ov.a...`Rich...`................PE..L...B..d...........!...#.n..........YC....................................................@..................................V..........<........................7......8...............................@............P...............................text....l.......n.................. ..`.rdata...............r..............@..@.data....*... ......................@....idata..:$...P...&..................@..@.00cfg...............>..............@..@.rsrc...<............@..............@..@.reloc...@.......B...F..............@..B................................................................................................................................................................................................
                                                                                              Process:C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe
                                                                                              File Type:PNG image data, 176 x 382, 8-bit/color RGB, non-interlaced
                                                                                              Category:dropped
                                                                                              Size (bytes):51948
                                                                                              Entropy (8bit):7.980841800703768
                                                                                              Encrypted:false
                                                                                              SSDEEP:1536:/c/aRsg1fYfJt0Bg74nWPMMCNBaeQzxxj8ckBo:UcsgGfP0yCWTAaeyxxjGBo
                                                                                              MD5:888EB713A0095756252058C9727E088A
                                                                                              SHA1:C14F69F2BEF6BC3E2162B4DD78E9DF702D94CDB4
                                                                                              SHA-256:79434BD1368F47F08ACF6DB66638531D386BF15166D78D9BFEA4DA164C079067
                                                                                              SHA-512:7C59F4ADA242B19C2299B6789A65A1F34565FED78730C22C904DB16A9872FE6A07035C6D46A64EE94501FBCD96DE586A8A5303CA22F33DA357D455C014820CA0
                                                                                              Malicious:false
                                                                                              Preview:.PNG........IHDR.......~......@.y....gAMA......a.... cHRM..z&..............u0...`..:....p..Q<....bKGD..............pHYs...........k.....IDATx...Y.e.v...f....YY.k....CC. H..I..E..M....)K.j".......p8...P.!...*dZ.l.![.M.`c..................ZsN.......YY.2.U>......{..s.5.c....g.H..WD....Q.........*......#.(1{..%f..""..Z...=..w...=*.......{...{..].~kN)1...*1..W..W.=...K.".n.{w.....Ad..,D.......1;.....b.011....QNBV#B..#...(.^...._=.B..9..;..~.ZVh....L..L,D.A...A.A.D.=. ...X.Y...U. %V..A...I@.+....DDAD.l..L..D..A.."D.A.L...9.(..#"...@....1.o.V..L.....Af&D8..M.._...AA.ND-.033.Qx.;....[......=.....) ....<.-.cb...,..A.......f<....DP.G.H...EA$.?..G...c....,".A..L..=H.X...3.F.y...G.&.....*...np;.=3S....b..w"bFL.G..[.A......A....M.Q.3.J.e.Pj.."|..fF.I.E^..H.h...|.x.....3...0.P..^.'A;(...P=::Of...../D..PpcF...."'W=........._...g..2..k.. ".].@?..k....c.7#$<..a.../.l.BAn...|....#.....l .VU..]g/..<T..u..N,.A...n.*h.d..A..BF.I.U....AA...(..D.nQ...&z("..Dn.,LT.
                                                                                              File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                              Entropy (8bit):7.997603851114176
                                                                                              TrID:
                                                                                              • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                              • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                              • DOS Executable Generic (2002/1) 0.02%
                                                                                              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                              File name:python-3.11.4-amd64.exe
                                                                                              File size:25'426'160 bytes
                                                                                              MD5:e4413bb7448cd13b437dffffba294ca0
                                                                                              SHA1:59dcc42113cd01346f7498a07c1265a4428b8864
                                                                                              SHA256:47be821c0f1825d90fc40f83a3ee3d3a691a3e16c8e21ac0cd56371362aaad50
                                                                                              SHA512:a48ee8992eee60a0d620dced71b9f96596f5dd510e3024015aca55884cdb3f9e2405734bfc13f3f40b79106a77bc442cce02ac4c8f5d16207448052b368fd52a
                                                                                              SSDEEP:786432:MHi7Bb2EJqoZYHzYoj8P3kajPHRKx2MlDMhzU:t21QYHzYojc31LHRKXxMZU
                                                                                              TLSH:B747333355E44255F6F214B3B238A230BDAC7E342B51886AD6C8FE1D69728A397770D3
                                                                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........[.s...s...s.......s......$s.......s.......s.......s.......s.......s.......s...s...r.......s....Q..s...s9..s.......s..Rich.s.
                                                                                              Icon Hash:02021a3a3e27641a
                                                                                              Entrypoint:0x42e082
                                                                                              Entrypoint Section:.text
                                                                                              Digitally signed:true
                                                                                              Imagebase:0x400000
                                                                                              Subsystem:windows gui
                                                                                              Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE, REMOVABLE_RUN_FROM_SWAP, NET_RUN_FROM_SWAP
                                                                                              DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                                                                              Time Stamp:0x614B529A [Wed Sep 22 15:58:18 2021 UTC]
                                                                                              TLS Callbacks:
                                                                                              CLR (.Net) Version:
                                                                                              OS Version Major:6
                                                                                              OS Version Minor:0
                                                                                              File Version Major:6
                                                                                              File Version Minor:0
                                                                                              Subsystem Version Major:6
                                                                                              Subsystem Version Minor:0
                                                                                              Import Hash:f57d7a40ebfca87e6f8082251d937ed8
                                                                                              Signature Valid:true
                                                                                              Signature Issuer:CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
                                                                                              Signature Validation Error:The operation completed successfully
                                                                                              Error Number:0
                                                                                              Not Before, Not After
                                                                                              • 17/01/2022 00:00:00 15/01/2025 23:59:59
                                                                                              Subject Chain
                                                                                              • CN=Python Software Foundation, O=Python Software Foundation, L=Beaverton, S=Oregon, C=US
                                                                                              Version:3
                                                                                              Thumbprint MD5:B484BD77C3BCD0EC90BDE8AB8D42BC5D
                                                                                              Thumbprint SHA-1:36168EE17C1A240517388540C903BB6717DD2563
                                                                                              Thumbprint SHA-256:6045E624888E299179D5AE0CEDA57C9874FF6CCF889FA14B2D50F751BFB9E2F8
                                                                                              Serial:071F141B8B300D25F314EB230CD0D1DD
                                                                                              Instruction
                                                                                              call 00007F10EC5611FEh
                                                                                              jmp 00007F10EC560B3Fh
                                                                                              int3
                                                                                              int3
                                                                                              int3
                                                                                              int3
                                                                                              mov eax, dword ptr [esp+08h]
                                                                                              mov ecx, dword ptr [esp+10h]
                                                                                              or ecx, eax
                                                                                              mov ecx, dword ptr [esp+0Ch]
                                                                                              jne 00007F10EC560CCBh
                                                                                              mov eax, dword ptr [esp+04h]
                                                                                              mul ecx
                                                                                              retn 0010h
                                                                                              push ebx
                                                                                              mul ecx
                                                                                              mov ebx, eax
                                                                                              mov eax, dword ptr [esp+08h]
                                                                                              mul dword ptr [esp+14h]
                                                                                              add ebx, eax
                                                                                              mov eax, dword ptr [esp+08h]
                                                                                              mul ecx
                                                                                              add edx, ebx
                                                                                              pop ebx
                                                                                              retn 0010h
                                                                                              int3
                                                                                              int3
                                                                                              int3
                                                                                              int3
                                                                                              int3
                                                                                              int3
                                                                                              int3
                                                                                              int3
                                                                                              int3
                                                                                              int3
                                                                                              int3
                                                                                              int3
                                                                                              cmp cl, 00000040h
                                                                                              jnc 00007F10EC560CD7h
                                                                                              cmp cl, 00000020h
                                                                                              jnc 00007F10EC560CC8h
                                                                                              shrd eax, edx, cl
                                                                                              shr edx, cl
                                                                                              ret
                                                                                              mov eax, edx
                                                                                              xor edx, edx
                                                                                              and cl, 0000001Fh
                                                                                              shr eax, cl
                                                                                              ret
                                                                                              xor eax, eax
                                                                                              xor edx, edx
                                                                                              ret
                                                                                              push ebp
                                                                                              mov ebp, esp
                                                                                              jmp 00007F10EC560CCFh
                                                                                              push dword ptr [ebp+08h]
                                                                                              call 00007F10EC567364h
                                                                                              pop ecx
                                                                                              test eax, eax
                                                                                              je 00007F10EC560CD1h
                                                                                              push dword ptr [ebp+08h]
                                                                                              call 00007F10EC5673D6h
                                                                                              pop ecx
                                                                                              test eax, eax
                                                                                              je 00007F10EC560CA8h
                                                                                              pop ebp
                                                                                              ret
                                                                                              cmp dword ptr [ebp+08h], FFFFFFFFh
                                                                                              je 00007F10EC5615C4h
                                                                                              jmp 00007F10EC5615A1h
                                                                                              push ebp
                                                                                              mov ebp, esp
                                                                                              push dword ptr [ebp+08h]
                                                                                              call 00007F10EC5615DDh
                                                                                              pop ecx
                                                                                              pop ebp
                                                                                              ret
                                                                                              push ebp
                                                                                              mov ebp, esp
                                                                                              test byte ptr [ebp+08h], 00000001h
                                                                                              push esi
                                                                                              mov esi, ecx
                                                                                              mov dword ptr [esi], 00461394h
                                                                                              je 00007F10EC560CCCh
                                                                                              push 0000000Ch
                                                                                              push esi
                                                                                              call 00007F10EC560C9Dh
                                                                                              pop ecx
                                                                                              pop ecx
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x68c3c | 0xb4 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x6e000 | 0x165fc | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x183c9e0 | 0x2f10 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x85000 | 0x3dbc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x67b80 | 0x54 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x67bd4 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x67ac0 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x4b000 | 0x3d0 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x687bc | 0x100 | .rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x49bc3 | 0x49c00 | d7850143023cdfec0067529eaffd1d8a | False | 0.5406812764830509 | data | 6.56876435385695 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x4b000 | 0x1f274 | 0x1f400 | a6324dea1df27927c5953ca77e5c2b7d | False | 0.300234375 | data | 5.076043008700175 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x6b000 | 0x1814 | 0xc00 | 6bbbcb634109f843f6df0782c7e49c37 | False | 0.23404947916666666 | data | 2.8556964527712565 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.wixburn | 0x6d000 | 0x38 | 0x200 | 3f4fcada9e4747ed017e05de029b5207 | False | 0.130859375 | data | 0.7436244141059085 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x6e000 | 0x165fc | 0x16600 | 4181a2e39e74ddff83b96080fc0c1589 | False | 0.5007637918994413 | data | 6.262587367315972 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x85000 | 0x3dbc | 0x3e00 | da63acf23697f18857eb83358ef92845 | False | 0.8085307459677419 | data | 6.787116427178204 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x6e388 | 0x3b55 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.9815656066890512
RT_ICON | 0x71ee0 | 0x1628 | Device independent bitmap graphic, 64 x 128 x 8, image size 4096, 256 important colors | English | United States | 0.33568406205923834
RT_ICON | 0x73508 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | English | United States | 0.4482942430703625
RT_ICON | 0x743b0 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | United States | 0.46344765342960287
RT_ICON | 0x74c58 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | English | United States | 0.5524193548387096
RT_ICON | 0x75320 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | United States | 0.4328034682080925
RT_ICON | 0x75888 | 0x35cd | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.9848253829957162
RT_ICON | 0x78e58 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | English | United States | 0.16213982050070855
RT_ICON | 0x7d080 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.2226141078838174
RT_ICON | 0x7f628 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.3116791744840525
RT_ICON | 0x806d0 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | United States | 0.40491803278688526
RT_ICON | 0x81058 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.4423758865248227
RT_MESSAGETABLE | 0x814c0 | 0x2840 | data | English | United States | 0.28823757763975155
RT_GROUP_ICON | 0x83d00 | 0xae | data | English | United States | 0.6379310344827587
RT_VERSION | 0x83db0 | 0x378 | data | English | United States | 0.4369369369369369
RT_MANIFEST | 0x84128 | 0x4d2 | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (1174), with CRLF line terminators | English | United States | 0.47568881685575365
DLL | Import
ADVAPI32.dll | RegCloseKey, RegOpenKeyExW, OpenProcessToken, AdjustTokenPrivileges, LookupPrivilegeValueW, InitiateSystemShutdownExW, GetUserNameW, RegQueryValueExW, RegDeleteValueW, CloseEventLog, OpenEventLogW, ReportEventW, ConvertStringSecurityDescriptorToSecurityDescriptorW, CreateWellKnownSid, InitializeAcl, DecryptFileW, SetEntriesInAclW, ChangeServiceConfigW, CloseServiceHandle, ControlService, OpenSCManagerW, OpenServiceW, QueryServiceStatus, SetNamedSecurityInfoW, CheckTokenMembership, AllocateAndInitializeSid, SetEntriesInAclA, SetSecurityDescriptorOwner, SetSecurityDescriptorGroup, SetSecurityDescriptorDacl, InitializeSecurityDescriptor, RegSetValueExW, RegQueryInfoKeyW, RegEnumValueW, RegEnumKeyExW, RegDeleteKeyW, RegCreateKeyExW, GetTokenInformation, CryptDestroyHash, CryptHashData, CryptCreateHash, CryptGetHashParam, CryptReleaseContext, CryptAcquireContextW, QueryServiceConfigW
USER32.dll | PeekMessageW, PostMessageW, IsWindow, WaitForInputIdle, PostQuitMessage, GetMessageW, TranslateMessage, MsgWaitForMultipleObjects, PostThreadMessageW, GetMonitorInfoW, MonitorFromPoint, IsDialogMessageW, LoadCursorW, LoadBitmapW, SetWindowLongW, GetWindowLongW, GetCursorPos, MessageBoxW, CreateWindowExW, UnregisterClassW, RegisterClassW, DefWindowProcW, DispatchMessageW
OLEAUT32.dll | VariantInit, SysAllocString, VariantClear, SysFreeString
GDI32.dll | DeleteDC, DeleteObject, SelectObject, StretchBlt, GetObjectW, CreateCompatibleDC
SHELL32.dll | CommandLineToArgvW, SHGetFolderPathW, ShellExecuteExW
ole32.dll | CoUninitialize, CoInitializeEx, CoInitialize, StringFromGUID2, CoCreateInstance, CoTaskMemFree, CoInitializeSecurity, CLSIDFromProgID
KERNEL32.dll | GetCPInfo, GetOEMCP, GetACP, CreateFileW, CloseHandle, GetLastError, HeapSetInformation, GetModuleHandleW, GetProcAddress, LocalFree, FormatMessageW, lstrlenA, lstrlenW, MultiByteToWideChar, WideCharToMultiByte, LCMapStringW, ExpandEnvironmentStringsW, CreateDirectoryW, GetFullPathNameW, GetTempFileNameW, GetTempPathW, Sleep, GetLocalTime, GetModuleFileNameW, CompareStringW, CreateFileA, SetFilePointer, WriteFile, GetCurrentProcessId, GetSystemDirectoryW, LoadLibraryW, HeapAlloc, HeapReAlloc, HeapFree, HeapSize, GetCommandLineA, SetCurrentDirectoryW, GetCurrentDirectoryW, DeleteFileW, FindClose, FindFirstFileW, FindNextFileW, GetFileAttributesW, RemoveDirectoryW, SetFileAttributesW, MoveFileExW, InitializeCriticalSection, DeleteCriticalSection, ReleaseMutex, GetCurrentProcess, GetCurrentThreadId, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, CreateProcessW, GetVersionExW, VerSetConditionMask, GetVolumePathNameW, EnterCriticalSection, LeaveCriticalSection, GetSystemTime, GetWindowsDirectoryW, GetNativeSystemInfo, GetCommandLineW, FreeLibrary, GetModuleHandleExW, GetComputerNameW, VerifyVersionInfoW, GetDateFormatW, GetUserDefaultUILanguage, GetUserDefaultLangID, GetSystemDefaultLangID, GetStringTypeW, ReadFile, SetFilePointerEx, DuplicateHandle, LoadLibraryExW, CreateEventW, ProcessIdToSessionId, ConnectNamedPipe, SetNamedPipeHandleState, CreateNamedPipeW, WaitForSingleObject, GetProcessId, OpenProcess, CreateThread, GetExitCodeThread, SetEvent, WaitForMultipleObjects, LocalFileTimeToFileTime, SetEndOfFile, SetFileTime, ResetEvent, DosDateTimeToFileTime, CompareStringA, GetExitCodeProcess, SetThreadExecutionState, CopyFileExW, CreateMutexW, CreateFileMappingW, MapViewOfFile, UnmapViewOfFile, GetThreadLocale, IsValidCodePage, FindFirstFileExW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetStdHandle, GetFileSizeEx, FlushFileBuffers, GetConsoleCP, GetConsoleMode, DecodePointer, WriteConsoleW, GetModuleHandleA, GlobalAlloc, GlobalFree, CopyFileW, VirtualAlloc, VirtualFree, SystemTimeToTzSpecificLocalTime, SystemTimeToFileTime, GetTimeZoneInformation, GetSystemInfo, VirtualProtect, VirtualQuery, GetSystemWow64DirectoryW, GetProcessHeap, GetFileType, ExitProcess, GetStdHandle, InitializeCriticalSectionAndSpinCount, SetLastError, RtlUnwind, RaiseException, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, LoadLibraryExA
RPCRT4.dll | UuidCreate
Language of compilation system | Country where language is spoken
English | United States
                                                                                              No network behavior found

                                                                                              Target ID:0
                                                                                              Start time:09:37:00
                                                                                              Start date:26/04/2024
                                                                                              Path:C:\Users\user\Desktop\python-3.11.4-amd64.exe
                                                                                              Wow64 process (32bit):true
                                                                                              Commandline:"C:\Users\user\Desktop\python-3.11.4-amd64.exe"
                                                                                              Imagebase:0xf40000
                                                                                              File size:25'426'160 bytes
                                                                                              MD5 hash:E4413BB7448CD13B437DFFFFBA294CA0
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Reputation:low
                                                                                              Has exited:false

                                                                                              Target ID:1
                                                                                              Start time:09:37:00
                                                                                              Start date:26/04/2024
                                                                                              Path:C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe
                                                                                              Wow64 process (32bit):true
                                                                                              Commandline:"C:\Windows\Temp\{63C45DCA-6831-4557-8A7A-DEEB494B92C5}\.cr\python-3.11.4-amd64.exe" -burn.clean.room="C:\Users\user\Desktop\python-3.11.4-amd64.exe" -burn.filehandle.attached=684 -burn.filehandle.self=640
                                                                                              Imagebase:0xa10000
                                                                                              File size:879'104 bytes
                                                                                              MD5 hash:73084CDC98F16F144AEAA7CE8966A76A
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Antivirus matches:
                                                                                              • Detection: 0%, ReversingLabs
• Detection: 0%, Virustotal
                                                                                              Reputation:low
                                                                                              Has exited:false

                                                                                                Control-flow Graph

                                                                                                • Executed
                                                                                                • Not Executed
control_flow_graph 704 f4520d-f452bb call f6f710 * 2 GetModuleHandleW call f80912 call f80ac6 call f41206 715 f452d1-f452e2 call f44361 704->715 716 f452bd 704->716 722 f452e4-f452e9 715->722 723 f452eb-f45307 call f4568e CoInitializeEx 715->723 717 f452c2-f452cc call f80657 716->717 725 f4554c-f45553 717->725 722->717 731 f45310-f4531c call f800c9 723->731 732 f45309-f4530e 723->732 727 f45555-f4555b call f4278d 725->727 728 f45560-f45562 725->728 727->728 729 f45564-f4556b 728->729 730 f45572-f45590 call f4d8c8 call f5a8bc call f5ab06 728->730 729->730 734 f4556d call f54264 729->734 753 f45592-f4559a 730->753 754 f455be-f455d1 call f4501c 730->754 741 f45330-f4533f call f812d3 731->741 742 f4531e 731->742 732->717 734->730 751 f45341-f45346 741->751 752 f45348-f45357 call f82f7b 741->752 744 f45323-f4532b call f80657 742->744 744->725 751->744 759 f45360-f4536f call f839da 752->759 760 f45359-f4535e 752->760 753->754 758 f4559c-f4559f 753->758 764 f455d3 call f83ea2 754->764 765 f455d8-f455df 754->765 758->754 762 f455a1-f455bc call f543c4 call f45678 758->762 772 f45371-f45376 759->772 773 f45378-f45397 GetVersionExW 759->773 760->744 762->754 764->765 769 f455e6-f455ed 765->769 770 f455e1 call f83381 765->770 775 f455f4-f455fb 769->775 776 f455ef call f8191f 769->776 770->769 772->744 779 f453d1-f45416 call f434ef call f45678 773->779 780 f45399-f453a3 GetLastError 773->780 782 f45602-f45604 775->782 783 f455fd call f801d8 775->783 776->775 806 f45418-f45423 call f4278d 779->806 807 f45429-f45439 call f57523 779->807 786 f453a5-f453ae 780->786 787 f453b0 780->787 784 f45606 CoUninitialize 782->784 785 f4560c-f45613 782->785 783->782 784->785 791 f45615-f45617 785->791 792 f4564e-f45657 call f80535 785->792 786->787 793 f453b7-f453cc call f438f5 787->793 794 f453b2 787->794 796 f4561d-f45623 791->796 797 f45619-f4561b 791->797 804 f4565e-f45675 call f80c18 call f6de30 792->804 805 f45659 call f44674 792->805 793->744 794->793 801 f45625-f4563e call f53df9 call f45678 796->801 797->801 801->792 823 f45640-f4564d call f45678 801->823 805->804 806->807 819 f45445-f4544e 807->819 820 f4543b 807->820 824 f45454-f45457 819->824 825 f45516-f45523 call f44db5 819->825 820->819 828 f4545d-f45460 824->828 829 f454ee-f4550a call f44b65 824->829 831 f45528-f4552c 825->831 833 f454c6-f454e2 call f44971 828->833 834 f45462-f45465 828->834 837 f45538-f4554a 829->837 843 f4550c 829->843 836 f4552e 831->836 831->837 833->837 848 f454e4 833->848 839 f45467-f4546a 834->839 840 f4549e-f454ba call f44b08 834->840 836->837 837->725 841 f4546c-f45471 839->841 842 f4547b-f4548e call f44d04 839->842 840->837 850 f454bc 840->850 841->842 842->837 851 f45494 842->851 843->825 848->829 850->833 851->840
                                                                                                APIs
                                                                                                • GetModuleHandleW.KERNEL32(00000000,?,?,?,?,?,?), ref: 00F4528F
                                                                                                  • Part of subcall function 00F80912: InitializeCriticalSection.KERNEL32(00FAC6EC,?,00F4529B,00000000,?,?,?,?,?,?), ref: 00F80929
                                                                                                  • Part of subcall function 00F41206: CommandLineToArgvW.SHELL32(00000000,00000000,00000000,00000000,00000000,00000000,ignored ,00000000,?,00000000,?,?,?,00F452B7,00000000,?), ref: 00F41244
                                                                                                  • Part of subcall function 00F41206: GetLastError.KERNEL32(?,?,?,00F452B7,00000000,?,?,00000003,00000000,00000000,?,?,?,?,?,?), ref: 00F4124E
                                                                                                • CoInitializeEx.OLE32(00000000,00000000,?,?,00000000,?,?,00000003,00000000,00000000,?,?,?,?,?,?), ref: 00F452FD
                                                                                                  • Part of subcall function 00F812D3: GetProcAddress.KERNEL32(RegDeleteKeyExW,AdvApi32.dll), ref: 00F812F4
                                                                                                • GetVersionExW.KERNEL32(?,?,?,?,?,?,?), ref: 00F4538F
                                                                                                • GetLastError.KERNEL32(?,?,?,?,?,?), ref: 00F45399
                                                                                                • CoUninitialize.OLE32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00F45606
                                                                                                Strings
                                                                                                • c:\agent\_work\138\s\src\burn\engine\engine.cpp, xrefs: 00F453BD
                                                                                                • 3.14.0.5722, xrefs: 00F453FC
                                                                                                • Failed to run per-user mode., xrefs: 00F4550C
                                                                                                • Failed to initialize Wiutil., xrefs: 00F45359
                                                                                                • Failed to run embedded mode., xrefs: 00F454BC
                                                                                                • Failed to initialize COM., xrefs: 00F45309
                                                                                                • Failed to initialize XML util., xrefs: 00F45371
                                                                                                • Invalid run mode., xrefs: 00F45471
                                                                                                • Failed to initialize engine state., xrefs: 00F452E4
                                                                                                • Failed to parse command line., xrefs: 00F452BD
                                                                                                • Failed to run per-machine mode., xrefs: 00F454E4
                                                                                                • Failed to run untrusted mode., xrefs: 00F4552E
                                                                                                • Failed to get OS info., xrefs: 00F453C7
                                                                                                • Failed to initialize Regutil., xrefs: 00F45341
                                                                                                • Failed to initialize Cryputil., xrefs: 00F4531E
                                                                                                • Failed to initialize core., xrefs: 00F4543B
                                                                                                • Failed to run RunOnce mode., xrefs: 00F45494
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
• Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: ErrorInitializeLast$AddressArgvCommandCriticalHandleLineModuleProcSectionUninitializeVersion
                                                                                                • String ID: 3.14.0.5722$Failed to get OS info.$Failed to initialize COM.$Failed to initialize Cryputil.$Failed to initialize Regutil.$Failed to initialize Wiutil.$Failed to initialize XML util.$Failed to initialize core.$Failed to initialize engine state.$Failed to parse command line.$Failed to run RunOnce mode.$Failed to run embedded mode.$Failed to run per-machine mode.$Failed to run per-user mode.$Failed to run untrusted mode.$Invalid run mode.$c:\agent\_work\138\s\src\burn\engine\engine.cpp
                                                                                                • API String ID: 3262001429-872186229
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Control-flow Graph (graph data not reproduced)
                                                                                                APIs
                                                                                                • GetModuleHandleA.KERNEL32(kernel32.dll,00000000,00000000,00F83A7E,00000000,?,00000000), ref: 00F834EA
                                                                                                • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00F6BE27,?,00F4547D,?,00000000,?), ref: 00F834F6
                                                                                                • GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 00F83536
                                                                                                • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00F83542
                                                                                                • GetProcAddress.KERNEL32(00000000,Wow64EnableWow64FsRedirection), ref: 00F8354D
                                                                                                • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00F83557
                                                                                                • CoCreateInstance.OLE32(00FAC7A0,00000000,00000001,00F8B878,?,?,?,?,?,?,?,?,?,?,?,00F6BE27), ref: 00F83592
                                                                                                • ExitProcess.KERNEL32 ref: 00F83641
                                                                                                Strings
                                                                                                • Wow64RevertWow64FsRedirection, xrefs: 00F8354F
                                                                                                • c:\agent\_work\138\s\src\libs\dutil\xmlutil.cpp, xrefs: 00F8351A
                                                                                                • kernel32.dll, xrefs: 00F834DA
                                                                                                • IsWow64Process, xrefs: 00F83530
                                                                                                • Wow64EnableWow64FsRedirection, xrefs: 00F83544
                                                                                                • Wow64DisableWow64FsRedirection, xrefs: 00F8353C
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                Similarity
                                                                                                • API ID: AddressProc$CreateErrorExitHandleInstanceLastModuleProcess
                                                                                                • String ID: IsWow64Process$Wow64DisableWow64FsRedirection$Wow64EnableWow64FsRedirection$Wow64RevertWow64FsRedirection$c:\agent\_work\138\s\src\libs\dutil\xmlutil.cpp$kernel32.dll
                                                                                                • API String ID: 2124981135-566418578
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                  • Part of subcall function 00F434EF: GetModuleFileNameW.KERNEL32(?,?,00000104,?,00000104,?,?,?,?,00F410DD,?,00000000), ref: 00F43510
                                                                                                • CreateFileW.KERNELBASE(?,80000000,00000005,00000000,00000003,00000080,00000000,?,00000000), ref: 00F410F6
                                                                                                  • Part of subcall function 00F41173: HeapSetInformation.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,?,?,00F4111A,cabinet.dll,00000009,?,?,00000000), ref: 00F41184
                                                                                                  • Part of subcall function 00F41173: GetModuleHandleW.KERNEL32(kernel32,?,?,?,?,?,00F4111A,cabinet.dll,00000009,?,?,00000000), ref: 00F4118F
                                                                                                  • Part of subcall function 00F41173: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00F4119D
                                                                                                  • Part of subcall function 00F41173: GetLastError.KERNEL32(?,?,?,?,?,00F4111A,cabinet.dll,00000009,?,?,00000000), ref: 00F411B8
                                                                                                  • Part of subcall function 00F41173: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00F411C0
                                                                                                  • Part of subcall function 00F41173: GetLastError.KERNEL32(?,?,?,?,?,00F4111A,cabinet.dll,00000009,?,?,00000000), ref: 00F411D5
                                                                                                • CloseHandle.KERNEL32(?,?,?,?,00F8B4C0,?,cabinet.dll,00000009,?,?,00000000), ref: 00F41131
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                Similarity
                                                                                                • API ID: AddressErrorFileHandleLastModuleProc$CloseCreateHeapInformationName
                                                                                                • String ID: cabinet.dll$clbcatq.dll$comres.dll$crypt32.dll$feclient.dll$msasn1.dll$msi.dll$version.dll$wininet.dll
                                                                                                • API String ID: 3687706282-3151496603
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Strings
                                                                                                • Failed create working folder., xrefs: 00F5A0C9
                                                                                                • Failed to calculate working folder to ensure it exists., xrefs: 00F5A0B3
                                                                                                • Failed to copy working folder., xrefs: 00F5A0F1
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                Similarity
                                                                                                • API ID: CurrentDirectoryErrorLastProcessWindows
                                                                                                • String ID: Failed create working folder.$Failed to calculate working folder to ensure it exists.$Failed to copy working folder.
                                                                                                • API String ID: 3841436932-2072961686
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,00F806D5,00000000,8007139F,?,00000000,00000000,8007139F,?,?,?,00F80669,000001C7), ref: 00F43AE9
                                                                                                • RtlFreeHeap.NTDLL(00000000,?,00F806D5,00000000,8007139F,?,00000000,00000000,8007139F,?,?,?,00F80669,000001C7,?,?), ref: 00F43AF0
                                                                                                • GetLastError.KERNEL32(?,00F806D5,00000000,8007139F,?,00000000,00000000,8007139F,?,?,?,00F80669,000001C7,?,?), ref: 00F43AFA
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                Similarity
                                                                                                • API ID: Heap$ErrorFreeLastProcess
                                                                                                • String ID:
                                                                                                • API String ID: 406640338-0
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • SysFreeString.OLEAUT32(00000000), ref: 00F4E0EE
                                                                                                • SysFreeString.OLEAUT32(00000000), ref: 00F4E7D2
                                                                                                  • Part of subcall function 00F43A1A: GetProcessHeap.KERNEL32(?,000001C7,?,00F423A7,?,00000001,80004005,8007139F,?,?,00F80687,8007139F,?,00000000,00000000,8007139F), ref: 00F43A2B
                                                                                                  • Part of subcall function 00F43A1A: RtlAllocateHeap.NTDLL(00000000,?,00F423A7,?,00000001,80004005,8007139F,?,?,00F80687,8007139F,?,00000000,00000000,8007139F), ref: 00F43A32
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                Similarity
                                                                                                • API ID: FreeHeapString$AllocateProcess
                                                                                                • String ID: Cache$CacheId$Chain/ExePackage|Chain/MsiPackage|Chain/MspPackage|Chain/MsuPackage$ExePackage$Failed to allocate memory for MSP patch sequence information.$Failed to allocate memory for package structs.$Failed to allocate memory for patch sequence information to package lookup.$Failed to allocate memory for rollback boundary structs.$Failed to find backward transaction boundary: %ls$Failed to find forward transaction boundary: %ls$Failed to get @Cache.$Failed to get @CacheId.$Failed to get @Id.$Failed to get @InstallCondition.$Failed to get @InstallSize.$Failed to get @LogPathVariable.$Failed to get @PerMachine.$Failed to get @Permanent.$Failed to get @RollbackBoundaryBackward.$Failed to get @RollbackBoundaryForward.$Failed to get @RollbackLogPathVariable.$Failed to get @Size.$Failed to get @Vital.$Failed to get next node.$Failed to get package node count.$Failed to get rollback bundary node count.$Failed to parse EXE package.$Failed to parse MSI package.$Failed to parse MSP package.$Failed to parse MSU package.$Failed to parse dependency providers.$Failed to parse payload references.$Failed to parse target product codes.$Failed to select package nodes.$Failed to select rollback boundary nodes.$InstallCondition$InstallSize$Invalid cache type: %ls$LogPathVariable$MsiPackage$MspPackage$MsuPackage$PerMachine$Permanent$RollbackBoundary$RollbackBoundaryBackward$RollbackBoundaryForward$RollbackLogPathVariable$Size$Vital$`<u$always$c:\agent\_work\138\s\src\burn\engine\package.cpp$cabinet.dll$clbcatq.dll$comres.dll$crypt32.dll$feclient.dll$msi.dll$wininet.dll$yes
                                                                                                • API String ID: 336948655-2048013959
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Control-flow Graph (graph data not reproduced)
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                Similarity
                                                                                                • API ID: StringVariant$AllocClearFreeInit
                                                                                                • String ID: AboutUrl$Arp$Classification$Comments$Contact$Department$DisableModify$DisableRemove$DisplayName$DisplayVersion$ExecutableName$Failed to get @AboutUrl.$Failed to get @Classification.$Failed to get @Comments.$Failed to get @Contact.$Failed to get @Department.$Failed to get @DisableModify.$Failed to get @DisableRemove.$Failed to get @DisplayName.$Failed to get @DisplayVersion.$Failed to get @ExecutableName.$Failed to get @HelpLink.$Failed to get @HelpTelephone.$Failed to get @Id.$Failed to get @Manufacturer.$Failed to get @Name.$Failed to get @ParentDisplayName.$Failed to get @PerMachine.$Failed to get @ProductFamily.$Failed to get @ProviderKey.$Failed to get @Publisher.$Failed to get @Register.$Failed to get @Tag.$Failed to get @UpdateUrl.$Failed to get @Version.$Failed to parse @Version: %ls$Failed to parse related bundles$Failed to parse software tag.$Failed to select ARP node.$Failed to select Update node.$Failed to select registration node.$Failed to set registration paths.$HelpLink$HelpTelephone$Invalid modify disabled type: %ls$Manufacturer$Name$ParentDisplayName$PerMachine$ProductFamily$ProviderKey$Publisher$Register$Registration$Tag$Update$UpdateUrl$Version$button$c:\agent\_work\138\s\src\burn\engine\registration.cpp$yes
                                                                                                • API String ID: 760788290-4190031805
                                                                                                • Opcode ID: 975fcc8fb40040aca8b7b332a3b96bf30ceb00c0d36fd5e69c5c3b370fde3cd4
                                                                                                • Instruction ID: 1b228dd60de1d0778aac23e6414da3fd63bfa5bd7de8b506f6bc7ab180ed3ad2
                                                                                                • Opcode Fuzzy Hash: 975fcc8fb40040aca8b7b332a3b96bf30ceb00c0d36fd5e69c5c3b370fde3cd4
                                                                                                • Instruction Fuzzy Hash: 65E1B672E44627BBDF12A660CC41EAEBA64BB05B60F550331FD19B71A0D761ED08BBC1
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

Control-flow Graph

APIs
• GetLastError.KERNEL32(?,?,?,00000000,76EEC3F0,00000000), ref: 00F4B5C2
• SetFilePointerEx.KERNELBASE(000000FF,00000000,00000000,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 00F4B610
• GetLastError.KERNEL32(?,?,?,00000000,76EEC3F0,00000000), ref: 00F4B616
• ReadFile.KERNELBASE(00000000,00F444EB,00000040,?,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 00F4B65E
• GetLastError.KERNEL32(?,?,?,00000000,76EEC3F0,00000000), ref: 00F4B664
• SetFilePointerEx.KERNELBASE(00000000,00000000,?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 00F4B6C1
• GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 00F4B6C7
• ReadFile.KERNELBASE(00000000,?,00000018,00000040,00000000,?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 00F4B710
• GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 00F4B716
• SetFilePointerEx.KERNELBASE(00000000,-00000098,00000000,00000000,00000000,?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 00F4B787
• GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 00F4B78D
• ReadFile.KERNEL32(00000000,?,00000004,00000018,00000000,?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 00F4B7D6
• GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 00F4B7DC
• ReadFile.KERNEL32(00000000,?,00000004,00000018,00000000,?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 00F4B825
• GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 00F4B82B
• SetFilePointerEx.KERNELBASE(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 00F4B877
• GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 00F4B87D
  • Part of subcall function 00F43A1A: GetProcessHeap.KERNEL32(?,000001C7,?,00F423A7,?,00000001,80004005,8007139F,?,?,00F80687,8007139F,?,00000000,00000000,8007139F), ref: 00F43A2B
  • Part of subcall function 00F43A1A: RtlAllocateHeap.NTDLL(00000000,?,00F423A7,?,00000001,80004005,8007139F,?,?,00F80687,8007139F,?,00000000,00000000,8007139F), ref: 00F43A32
• ReadFile.KERNEL32(00000000,?,00000028,00000018,00000000,?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 00F4B8D0
• ReadFile.KERNEL32(00000000,?,00000028,00000028,00000000,?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 00F4B932
• SetFilePointerEx.KERNELBASE(00000000,?,00000000,00000000,00000000,00000034,00000001,?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 00F4B9BC
• GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 00F4B9C6
Strings
Memory Dump Source
• Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
• Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
Similarity
• API ID: File$ErrorLast$Read$Pointer$Heap$AllocateProcess
• String ID: ($.wix$4$Failed to allocate buffer for section info.$Failed to allocate memory for container sizes.$Failed to find Burn section.$Failed to find valid DOS image header in buffer.$Failed to find valid NT image header in buffer.$Failed to get total size of bundle.$Failed to open handle to engine process path.$Failed to read DOS header.$Failed to read NT header.$Failed to read complete image section header, index: %u$Failed to read complete section info.$Failed to read image section header, index: %u$Failed to read section info, data to short: %u$Failed to read section info, unsupported version: %08x$Failed to read section info.$Failed to read signature offset.$Failed to read signature size.$Failed to seek past optional headers.$Failed to seek to NT header.$Failed to seek to section info.$Failed to seek to start of file.$PE$PE Header from file didn't match PE Header in memory.$burn$c:\agent\_work\138\s\src\burn\engine\section.cpp
• API String ID: 3411815225-3112695413
• Opcode ID: 94596876b4df9df4cf0c1ed6882c7d99b9101389e162d52cb885b79167b672b6
• Instruction ID: 5c509fd7b21a87deb25b55e0eac475f68935d3149279e7bb32c73946f2b742c9
• Opcode Fuzzy Hash: 94596876b4df9df4cf0c1ed6882c7d99b9101389e162d52cb885b79167b672b6
• Instruction Fuzzy Hash: 4112B676E40235EBDB209B548C46FEA7E64AF44720F0141A5FE08BB282EB74DD40BB95
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• SetEvent.KERNEL32(?,?,?,?,?,00F6077F,?,?), ref: 00F60BDE
• GetLastError.KERNEL32(?,?,?,?,00F6077F,?,?), ref: 00F60BE8
• WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,00F6077F,?,?), ref: 00F60C2D
• GetLastError.KERNEL32(?,?,?,?,00F6077F,?,?), ref: 00F60C38
• ResetEvent.KERNEL32(?,?,?,?,?,00F6077F,?,?), ref: 00F60C70
• GetLastError.KERNEL32(?,?,?,?,00F6077F,?,?), ref: 00F60C7A
Strings
Memory Dump Source
• Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
• Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
Similarity
• API ID: ErrorLast$Event$ObjectResetSingleWait
• String ID: Failed to allocate buffer for stream.$Failed to copy stream name: %ls$Failed to create file: %ls$Failed to reset begin operation event.$Failed to set end of file.$Failed to set file pointer to beginning of file.$Failed to set file pointer to end of file.$Failed to set operation complete event.$Failed to wait for begin operation event.$Invalid operation for this state.$c:\agent\_work\138\s\src\burn\engine\cabextract.cpp
• API String ID: 1865021742-4216264097
• Opcode ID: 82864d60465406349d5735ad925126279caab0347d819690eab1e9127e151960
• Instruction ID: 5916a03c595ce8822e00e710d053a2c6ef6cade2ac4b941e03562e59c7d5c0b6
• Opcode Fuzzy Hash: 82864d60465406349d5735ad925126279caab0347d819690eab1e9127e151960
• Instruction Fuzzy Hash: C591F137E81736BBE73116A45D0AB6B7A14AF00B30F224321BE15BA6D1EF55DC00B6D6
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
  • Part of subcall function 00F434EF: GetModuleFileNameW.KERNEL32(?,?,00000104,?,00000104,?,?,?,?,00F410DD,?,00000000), ref: 00F43510
• CloseHandle.KERNEL32(00000000,?,000000FF,?,?,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 00F44FBC
• CloseHandle.KERNEL32(000000FF,?,000000FF,?,?,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 00F44FCB
• CloseHandle.KERNEL32(000000FF,?,000000FF,?,?,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 00F44FDA
• CloseHandle.KERNEL32(?,?,000000FF,?,?,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 00F44FE5
Strings
• burn.filehandle.self, xrefs: 00F44EC1
• Failed to launch clean room process: %ls, xrefs: 00F44F73
• "%ls" %ls, xrefs: 00F44EF6
• c:\agent\_work\138\s\src\burn\engine\engine.cpp, xrefs: 00F44F66
• -%ls="%ls", xrefs: 00F44E62
• Failed to wait for clean room process: %ls, xrefs: 00F44F9F
• Failed to get path for current process., xrefs: 00F44DFF
• D, xrefs: 00F44F25
• Failed to allocate parameters for unelevated process., xrefs: 00F44E76
• Failed to append %ls, xrefs: 00F44E98
• burn.filehandle.attached, xrefs: 00F44E93
• burn.clean.room, xrefs: 00F44E5A
• %ls %ls, xrefs: 00F44ED1
• Failed to allocate full command-line., xrefs: 00F44F0A
• Failed to cache to clean room., xrefs: 00F44E3E
• Failed to append original command line., xrefs: 00F44EE5
Memory Dump Source
• Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
• Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
Similarity
• API ID: CloseHandle$FileModuleName
• String ID: "%ls" %ls$%ls %ls$-%ls="%ls"$D$Failed to allocate full command-line.$Failed to allocate parameters for unelevated process.$Failed to append %ls$Failed to append original command line.$Failed to cache to clean room.$Failed to get path for current process.$Failed to launch clean room process: %ls$Failed to wait for clean room process: %ls$burn.clean.room$burn.filehandle.attached$burn.filehandle.self$c:\agent\_work\138\s\src\burn\engine\engine.cpp
• API String ID: 3884789274-535173987
• Opcode ID: efa482698f6fd12dab62732e10b959f452f3f5b0eb494a159723fe3207df8608
• Instruction ID: a218c24b4a7cf3e9e074898e17b37e24607cd338eb2db709be2bcd4f8c8e4329
• Opcode Fuzzy Hash: efa482698f6fd12dab62732e10b959f452f3f5b0eb494a159723fe3207df8608
• Instruction Fuzzy Hash: 37717532D0022ABBCB11ABA4CC45EEFBF78AF04720F114116FD10B7291D775AA45ABE1
Uniqueness

Uniqueness Score: -1.00%

                                                                                                Control-flow Graph (graph image for function at 0xF57523 not reproduced)

                                                                                                Strings
                                                                                                • Failed to set original source variable., xrefs: 00F57763
                                                                                                • Failed to set source process folder variable., xrefs: 00F5773E
                                                                                                • Failed to load manifest., xrefs: 00F575E1
                                                                                                • WixBundleUILevel, xrefs: 00F576CF, 00F576E0
                                                                                                • Failed to overwrite the %ls built-in variable., xrefs: 00F576B4
                                                                                                • Failed to extract bootstrapper application payloads., xrefs: 00F577E8
                                                                                                • Failed to initialize variables., xrefs: 00F5756A
                                                                                                • Failed to initialize internal cache functionality., xrefs: 00F57798
                                                                                                • Failed to get source process folder from path., xrefs: 00F5771E
                                                                                                • Failed to parse command line., xrefs: 00F57660
                                                                                                • Failed to load catalog files., xrefs: 00F57808
                                                                                                • Failed to set source process path variable., xrefs: 00F57702
                                                                                                • WixBundleSourceProcessFolder, xrefs: 00F5772D
                                                                                                • Failed to get manifest stream from container., xrefs: 00F575C5
                                                                                                • Failed to open manifest stream., xrefs: 00F575A4
                                                                                                • Failed to get unique temporary folder for bootstrapper application., xrefs: 00F577C7
                                                                                                • WixBundleSourceProcessPath, xrefs: 00F576F1
                                                                                                • Failed to open attached UX container., xrefs: 00F57587
                                                                                                • WixBundleElevated, xrefs: 00F5769E, 00F576AF
                                                                                                • WixBundleOriginalSource, xrefs: 00F57752
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: CriticalInitializeSection
                                                                                                • String ID: Failed to extract bootstrapper application payloads.$Failed to get manifest stream from container.$Failed to get source process folder from path.$Failed to get unique temporary folder for bootstrapper application.$Failed to initialize internal cache functionality.$Failed to initialize variables.$Failed to load catalog files.$Failed to load manifest.$Failed to open attached UX container.$Failed to open manifest stream.$Failed to overwrite the %ls built-in variable.$Failed to parse command line.$Failed to set original source variable.$Failed to set source process folder variable.$Failed to set source process path variable.$WixBundleElevated$WixBundleOriginalSource$WixBundleSourceProcessFolder$WixBundleSourceProcessPath$WixBundleUILevel
                                                                                                • API String ID: 32694325-1564579409
                                                                                                • Opcode ID: 47924e4487947a5909903c4ae62eeb7a84c93af6a6e3c3f97b8bd134e61b6d95
                                                                                                • Instruction ID: 32f9709d5e908ed8f788a13860f0c67e1d91eb4b129d793a14bfe1a471d58dfa
                                                                                                • Opcode Fuzzy Hash: 47924e4487947a5909903c4ae62eeb7a84c93af6a6e3c3f97b8bd134e61b6d95
                                                                                                • Instruction Fuzzy Hash: FEA18872E44726BADB12AAA4DC45FEEBB6CBB04711F100126BE05E7180D774E948E7E1
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Control-flow Graph (graph image for function at 0xF586B8 not reproduced)

                                                                                                APIs
                                                                                                • CreateFileW.KERNELBASE(00000000,40000000,00000005,00000000,00000002,08000080,00000000,?,00000000,00000000,00F44E38,?,?,00000000,00F44E38,00000000), ref: 00F586FB
                                                                                                • GetLastError.KERNEL32 ref: 00F58708
                                                                                                  • Part of subcall function 00F84322: ReadFile.KERNELBASE(?,?,00000000,?,00000000), ref: 00F843B8
                                                                                                • SetFilePointerEx.KERNELBASE(00000000,00F8B4A8,00000000,00000000,00000000,?,00000000,00F8B4F0,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00F587B5
                                                                                                • GetLastError.KERNEL32 ref: 00F587BF
                                                                                                • FindCloseChangeNotification.KERNELBASE(00000000,?,00000000,00F8B4F0,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00F588EA
                                                                                                Strings
                                                                                                • Failed to copy engine from: %ls to: %ls, xrefs: 00F58790
                                                                                                • Failed to zero out original data offset., xrefs: 00F588DC
                                                                                                • cabinet.dll, xrefs: 00F58863
                                                                                                • Failed to seek to original data in exe burn section header., xrefs: 00F588C3
                                                                                                • Failed to seek to signature table in exe header., xrefs: 00F58854
                                                                                                • Failed to create engine file at path: %ls, xrefs: 00F58739
                                                                                                • Failed to seek to checksum in exe header., xrefs: 00F587ED
                                                                                                • Failed to seek to beginning of engine file: %ls, xrefs: 00F58761
                                                                                                • Failed to update signature offset., xrefs: 00F58809
                                                                                                • c:\agent\_work\138\s\src\burn\engine\cache.cpp, xrefs: 00F5872C, 00F587E3, 00F5884A, 00F588B9
                                                                                                • msi.dll, xrefs: 00F587FC
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: File$ErrorLast$ChangeCloseCreateFindNotificationPointerRead
                                                                                                • String ID: Failed to copy engine from: %ls to: %ls$Failed to create engine file at path: %ls$Failed to seek to beginning of engine file: %ls$Failed to seek to checksum in exe header.$Failed to seek to original data in exe burn section header.$Failed to seek to signature table in exe header.$Failed to update signature offset.$Failed to zero out original data offset.$c:\agent\_work\138\s\src\burn\engine\cache.cpp$cabinet.dll$msi.dll
                                                                                                • API String ID: 3608016165-3615985753
                                                                                                • Opcode ID: f657ba0cde238f75247f9d4da3f9f1451b18992613527438b0c16c4eaff99711
                                                                                                • Instruction ID: d2a393acf959a973bf9339e945344936efc97f4a8ca36e37520e0b3bbd3b49bb
                                                                                                • Opcode Fuzzy Hash: f657ba0cde238f75247f9d4da3f9f1451b18992613527438b0c16c4eaff99711
                                                                                                • Instruction Fuzzy Hash: BF51B473E41625BBEB116AA49C06FBF7968EF04B62F110125BE00FB181EE64DC05B7E5
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Control-flow Graph (graph image for function at 0xF476D4 not reproduced)

                                                                                                APIs
                                                                                                • InitializeCriticalSection.KERNEL32(00F57564,00F45435,00000000,00F454BD), ref: 00F476F4
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: CriticalInitializeSection
                                                                                                • String ID: #$$$'$0$Date$Failed to add built-in variable: %ls.$InstallerName$InstallerVersion$LogonUser$WixBundleAction$WixBundleActiveParent$WixBundleElevated$WixBundleExecutePackageAction$WixBundleExecutePackageCacheFolder$WixBundleForcedRestartPackage$WixBundleInstalled$WixBundleProviderKey$WixBundleSourceProcessFolder$WixBundleSourceProcessPath$WixBundleTag$WixBundleUILevel$WixBundleVersion
                                                                                                • API String ID: 32694325-3635313340
                                                                                                • Opcode ID: 0cf1fde2b89a6590417ae91b1b1e42c74c1b275b17d9b9b62b022eb29ac7a7a6
                                                                                                • Instruction ID: 4587592f028524bb7e7baccf8fd9875bdfacff9f1bc25c6e7b731055c809353c
                                                                                                • Opcode Fuzzy Hash: 0cf1fde2b89a6590417ae91b1b1e42c74c1b275b17d9b9b62b022eb29ac7a7a6
                                                                                                • Instruction Fuzzy Hash: 514259B0C116289FDB65DF5AD9887CDFAB4BB49304F5081EED50CAA212C7B00B889F95
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Control-flow Graph (graph image for function at 0xF582A6 not reproduced)

                                                                                                APIs
                                                                                                • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00F45501), ref: 00F582FC
                                                                                                  • Part of subcall function 00F80C8F: OpenProcessToken.ADVAPI32(?,00000008,?,00F45435,00000000,?,?,?,?,?,?,?,00F57696,00000000), ref: 00F80CAD
                                                                                                  • Part of subcall function 00F80C8F: GetLastError.KERNEL32(?,?,?,?,?,?,?,00F57696,00000000), ref: 00F80CB7
                                                                                                  • Part of subcall function 00F80C8F: FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,?,?,00F57696,00000000), ref: 00F80D41
                                                                                                • GetWindowsDirectoryW.KERNEL32(?,00000104,00000000), ref: 00F58322
                                                                                                • GetLastError.KERNEL32 ref: 00F5832C
                                                                                                • GetTempPathW.KERNEL32(00000104,?,00000000), ref: 00F583A9
                                                                                                • GetLastError.KERNEL32 ref: 00F583B3
                                                                                                • UuidCreate.RPCRT4(?), ref: 00F583F2
                                                                                                Strings
                                                                                                • Failed to concat Temp directory on windows path for working folder., xrefs: 00F58399
                                                                                                • Failed to copy working folder path., xrefs: 00F58477
                                                                                                • Failed to create working folder guid., xrefs: 00F583FF
                                                                                                • Failed to ensure windows path for working folder ended in backslash., xrefs: 00F58377
                                                                                                • Temp\, xrefs: 00F58381
                                                                                                • %ls%ls\, xrefs: 00F58444
                                                                                                • Failed to append bundle id on to temp path for working folder., xrefs: 00F5845C
                                                                                                • c:\agent\_work\138\s\src\burn\engine\cache.cpp, xrefs: 00F58350, 00F583D7, 00F58428
                                                                                                • Failed to convert working folder guid into string., xrefs: 00F58432
                                                                                                • Failed to get temp path for working folder., xrefs: 00F583E1
                                                                                                • Failed to get windows path for working folder., xrefs: 00F5835A
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: ErrorLast$Process$ChangeCloseCreateCurrentDirectoryFindNotificationOpenPathTempTokenUuidWindows
                                                                                                • String ID: %ls%ls\$Failed to append bundle id on to temp path for working folder.$Failed to concat Temp directory on windows path for working folder.$Failed to convert working folder guid into string.$Failed to copy working folder path.$Failed to create working folder guid.$Failed to ensure windows path for working folder ended in backslash.$Failed to get temp path for working folder.$Failed to get windows path for working folder.$Temp\$c:\agent\_work\138\s\src\burn\engine\cache.cpp
                                                                                                • API String ID: 2898636500-3402008805
                                                                                                • Opcode ID: 2bf451d29f7c56bb6c66b9bf643ef2997c1ecde3805d40ed35ac9fc84fc69037
                                                                                                • Instruction ID: bdefd834426831b7da383749b68510457e658eb846187e43cf7f9a14b42e3357
                                                                                                • Opcode Fuzzy Hash: 2bf451d29f7c56bb6c66b9bf643ef2997c1ecde3805d40ed35ac9fc84fc69037
                                                                                                • Instruction Fuzzy Hash: 2C412973E45329E7DB20E6A08C4AFAB76685B00B91F014161BF04F7180EA78DD4A7BE5
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                 Control-flow Graph

                                                                                                 Rendered as an image in the report; the node/edge dump is summarised here. Entry f60fb4-f60fe0 calls CoInitializeEx; its failure branch f60fe2-f60fef (call f80657) goes straight to the common exit f61257-f61267 (call f6de30). Otherwise f60ff4-f6103f (call f7f882) either fails into f61041-f61064 (call f438f5, call f80657) or continues through f61069-f6108b (call f7f8a3) into a 12-way branch at f610cf whose cases f610d6 .. f61125 all rejoin at f6112d-f61140 (call f80657), and into the event handshake f61145-f61150 SetEvent, f6118f-f6119d WaitForSingleObject, f611d1-f611dc ResetEvent. Each of those three has a GetLastError block (f61152-f6115c, f6119f-f611a9, f611de-f611e8) feeding the error path (call f438f5 at f6116d-f6117d, f611ba-f611cf, f611f9-f6120e and f61220-f6123a, then f61182-f6118a call f80657). All paths reach f61248-f6124b (call f7f8b3) and f61250-f61251 CoUninitialize before the exit.
                                                                                                APIs
                                                                                                • CoInitializeEx.OLE32(00000000,00000000), ref: 00F60FD6
                                                                                                • CoUninitialize.OLE32 ref: 00F61251
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: InitializeUninitialize
                                                                                                • String ID: <the>.cab$Failed to extract all files from container, erf: %d:%X:%d$Failed to initialize COM.$Failed to initialize cabinet.dll.$Failed to reset begin operation event.$Failed to set operation complete event.$Failed to wait for begin operation event.$Invalid operation for this state.$c:\agent\_work\138\s\src\burn\engine\cabextract.cpp
                                                                                                • API String ID: 3442037557-3038769977
                                                                                                • Opcode ID: 4c699470cd929ed87731ca1e4bedf5a0526c43ed07c6e1209b92d85603dc2d9b
                                                                                                • Instruction ID: b23a87c0e6e666382fe68f9e7ea8cd22ff73b783fcec5b867c1d63b38445a3cd
                                                                                                • Opcode Fuzzy Hash: 4c699470cd929ed87731ca1e4bedf5a0526c43ed07c6e1209b92d85603dc2d9b
                                                                                                • Instruction Fuzzy Hash: A9514C77D40236E7DB205754DD05E6B3618BF42B70B294365BE11BB290DA15CC40B7D6
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                 Control-flow Graph

                                                                                                 Rendered as an image in the report; the node/edge dump is summarised here. Entry f44361-f443b8: InitializeCriticalSection twice and call f54d76 twice. A loop f443c4-f443d1 / f444cf-f444d6 walks the arguments: f443d7-f44403 (lstrlenW twice, CompareStringW) tests for burn.filehandle.attached and f44455-f44481 (lstrlenW twice, CompareStringW) for burn.filehandle.self. A match continues at f44405-f44428 or f44483-f444a6 (lstrlenW) and then f44439-f44449 or f444b7-f444c7 (call f42aea); the error branches f44512-f44527 and f4453e-f44558 (call f438f5) join f44534-f4453c (call f80657). After the loop: f444dc-f444e6 (call f4b54b), f444eb-f444ef with optional f444f1-f444fd (call f80657), exit f444fe-f44504.
                                                                                                APIs
                                                                                                • InitializeCriticalSection.KERNEL32(00000000,?,00000000,00000000,?,?,00F452DE,?,?,00000000,?,?), ref: 00F4438D
                                                                                                • InitializeCriticalSection.KERNEL32(000000D0,?,?,00F452DE,?,?,00000000,?,?), ref: 00F44396
                                                                                                • lstrlenW.KERNEL32(burn.filehandle.attached,000004B8,000004A0,?,?,00F452DE,?,?,00000000,?,?), ref: 00F443DC
                                                                                                • lstrlenW.KERNEL32(burn.filehandle.attached,burn.filehandle.attached,00000000,?,?,00F452DE,?,?,00000000,?,?), ref: 00F443E6
                                                                                                • CompareStringW.KERNEL32(0000007F,00000001,?,00000000,?,?,00F452DE,?,?,00000000,?,?), ref: 00F443FA
                                                                                                • lstrlenW.KERNEL32(burn.filehandle.attached,?,?,00F452DE,?,?,00000000,?,?), ref: 00F4440A
                                                                                                • lstrlenW.KERNEL32(burn.filehandle.self,?,?,00F452DE,?,?,00000000,?,?), ref: 00F4445A
                                                                                                • lstrlenW.KERNEL32(burn.filehandle.self,burn.filehandle.self,00000000,?,?,00F452DE,?,?,00000000,?,?), ref: 00F44464
                                                                                                • CompareStringW.KERNEL32(0000007F,00000001,?,00000000,?,?,00F452DE,?,?,00000000,?,?), ref: 00F44478
                                                                                                • lstrlenW.KERNEL32(burn.filehandle.self,?,?,00F452DE,?,?,00000000,?,?), ref: 00F44488
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: lstrlen$CompareCriticalInitializeSectionString
                                                                                                • String ID: Failed to initialize engine section.$Failed to parse file handle: '%ls'$Missing required parameter for switch: %ls$burn.filehandle.attached$burn.filehandle.self$c:\agent\_work\138\s\src\burn\engine\engine.cpp
                                                                                                • API String ID: 3039292287-4238739692
                                                                                                • Opcode ID: c4d00a7b6f91cd1cb06dc85d9d0a9902f2f9d4966d90822c521302affef1a6dd
                                                                                                • Instruction ID: b623f8be37266359b504a05cc437551f029a43dfa77a7458ecfd098a686c041e
                                                                                                • Opcode Fuzzy Hash: c4d00a7b6f91cd1cb06dc85d9d0a9902f2f9d4966d90822c521302affef1a6dd
                                                                                                • Instruction Fuzzy Hash: 6751E771A40615BFCB24EB68DC86FDABB68EF00720F044115FA15EB191DB74F950EBA4
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                 Control-flow Graph

                                                                                                 Rendered as an image in the report; the node/edge dump is summarised here. Entry f4c343-f4c375 branches to either f4c377-f4c395 CreateFileW (open by path) or f4c3df-f4c3fb GetCurrentProcess twice and DuplicateHandle (reuse an existing handle); the two paths rejoin at f4c437-f4c43d and f4c449-f4c457 SetFilePointerEx, followed by f4c496-f4c49a (call f615f7) and the exit f4c4b2-f4c4b8. Each API failure goes through its GetLastError block (f4c39b-f4c3a5, f4c3fd-f4c407, f4c459-f4c463), then call f438f5 (f4c3b9-f4c3cc, f4c41b-f4c433, f4c477-f4c48c) and call f80657 (f4c3d1-f4c3da, f4c4aa-f4c4b1).
                                                                                                APIs
                                                                                                • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,08000080,00000000,?,00000000,00000000,?,00F4C533,00F4547D,?,?,00F454BD), ref: 00F4C38A
                                                                                                • GetLastError.KERNEL32(?,00F4C533,00F4547D,?,?,00F454BD,00F454BD,00000000,?,00000000), ref: 00F4C39B
                                                                                                • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002,?,00000000,00000000,?,00F4C533,00F4547D,?,?,00F454BD,00F454BD,00000000,?), ref: 00F4C3EA
                                                                                                • GetCurrentProcess.KERNEL32(000000FF,00000000,?,00F4C533,00F4547D,?,?,00F454BD,00F454BD,00000000,?,00000000), ref: 00F4C3F0
                                                                                                • DuplicateHandle.KERNELBASE(00000000,?,00F4C533,00F4547D,?,?,00F454BD,00F454BD,00000000,?,00000000), ref: 00F4C3F3
                                                                                                • GetLastError.KERNEL32(?,00F4C533,00F4547D,?,?,00F454BD,00F454BD,00000000,?,00000000), ref: 00F4C3FD
                                                                                                • SetFilePointerEx.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00F4C533,00F4547D,?,?,00F454BD,00F454BD,00000000,?,00000000), ref: 00F4C44F
                                                                                                • GetLastError.KERNEL32(?,00F4C533,00F4547D,?,?,00F454BD,00F454BD,00000000,?,00000000), ref: 00F4C459
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: ErrorLast$CurrentFileProcess$CreateDuplicateHandlePointer
                                                                                                • String ID: Failed to duplicate handle to container: %ls$Failed to move file pointer to container offset.$Failed to open container.$Failed to open file: %ls$c:\agent\_work\138\s\src\burn\engine\container.cpp$crypt32.dll$feclient.dll
                                                                                                • API String ID: 2619879409-2236165814
                                                                                                • Opcode ID: e881c7770e7a97c39d2f5c9a432c7c5ca43817825a2f597f495aa3cda3d2c736
                                                                                                • Instruction ID: ca52beaab0b11187e3f1b4b450081a9c36563af37a41f1a8301a088d69c4e818
                                                                                                • Opcode Fuzzy Hash: e881c7770e7a97c39d2f5c9a432c7c5ca43817825a2f597f495aa3cda3d2c736
                                                                                                • Instruction Fuzzy Hash: 1941C436640201ABDB60DE599D49E6B7E69ABC4730B218029FD18DB291EB35C801FBA1
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                 Control-flow Graph

                                                                                                 Rendered as an image in the report; the node/edge dump is summarised here. Entry f82f7b-f82f9b calls f4390c (the subcall that queries the system directory) and, on success, f82fa1-f82faf calls f84ea2 (the subcall whose GetLastError is listed below). Then a straight chain of seven GetProcAddress blocks: f82fb4-f82fd3, f82fda-f82ff3, f82ffa-f83013, f8301a-f83033, f8303a-f83053, f8305a-f83073, f8307a-f83094. Each lookup is followed by a two-way branch (f82fd5, f82ff5, f83015, f83035, f83055, f83075, f83096) that rejoins before the next lookup either way, so the chain is never cut short by a missing export. Exit f830a5-f830a9, optionally through f830ab-f830ae (call f4278d), to f830b3-f830b7.
                                                                                                APIs
                                                                                                  • Part of subcall function 00F4390C: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00F4394B
                                                                                                  • Part of subcall function 00F4390C: GetLastError.KERNEL32 ref: 00F43955
                                                                                                  • Part of subcall function 00F84EA2: GetLastError.KERNEL32(?,00000000,00000000,00000000,00000000,00000001), ref: 00F84ED3
                                                                                                • GetProcAddress.KERNEL32(MsiDeterminePatchSequenceW,00000000), ref: 00F82FC5
                                                                                                • GetProcAddress.KERNEL32(MsiDetermineApplicablePatchesW), ref: 00F82FE5
                                                                                                • GetProcAddress.KERNEL32(MsiEnumProductsExW), ref: 00F83005
                                                                                                • GetProcAddress.KERNEL32(MsiGetPatchInfoExW), ref: 00F83025
                                                                                                • GetProcAddress.KERNEL32(MsiGetProductInfoExW), ref: 00F83045
                                                                                                • GetProcAddress.KERNEL32(MsiSetExternalUIRecord), ref: 00F83065
                                                                                                • GetProcAddress.KERNEL32(MsiSourceListAddSourceExW), ref: 00F83085
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: AddressProc$ErrorLast$DirectorySystem
                                                                                                • String ID: Msi.dll$MsiDetermineApplicablePatchesW$MsiDeterminePatchSequenceW$MsiEnumProductsExW$MsiGetPatchInfoExW$MsiGetProductInfoExW$MsiSetExternalUIRecord$MsiSourceListAddSourceExW
                                                                                                • API String ID: 2510051996-1735120554
                                                                                                • Opcode ID: 479aea6e46744480d87c2adf4fa673ead21425cbd00621caec1c8fb6d0f563ec
                                                                                                • Instruction ID: 6b6c416cbc8b1e5e15b1b5f6addf0e83784398c6e3bdcd4f68e3b836f0a77063
                                                                                                • Opcode Fuzzy Hash: 479aea6e46744480d87c2adf4fa673ead21425cbd00621caec1c8fb6d0f563ec
                                                                                                • Instruction Fuzzy Hash: 2F31E3F494021DEADB12AF21EE56B663AF1E717B19F00412AE80096170EBB25941FFC5
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,wininet.dll,?,00000000,00000000,00000000,?,?,00F4C49F,?,00000000,?,00F4C533), ref: 00F6162E
                                                                                                • GetLastError.KERNEL32(?,00F4C49F,?,00000000,?,00F4C533,00F4547D,?,?,00F454BD,00F454BD,00000000,?,00000000), ref: 00F61637
                                                                                                Strings
                                                                                                • wininet.dll, xrefs: 00F6160D
                                                                                                • Failed to create begin operation event., xrefs: 00F61665
                                                                                                • Failed to create extraction thread., xrefs: 00F616F7
                                                                                                • c:\agent\_work\138\s\src\burn\engine\cabextract.cpp, xrefs: 00F6165B, 00F616A1, 00F616ED
                                                                                                • Failed to copy file name., xrefs: 00F61619
                                                                                                • Failed to wait for operation complete., xrefs: 00F6170A
                                                                                                • Failed to create operation complete event., xrefs: 00F616AB
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: CreateErrorEventLast
                                                                                                • String ID: Failed to copy file name.$Failed to create begin operation event.$Failed to create extraction thread.$Failed to create operation complete event.$Failed to wait for operation complete.$c:\agent\_work\138\s\src\burn\engine\cabextract.cpp$wininet.dll
                                                                                                • API String ID: 545576003-9491624
                                                                                                • Opcode ID: b0aa250de97ed9aba9f4314ebb41b8337ef1a339a755878f9f6eed727420b993
                                                                                                • Instruction ID: 5a2f430949f692e2b92a345bd8973308e1e5d1b17396c6ce104f74c26598a62b
                                                                                                • Opcode Fuzzy Hash: b0aa250de97ed9aba9f4314ebb41b8337ef1a339a755878f9f6eed727420b993
                                                                                                • Instruction Fuzzy Hash: 6E215AB7E4173A77E62116658C46E77BA5CBF00BB1B094222FD00FB281EB55DC007AE6
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%
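
The argument dumps in the APIs lists of the container.cpp, engine.cpp and cabextract.cpp entries above are raw stack slots. Decoded, the CreateFileW call opens the container with GENERIC_READ, FILE_SHARE_READ, OPEN_EXISTING and FILE_FLAG_SEQUENTIAL_SCAN|FILE_ATTRIBUTE_NORMAL (0x08000080), SetFilePointerEx seeks from FILE_BEGIN, CoInitializeEx asks for COINIT_MULTITHREADED, CompareStringW uses LOCALE_INVARIANT with NORM_IGNORECASE, and CreateEventW creates a manual-reset event: a read-only open of the bundle's own container, not a write. The Python below is an added example, not code from the report or from the Burn engine; it does that decoding with constants taken from the Windows SDK headers. The sample lines are copied from the entries above, the slot layouts assume the documented x86 stdcall parameter order, and anything past the last parameter is treated as stack residue and ignored.

```python
"""Decode the hex argument dumps Joe Sandbox prints beside each Win32 call
into named SDK constants.  Slot layouts follow the documented x86 stdcall
parameter order; slots past the last parameter are stack residue."""
import re

# Bit-flag tables (values from winnt.h / fileapi.h / winnls.h / objbase.h).
# A 0 key names the value when no bit is set.
ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
          0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
SHARE = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"}
FLAGS = {0x80: "FILE_ATTRIBUTE_NORMAL", 0x100: "FILE_ATTRIBUTE_TEMPORARY",
         0x02000000: "FILE_FLAG_BACKUP_SEMANTICS", 0x04000000: "FILE_FLAG_DELETE_ON_CLOSE",
         0x08000000: "FILE_FLAG_SEQUENTIAL_SCAN", 0x10000000: "FILE_FLAG_RANDOM_ACCESS",
         0x20000000: "FILE_FLAG_NO_BUFFERING", 0x40000000: "FILE_FLAG_OVERLAPPED",
         0x80000000: "FILE_FLAG_WRITE_THROUGH"}
CMP = {0x1: "NORM_IGNORECASE", 0x2: "NORM_IGNORENONSPACE", 0x4: "NORM_IGNORESYMBOLS"}
COINIT = {0: "COINIT_MULTITHREADED", 0x2: "COINIT_APARTMENTTHREADED",
          0x4: "COINIT_DISABLE_OLE1DDE", 0x8: "COINIT_SPEED_OVER_MEMORY"}
# Enumerations (exact value, not bit-tested).
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
MOVE = {0: "FILE_BEGIN", 1: "FILE_CURRENT", 2: "FILE_END"}
LOCALE = {0x7F: "LOCALE_INVARIANT", 0x400: "LOCALE_USER_DEFAULT", 0x800: "LOCALE_SYSTEM_DEFAULT"}

# (parameter name, kind[, table]) per stack slot, in call order.
SPECS = {
    "CreateFileW": [("lpFileName", "ptr"), ("dwDesiredAccess", "flags", ACCESS),
                    ("dwShareMode", "flags", SHARE), ("lpSecurityAttributes", "ptr"),
                    ("dwCreationDisposition", "enum", DISPOSITION),
                    ("dwFlagsAndAttributes", "flags", FLAGS), ("hTemplateFile", "ptr")],
    # A LARGE_INTEGER passed by value occupies two 32-bit slots on x86.
    "SetFilePointerEx": [("hFile", "ptr"), ("liDistanceToMove.Low", "int"),
                         ("liDistanceToMove.High", "int"), ("lpNewFilePointer", "ptr"),
                         ("dwMoveMethod", "enum", MOVE)],
    "CreateEventW": [("lpEventAttributes", "ptr"), ("bManualReset", "bool"),
                     ("bInitialState", "bool"), ("lpName", "ptr")],
    "CompareStringW": [("Locale", "enum", LOCALE), ("dwCmpFlags", "flags", CMP),
                       ("lpString1", "ptr"), ("cchCount1", "int"),
                       ("lpString2", "ptr"), ("cchCount2", "int")],
    "CoInitializeEx": [("pvReserved", "ptr"), ("dwCoInit", "flags", COINIT)],
}

# "• Api.MODULE(slot,slot,...), ref: ADDR" or "• Api.MODULE ref: ADDR"
CALL_RE = re.compile(r"^\s*(?:•\s*)?(?P<api>\w+)\.(?P<mod>\w+)"
                     r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})")

def split_flags(value, table):
    """Name every known bit in value; unknown bits are kept as a hex remainder."""
    if value == 0:
        return [table.get(0, "0")]
    names, known = [], 0
    for bit, name in table.items():
        if bit and value & bit == bit:
            names.append(name)
            known |= bit
    if value & ~known:
        names.append(f"0x{value & ~known:X}")
    return names

def _slot(tok):
    """A slot is an 8-digit hex value, '?' (not recovered) or a resolved string."""
    tok = tok.strip()
    if re.fullmatch(r"[0-9A-Fa-f]{8}", tok):
        return int(tok, 16)
    return None if tok == "?" else tok

def _describe(kind, table, val):
    if val is None:
        return "?"
    if isinstance(val, str):          # the sandbox already resolved a string pointer
        return val
    if kind == "flags":
        return "|".join(split_flags(val, table))
    if kind == "enum":
        return table.get(val, f"0x{val:X}")
    if kind == "bool":
        return "TRUE" if val else "FALSE"
    if kind == "ptr":
        return "NULL" if val == 0 else f"0x{val:08X}"
    return val

def decode(line):
    """Decode one call line; None if the line is not a call line."""
    m = CALL_RE.match(line)
    if not m:
        return None
    args = [_slot(t) for t in m.group("args").split(",")] if m.group("args") else []
    out = {"api": m.group("api"), "module": m.group("mod"), "ref": m.group("ref"), "params": {}}
    spec = SPECS.get(out["api"])
    if spec is None:
        out["raw"] = args             # no layout known: keep the slots as-is
        return out
    for (name, kind, *table), val in zip(spec, args):   # zip drops the residue slots
        out["params"][name] = _describe(kind, table[0] if table else None, val)
    return out

def summarize(lines):
    return [d for d in map(decode, lines) if d is not None]

# Lines copied from the report entries above.
SAMPLE = [
    "• CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,08000080,00000000,?,00000000,00000000,?,00F4C533,00F4547D,?,?,00F454BD), ref: 00F4C38A",
    "• SetFilePointerEx.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00F4C533,00F4547D,?,?,00F454BD,00F454BD,00000000,?,00000000), ref: 00F4C44F",
    "• CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,wininet.dll,?,00000000,00000000,00000000,?,?,00F4C49F,?,00000000,?,00F4C533), ref: 00F6162E",
    "• CompareStringW.KERNEL32(0000007F,00000001,?,00000000,?,?,00F452DE,?,?,00000000,?,?), ref: 00F443FA",
    "• CoInitializeEx.OLE32(00000000,00000000), ref: 00F60FD6",
    "• CoUninitialize.OLE32 ref: 00F61251",
]

if __name__ == "__main__":
    for d in summarize(SAMPLE):
        print(d["api"], d.get("params") or d.get("raw"))
```

The DuplicateHandle line of the container.cpp entry is deliberately left undecoded: the slots the sandbox printed for it are residue from the preceding GetCurrentProcess pushes, and decoding them by signature would produce confident-looking nonsense. Extend SPECS only for calls whose dump starts at the first parameter.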

                                                                                                APIs
                                                                                                • GetProcAddress.KERNELBASE(SystemFunction040,AdvApi32.dll), ref: 00F800F1
                                                                                                • GetProcAddress.KERNEL32(SystemFunction041), ref: 00F80103
                                                                                                • GetProcAddress.KERNEL32(CryptProtectMemory,Crypt32.dll), ref: 00F80146
                                                                                                • GetLastError.KERNEL32(?,?,?,?,?,?), ref: 00F8015A
                                                                                                • GetProcAddress.KERNEL32(CryptUnprotectMemory), ref: 00F80192
                                                                                                • GetLastError.KERNEL32(?,?,?,?,?,?), ref: 00F801A6
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: AddressProc$ErrorLast
                                                                                                • String ID: AdvApi32.dll$Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory$SystemFunction040$SystemFunction041$c:\agent\_work\138\s\src\libs\dutil\cryputil.cpp
                                                                                                • API String ID: 4214558900-403682633
                                                                                                • Opcode ID: a7dfb443e81ffccbc6962ec49073097a6b3c61f40216428b667cd151765cd265
                                                                                                • Instruction ID: ae7abac0ea29b1c8c52153df13d3f5bbfcd25e121f870f7f62d0877edb0fc9da
                                                                                                • Opcode Fuzzy Hash: a7dfb443e81ffccbc6962ec49073097a6b3c61f40216428b667cd151765cd265
                                                                                                • Instruction Fuzzy Hash: 142168B7E81B26A7D361EB54AC0D7A67990A7127B0F451121ED04B63B0EB74CC04BBD1
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • CompareStringA.KERNELBASE(00000000,00000000,<the>.cab,?,?), ref: 00F607B5
                                                                                                • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,?), ref: 00F607CD
                                                                                                • GetCurrentProcess.KERNEL32(?,00000000,?,?), ref: 00F607D2
                                                                                                • DuplicateHandle.KERNELBASE(00000000,?,?), ref: 00F607D5
                                                                                                • GetLastError.KERNEL32(?,?), ref: 00F607DF
                                                                                                • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,08000080,00000000,?,?), ref: 00F6084E
                                                                                                • GetLastError.KERNEL32(?,?), ref: 00F6085B
                                                                                                Strings
                                                                                                • <the>.cab, xrefs: 00F607AE
                                                                                                • Failed to open cabinet file: %hs, xrefs: 00F6088C
                                                                                                • c:\agent\_work\138\s\src\burn\engine\cabextract.cpp, xrefs: 00F60803, 00F6087F
                                                                                                • Failed to duplicate handle to cab container., xrefs: 00F6080D
                                                                                                • Failed to add virtual file pointer for cab container., xrefs: 00F60834
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: CurrentErrorLastProcess$CompareCreateDuplicateFileHandleString
                                                                                                • String ID: <the>.cab$Failed to add virtual file pointer for cab container.$Failed to duplicate handle to cab container.$Failed to open cabinet file: %hs$c:\agent\_work\138\s\src\burn\engine\cabextract.cpp
                                                                                                • API String ID: 3030546534-4070612573
                                                                                                • Opcode ID: ccbe50cc2e66fbdb7c145133bc1862d031646a9feca4f336fc4bdfff5f715a32
                                                                                                • Instruction ID: 8f16c7fd0d594518a06bc185e3c9c79456a626a6fa2e60bc014a1e5b99f4ed6a
                                                                                                • Opcode Fuzzy Hash: ccbe50cc2e66fbdb7c145133bc1862d031646a9feca4f336fc4bdfff5f715a32
                                                                                                • Instruction Fuzzy Hash: 3E31D376D4163ABBDB219B659D09E9F7E68EF04770F210121F904B7191DB249D00BBE0
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • EnterCriticalSection.KERNEL32(00000000,00F45435,00000000,00F454BD,00000000,?,00F483A0,?,?,?,00000000,00000000), ref: 00F46E81
                                                                                                  • Part of subcall function 00F4571D: CompareStringW.KERNELBASE(0000007F,00001000,?,000000FF,version.dll,000000FF,?,?,00000000,00F46640,00F46640,?,00F456B3,?,?,00000000), ref: 00F45759
                                                                                                  • Part of subcall function 00F4571D: GetLastError.KERNEL32(?,00F456B3,?,?,00000000,?,?,00F46640,?,00F47FF2,?,?,?,?,?), ref: 00F45788
                                                                                                • LeaveCriticalSection.KERNEL32(00000000,?,?,00000000,00000000,00000000), ref: 00F47011
                                                                                                Strings
                                                                                                • Failed to find variable value '%ls'., xrefs: 00F46E9C
                                                                                                • Failed to insert variable '%ls'., xrefs: 00F46EC6
                                                                                                • Setting numeric variable '%ls' to value %lld, xrefs: 00F46FB2
                                                                                                • Unsetting variable '%ls', xrefs: 00F46F9A, 00F46FCD
                                                                                                • Setting variable failed: ID '%ls', HRESULT 0x%x, xrefs: 00F47023
                                                                                                • Attempt to set built-in variable value: %ls, xrefs: 00F46F0F
                                                                                                • c:\agent\_work\138\s\src\burn\engine\variable.cpp, xrefs: 00F46F04
                                                                                                • Setting version variable '%ls' to value '%hu.%hu.%hu.%hu', xrefs: 00F46F86
                                                                                                • Failed to set value of variable: %ls, xrefs: 00F46FF9
                                                                                                • Setting string variable '%ls' to value '%ls', xrefs: 00F46FA1, 00F46FA9
                                                                                                • Setting hidden variable '%ls', xrefs: 00F46F3F
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: CriticalSection$CompareEnterErrorLastLeaveString
                                                                                                • String ID: Attempt to set built-in variable value: %ls$Failed to find variable value '%ls'.$Failed to insert variable '%ls'.$Failed to set value of variable: %ls$Setting hidden variable '%ls'$Setting numeric variable '%ls' to value %lld$Setting string variable '%ls' to value '%ls'$Setting variable failed: ID '%ls', HRESULT 0x%x$Setting version variable '%ls' to value '%hu.%hu.%hu.%hu'$Unsetting variable '%ls'$c:\agent\_work\138\s\src\burn\engine\variable.cpp
                                                                                                • API String ID: 2716280545-303591679
                                                                                                • Opcode ID: 08627b019c77fbc7e491d537474112a55d54c0a09fe87f2046abf27460c96792
                                                                                                • Instruction ID: 8456c648632c49678441e6f3755c9d5c87eeb7db81573f1effbda54f0ccee8eb
                                                                                                • Opcode Fuzzy Hash: 08627b019c77fbc7e491d537474112a55d54c0a09fe87f2046abf27460c96792
                                                                                                • Instruction Fuzzy Hash: 2451C971A00225ABCB30AE14DC4AFAB7FA8DB92724F110119FC45D6282E735DD55FBE2
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • GetCurrentProcess.KERNEL32(000000FF,00000000,00000001,00000002,?,00000000,?,?,00F44E8D,?,?), ref: 00F56A65
                                                                                                • GetCurrentProcess.KERNEL32(?,00000000,?,?,00F44E8D,?,?), ref: 00F56A6B
                                                                                                • DuplicateHandle.KERNELBASE(00000000,?,?,00F44E8D,?,?), ref: 00F56A6E
                                                                                                • GetLastError.KERNEL32(?,?,00F44E8D,?,?), ref: 00F56A78
                                                                                                • CloseHandle.KERNEL32(000000FF,?,00F44E8D,?,?), ref: 00F56AF1
                                                                                                Strings
                                                                                                • %ls -%ls=%u, xrefs: 00F56AC5
                                                                                                • burn.filehandle.attached, xrefs: 00F56ABE
                                                                                                • Failed to append the file handle to the command line., xrefs: 00F56AD9
                                                                                                • Failed to duplicate file handle for attached container., xrefs: 00F56AA6
                                                                                                • c:\agent\_work\138\s\src\burn\engine\core.cpp, xrefs: 00F56A9C
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: CurrentHandleProcess$CloseDuplicateErrorLast
                                                                                                • String ID: %ls -%ls=%u$Failed to append the file handle to the command line.$Failed to duplicate file handle for attached container.$burn.filehandle.attached$c:\agent\_work\138\s\src\burn\engine\core.cpp
                                                                                                • API String ID: 4224961946-4194950708
                                                                                                • Opcode ID: 1d838303b53985bdd9f380c9da6cde00224eba9962674e1b923ec1ac5a1afa05
                                                                                                • Instruction ID: eb8ff53cbdc8b2f5552d575bd73ceb77212d26f7b1da268be2e5b156ed75d899
                                                                                                • Opcode Fuzzy Hash: 1d838303b53985bdd9f380c9da6cde00224eba9962674e1b923ec1ac5a1afa05
                                                                                                • Instruction Fuzzy Hash: 85119632A40726BBDB11ABB88D09A9E7B689F00B71F514211FE21F71D1D778DE01B790
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • VariantInit.OLEAUT32(?), ref: 00F83786
                                                                                                • SysAllocString.OLEAUT32(?), ref: 00F837A2
                                                                                                • VariantClear.OLEAUT32(?), ref: 00F83829
                                                                                                • SysFreeString.OLEAUT32(00000000), ref: 00F83834
                                                                                                Strings
                                                                                                • c:\agent\_work\138\s\src\libs\dutil\xmlutil.cpp, xrefs: 00F837B9
                                                                                                • `<u, xrefs: 00F83834
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: StringVariant$AllocClearFreeInit
                                                                                                • String ID: `<u$c:\agent\_work\138\s\src\libs\dutil\xmlutil.cpp
                                                                                                • API String ID: 760788290-1436017577
                                                                                                • Opcode ID: 800bbb684419a0eaf07add1d341604b74a22578756fb42efd8c9113511450c50
                                                                                                • Instruction ID: 54dd3ab77d6eeac51ff73bc32bf86e42f6f994aa5b77a0a104c3384ec242f03c
                                                                                                • Opcode Fuzzy Hash: 800bbb684419a0eaf07add1d341604b74a22578756fb42efd8c9113511450c50
                                                                                                • Instruction Fuzzy Hash: 89219176D01219EFCB11EB54CC48EEEBBB9AF44B21F154168F901AB260DB35DE00EB90
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • OpenProcessToken.ADVAPI32(?,00000008,?,00F45435,00000000,?,?,?,?,?,?,?,00F57696,00000000), ref: 00F80CAD
                                                                                                • GetLastError.KERNEL32(?,?,?,?,?,?,?,00F57696,00000000), ref: 00F80CB7
                                                                                                • GetTokenInformation.KERNELBASE(?,00000014(TokenIntegrityLevel),?,00000004,?,?,?,?,?,?,?,?,00F57696,00000000), ref: 00F80CE9
                                                                                                • GetLastError.KERNEL32(?,?,?,?,?,?,?,00F57696,00000000), ref: 00F80D02
                                                                                                • FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,?,?,00F57696,00000000), ref: 00F80D41
                                                                                                Strings
                                                                                                • c:\agent\_work\138\s\src\libs\dutil\procutil.cpp, xrefs: 00F80D2F
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: ErrorLastToken$ChangeCloseFindInformationNotificationOpenProcess
                                                                                                • String ID: c:\agent\_work\138\s\src\libs\dutil\procutil.cpp
                                                                                                • API String ID: 3650908616-1241729511
                                                                                                • Opcode ID: 21949eb6a0ea347f56763dcb20ed8002c20b2e74216cc2d278d55c0752f705ff
                                                                                                • Instruction ID: 3d4506c11432206a035564ac28273143c447debffb5797d40d4117c8c65891bb
                                                                                                • Opcode Fuzzy Hash: 21949eb6a0ea347f56763dcb20ed8002c20b2e74216cc2d278d55c0752f705ff
                                                                                                • Instruction Fuzzy Hash: 2021C977D01229EBCB21AF958C05AEEFBB8AF00720F514156AD15FB250DB309D04FB90
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • CreateFileW.KERNELBASE(?,80000000,00000005,?,00000003,00000080,00000000,?,00000000,?,?,?), ref: 00F56B33
                                                                                                • CloseHandle.KERNEL32(00000000), ref: 00F56BA3
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: CloseCreateFileHandle
                                                                                                • String ID: %ls -%ls=%u$Failed to append the file handle to the command line.$Failed to append the file handle to the obfuscated command line.$burn.filehandle.self
                                                                                                • API String ID: 3498533004-3263533295
                                                                                                • Opcode ID: 26022d7b9998de6ac92ae674146254e0266bc6acf9cfcfda9c42b25d67c0752d
                                                                                                • Instruction ID: f1c8e2598491072db6a5d06c4efebe50bde0035b5d3930fd505a2b5c3e87e7bf
                                                                                                • Opcode Fuzzy Hash: 26022d7b9998de6ac92ae674146254e0266bc6acf9cfcfda9c42b25d67c0752d
                                                                                                • Instruction Fuzzy Hash: 22110831A40724BBDB116B688C45F9F3BA89B81B31F504211FD35F72D1D7748915A791
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

APIs
• GetLastError.KERNEL32(?,00000000,00000000,00000000,00000000,00000001), ref: 00F84ED3
• GlobalAlloc.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000001), ref: 00F84F00
• GetLastError.KERNEL32(?,00000000,?,00000000), ref: 00F84F2C
• GetLastError.KERNEL32(00000000,00F8B7FC,?,00000000,?,00000000,?,00000000), ref: 00F84F6A
• GlobalFree.KERNEL32(00000000), ref: 00F84F9B
Strings
Memory Dump Source
• Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
• Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
Similarity
• API ID: ErrorLast$Global$AllocFree
• String ID: c:\agent\_work\138\s\src\libs\dutil\fileutil.cpp
• API String ID: 1145190524-3168567549
Uniqueness

Uniqueness Score: -1.00%

APIs
• SetFilePointerEx.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?), ref: 00F609E6
• GetLastError.KERNEL32(?,?,?), ref: 00F609F0
Strings
• c:\agent\_work\138\s\src\burn\engine\cabextract.cpp, xrefs: 00F60A14
• Failed to move file pointer 0x%x bytes., xrefs: 00F60A21
• Invalid seek type., xrefs: 00F6097C
Similarity
• API ID: ErrorFileLastPointer
• String ID: Failed to move file pointer 0x%x bytes.$Invalid seek type.$c:\agent\_work\138\s\src\burn\engine\cabextract.cpp
• API String ID: 2976181284-4208998094
Uniqueness

Uniqueness Score: -1.00%

APIs
• CreateDirectoryW.KERNELBASE(?,840F01E8,00000000,00000000,?,00F5A0C3,00000000,00000000,?,00000000,00F45435,00000000,?,?,00F4D652,?), ref: 00F441A8
• GetLastError.KERNEL32(?,00F5A0C3,00000000,00000000,?,00000000,00F45435,00000000,?,?,00F4D652,?,00000000,00000000), ref: 00F441B6
• CreateDirectoryW.KERNEL32(?,840F01E8,00F45501,?,00F5A0C3,00000000,00000000,?,00000000,00F45435,00000000,?,?,00F4D652,?,00000000), ref: 00F44226
• GetLastError.KERNEL32(?,00F5A0C3,00000000,00000000,?,00000000,00F45435,00000000,?,?,00F4D652,?,00000000,00000000), ref: 00F44230
Strings
• c:\agent\_work\138\s\src\libs\dutil\dirutil.cpp, xrefs: 00F44260
Similarity
• API ID: CreateDirectoryErrorLast
• String ID: c:\agent\_work\138\s\src\libs\dutil\dirutil.cpp
• API String ID: 1375471231-215211224
Uniqueness

Uniqueness Score: -1.00%

APIs
• CompareStringW.KERNELBASE(0000007F,00001000,?,000000FF,version.dll,000000FF,?,?,00000000,00F46640,00F46640,?,00F456B3,?,?,00000000), ref: 00F45759
• GetLastError.KERNEL32(?,00F456B3,?,?,00000000,?,?,00F46640,?,00F47FF2,?,?,?,?,?), ref: 00F45788
Strings
• Failed to compare strings., xrefs: 00F457B6
• version.dll, xrefs: 00F4574B
• c:\agent\_work\138\s\src\burn\engine\variable.cpp, xrefs: 00F457AC
Similarity
• API ID: CompareErrorLastString
• String ID: Failed to compare strings.$c:\agent\_work\138\s\src\burn\engine\variable.cpp$version.dll
• API String ID: 1733990998-3062438852
Uniqueness

Uniqueness Score: -1.00%

APIs
• CoInitialize.OLE32(00000000), ref: 00F839E9
• CLSIDFromProgID.OLE32(Msxml2.DOMDocument,00FAC7A0,00000001,00000000,00F4536B,?,?,?,?,?,?), ref: 00F83A21
• CLSIDFromProgID.OLE32(MSXML.DOMDocument,00FAC7A0,?,?,?,?,?,?), ref: 00F83A2D
Strings
Similarity
• API ID: FromProg$Initialize
• String ID: MSXML.DOMDocument$Msxml2.DOMDocument
• API String ID: 4047641309-2356320334
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00F612C5: SetFilePointerEx.KERNELBASE(?,?,?,00000000,00000000,?,?,?,00000000,?,00F608DA,?,?,?), ref: 00F612ED
  • Part of subcall function 00F612C5: GetLastError.KERNEL32(?,00F608DA,?,?,?), ref: 00F612F7
• ReadFile.KERNELBASE(?,?,?,?,00000000,?,?,?), ref: 00F608E8
• GetLastError.KERNEL32 ref: 00F608F2
Strings
• Failed to read during cabinet extraction., xrefs: 00F60920
• c:\agent\_work\138\s\src\burn\engine\cabextract.cpp, xrefs: 00F60916
Similarity
• API ID: ErrorFileLast$PointerRead
• String ID: Failed to read during cabinet extraction.$c:\agent\_work\138\s\src\burn\engine\cabextract.cpp
• API String ID: 2170121939-2593745101
Uniqueness

Uniqueness Score: -1.00%

APIs
• SetFilePointerEx.KERNELBASE(?,?,?,00000000,00000000,?,?,?,00000000,?,00F608DA,?,?,?), ref: 00F612ED
• GetLastError.KERNEL32(?,00F608DA,?,?,?), ref: 00F612F7
Strings
• c:\agent\_work\138\s\src\burn\engine\cabextract.cpp, xrefs: 00F6131B
• Failed to move to virtual file pointer., xrefs: 00F61325
Similarity
• API ID: ErrorFileLastPointer
• String ID: Failed to move to virtual file pointer.$c:\agent\_work\138\s\src\burn\engine\cabextract.cpp
• API String ID: 2976181284-2495663704
Uniqueness

Uniqueness Score: -1.00%

APIs
• ReadFile.KERNELBASE(?,?,00000000,?,00000000), ref: 00F843B8
• GetLastError.KERNEL32 ref: 00F8441B
Strings
• c:\agent\_work\138\s\src\libs\dutil\fileutil.cpp, xrefs: 00F8443F
Similarity
• API ID: ErrorFileLastRead
• String ID: c:\agent\_work\138\s\src\libs\dutil\fileutil.cpp
• API String ID: 1948546556-3168567549
Uniqueness

Uniqueness Score: -1.00%

APIs
• WriteFile.KERNELBASE(00000000,00000000,00000000,?,00000000,00000000,00000000,?,?,?,00F843DF,?,?,?), ref: 00F8528D
• GetLastError.KERNEL32(?,?,00F843DF,?,?,?), ref: 00F85297
Strings
• c:\agent\_work\138\s\src\libs\dutil\fileutil.cpp, xrefs: 00F852C0
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: ErrorFileLastWrite
                                                                                                • String ID: c:\agent\_work\138\s\src\libs\dutil\fileutil.cpp
                                                                                                • API String ID: 442123175-3168567549
                                                                                                • Opcode ID: bf7012912cb483b54ea0f403d3c68f33548c08fcd3f5e6eeb78c56e9720f342a
                                                                                                • Instruction ID: ce86f46a6fb3db8ddafdedc9f47dabc2d64e08c600db78c368bd7b4dbc5c0a20
                                                                                                • Opcode Fuzzy Hash: bf7012912cb483b54ea0f403d3c68f33548c08fcd3f5e6eeb78c56e9720f342a
                                                                                                • Instruction Fuzzy Hash: CDF08C73A01629EBC721AE9ACC45EDFBB6DBB85B61B014261FD04E7140DB70ED00A7E0
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • SetFilePointerEx.KERNELBASE(?,?,?,?,?,00000000,?,?,?,00F58758,00000000,00000000,00000000,00000000,00000000), ref: 00F84D5F
                                                                                                • GetLastError.KERNEL32(?,?,?,00F58758,00000000,00000000,00000000,00000000,00000000), ref: 00F84D69
                                                                                                Strings
                                                                                                • c:\agent\_work\138\s\src\libs\dutil\fileutil.cpp, xrefs: 00F84D8D
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: ErrorFileLastPointer
                                                                                                • String ID: c:\agent\_work\138\s\src\libs\dutil\fileutil.cpp
                                                                                                • API String ID: 2976181284-3168567549
                                                                                                • Opcode ID: aa056cccb357a1347adc230cd46180d329b92310d8dc499c17b15164e481a492
                                                                                                • Instruction ID: f1bbfdaad19775234b8ea9a67a98cc6f6926dd97286fe48a7a617caf18aee08a
                                                                                                • Opcode Fuzzy Hash: aa056cccb357a1347adc230cd46180d329b92310d8dc499c17b15164e481a492
                                                                                                • Instruction Fuzzy Hash: F4F04F77A0022AABDB21AF95DC09DEB7FA8EF04760B014054FD05AB251E730ED10EBE0
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00F4394B
                                                                                                • GetLastError.KERNEL32 ref: 00F43955
                                                                                                • LoadLibraryW.KERNELBASE(?,?,00000104,?), ref: 00F439BE
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: DirectoryErrorLastLibraryLoadSystem
                                                                                                • String ID:
                                                                                                • API String ID: 1230559179-0
                                                                                                • Opcode ID: 098093269e7b249670f19d6d508bbe5bae0bb8561f94ad1a52b28de5b8639761
                                                                                                • Instruction ID: b7723cd9675da84f5356be9794343bd17fef5d87d36c802d5ce82bdaa18f9e99
                                                                                                • Opcode Fuzzy Hash: 098093269e7b249670f19d6d508bbe5bae0bb8561f94ad1a52b28de5b8639761
                                                                                                • Instruction Fuzzy Hash: 8821FCB7D01339A7DB20AB649C8AF9B7B6DAF00720F114161BD54E7281D774DE44AB90
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • ___delayLoadHelper2@8.DELAYIMP ref: 00F7F890
                                                                                                  • Part of subcall function 00F89CCB: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F89D3E
                                                                                                  • Part of subcall function 00F89CCB: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F89D4F
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                • String ID: PAXn
                                                                                                • API String ID: 1269201914-1132047434
                                                                                                • Opcode ID: 97923d60fab2b6eb6a32ffe4608db8f70d0f6bc2f31a892008d33a50baf6b9ad
                                                                                                • Instruction ID: e810b616b6d236174ecb33aa87707344dcd173c55fa5594ce44c5b4ce2e28dfd
                                                                                                • Opcode Fuzzy Hash: 97923d60fab2b6eb6a32ffe4608db8f70d0f6bc2f31a892008d33a50baf6b9ad
                                                                                                • Instruction Fuzzy Hash: 8CB012E227C1016C330863446D06D36294CC0C6F20330C12FF405C0143DAD44D463233
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • ___delayLoadHelper2@8.DELAYIMP ref: 00F7F890
                                                                                                  • Part of subcall function 00F89CCB: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F89D3E
                                                                                                  • Part of subcall function 00F89CCB: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F89D4F
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                • String ID: PAXn
                                                                                                • API String ID: 1269201914-1132047434
                                                                                                • Opcode ID: 6315d29a87bff69b3bed6272525d4257dfeaf1be39040451f1bf7a00bb5abf9d
                                                                                                • Instruction ID: 9f26f4a897f0403ee61b28b3071cfc30e2c9bf23923733554bf3e6127b8fe3a6
                                                                                                • Opcode Fuzzy Hash: 6315d29a87bff69b3bed6272525d4257dfeaf1be39040451f1bf7a00bb5abf9d
                                                                                                • Instruction Fuzzy Hash: F3B092E22680016C220862445E06936254CC0C6B10330802AB406C0142DE8549063133
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • ___delayLoadHelper2@8.DELAYIMP ref: 00F7F890
                                                                                                  • Part of subcall function 00F89CCB: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F89D3E
                                                                                                  • Part of subcall function 00F89CCB: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F89D4F
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                • String ID: PAXn
                                                                                                • API String ID: 1269201914-1132047434
                                                                                                • Opcode ID: 9c1c1b62887ac8b3714df2519d94074c69e1c53e9ca2aae9ed8302e174426204
                                                                                                • Instruction ID: a386d08b88dd106317776b3692b4be306f6470e4e023a3c8b4a69dcfb2e8e34d
                                                                                                • Opcode Fuzzy Hash: 9c1c1b62887ac8b3714df2519d94074c69e1c53e9ca2aae9ed8302e174426204
                                                                                                • Instruction Fuzzy Hash: E4B012E22BC0017C330823405D06C36250CC0D2F11330C13FF805C0043EAC44D063033
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • GetProcessHeap.KERNEL32(?,000001C7,?,00F423A7,?,00000001,80004005,8007139F,?,?,00F80687,8007139F,?,00000000,00000000,8007139F), ref: 00F43A2B
                                                                                                • RtlAllocateHeap.NTDLL(00000000,?,00F423A7,?,00000001,80004005,8007139F,?,?,00F80687,8007139F,?,00000000,00000000,8007139F), ref: 00F43A32
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: Heap$AllocateProcess
                                                                                                • String ID:
                                                                                                • API String ID: 1357844191-0
                                                                                                • Opcode ID: 095ac8283e89f736c72fe559378b9765ece7f66c4b72d48f498a4ad2ee5165b2
                                                                                                • Instruction ID: 8462c40ffd932c82463ad735633453617c0557b91f4811339a0063e0f129174a
                                                                                                • Opcode Fuzzy Hash: 095ac8283e89f736c72fe559378b9765ece7f66c4b72d48f498a4ad2ee5165b2
                                                                                                • Instruction Fuzzy Hash: B0C0123219420DA78B005FF4DC0DC9A379CA7147027048400B515C6120C738E0109760
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • VariantInit.OLEAUT32(?), ref: 00F83A6D
                                                                                                  • Part of subcall function 00F834D0: GetModuleHandleA.KERNEL32(kernel32.dll,00000000,00000000,00F83A7E,00000000,?,00000000), ref: 00F834EA
                                                                                                  • Part of subcall function 00F834D0: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00F6BE27,?,00F4547D,?,00000000,?), ref: 00F834F6
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: ErrorHandleInitLastModuleVariant
                                                                                                • String ID:
                                                                                                • API String ID: 52713655-0
                                                                                                • Opcode ID: 248dfebfee5fab9a635c46c6e96ca2b18fcfee2e62421d725d43e610d44d9990
                                                                                                • Instruction ID: 9a4f9a72cac994ae57658c1b027c0c542efb08237325f486b0b1865d6a50bd31
                                                                                                • Opcode Fuzzy Hash: 248dfebfee5fab9a635c46c6e96ca2b18fcfee2e62421d725d43e610d44d9990
                                                                                                • Instruction Fuzzy Hash: F6312BB6E006299BCB11DFA9C884ADEBBB8EF48710F01456AE915FB351D6749D048BA0
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • SHGetFolderPathW.SHELL32(00000000,00000000,00000000,00000000,00000000,00000000,00000104,00000000,?,00F58BB5,0000001C,80070490,00000000,00000000,80070490), ref: 00F435F3
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: FolderPath
                                                                                                • String ID:
                                                                                                • API String ID: 1514166925-0
                                                                                                • Opcode ID: 4827da63ddc2813f4ba5240ede9ea6c4baf14941d68751f29dabb1124d5d3864
                                                                                                • Instruction ID: 1d283ee6db560084fd38b44d0e985d873cdaa777a6b30fe5161aeab28fbdd9d9
                                                                                                • Opcode Fuzzy Hash: 4827da63ddc2813f4ba5240ede9ea6c4baf14941d68751f29dabb1124d5d3864
                                                                                                • Instruction Fuzzy Hash: E9E012722011297BE7016B65BC01DEF7F9CDF153617114421FE40D6150D765DA10A7B4
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 00F899FD
  • Part of subcall function 00F89CCB: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F89D3E
  • Part of subcall function 00F89CCB: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F89D4F
Memory Dump Source
• Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
• Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: 5afd40792f18f7e0f16ff45c2068d21fe48c478550632928047231b3c753fcdf
• Instruction ID: 92509d625d1fe2bf9e0fefc54c97534dbd9d4a4f3dc953538f9668e2f974dce0
• Opcode Fuzzy Hash: 5afd40792f18f7e0f16ff45c2068d21fe48c478550632928047231b3c753fcdf
• Instruction Fuzzy Hash: F9B012C335C1067C330831405D86C76161CC1C3F10334451EF401C0043EDC84D423233
Uniqueness
• Uniqueness Score: -1.00%

APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 00F899FD
  • Part of subcall function 00F89CCB: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F89D3E
  • Part of subcall function 00F89CCB: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F89D4F
Memory Dump Source
• Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
• Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: 1f2395d05d8ee0ea4d659e66f95f040d309eaba0ae1d4049e6c8dd275ec56b5d
• Instruction ID: 4570dbc295a7c43329c9972ce605c0517372ad6ab8fe5d057e098420a49e7e75
• Opcode Fuzzy Hash: 1f2395d05d8ee0ea4d659e66f95f040d309eaba0ae1d4049e6c8dd275ec56b5d
• Instruction Fuzzy Hash: 53B012C225C2016C330871446E42D77165CC1C3F10334451EF404C0143EDC94D033233
Uniqueness
• Uniqueness Score: -1.00%

APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 00F899FD
  • Part of subcall function 00F89CCB: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F89D3E
  • Part of subcall function 00F89CCB: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F89D4F
Memory Dump Source
• Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
• Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: 02cfa9ad8b0d7a10e8d7be951a9fba0e58ea66e29fd46d12a6798dbb389a62a7
• Instruction ID: e26070f038104f5e3e7ac4d0ed91b0ba692dc2ccc69b33a87512bfa122060441
• Opcode Fuzzy Hash: 02cfa9ad8b0d7a10e8d7be951a9fba0e58ea66e29fd46d12a6798dbb389a62a7
• Instruction Fuzzy Hash: D6B012C226C0016C330871445D02D76165CC1C3F10334C61EF804C0147EDC84D063233
Uniqueness
• Uniqueness Score: -1.00%

APIs
• lstrlenW.KERNEL32(00000000,00000000,00000000,?,?,00F422DC,?,00000000,?,00000000,?,00F439E0,00000000,?,00000104), ref: 00F414DC
  • Part of subcall function 00F43C9A: GetProcessHeap.KERNEL32(00000000,000001C7,?,00F42300,000001C7,80004005,8007139F,?,?,00F80687,8007139F,?,00000000,00000000,8007139F), ref: 00F43CA2
  • Part of subcall function 00F43C9A: HeapSize.KERNEL32(00000000,?,00F42300,000001C7,80004005,8007139F,?,?,00F80687,8007139F,?,00000000,00000000,8007139F), ref: 00F43CA9
Memory Dump Source
• Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
• Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
Similarity
• API ID: Heap$ProcessSizelstrlen
• String ID:
• API String ID: 3492610842-0
• Opcode ID: 5634bbe9cbcc80373d21bff2e1a91562db5fef9fbdc4a761d3fe3432d2d3ba57
• Instruction ID: 429fce84401d7f6c5229435f64f9b5e3b03604d0987fedaf59896d73d6237bb7
• Opcode Fuzzy Hash: 5634bbe9cbcc80373d21bff2e1a91562db5fef9fbdc4a761d3fe3432d2d3ba57
• Instruction Fuzzy Hash: 6C01D432500228BBDF219E65DC84FDB7FA9BF81770F158111FE19AB1A1C774AD80B6A0
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GetFileAttributesW.KERNEL32(?,?,?,?,00000001,00000000,?), ref: 00F43DE8
• GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 00F43DFB
• SetFileAttributesW.KERNEL32(?,00000080,?,?,?,00000001,00000000,?), ref: 00F43E47
• GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 00F43E51
• GetTempPathW.KERNEL32(00000104,?,?,?,?,00000001,00000000,?), ref: 00F43E98
• GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 00F43EA2
• FindFirstFileW.KERNEL32(?,?,?,*.*,?,?,?,?,00000001,00000000,?), ref: 00F43EF0
• GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 00F43F01
• SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,?,00000001,00000000,?), ref: 00F43FD3
• DeleteFileW.KERNEL32(?,?,?,?,?,?,?,00000001,00000000,?), ref: 00F43FE7
• GetTempFileNameW.KERNEL32(?,DEL,00000000,?,?,?,?,00000001,00000000,?), ref: 00F44010
• MoveFileExW.KERNEL32(?,?,00000001,?,?,?,00000001,00000000,?), ref: 00F44033
• MoveFileExW.KERNEL32(?,00000000,00000004,?,?,?,00000001,00000000,?), ref: 00F4404C
• FindNextFileW.KERNEL32(000000FF,?,?,?,?,?,?,?,00000001,00000000,?), ref: 00F4405C
• GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 00F44071
• GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 00F440A0
• GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 00F440C2
• GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 00F440E4
• RemoveDirectoryW.KERNEL32(?,?,?,?,00000001,00000000,?), ref: 00F440EE
• GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 00F440F8
• MoveFileExW.KERNEL32(?,00000000,00000004,?,?,?,00000001,00000000,?), ref: 00F4411C
• GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 00F44137
• FindClose.KERNEL32(000000FF,?,?,?,00000001,00000000,?), ref: 00F4416D
Strings
Memory Dump Source
• Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
• Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
Similarity
• API ID: ErrorFileLast$AttributesFindMove$Temp$CloseDeleteDirectoryFirstNameNextPathRemove
• String ID: *.*$DEL$c:\agent\_work\138\s\src\libs\dutil\dirutil.cpp
• API String ID: 1544372074-3319449219
• Opcode ID: a632118d9224e9d6fabf2559484cb77f5ce956c00fac7d7308a8c2ba2e1f4d9e
• Instruction ID: 07998f7cdca96fb3f8ee896f05429f00e07beae18b388bdd92b7c236d27cf68e
• Opcode Fuzzy Hash: a632118d9224e9d6fabf2559484cb77f5ce956c00fac7d7308a8c2ba2e1f4d9e
• Instruction Fuzzy Hash: 38A10973D01239A7DB3196688C09BEABE686F40730F014291EE54FB191D775EE94EBE0
Uniqueness
• Uniqueness Score: -1.00%

Strings
• Failed to add the list of dependencies to ignore to the properties., xrefs: 00F64565
• Failed to enable logging for package: %ls to: %ls, xrefs: 00F642BA
• Failed to add obfuscated properties to argument string., xrefs: 00F64332
• REINSTALLMODE="vomus" REBOOT=ReallySuppress, xrefs: 00F64490
• REINSTALL=ALL, xrefs: 00F6446E, 00F644E8
• Failed to add reinstall mode and reboot suppression properties on minor upgrade., xrefs: 00F644A7
• Failed to install MSI package., xrefs: 00F645E1
• IGNOREDEPENDENCIES, xrefs: 00F64540, 00F6461F
• Failed to add patch properties to argument string., xrefs: 00F64398
• msasn1.dll, xrefs: 00F642A6
• Failed to add feature action properties to argument string., xrefs: 00F64354
• WixBundleExecutePackageAction, xrefs: 00F64252, 00F6474F
• Failed to add reinstall all property on minor upgrade., xrefs: 00F64485
• Failed to uninstall MSI package., xrefs: 00F6468A
• Failed to add patch properties to obfuscated argument string., xrefs: 00F643BA
• WixBundleExecutePackageCacheFolder, xrefs: 00F64205, 00F6473F
• Failed to add properties to argument string., xrefs: 00F642FE
• %ls %ls=ALL, xrefs: 00F64551, 00F64630
• Failed to run maintanance mode for MSI package., xrefs: 00F64591
• REBOOT=ReallySuppress, xrefs: 00F6443B, 00F64607
• feclient.dll, xrefs: 00F64160, 00F641E8, 00F642B8, 00F643E6, 00F64673
• VersionString, xrefs: 00F64129, 00F6418A
• ACTION=ADMIN, xrefs: 00F645A4
• Failed to add reinstall mode and reboot suppression properties on repair., xrefs: 00F64536
• Failed to initialize external UI handler., xrefs: 00F6428F
• Failed to add ADMIN property on admin install., xrefs: 00F645B9
• crypt32.dll, xrefs: 00F642A5
• Failed to get cached path for package: %ls, xrefs: 00F641EA
• Failed to perform minor upgrade of MSI package., xrefs: 00F644D3
• Failed to add feature action properties to obfuscated argument string., xrefs: 00F64376
• %ls%ls REINSTALLMODE="cmus%ls" REBOOT=ReallySuppress, xrefs: 00F64522
• Failed to build MSI path., xrefs: 00F64238
• Failed to add reboot suppression property on install., xrefs: 00F64456
• Failed to add reboot suppression property on uninstall., xrefs: 00F64618
Memory Dump Source
• Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
• Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
Similarity
• API ID:
• String ID: ACTION=ADMIN$ REBOOT=ReallySuppress$ REINSTALL=ALL$ REINSTALLMODE="vomus" REBOOT=ReallySuppress$%ls %ls=ALL$%ls%ls REINSTALLMODE="cmus%ls" REBOOT=ReallySuppress$Failed to add ADMIN property on admin install.$Failed to add feature action properties to argument string.$Failed to add feature action properties to obfuscated argument string.$Failed to add obfuscated properties to argument string.$Failed to add patch properties to argument string.$Failed to add patch properties to obfuscated argument string.$Failed to add properties to argument string.$Failed to add reboot suppression property on install.$Failed to add reboot suppression property on uninstall.$Failed to add reinstall all property on minor upgrade.$Failed to add reinstall mode and reboot suppression properties on minor upgrade.$Failed to add reinstall mode and reboot suppression properties on repair.$Failed to add the list of dependencies to ignore to the properties.$Failed to build MSI path.$Failed to enable logging for package: %ls to: %ls$Failed to get cached path for package: %ls$Failed to initialize external UI handler.$Failed to install MSI package.$Failed to perform minor upgrade of MSI package.$Failed to run maintanance mode for MSI package.$Failed to uninstall MSI package.$IGNOREDEPENDENCIES$VersionString$WixBundleExecutePackageAction$WixBundleExecutePackageCacheFolder$crypt32.dll$feclient.dll$msasn1.dll
• API String ID: 0-2033600224
• Opcode ID: 60833eaba43204ed83fb0eb25ebcd9dd81be8dd29b6bdb87679717b6c58e26a4
• Instruction ID: e8086d7a5d9ed1b34f8ea77b7da78e4421424cacbf3d0becdca7e0b078691a6c
• Opcode Fuzzy Hash: 60833eaba43204ed83fb0eb25ebcd9dd81be8dd29b6bdb87679717b6c58e26a4
• Instruction Fuzzy Hash: 71029372900625AFDF22AF54CC51FA9BB7ABB44710F0401A5F908A7251D732EEA0FBD1
Uniqueness
• Uniqueness Score: -1.00%

APIs
• InitializeSecurityDescriptor.ADVAPI32(?,00000001), ref: 00F81C51
• GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00F81C5B
• CreateWellKnownSid.ADVAPI32(0000001A,00000000,?,?), ref: 00F81CA8
• GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00F81CAE
• CreateWellKnownSid.ADVAPI32(00000017,00000000,?,?), ref: 00F81CE8
• GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00F81CEE
• CreateWellKnownSid.ADVAPI32(00000018,00000000,?,?), ref: 00F81D2E
• GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00F81D34
• CreateWellKnownSid.ADVAPI32(00000010,00000000,?,?), ref: 00F81D74
• GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00F81D7A
• CreateWellKnownSid.ADVAPI32(00000016,00000000,?,?), ref: 00F81DBA
• GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00F81DC0
• SetEntriesInAclA.ADVAPI32(00000005,?,00000000,?), ref: 00F81EB1
• SetSecurityDescriptorOwner.ADVAPI32(?,?,00000000), ref: 00F81EEB
• GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00F81EF5
• SetSecurityDescriptorGroup.ADVAPI32(?,?,00000000), ref: 00F81F2D
• GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00F81F37
• SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00F81F70
• GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00F81F7A
• CoInitializeSecurity.OLE32(?,000000FF,00000000,00000000,00000006,00000002,00000000,00003000,00000000), ref: 00F81FB8
• LocalFree.KERNEL32(?), ref: 00F81FCE
Strings
• c:\agent\_work\138\s\src\libs\dutil\srputil.cpp, xrefs: 00F81C7C
Memory Dump Source
• Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
• Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
Similarity
• API ID: ErrorLast$CreateKnownSecurityWell$Descriptor$Initialize$DaclEntriesFreeGroupLocalOwner
• String ID: c:\agent\_work\138\s\src\libs\dutil\srputil.cpp
• API String ID: 267631441-2057723657
• Opcode ID: 41ff096a4072e6fad4280dfc4716d3aab12cf7a1b6e403f214b91fb77ae861d1
• Instruction ID: 551dd59c3dae2acf1da110ed6578d960a69d1723723264412b29d9413371409a
• Opcode Fuzzy Hash: 41ff096a4072e6fad4280dfc4716d3aab12cf7a1b6e403f214b91fb77ae861d1
• Instruction Fuzzy Hash: CDC172B6C4123DABDB309B959C48BDBFABCBF45710F0106AAA909F7240D7709D459FA0
Uniqueness
Uniqueness Score: -1.00%
Strings
• Failed to append relation type to install arguments for related bundle package, xrefs: 00F6C3A7
• Failed to copy install arguments for related bundle package, xrefs: 00F6C386
• Failed to allocate space for burn package payload inside of related bundle struct, xrefs: 00F6C184
• Failed to allocate memory for pseudo bundle payload hash., xrefs: 00F6C2AC
• -%ls, xrefs: 00F6C14F
• Failed to copy uninstall arguments for related bundle package, xrefs: 00F6C422
• Failed to allocate space for burn payload inside of related bundle struct, xrefs: 00F6C1BD
• Failed to copy key for pseudo bundle payload., xrefs: 00F6C1F2
• Failed to copy version for pseudo bundle., xrefs: 00F6C52C
• Failed to copy local source path for pseudo bundle., xrefs: 00F6C23A
• Failed to copy key for pseudo bundle., xrefs: 00F6C33F
• Failed to copy filename for pseudo bundle., xrefs: 00F6C216
• Failed to copy download source for pseudo bundle., xrefs: 00F6C268
• Failed to copy display name for pseudo bundle., xrefs: 00F6C54E
• Failed to append relation type to repair arguments for related bundle package, xrefs: 00F6C3F0
• Failed to allocate memory for dependency providers., xrefs: 00F6C4DD
• Failed to copy cache id for pseudo bundle., xrefs: 00F6C35E
• Failed to copy repair arguments for related bundle package, xrefs: 00F6C3CF
• c:\agent\_work\138\s\src\burn\engine\pseudobundle.cpp, xrefs: 00F6C178, 00F6C1B1, 00F6C2A0, 00F6C4D1
• Failed to append relation type to uninstall arguments for related bundle package, xrefs: 00F6C443
Memory Dump Source
• Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
• Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
Similarity
• API ID: Heap$AllocateProcess
• String ID: -%ls$Failed to allocate memory for dependency providers.$Failed to allocate memory for pseudo bundle payload hash.$Failed to allocate space for burn package payload inside of related bundle struct$Failed to allocate space for burn payload inside of related bundle struct$Failed to append relation type to install arguments for related bundle package$Failed to append relation type to repair arguments for related bundle package$Failed to append relation type to uninstall arguments for related bundle package$Failed to copy cache id for pseudo bundle.$Failed to copy display name for pseudo bundle.$Failed to copy download source for pseudo bundle.$Failed to copy filename for pseudo bundle.$Failed to copy install arguments for related bundle package$Failed to copy key for pseudo bundle payload.$Failed to copy key for pseudo bundle.$Failed to copy local source path for pseudo bundle.$Failed to copy repair arguments for related bundle package$Failed to copy uninstall arguments for related bundle package$Failed to copy version for pseudo bundle.$c:\agent\_work\138\s\src\burn\engine\pseudobundle.cpp
• API String ID: 1357844191-3972778097
• Opcode ID: a4ae7ae1465ef10662890a380ddbf99ea2d14548659e8d336b0c68d06077bb1c
• Instruction ID: 5948bc542062a9b331ec1acb9b3f9c2a685cb636934e8e18a10bb25d3f2d2136
• Opcode Fuzzy Hash: a4ae7ae1465ef10662890a380ddbf99ea2d14548659e8d336b0c68d06077bb1c
• Instruction Fuzzy Hash: 5EC1F272A40612AFDB15DE69CC56B7A7AA8BF09710F048129FC95DB351DB74EC00BBE0
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetCurrentProcess.KERNEL32(00000020,?,00000001,00000000,?,?,?,?,?,?,?), ref: 00F4469D
• OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,?,?,00000000,?,?,?,?,?,?), ref: 00F446A4
• GetLastError.KERNEL32(?,?,?,?,?,?,?,00000000,?,?,?,?,?,?), ref: 00F446AE
• LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00F446FE
• GetLastError.KERNEL32 ref: 00F44708
• AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000010,00000000,00000000), ref: 00F4474C
• GetLastError.KERNEL32 ref: 00F44756
• Sleep.KERNEL32(000003E8), ref: 00F44792
• InitiateSystemShutdownExW.ADVAPI32(00000000,00000000,00000000,00000000,00000001,80040002), ref: 00F447A3
• GetLastError.KERNEL32 ref: 00F447AD
• CloseHandle.KERNEL32(?), ref: 00F44803
Strings
Memory Dump Source
• Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
• Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
Similarity
• API ID: ErrorLast$ProcessToken$AdjustCloseCurrentHandleInitiateLookupOpenPrivilegePrivilegesShutdownSleepSystemValue
• String ID: Failed to adjust token to add shutdown privileges.$Failed to get process token.$Failed to get shutdown privilege LUID.$Failed to schedule restart.$SeShutdownPrivilege$c:\agent\_work\138\s\src\burn\engine\engine.cpp
• API String ID: 2241679041-3611283357
• Opcode ID: 324212fc3c01a63028ed6db1be07e85f0211eeb3221d259ab87cb95963fcae59
• Instruction ID: 69185cca0ed0fdb82129d5cf1ca48ab49d65a772fa726babc16a6156fd5e6630
• Opcode Fuzzy Hash: 324212fc3c01a63028ed6db1be07e85f0211eeb3221d259ab87cb95963fcae59
• Instruction Fuzzy Hash: EA41CA77E40729ABD7205BA49C4ABBFBE68AF01B60F110125FE01FB191E764AD0177E1
Uniqueness
Uniqueness Score: -1.00%

APIs
• ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(D:(A;;GA;;;SY)(A;;GA;;;BA)(A;;GRGW0x00100000;;;WD),00000001,?,00000000), ref: 00F54F88
• GetLastError.KERNEL32(?,00000000,?,?,00F445B7,?), ref: 00F54F91
• CreateNamedPipeW.KERNEL32(000000FF,00080003,00000000,00000001,00010000,00010000,00000001,?,?,00000000,?,?,00F445B7,?), ref: 00F55033
• GetLastError.KERNEL32(?,00F445B7,?), ref: 00F55040
• CreateNamedPipeW.KERNEL32(000000FF,00080003,00000000,00000001,00010000,00010000,00000001,00000000,?,?,?,?,?,?,?,00F445B7), ref: 00F550BB
• GetLastError.KERNEL32(?,?,?,?,?,?,?,00F445B7,?), ref: 00F550C6
• CloseHandle.KERNEL32(00000000,c:\agent\_work\138\s\src\burn\engine\pipe.cpp,00000132,00000000,?,?,?,?,?,?,?,00F445B7,?), ref: 00F55106
• LocalFree.KERNEL32(00000000,?,00F445B7,?), ref: 00F55134
Strings
• c:\agent\_work\138\s\src\burn\engine\pipe.cpp, xrefs: 00F54FB5, 00F55064, 00F550EA
• Failed to allocate full name of cache pipe: %ls, xrefs: 00F5509D
• Failed to create pipe: %ls, xrefs: 00F55071, 00F550F7
• Failed to allocate full name of pipe: %ls, xrefs: 00F54FFF
• \\.\pipe\%ls.Cache, xrefs: 00F55087
• Failed to create the security descriptor for the connection event and pipe., xrefs: 00F54FBF
• \\.\pipe\%ls, xrefs: 00F54FE9
• D:(A;;GA;;;SY)(A;;GA;;;BA)(A;;GRGW0x00100000;;;WD), xrefs: 00F54F83
Memory Dump Source
• Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
• Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
Similarity
• API ID: ErrorLast$CreateDescriptorNamedPipeSecurity$CloseConvertFreeHandleLocalString
• String ID: D:(A;;GA;;;SY)(A;;GA;;;BA)(A;;GRGW0x00100000;;;WD)$Failed to allocate full name of cache pipe: %ls$Failed to allocate full name of pipe: %ls$Failed to create pipe: %ls$Failed to create the security descriptor for the connection event and pipe.$\\.\pipe\%ls$\\.\pipe\%ls.Cache$c:\agent\_work\138\s\src\burn\engine\pipe.cpp
• API String ID: 1214480349-3091705230
• Opcode ID: 80603151892a3c167bc2073d35bd90bc87ec432cf002c561e5c97b237fe427c4
• Instruction ID: d00d1e03298ea4832e12d3cf8b83812f62d6010b88262764ff6bde90395b9ac8
• Opcode Fuzzy Hash: 80603151892a3c167bc2073d35bd90bc87ec432cf002c561e5c97b237fe427c4
• Instruction Fuzzy Hash: 4C51C672D40626BBDB219AA4CC46FDEBB64AF14B61F110111FE10BA1D0E3759E44BB91
Uniqueness
Uniqueness Score: -1.00%

APIs
• CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000003,F0000040,00000003,00000000,00000000,00F59EE1,00000003,000007D0,00000003,?,000007D0,?,000007D0), ref: 00F7FEE4
• GetLastError.KERNEL32 ref: 00F7FEEE
• CryptCreateHash.ADVAPI32(?,?,00000000,00000000,?), ref: 00F7FF2B
• GetLastError.KERNEL32 ref: 00F7FF35
• CryptHashData.ADVAPI32(?,?,?,00000000), ref: 00F7FF7C
• ReadFile.KERNEL32(00000000,?,00001000,?,00000000), ref: 00F7FFA0
• GetLastError.KERNEL32 ref: 00F7FFAA
• CryptDestroyHash.ADVAPI32(00000000), ref: 00F7FFE7
• CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 00F7FFFE
• GetLastError.KERNEL32 ref: 00F80017
• CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000), ref: 00F8004F
• GetLastError.KERNEL32 ref: 00F80059
• SetFilePointerEx.KERNEL32(00000000,00000000,00000000,00008004,00000001), ref: 00F80092
• GetLastError.KERNEL32 ref: 00F800A0
Strings
• c:\agent\_work\138\s\src\libs\dutil\cryputil.cpp, xrefs: 00F7FFCE
Memory Dump Source
• Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
• Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
Similarity
• API ID: CryptErrorLast$Hash$ContextFile$AcquireCreateDataDestroyParamPointerReadRelease
• String ID: c:\agent\_work\138\s\src\libs\dutil\cryputil.cpp
• API String ID: 3955742341-2390292976
• Opcode ID: 4c5d600a11a3286255ec6d9f9d0c099e329bb136235c292d9055af0b7213f70a
• Instruction ID: bdb65ed20d4d38c6ef1a53900e5603c08fa056956a68632e854c93b760540aba
• Opcode Fuzzy Hash: 4c5d600a11a3286255ec6d9f9d0c099e329bb136235c292d9055af0b7213f70a
• Instruction Fuzzy Hash: 2751E737D40239ABD7318B549C04BEB7A64AB05761F0181A6FE4CFA190DB748D88FBE1
Uniqueness
Uniqueness Score: -1.00%

                                                                                                Strings
                                                                                                • Failed to move verified file to complete payload path: %ls, xrefs: 00F5A049
                                                                                                • Failed to get cached path for package with cache id: %ls, xrefs: 00F59EA5
                                                                                                • moving, xrefs: 00F5A006
                                                                                                • Failed to find payload: %ls in working path: %ls and unverified path: %ls, xrefs: 00F59FA8
                                                                                                • Failed to transfer working path to unverified path for payload: %ls., xrefs: 00F59F81
                                                                                                • copying, xrefs: 00F5A00D, 00F5A015
                                                                                                • Failed to concat complete cached path., xrefs: 00F59ED1
                                                                                                • Failed to create unverified path., xrefs: 00F59F4B
                                                                                                • Failed to reset permissions on unverified cached payload: %ls, xrefs: 00F59FCE
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: Failed to concat complete cached path.$Failed to create unverified path.$Failed to find payload: %ls in working path: %ls and unverified path: %ls$Failed to get cached path for package with cache id: %ls$Failed to move verified file to complete payload path: %ls$Failed to reset permissions on unverified cached payload: %ls$Failed to transfer working path to unverified path for payload: %ls.$copying$moving
                                                                                                • API String ID: 0-1289240508
                                                                                                • Opcode ID: 3fc7ff53f5bf13c3aa87091ca9568825858940cce83b9c1c3f3a70d342df07fb
                                                                                                • Instruction ID: e6c29071cc9e17247398beed8678104d4db8ac457b8e0cd118fa4c9dca2d68d9
                                                                                                • Opcode Fuzzy Hash: 3fc7ff53f5bf13c3aa87091ca9568825858940cce83b9c1c3f3a70d342df07fb
                                                                                                • Instruction Fuzzy Hash: 45514E32D4421AFBDF226B94CC02FDD7B75AF04751F104151FE00B61A1E77A9A64BB92
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • GetVersionExW.KERNEL32(0000011C), ref: 00F463A9
                                                                                                • GetLastError.KERNEL32 ref: 00F463B3
                                                                                                Strings
                                                                                                • Failed to get OS info., xrefs: 00F463E1
                                                                                                • c:\agent\_work\138\s\src\burn\engine\variable.cpp, xrefs: 00F463D7
                                                                                                • Failed to set variant value., xrefs: 00F464D4
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: ErrorLastVersion
                                                                                                • String ID: Failed to get OS info.$Failed to set variant value.$c:\agent\_work\138\s\src\burn\engine\variable.cpp
                                                                                                • API String ID: 305913169-505467846
                                                                                                • Opcode ID: 73cb10a49e8ea7c03727877839a1d20417d53a70c937ce1df7a296da8dd1ff8e
                                                                                                • Instruction ID: 693b65067dee1d2d1825ab199b80cdefb806c7c39d621842a9cdb10a07cb10a3
                                                                                                • Opcode Fuzzy Hash: 73cb10a49e8ea7c03727877839a1d20417d53a70c937ce1df7a296da8dd1ff8e
                                                                                                • Instruction Fuzzy Hash: CF419672E00228ABDB20DB99DC45FEF7FB8DB86750F10019AB905E7250DA74DE41EB91
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • GetSystemTime.KERNEL32(?), ref: 00F460C5
                                                                                                • GetDateFormatW.KERNEL32(00000400,00000001,?,00000000,00000000,00000000), ref: 00F460D9
                                                                                                • GetLastError.KERNEL32 ref: 00F460EB
                                                                                                • GetDateFormatW.KERNEL32(00000400,00000001,?,00000000,?,00000000,?,00000000), ref: 00F4613F
                                                                                                • GetLastError.KERNEL32 ref: 00F46149
                                                                                                Strings
                                                                                                • Failed to allocate the buffer for the Date., xrefs: 00F46127
                                                                                                • Failed to get the Date., xrefs: 00F4616E
                                                                                                • Failed to get the required buffer length for the Date., xrefs: 00F46110
                                                                                                • c:\agent\_work\138\s\src\burn\engine\variable.cpp, xrefs: 00F46106, 00F46164
                                                                                                • Failed to set variant value., xrefs: 00F46187
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: DateErrorFormatLast$SystemTime
                                                                                                • String ID: Failed to allocate the buffer for the Date.$Failed to get the Date.$Failed to get the required buffer length for the Date.$Failed to set variant value.$c:\agent\_work\138\s\src\burn\engine\variable.cpp
                                                                                                • API String ID: 2700948981-3071540250
                                                                                                • Opcode ID: 8a4183886bf2f650cb757aec57927e5e417bbb57082027aa845cb6ce912768c3
                                                                                                • Instruction ID: c83c5124d22bd5b8c643ce3412bf9a07b634cbab66551b2afadd438ebc356f2d
                                                                                                • Opcode Fuzzy Hash: 8a4183886bf2f650cb757aec57927e5e417bbb57082027aa845cb6ce912768c3
                                                                                                • Instruction Fuzzy Hash: B0318872E406297BDB11ABA8CC46FEF7E68AF45B10F110125FE00F7192DA65DD04A7E2
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • EnterCriticalSection.KERNEL32(00FAC6EC,00000000,?,?,?,?,00F61188,8007139F,Invalid operation for this state.,c:\agent\_work\138\s\src\burn\engine\cabextract.cpp,000001C7,8007139F), ref: 00F8030B
                                                                                                • GetCurrentProcessId.KERNEL32(00000000,?,00F61188,8007139F,Invalid operation for this state.,c:\agent\_work\138\s\src\burn\engine\cabextract.cpp,000001C7,8007139F), ref: 00F8031B
                                                                                                • GetCurrentThreadId.KERNEL32 ref: 00F80324
                                                                                                • GetLocalTime.KERNEL32(8007139F,?,00F61188,8007139F,Invalid operation for this state.,c:\agent\_work\138\s\src\burn\engine\cabextract.cpp,000001C7,8007139F), ref: 00F8033A
                                                                                                • LeaveCriticalSection.KERNEL32(00FAC6EC,00F61188,?,00000000,0000FDE9,?,00F61188,8007139F,Invalid operation for this state.,c:\agent\_work\138\s\src\burn\engine\cabextract.cpp,000001C7,8007139F), ref: 00F80431
                                                                                                Strings
                                                                                                • %ls[%04X:%04X][%04hu-%02hu-%02huT%02hu:%02hu:%02hu]%hs%03d:%ls %ls%ls, xrefs: 00F803D7
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: CriticalCurrentSection$EnterLeaveLocalProcessThreadTime
                                                                                                • String ID: %ls[%04X:%04X][%04hu-%02hu-%02huT%02hu:%02hu:%02hu]%hs%03d:%ls %ls%ls
                                                                                                • API String ID: 296830338-59366893
                                                                                                • Opcode ID: 97ee6f299fd7beb28dc6d2a4a79dc4047ac1857e11b51a816b3b8a79d2f7c67e
                                                                                                • Instruction ID: 9c6c6ab3952aec9dfd6b6c70475945cf0c56d28673b9ab84fd9f4ebbfca7068f
                                                                                                • Opcode Fuzzy Hash: 97ee6f299fd7beb28dc6d2a4a79dc4047ac1857e11b51a816b3b8a79d2f7c67e
                                                                                                • Instruction Fuzzy Hash: D5418372E00219ABDB51EFA4CC49AFEB7B8EB09751F544125FA01E6160DB388D44FBA1
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • FindFirstFileW.KERNEL32(?,?,00000000,?,*.*,?,?,?,00000000,.unverified,?), ref: 00F59BD3
                                                                                                • lstrlenW.KERNEL32(?), ref: 00F59BFA
                                                                                                • FindNextFileW.KERNEL32(00000000,00000010), ref: 00F59C5A
                                                                                                • FindClose.KERNEL32(00000000), ref: 00F59C65
                                                                                                  • Part of subcall function 00F43D89: GetFileAttributesW.KERNEL32(?,?,?,?,00000001,00000000,?), ref: 00F43DE8
                                                                                                  • Part of subcall function 00F43D89: GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 00F43DFB
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: FileFind$AttributesCloseErrorFirstLastNextlstrlen
                                                                                                • String ID: *.*$.unverified
                                                                                                • API String ID: 457978746-2528915496
                                                                                                • Opcode ID: e32f4065b89fb715d712d340c9d14b62a0edf9b488158a1af825d41bcec55844
                                                                                                • Instruction ID: e87ab0cdbbfd03d8c36b99475d959bdcdc916c0ee968b9fadec7f137b9700b0e
                                                                                                • Opcode Fuzzy Hash: e32f4065b89fb715d712d340c9d14b62a0edf9b488158a1af825d41bcec55844
                                                                                                • Instruction Fuzzy Hash: FE41853090452DEADF65AB64DC4DBEE77F8AF44316F4041A1EA08E10A1E7B59EC8EF14
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • GetTimeZoneInformation.KERNEL32(?,00000001,00000000), ref: 00F88CAB
                                                                                                • SystemTimeToTzSpecificLocalTime.KERNEL32(?,?,?), ref: 00F88CBD
                                                                                                Strings
                                                                                                • %04hu-%02hu-%02huT%02hu:%02hu:%02hu%c%02u:%02u, xrefs: 00F88D08
                                                                                                • crypt32.dll, xrefs: 00F88C7B
                                                                                                • feclient.dll, xrefs: 00F88C85
                                                                                                • %04hu-%02hu-%02huT%02hu:%02hu:%02huZ, xrefs: 00F88C94
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: Time$InformationLocalSpecificSystemZone
                                                                                                • String ID: %04hu-%02hu-%02huT%02hu:%02hu:%02hu%c%02u:%02u$%04hu-%02hu-%02huT%02hu:%02hu:%02huZ$crypt32.dll$feclient.dll
                                                                                                • API String ID: 1772835396-1985132828
                                                                                                • Opcode ID: 7270a13f35357526417135e85be05e849cb96ccbc5a90b7d7778f39b68f26042
                                                                                                • Instruction ID: 574eff28c6c612f7128c227af49fe8ed2528d57f1dd8b01e034e7268e0979c8d
                                                                                                • Opcode Fuzzy Hash: 7270a13f35357526417135e85be05e849cb96ccbc5a90b7d7778f39b68f26042
                                                                                                • Instruction Fuzzy Hash: B821EAA6901128FADB60DBA9DC05EBFB3FCEB4D711F004556B945E2190E73CAA80E770
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%
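The three function blocks above are where this sample touches the clock: GetSystemTime feeding two GetDateFormatW calls (the first with cchDate 0 as a size query, then the real call into an allocated buffer, with "Failed to get the required buffer length for the Date." as the error path), GetLocalTime between EnterCriticalSection/LeaveCriticalSection next to a `%ls[%04X:%04X][%04hu-%02hu-%02huT...]` log-line format that takes the process and thread IDs fetched just before it, and GetTimeZoneInformation/SystemTimeToTzSpecificLocalTime beside two ISO-8601 format strings. The error strings on the same blocks carry `src\burn\engine\variable.cpp`, which is the WiX Toolset's Burn bootstrapper engine. A static API listing shows that the clock is read; it cannot show whether the value is compared against anything, and that is the only part that would make a clock read a trigger-date check.

The Python script below is an added example, not code from Joe Sandbox, the WiX Toolset or the Python installer. It parses function blocks of the shape printed in this report (the excerpt it reads is constructed from lines above and is not the full report), separates "reads the clock" from what the surrounding calls and strings show the value is used for, and decodes the first two GetDateFormatW arguments with the Win32 SDK constants LOCALE_USER_DEFAULT (0x0400) and DATE_SHORTDATE (0x1). The API set, regular expressions and note texts are this example's own choices, not a Joe Sandbox rule.

```python
import re
from dataclasses import dataclass, field

# Constructed excerpt in the shape of the "APIs" / "Strings" blocks of this report.
SAMPLE_REPORT = r"""APIs
• GetSystemTime.KERNEL32(?), ref: 00F460C5
• GetDateFormatW.KERNEL32(00000400,00000001,?,00000000,00000000,00000000), ref: 00F460D9
• GetLastError.KERNEL32 ref: 00F460EB
• GetDateFormatW.KERNEL32(00000400,00000001,?,00000000,?,00000000,?,00000000), ref: 00F4613F
Strings
• Failed to get the required buffer length for the Date., xrefs: 00F46110
• c:\agent\_work\138\s\src\burn\engine\variable.cpp, xrefs: 00F46106, 00F46164
Memory Dump Source
APIs
• EnterCriticalSection.KERNEL32(00FAC6EC,00000000), ref: 00F8030B
• GetCurrentProcessId.KERNEL32(00000000), ref: 00F8031B
• GetCurrentThreadId.KERNEL32 ref: 00F80324
• GetLocalTime.KERNEL32(8007139F), ref: 00F8033A
Strings
• %ls[%04X:%04X][%04hu-%02hu-%02huT%02hu:%02hu:%02hu]%hs%03d:%ls %ls%ls, xrefs: 00F803D7
Memory Dump Source
APIs
• FindFirstFileW.KERNEL32(?,?,00000000,?,*.*), ref: 00F59BD3
  • Part of subcall function 00F43D89: GetFileAttributesW.KERNEL32(?), ref: 00F43DE8
Strings
Memory Dump Source
"""

# "• Api.MODULE(args), ref: ADDR"; the indented "Part of subcall function" form is accepted too.
API_RE = re.compile(r"^\s*•\s+(?:Part of subcall function [0-9A-Fa-f]+:\s+)?(?P<api>\w+)\."
                    r"(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s+ref:\s+(?P<addr>[0-9A-Fa-f]+)")
STR_RE = re.compile(r"^\s*•\s+(?P<text>.*?),\s+xrefs:\s+[0-9A-Fa-f, ]+$")
LOCALE_USER_DEFAULT, DATE_SHORTDATE = 0x0400, 0x0001  # Win32 SDK constants
CLOCK_APIS = {"GetSystemTime", "GetLocalTime", "GetSystemTimeAsFileTime",
              "GetTimeZoneInformation", "SystemTimeToTzSpecificLocalTime"}
BURN_SOURCE = re.compile(r"\\src\\burn\\engine\\", re.IGNORECASE)  # WiX Burn engine tree
ISO_DATE_FMT = "%04hu-%02hu-%02hu"  # yyyy-mm-dd as printf'd from a SYSTEMTIME

@dataclass
class Call:
    api: str
    module: str
    args: list[str]
    addr: str

@dataclass
class FunctionBlock:
    calls: list[Call] = field(default_factory=list)
    strings: list[str] = field(default_factory=list)

def parse_blocks(report: str) -> list[FunctionBlock]:
    """One FunctionBlock per 'APIs ... Strings ... Memory Dump Source' run."""
    blocks, current, mode = [], None, None
    for line in report.splitlines():
        head = line.strip()
        if head == "APIs":
            current, mode = FunctionBlock(), "api"
            blocks.append(current)
        elif head == "Strings":
            mode = "str"
        elif head == "Memory Dump Source":
            mode = None
        elif mode == "api" and (m := API_RE.match(line)):
            args = [a for a in (m["args"] or "").split(",") if a]
            current.calls.append(Call(m["api"], m["module"], args, m["addr"].upper()))
        elif mode == "str" and (m := STR_RE.match(line)):
            current.strings.append(m["text"])
    return blocks

def size_probe_then_format(block: FunctionBlock) -> bool:
    """Two GetDateFormatW calls, the first with cchDate == 0: the size-query/format idiom."""
    fmt = [c for c in block.calls if c.api == "GetDateFormatW" and len(c.args) >= 6]
    if len(fmt) < 2:
        return False
    try:  # '?' marks an argument the sandbox could not resolve; treat as not proven
        lcid, flags, cch = (int(fmt[0].args[i], 16) for i in (0, 1, 5))
    except ValueError:
        return False
    return cch == 0 and lcid == LOCALE_USER_DEFAULT and bool(flags & DATE_SHORTDATE)

def triage(block: FunctionBlock) -> dict:
    """Reading the clock is not a date check; record what the listing shows the value is used for."""
    clock = sorted({c.api for c in block.calls} & CLOCK_APIS)
    notes = []
    if clock and any(BURN_SOURCE.search(s) for s in block.strings):
        notes.append("error strings name the WiX Burn engine source tree")
    if clock and size_probe_then_format(block):
        notes.append("GetDateFormatW size probe then format: builds a date string, no comparison")
    if clock and any(ISO_DATE_FMT in s for s in block.strings):
        notes.append("ISO-8601 format string next to the clock read: log timestamp")
    return {"reads_clock": bool(clock), "clock_apis": clock, "notes": notes,
            "needs_manual_review": bool(clock) and not notes}
```

Run over the excerpt, the first two blocks come back with `reads_clock` set and a note explaining the read, and the FindFirstFileW block comes back clean; a block that reads the clock and produces no note is the one worth opening in the disassembly, where a compare or branch on the returned SYSTEMTIME fields, not the call itself, is the evidence of a trigger date.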

                                                                                                APIs
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: __floor_pentium4
                                                                                                • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                                                                                • API String ID: 4168288129-2761157908
                                                                                                • Opcode ID: 9780cd051644633e9be7454f404a32533a91f1ce52bf4e5d1174b8280271ce44
                                                                                                • Instruction ID: 595a4b3ad16e095482cf079b46fb82c5cb0258e78c8a2c6474f05c6df0e4fad3
                                                                                                • Opcode Fuzzy Hash: 9780cd051644633e9be7454f404a32533a91f1ce52bf4e5d1174b8280271ce44
                                                                                                • Instruction Fuzzy Hash: C4C25E71E046288FDB25CE28DD407E9B3B5EB89315F1581EBD80DE7240E779AE819F42
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                Strings
                                                                                                • Failed to get the user name., xrefs: 00F462A1
                                                                                                • c:\agent\_work\138\s\src\burn\engine\variable.cpp, xrefs: 00F46297
                                                                                                • Failed to set variant value., xrefs: 00F462BD
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: ErrorLastNameUser
                                                                                                • String ID: Failed to get the user name.$Failed to set variant value.$c:\agent\_work\138\s\src\burn\engine\variable.cpp
                                                                                                • API String ID: 2054405381-589247725
                                                                                                • Opcode ID: 0df2ebf9a6e99fa7aa84f134e70ad624124cc5d21dd864a7c5dbae9c4b1d8be0
                                                                                                • Instruction ID: eab2c746f0b11863a07ae58821d834fd77a59cbbad5228805e713ef0d2d482d9
                                                                                                • Opcode Fuzzy Hash: 0df2ebf9a6e99fa7aa84f134e70ad624124cc5d21dd864a7c5dbae9c4b1d8be0
                                                                                                • Instruction Fuzzy Hash: D001D232A0032877CB21AB549C06AEB7BA8AF01720F114255FC14E7281DBB8DE446BE2
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • FormatMessageW.KERNEL32(00F44307,00F45506,?,00000000,00000000,00000000,?,80070656,?,?,?,00F5E6CA,00000000,00F45506,00000000,80070656), ref: 00F420D4
                                                                                                • GetLastError.KERNEL32(?,?,?,00F5E6CA,00000000,00F45506,00000000,80070656,?,?,00F5412F,00F45506,?,80070656,00000001,crypt32.dll), ref: 00F420E1
                                                                                                • LocalFree.KERNEL32(00000000,?,00000000,00000000,?,?,?,00F5E6CA,00000000,00F45506,00000000,80070656,?,?,00F5412F,00F45506), ref: 00F42128
                                                                                                Strings
                                                                                                • c:\agent\_work\138\s\src\libs\dutil\strutil.cpp, xrefs: 00F42105
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: ErrorFormatFreeLastLocalMessage
                                                                                                • String ID: c:\agent\_work\138\s\src\libs\dutil\strutil.cpp
                                                                                                • API String ID: 1365068426-1498286024
                                                                                                • Opcode ID: 81bb415108770473ee29d8acb4e328bcce877f58ae745800c16a9b7a271ea5c8
                                                                                                • Instruction ID: 8cb9a785d24780bd19116829b092dea88e42cc10947cf89cad9e80dc30ee2dd4
                                                                                                • Opcode Fuzzy Hash: 81bb415108770473ee29d8acb4e328bcce877f58ae745800c16a9b7a271ea5c8
                                                                                                • Instruction Fuzzy Hash: 09015EB7940229FBDB109B95CC09AEEBEACEB04750F014165BD05E6241E6749E00EBA0
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000003,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00F669AE,00000000,00000003), ref: 00F66A19
                                                                                                • GetLastError.KERNEL32(?,00F669AE,00000000,00000003,00000000,?,?,?,?,?,?,?,?,?,00F66D9D,?), ref: 00F66A23
                                                                                                Strings
                                                                                                • c:\agent\_work\138\s\src\burn\engine\msuengine.cpp, xrefs: 00F66A47
                                                                                                • Failed to set service start type., xrefs: 00F66A51
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: ChangeConfigErrorLastService
                                                                                                • String ID: Failed to set service start type.$c:\agent\_work\138\s\src\burn\engine\msuengine.cpp
                                                                                                • API String ID: 1456623077-3939833892
                                                                                                • Opcode ID: 9e8ca23a3b04b855c7015b62584b76ec700b154eb4860351a09ee38d08cc9d87
                                                                                                • Instruction ID: d503e01617cfbf2c43d3e36bddd33df2b07bb1409210174f03e3b7503bf0d19d
                                                                                                • Opcode Fuzzy Hash: 9e8ca23a3b04b855c7015b62584b76ec700b154eb4860351a09ee38d08cc9d87
                                                                                                • Instruction Fuzzy Hash: 49F0E533A45239739A2126D99C0AA9B7E089F01BB0B118311FE28FA1D1EF198C10B7E4
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 00F73992
                                                                                                • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 00F7399C
                                                                                                • UnhandledExceptionFilter.KERNEL32(80003CDD,?,?,?,?,?,?), ref: 00F739A9
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                                                                • String ID:
                                                                                                • API String ID: 3906539128-0
                                                                                                • Opcode ID: b832425fffbdc1eef148e6a247100f049ae537a5019419286b9104e76bfdb10d
                                                                                                • Instruction ID: 466489482d61a8b7a323f0813d7a8d624d639a11d1a902776397eb8fb8009aba
                                                                                                • Opcode Fuzzy Hash: b832425fffbdc1eef148e6a247100f049ae537a5019419286b9104e76bfdb10d
                                                                                                • Instruction Fuzzy Hash: 4931D375D0121DABCB21DF24DC8879DBBB8BF08310F5041EAE41CA7251E7749B859F45
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • GetCurrentProcess.KERNEL32(?,?,00F74502,00000000,80004004,?,00000000,?,00F71731), ref: 00F74525
                                                                                                • TerminateProcess.KERNEL32(00000000,?,00F74502,00000000,80004004,?,00000000,?,00F71731), ref: 00F7452C
                                                                                                • ExitProcess.KERNEL32 ref: 00F7453E
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: Process$CurrentExitTerminate
                                                                                                • String ID:
                                                                                                • API String ID: 1703294689-0
                                                                                                • Opcode ID: 7048c2117f2923f82bb2daea13c9f035a8c62ebb5864c69ce2860cdaedf09938
                                                                                                • Instruction ID: 39c5963b190537b9c981870a2607d33ddf69f693a8e5e2f89443444b5086723f
                                                                                                • Opcode Fuzzy Hash: 7048c2117f2923f82bb2daea13c9f035a8c62ebb5864c69ce2860cdaedf09938
                                                                                                • Instruction Fuzzy Hash: 26E0EC3145154CAFCF126F54DC0D9AC3B69FB40395F498416FA09CA131CB39ED92EB51
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 11f708f5448ef02d584e702d3f548cd34cb687d87299eecc1415ec0065b92091
                                                                                                • Instruction ID: e3b96a4a74a8954d886588153245c82d3bacbb60cdb9af19cd04c66487d89151
                                                                                                • Opcode Fuzzy Hash: 11f708f5448ef02d584e702d3f548cd34cb687d87299eecc1415ec0065b92091
                                                                                                • Instruction Fuzzy Hash: AF024F71E012199FDF14CFA8C9806AEBBF1FF88324F16826AD919A7341D7359D01DB92
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                  • Part of subcall function 00F84061: RegCloseKey.ADVAPI32(00000000,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,00020019,00000000,?,?,?,?,?,00F83F01,?), ref: 00F840D2
                                                                                                • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00F83F25
                                                                                                • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00F83F36
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: AllocateCheckCloseInitializeMembershipToken
                                                                                                • String ID:
                                                                                                • API String ID: 2114926846-0
                                                                                                • Opcode ID: 4c36c4fa643a86e9887416ca5db6122f24d41c54b24701eaadee44dfb2650576
                                                                                                • Instruction ID: 386512dfeb024c795ab15fafe69ec2dc0ca26ce2399e735969dcf806fc14abb5
                                                                                                • Opcode Fuzzy Hash: 4c36c4fa643a86e9887416ca5db6122f24d41c54b24701eaadee44dfb2650576
                                                                                                • Instruction Fuzzy Hash: E91139B1D0030EABDB10EFA5CC85AEFBBF8FF08704F504439A611A6151D7749A44DB90
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%
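The argument columns in the `APIs` entries above are easier to triage once decoded, so here is an added helper for this report; it is not part of Joe Sandbox's output nor of the analysed installer's code, and its sample lines are constructed from the entries above. It parses the report's `Name.MODULE(args), ref: addr` format and interprets the calls that carry the security-relevant point of this section: AllocateAndInitializeSid with sub-authorities 00000020 and 00000220 (SECURITY_BUILTIN_DOMAIN_RID and DOMAIN_ALIAS_RID_ADMINS, i.e. BUILTIN\Administrators, S-1-5-32-544) followed by CheckTokenMembership, which is the ordinary "am I elevated" check rather than an attempt to gain privileges; ChangeServiceConfigW with dwStartType 00000003 (SERVICE_DEMAND_START) next to the "Failed to set service start type." string; and the HRESULT 80070656 that appears around the FormatMessageW call. Two caveats are built in. First, Joe Sandbox prints the stack at the call site, not just the declared parameters, so values such as 00F669AE or 00F5E6CA in the image's address range are most likely return addresses or code pointers and the decoders read only the leading parameters. Second, the 000000FF values on the ChangeServiceConfigW line are assumed to be the report's rendering of the imm8 encoding of `push -1`, i.e. SERVICE_NO_CHANGE; that and the SECURITY_NT_AUTHORITY value (5) supplied for the SID's identifier authority, which the static trace only shows as `?`, are assumptions marked in the code. The same argument-level reading is what shows the IsDebuggerPresent / SetUnhandledExceptionFilter / UnhandledExceptionFilter and GetCurrentProcess / TerminateProcess / ExitProcess blocks above to be consistent with the MSVC CRT's standard abort path rather than with deliberate anti-debugging logic.

```python
"""Decode the argument columns of Joe Sandbox "APIs" lines.
Added example; not part of Joe Sandbox or of the analysed installer."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the shape the report prints under "APIs".
SAMPLE_LINES = [
    "• Part of subcall function 00F84061: RegCloseKey.ADVAPI32(00000000,80000002,"
    "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System,00020019,"
    "00000000,?,?,?,?,?,00F83F01,?), ref: 00F840D2",
    "• AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,"
    "00000000,00000000,00000000,00000000,00000000,?,?), ref: 00F83F25",
    "• CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00F83F36",
    "• ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000003,000000FF,00000000,"
    "00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00F669AE,"
    "00000000,00000003), ref: 00F66A19",
]

LINE_RE = re.compile(
    r"^\W*(?:Part of subcall function [0-9A-F]+: )?"
    r"(\w+)\.(\w+)\((.*)\), ref: ([0-9A-F]+)$"
)
HEX_RE = re.compile(r"^[0-9A-F]{8}$")


@dataclass
class ApiCall:
    name: str
    module: str
    args: list   # int for 8-hex-digit values, None for '?', str for paths/names
    ref: int     # address of the call instruction


def parse_api_line(line: str) -> ApiCall:
    """Split one APIs line. The report dumps the stack at the call site, so the
    list is longer than the declared parameters; only trust the leading ones.
    String arguments containing commas are not expected in this format."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an APIs line: {line!r}")
    name, module, raw_args, ref = m.groups()
    args = []
    for tok in raw_args.split(","):
        tok = tok.strip()
        if tok == "?":
            args.append(None)
        elif HEX_RE.match(tok):
            args.append(int(tok, 16))
        else:
            args.append(tok)
    return ApiCall(name, module, args, int(ref, 16))


def decode_sid(call: ApiCall, assumed_authority: Optional[int] = None) -> str:
    """Rebuild the SID AllocateAndInitializeSid is asked to build.
    Parameters: pIdentifierAuthority, nSubAuthorityCount, sub0..sub7, pSid.
    The authority is a pointer shown as '?' in the trace, so the caller may
    pass the assumed value (5 = SECURITY_NT_AUTHORITY); otherwise '?' is printed.
    0x20/0x220 decode to 32-544, the BUILTIN\\Administrators alias."""
    if call.name != "AllocateAndInitializeSid":
        raise ValueError("expected AllocateAndInitializeSid")
    count = call.args[1]
    subs = call.args[2:2 + count]
    auth = "?" if assumed_authority is None else str(assumed_authority)
    return "S-1-" + auth + "".join(f"-{s}" for s in subs)


SERVICE_NO_CHANGE = 0xFFFFFFFF
START_TYPES = {
    0: "SERVICE_BOOT_START", 1: "SERVICE_SYSTEM_START", 2: "SERVICE_AUTO_START",
    3: "SERVICE_DEMAND_START", 4: "SERVICE_DISABLED",
}


def decode_service_config(call: ApiCall) -> dict:
    """Read dwServiceType, dwStartType, dwErrorControl of ChangeServiceConfigW.
    Assumption: the report prints `push -1` as its imm8 byte 000000FF, so
    0xFF is treated like 0xFFFFFFFF (SERVICE_NO_CHANGE) here."""
    if call.name != "ChangeServiceConfigW":
        raise ValueError("expected ChangeServiceConfigW")
    _h_service, svc_type, start, err_ctl = call.args[:4]

    def no_change(v):
        return v in (0xFF, SERVICE_NO_CHANGE)

    return {
        "service_type": "SERVICE_NO_CHANGE" if no_change(svc_type) else hex(svc_type),
        "start_type": START_TYPES.get(start, hex(start)),
        "error_control": "SERVICE_NO_CHANGE" if no_change(err_ctl) else hex(err_ctl),
    }


def split_hresult(hr: int) -> tuple:
    """Return (severity, facility, code). Facility 7 is FACILITY_WIN32, so
    80070656 carries Win32 error 0x656 = 1622 (ERROR_INSTALL_LOG_FAILURE)."""
    return (hr >> 31) & 1, (hr >> 16) & 0x7FF, hr & 0xFFFF
```

Run `decode_sid(parse_api_line(SAMPLE_LINES[1]), assumed_authority=5)` to get `S-1-5-32-544`; pair it with the CheckTokenMembership line that follows and the block reads as an elevation check of the current token. The RegCloseKey entry parses too, but its meaningful values (80000002 = HKEY_LOCAL_MACHINE, the Policies\System path, 00020019 = KEY_READ) belong to the RegOpenKeyExW call that preceded it on the stack, which is exactly why the decoders only consume the declared leading parameters.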

                                                                                                APIs
                                                                                                • FindFirstFileW.KERNEL32(00F6907E,?,00000100,00000000,00000000), ref: 00F848C6
                                                                                                • FindClose.KERNEL32(00000000), ref: 00F848D2
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: Find$CloseFileFirst
                                                                                                • String ID:
                                                                                                • API String ID: 2295610775-0
                                                                                                • Opcode ID: d2eb48f14d56a52264884ed6f8a895fe5ef4c2e4bb310ca2d913f921a2eb6053
                                                                                                • Instruction ID: bc55cc929270f362fc0af0cb8262965b4313df66bb6955baced9febe51998f41
                                                                                                • Opcode Fuzzy Hash: d2eb48f14d56a52264884ed6f8a895fe5ef4c2e4bb310ca2d913f921a2eb6053
                                                                                                • Instruction Fuzzy Hash: 6F01F475A0020DABCB10EFA9DC89DEFB7ACEBD5325F400065E818D7181C734AD4D9B64
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00F7F29D,?,?,00000008,?,?,00F7EF31,00000000), ref: 00F7F4CF
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: ExceptionRaise
                                                                                                • String ID:
                                                                                                • API String ID: 3997070919-0
                                                                                                • Opcode ID: 3819ceff370fd0d84b00d549a14bb8e9e957418bc27e332c12155e908b1a5b4a
                                                                                                • Instruction ID: 8d2d8253cb732609c9b32f0f23144ce35078bd63dd250f8c87619aaa73ecc849
                                                                                                • Opcode Fuzzy Hash: 3819ceff370fd0d84b00d549a14bb8e9e957418bc27e332c12155e908b1a5b4a
                                                                                                • Instruction Fuzzy Hash: E4B13A32A10609CFD714CF28C486B657BE0FF45364F29C669E89ACF2A1C335E996DB41
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • SetUnhandledExceptionFilter.KERNEL32(Function_0002E823,00F6DEF9), ref: 00F6E81C
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: ExceptionFilterUnhandled
                                                                                                • String ID:
                                                                                                • API String ID: 3192549508-0
                                                                                                • Opcode ID: ea68546eb7cb475bca6c2033be9b77abf4e563c8177cdaa40f4e3add4e50f040
                                                                                                • Instruction ID: 56c369da976f50ea8891a86b642bd875a65cc5a55b701b6c3db817d8655beac8
                                                                                                • Opcode Fuzzy Hash: ea68546eb7cb475bca6c2033be9b77abf4e563c8177cdaa40f4e3add4e50f040
                                                                                                • Instruction Fuzzy Hash:
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: 0
                                                                                                • API String ID: 0-4108050209
                                                                                                • Opcode ID: 054d639b79e1fa0916f482214204ca77125c430476f6e6f82cb6e7ecb61e2d30
                                                                                                • Instruction ID: b531d6039d1afc7befdeaa3e267af79cf38c7578143fee66caee8095c569d3e1
                                                                                                • Opcode Fuzzy Hash: 054d639b79e1fa0916f482214204ca77125c430476f6e6f82cb6e7ecb61e2d30
                                                                                                • Instruction Fuzzy Hash: BB616C71E0030566EBB89A2948917BE73B5EB41720F08C51FE64EEB2C1D729DE42B353
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

APIs
• RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000101,?,?,00020006,00000000), ref: 00F50618
Strings
Similarity
• API ID: Close
• String ID: /uninstall$"%ls" %ls$"%ls" /modify$"%ls" /uninstall /quiet$%hs$%hu.%hu.%hu.%hu$%s,0$/modify$3.14.0.5722$BundleAddonCode$BundleCachePath$BundleDetectCode$BundlePatchCode$BundleProviderKey$BundleTag$BundleUpgradeCode$BundleVersion$Comments$Contact$DisplayIcon$DisplayVersion$EngineVersion$EstimatedSize$Failed to cache bundle from path: %ls$Failed to create registration key.$Failed to register the bundle dependency key.$Failed to update name and publisher.$Failed to update resume mode.$Failed to write %ls value.$Failed to write software tags.$Failed to write update registration.$HelpLink$HelpTelephone$ModifyPath$NoElevateOnModify$NoModify$NoRemove$ParentDisplayName$ParentKeyName$Publisher$QuietUninstallString$SystemComponent$URLInfoAbout$URLUpdateInfo$UninstallString$VersionMajor$VersionMinor$crypt32.dll
• API String ID: 3535843008-2557340968
• Opcode ID: c0abf196b091359ce8a02d727c4a5bd00452c1b1f304b2b81488115cf1558c8e
• Instruction ID: 3c06b5d6b79c5fd43e29ed64d9c714106fd79b28f713c5fe8a5a8711cfb1731e
• Opcode Fuzzy Hash: c0abf196b091359ce8a02d727c4a5bd00452c1b1f304b2b81488115cf1558c8e
• Instruction Fuzzy Hash: B2F1CB31D41627FBDF126660CD12BAD7665BF00761F040260FE00B66A2EF65ED69BBC1
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00F43A1A: GetProcessHeap.KERNEL32(?,000001C7,?,00F423A7,?,00000001,80004005,8007139F,?,?,00F80687,8007139F,?,00000000,00000000,8007139F), ref: 00F43A2B
  • Part of subcall function 00F43A1A: RtlAllocateHeap.NTDLL(00000000,?,00F423A7,?,00000001,80004005,8007139F,?,?,00F80687,8007139F,?,00000000,00000000,8007139F), ref: 00F43A32
• CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,download,000000FF,00000000,Packaging,00000000,00000000,FilePath,00F454D5,00000000,00F8CBA8,00F454BD,00000000), ref: 00F4CF9D
Strings
• Failed to find catalog., xrefs: 00F4D276
• Failed to get @LayoutOnly., xrefs: 00F4D23F
• Failed to get @CertificateRootPublicKeyIdentifier., xrefs: 00F4D261
• Container, xrefs: 00F4CFF5
• Failed to get next node., xrefs: 00F4D2D0
• Failed to allocate memory for payload structs., xrefs: 00F4CEF3
• download, xrefs: 00F4CF8F
• LayoutOnly, xrefs: 00F4D037
• Hash, xrefs: 00F4D161
• Failed to to find container: %ls, xrefs: 00F4D22E
• Failed to hex decode @CertificateRootThumbprint., xrefs: 00F4D268
• Failed to parse @FileSize., xrefs: 00F4D249
• FilePath, xrefs: 00F4CF55
• DownloadUrl, xrefs: 00F4D083
• Failed to hex decode @CertificateRootPublicKeyIdentifier., xrefs: 00F4D25A
• Failed to get @CertificateRootThumbprint., xrefs: 00F4D26F
• Failed to get @Packaging., xrefs: 00F4D2BB
• c:\agent\_work\138\s\src\burn\engine\payload.cpp, xrefs: 00F4CEE9
• Failed to select payload nodes., xrefs: 00F4CE95
• Catalog, xrefs: 00F4D196
• Failed to get @Container., xrefs: 00F4D235
• Failed to get @Catalog., xrefs: 00F4D27D
• Failed to hex decode the Payload/@Hash., xrefs: 00F4D284
• Failed to get @Id., xrefs: 00F4D2C9
• Failed to get @FilePath., xrefs: 00F4D2C2
• Packaging, xrefs: 00F4CF70
• embedded, xrefs: 00F4CFAF
• CertificateRootThumbprint, xrefs: 00F4D124
• Invalid value for @Packaging: %ls, xrefs: 00F4D2A8
• Failed to get @FileSize., xrefs: 00F4D253
• Payload, xrefs: 00F4CE82
• Failed to get payload node count., xrefs: 00F4CEBA
• SourcePath, xrefs: 00F4D05A
• Failed to get @SourcePath., xrefs: 00F4D299
• external, xrefs: 00F4CFCB
• Failed to get @Hash., xrefs: 00F4D28B
                                                                                                • FileSize, xrefs: 00F4D0AC
                                                                                                • CertificateRootPublicKeyIdentifier, xrefs: 00F4D0E7
                                                                                                • Failed to get @DownloadUrl., xrefs: 00F4D292
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: Heap$AllocateCompareProcessString
                                                                                                • String ID: Catalog$CertificateRootPublicKeyIdentifier$CertificateRootThumbprint$Container$DownloadUrl$Failed to allocate memory for payload structs.$Failed to find catalog.$Failed to get @Catalog.$Failed to get @CertificateRootPublicKeyIdentifier.$Failed to get @CertificateRootThumbprint.$Failed to get @Container.$Failed to get @DownloadUrl.$Failed to get @FilePath.$Failed to get @FileSize.$Failed to get @Hash.$Failed to get @Id.$Failed to get @LayoutOnly.$Failed to get @Packaging.$Failed to get @SourcePath.$Failed to get next node.$Failed to get payload node count.$Failed to hex decode @CertificateRootPublicKeyIdentifier.$Failed to hex decode @CertificateRootThumbprint.$Failed to hex decode the Payload/@Hash.$Failed to parse @FileSize.$Failed to select payload nodes.$Failed to to find container: %ls$FilePath$FileSize$Hash$Invalid value for @Packaging: %ls$LayoutOnly$Packaging$Payload$SourcePath$c:\agent\_work\138\s\src\burn\engine\payload.cpp$download$embedded$external
                                                                                                • API String ID: 1171520630-1769029782
                                                                                                • Opcode ID: d3e295328b21df92d538719f1bf38fda0ab3e9f2dd0210cb89f7a66dcd97bba5
                                                                                                • Instruction ID: 403e90218dd7d9713a9c923dfc54adeb71e637238f2b89abdfc156864f173dfe
                                                                                                • Opcode Fuzzy Hash: d3e295328b21df92d538719f1bf38fda0ab3e9f2dd0210cb89f7a66dcd97bba5
                                                                                                • Instruction Fuzzy Hash: 6DC1B172D4162ABFDB11AA50CC45FAEBE65AB04B20F200265FD01B71A0D7B5EF14BB91
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%
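                                                                                                The string table of this function (payload.cpp in the Burn engine) names every attribute of a bundle-manifest Payload element together with the error logged when it is missing or malformed. That is enough to see how the bootstrapper decides whether a payload is trustworthy: FileSize is parsed as an integer, Hash is hex-decoded, a certificate root can be pinned by hex-encoded thumbprint or public-key identifier, and Packaging must be one of embedded, external or download. The Python below is an added example, not WiX's code and not anything recovered from the sample; it reconstructs that validation from the strings alone. The manifest fragment, the payload bytes, the yes/no spelling of LayoutOnly, which attributes are treated as mandatory, and the SHA-1 digest are all assumptions of the example.

```python
import binascii
import hashlib
import xml.etree.ElementTree as ET

# @Packaging values present in the engine's string table above.
PACKAGING_VALUES = {"embedded", "external", "download"}


class PayloadError(ValueError):
    """Raised with the same wording the engine logs (see the string list)."""


def _hex_attr(attrib, name, label):
    """Hex-decode an optional attribute; the engine logs 'Failed to hex decode ...'."""
    raw = attrib.get(name)
    if raw is None:
        return None
    try:
        return binascii.unhexlify(raw)
    except (binascii.Error, ValueError):
        raise PayloadError(f"Failed to hex decode {label}.") from None


def parse_payload(elem):
    """Validate one <Payload> element and return its attributes as a dict."""
    a = elem.attrib
    p = {}
    for name in ("Id", "FilePath", "Packaging"):  # treated as required here (assumption)
        if name not in a:
            raise PayloadError(f"Failed to get @{name}.")
        p[name] = a[name]
    if p["Packaging"] not in PACKAGING_VALUES:
        raise PayloadError(f"Invalid value for @Packaging: {p['Packaging']}")
    for name in ("SourcePath", "DownloadUrl", "Container", "Catalog"):
        p[name] = a.get(name)
    p["FileSize"] = None
    if "FileSize" in a:
        try:
            p["FileSize"] = int(a["FileSize"])
        except ValueError:
            raise PayloadError("Failed to parse @FileSize.") from None
    p["LayoutOnly"] = a.get("LayoutOnly") == "yes"  # yes/no spelling is an assumption
    p["Hash"] = _hex_attr(a, "Hash", "the Payload/@Hash")
    p["CertificateRootPublicKeyIdentifier"] = _hex_attr(
        a, "CertificateRootPublicKeyIdentifier", "@CertificateRootPublicKeyIdentifier")
    p["CertificateRootThumbprint"] = _hex_attr(
        a, "CertificateRootThumbprint", "@CertificateRootThumbprint")
    return p


def load_payloads(xml_text):
    """Parse every <Payload>; return (accepted payloads, error messages)."""
    root = ET.fromstring(xml_text.strip())
    accepted, errors = [], []
    for elem in root.iter("Payload"):
        try:
            accepted.append(parse_payload(elem))
        except PayloadError as exc:
            errors.append(str(exc))
    return accepted, errors


def verify_payload(payload, data, digest="sha1"):
    """Check payload bytes against @FileSize and @Hash.

    The digest algorithm is an assumption of this example: the strings only
    show that @Hash is hex-decoded, not which hash the engine computes.
    A payload carrying no @Hash is reported as unverified, never as trusted.
    """
    if payload["FileSize"] is not None and len(data) != payload["FileSize"]:
        return False
    if payload["Hash"] is None:
        return False
    return hashlib.new(digest, data).digest() == payload["Hash"]


# Constructed manifest fragment (not from the sample): an embedded payload with a
# hash, a download payload pinned by root thumbprint, and one with a bad @Packaging.
SAMPLE_BYTES = b"constructed payload contents, not from the sample"
SAMPLE_MANIFEST = f"""
<BurnManifest>
  <Payload Id="p0" FilePath="core.msi" Packaging="embedded" SourcePath="a0"
           Container="attached" FileSize="{len(SAMPLE_BYTES)}"
           Hash="{hashlib.sha1(SAMPLE_BYTES).hexdigest()}"/>
  <Payload Id="p1" FilePath="dbg.msi" Packaging="download" FileSize="12"
           DownloadUrl="https://example.invalid/dbg.msi"
           CertificateRootThumbprint="0011223344"/>
  <Payload Id="p2" FilePath="bad.msi" Packaging="cloud"/>
</BurnManifest>
"""

if __name__ == "__main__":
    payloads, errors = load_payloads(SAMPLE_MANIFEST)
    for p in payloads:
        state = "verified" if verify_payload(p, SAMPLE_BYTES) else "unverified"
        print(p["Id"], p["Packaging"], state)
    for e in errors:
        print("rejected:", e)
```

                                                                                                Note that a payload with neither a hash nor a pinned root is returned by parse_payload but can never pass verify_payload; whether the real engine accepts such a payload on the strength of its container or catalog is not visible from the strings on this page.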

                                                                                                APIs
                                                                                                • EnterCriticalSection.KERNEL32(00F454BD,?,00000000,80070490,?,?,?,?,?,?,?,?,00F6BFC1,?,00F454BD,?), ref: 00F48583
                                                                                                • LeaveCriticalSection.KERNEL32(00F454BD,?,?,?,?,?,?,?,?,00F6BFC1,?,00F454BD,?,00F454BD,00F454BD,Chain), ref: 00F488E6
                                                                                                Strings
                                                                                                • Failed to change variant type., xrefs: 00F488BC
                                                                                                • Failed to get next node., xrefs: 00F488D8
                                                                                                • version, xrefs: 00F48708
                                                                                                • Value, xrefs: 00F48641
                                                                                                • Failed to get @Hidden., xrefs: 00F488CA
                                                                                                • Failed to get @Value., xrefs: 00F4886E
                                                                                                • Failed to select variable nodes., xrefs: 00F485A0
                                                                                                • Failed to insert variable '%ls'., xrefs: 00F48878
                                                                                                • string, xrefs: 00F486D3
                                                                                                • Hidden, xrefs: 00F4860B
                                                                                                • Attempt to set built-in variable value: %ls, xrefs: 00F488AA
                                                                                                • Persisted, xrefs: 00F48626
                                                                                                • Initializing numeric variable '%ls' to value '%ls', xrefs: 00F486BE
                                                                                                • Initializing version variable '%ls' to value '%ls', xrefs: 00F4872F
                                                                                                • Failed to set value of variable: %ls, xrefs: 00F48889
                                                                                                • Failed to set variant value., xrefs: 00F48867
                                                                                                • Type, xrefs: 00F4867F
                                                                                                • Failed to get @Id., xrefs: 00F488D1
                                                                                                • Failed to find variable value '%ls'., xrefs: 00F488B4
                                                                                                • Initializing hidden variable '%ls', xrefs: 00F4874D
                                                                                                • Failed to get @Persisted., xrefs: 00F488C3
                                                                                                • Failed to get @Type., xrefs: 00F48860
                                                                                                • c:\agent\_work\138\s\src\burn\engine\variable.cpp, xrefs: 00F4889B
                                                                                                • Failed to set variant encryption, xrefs: 00F4887F
                                                                                                • Variable, xrefs: 00F4858D
                                                                                                • Invalid value for @Type: %ls, xrefs: 00F4884D
                                                                                                • numeric, xrefs: 00F48698
                                                                                                • Failed to get variable node count., xrefs: 00F485BD
                                                                                                • Initializing string variable '%ls' to value '%ls', xrefs: 00F486F6
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: CriticalSection$EnterLeave
                                                                                                • String ID: Attempt to set built-in variable value: %ls$Failed to change variant type.$Failed to find variable value '%ls'.$Failed to get @Hidden.$Failed to get @Id.$Failed to get @Persisted.$Failed to get @Type.$Failed to get @Value.$Failed to get next node.$Failed to get variable node count.$Failed to insert variable '%ls'.$Failed to select variable nodes.$Failed to set value of variable: %ls$Failed to set variant encryption$Failed to set variant value.$Hidden$Initializing hidden variable '%ls'$Initializing numeric variable '%ls' to value '%ls'$Initializing string variable '%ls' to value '%ls'$Initializing version variable '%ls' to value '%ls'$Invalid value for @Type: %ls$Persisted$Type$Value$Variable$c:\agent\_work\138\s\src\burn\engine\variable.cpp$numeric$string$version
                                                                                                • API String ID: 3168844106-1391453742
                                                                                                • Opcode ID: bfe753afde5b497db96e3f5f19a65d62ad2989684e6b64ca2ef0e54f905f5239
                                                                                                • Instruction ID: 5def94dd236d724cd0c5ccfe3376018295f15bc8afcfba10437fdd57765167f7
                                                                                                • Opcode Fuzzy Hash: bfe753afde5b497db96e3f5f19a65d62ad2989684e6b64ca2ef0e54f905f5239
                                                                                                • Instruction Fuzzy Hash: 7FB1DF72D00219FBCF11AB94CC45EEEBFB5AF44B60F200265FD11B6291DB349A41BBA1
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • GetCurrentProcess.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,00F5BDA0,00000007,?,?,?), ref: 00F66B95
                                                                                                  • Part of subcall function 00F80F42: GetModuleHandleW.KERNEL32(kernel32,IsWow64Process2,?,?,?,?,00F45F1B,00000000), ref: 00F80F57
                                                                                                  • Part of subcall function 00F80F42: GetProcAddress.KERNEL32(00000000), ref: 00F80F5E
                                                                                                  • Part of subcall function 00F80F42: GetLastError.KERNEL32(?,?,?,?,00F45F1B,00000000), ref: 00F80F79
                                                                                                • CloseHandle.KERNEL32(00000000,?,000001F4,?,?,?,?,?,?,?,?,?,?,wusa.exe,?,00000025), ref: 00F66F84
                                                                                                • CloseHandle.KERNEL32(00000000,?,000001F4,?,?,?,?,?,?,?,?,?,?,wusa.exe,?,00000025), ref: 00F66F98
                                                                                                Strings
                                                                                                • Failed to get process exit code., xrefs: 00F66EA1
                                                                                                • Bootstrapper application aborted during MSU progress., xrefs: 00F66EC9
                                                                                                • c:\agent\_work\138\s\src\burn\engine\msuengine.cpp, xrefs: 00F66E02, 00F66E97, 00F66EBF
                                                                                                • "%ls" "%ls" /quiet /norestart, xrefs: 00F66CBD
                                                                                                • Failed to format MSU uninstall command., xrefs: 00F66CFE
                                                                                                • SysNative\, xrefs: 00F66BDF
                                                                                                • WixBundleExecutePackageCacheFolder, xrefs: 00F66C80, 00F66FB0
                                                                                                • Failed to append log path to MSU command-line., xrefs: 00F66D49
                                                                                                • "%ls" /uninstall /kb:%ls /quiet /norestart, xrefs: 00F66CEA
                                                                                                • Failed to determine WOW64 status., xrefs: 00F66BA7
                                                                                                • Failed to append log switch to MSU command-line., xrefs: 00F66D2B
                                                                                                • /log:, xrefs: 00F66D17
                                                                                                • Failed to append SysNative directory., xrefs: 00F66BF2
                                                                                                • Failed to find Windows directory., xrefs: 00F66BD4
                                                                                                • D, xrefs: 00F66DB0
                                                                                                • wusa.exe, xrefs: 00F66C15
                                                                                                • Failed to format MSU install command., xrefs: 00F66CD1
                                                                                                • Failed to find System32 directory., xrefs: 00F66C0A
                                                                                                • Failed to build MSU path., xrefs: 00F66CAA
                                                                                                • Failed to get action arguments for MSU package., xrefs: 00F66C4B
                                                                                                • Failed to allocate WUSA.exe path., xrefs: 00F66C28
                                                                                                • Failed to CreateProcess on path: %ls, xrefs: 00F66E0F
                                                                                                • 2, xrefs: 00F66E28
                                                                                                • Failed to get cached path for package: %ls, xrefs: 00F66C71
                                                                                                • Failed to wait for executable to complete: %ls, xrefs: 00F66F13
                                                                                                • Failed to ensure WU service was enabled to install MSU package., xrefs: 00F66DA3
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: Handle$Close$AddressCurrentErrorLastModuleProcProcess
                                                                                                • String ID: /log:$"%ls" "%ls" /quiet /norestart$"%ls" /uninstall /kb:%ls /quiet /norestart$2$Bootstrapper application aborted during MSU progress.$D$Failed to CreateProcess on path: %ls$Failed to allocate WUSA.exe path.$Failed to append SysNative directory.$Failed to append log path to MSU command-line.$Failed to append log switch to MSU command-line.$Failed to build MSU path.$Failed to determine WOW64 status.$Failed to ensure WU service was enabled to install MSU package.$Failed to find System32 directory.$Failed to find Windows directory.$Failed to format MSU install command.$Failed to format MSU uninstall command.$Failed to get action arguments for MSU package.$Failed to get cached path for package: %ls$Failed to get process exit code.$Failed to wait for executable to complete: %ls$SysNative\$WixBundleExecutePackageCacheFolder$c:\agent\_work\138\s\src\burn\engine\msuengine.cpp$wusa.exe
                                                                                                • API String ID: 1400713077-2496767321
                                                                                                • Opcode ID: f7d3b67d03de4ec7ac10fd5be00ad9af2a428d14c3d604725d316b741d1974e8
                                                                                                • Instruction ID: f2e1ee8f4634389e8b0d67a60f39b40af19f272c1580157ef9497adecb8eab42
                                                                                                • Opcode Fuzzy Hash: f7d3b67d03de4ec7ac10fd5be00ad9af2a428d14c3d604725d316b741d1974e8
                                                                                                • Instruction Fuzzy Hash: E9D18071A0031AFBEF11AFE4DD85FAEBBB8AF18704F104025BA00E6191E7B59944BB51
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                  • Part of subcall function 00F43A1A: GetProcessHeap.KERNEL32(?,000001C7,?,00F423A7,?,00000001,80004005,8007139F,?,?,00F80687,8007139F,?,00000000,00000000,8007139F), ref: 00F43A2B
                                                                                                  • Part of subcall function 00F43A1A: RtlAllocateHeap.NTDLL(00000000,?,00F423A7,?,00000001,80004005,8007139F,?,?,00F80687,8007139F,?,00000000,00000000,8007139F), ref: 00F43A32
                                                                                                • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,generator,000000FF,?,?,?), ref: 00F87949
                                                                                                • SysFreeString.OLEAUT32(00000000), ref: 00F87B12
                                                                                                • SysFreeString.OLEAUT32(00000000), ref: 00F87BAF
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: String$FreeHeap$AllocateCompareProcess
                                                                                                • String ID: ($@$`<u$author$c:\agent\_work\138\s\src\libs\dutil\atomutil.cpp$category$entry$generator$icon$link$logo$subtitle$title$updated
                                                                                                • API String ID: 1555028553-4287375924
                                                                                                • Opcode ID: 0cf16cfdbba06fa6ba3fc3daca4dc7a33429ea3be3cd7aa4802e172b25329200
                                                                                                • Instruction ID: 3aaeb166e30634fb43feecf75e6c62742ef2f03e18563f3d4fc251a2dc6b45b6
                                                                                                • Opcode Fuzzy Hash: 0cf16cfdbba06fa6ba3fc3daca4dc7a33429ea3be3cd7aa4802e172b25329200
                                                                                                • Instruction Fuzzy Hash: 00B16C72948316BBDB11FAA4CC82FEDBA65AF05730F304354F521AA1E5DB74EA40E790
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,00FA750C,000000FF,?,?,?), ref: 00F875C2
                                                                                                • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,summary,000000FF), ref: 00F875E7
                                                                                                • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,title,000000FF), ref: 00F87607
                                                                                                • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,published,000000FF), ref: 00F87623
                                                                                                • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,updated,000000FF), ref: 00F8764B
                                                                                                • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,author,000000FF), ref: 00F87667
                                                                                                • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,category,000000FF), ref: 00F876A0
                                                                                                • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,content,000000FF), ref: 00F876D9
                                                                                                  • Part of subcall function 00F87144: SysFreeString.OLEAUT32(00000000), ref: 00F8727D
                                                                                                  • Part of subcall function 00F87144: SysFreeString.OLEAUT32(00000000), ref: 00F872BC
                                                                                                • SysFreeString.OLEAUT32(00000000), ref: 00F8775D
                                                                                                • SysFreeString.OLEAUT32(00000000), ref: 00F8780D
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: String$Compare$Free
                                                                                                • String ID: ($`<u$author$c:\agent\_work\138\s\src\libs\dutil\atomutil.cpp$cabinet.dll$category$clbcatq.dll$content$feclient.dll$link$msi.dll$published$summary$title$updated$version.dll
                                                                                                • API String ID: 318886736-2736160394
                                                                                                 Uniqueness
                                                                                                 • Uniqueness Score: -1.00%
                                                                                                APIs
                                                                                                • UuidCreate.RPCRT4(?), ref: 00F6D296
                                                                                                • StringFromGUID2.OLE32(?,?,00000027), ref: 00F6D2BF
                                                                                                • CreateProcessW.KERNEL32(?,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?,?,?,?,?), ref: 00F6D3A8
                                                                                                • GetLastError.KERNEL32(?,?,?,?), ref: 00F6D3B2
                                                                                                • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,00000064,?,?,?,?), ref: 00F6D44B
                                                                                                • WaitForSingleObject.KERNEL32(00F8B4F0,000000FF,?,?,?,?), ref: 00F6D456
                                                                                                • ReleaseMutex.KERNEL32(00F8B4F0,?,?,?,?), ref: 00F6D480
                                                                                                • GetExitCodeProcess.KERNEL32(?,?), ref: 00F6D4A1
                                                                                                • GetLastError.KERNEL32(?,?,?,?), ref: 00F6D4AF
                                                                                                • GetLastError.KERNEL32(?,?,?,?), ref: 00F6D4E7
                                                                                                  • Part of subcall function 00F6D129: WaitForSingleObject.KERNEL32(?,000000FF,74DF30B0,00000000,?,?,?,00F6D425,?), ref: 00F6D148
                                                                                                  • Part of subcall function 00F6D129: ReleaseMutex.KERNEL32(?,?,?,00F6D425,?), ref: 00F6D15C
                                                                                                  • Part of subcall function 00F6D129: WaitForSingleObject.KERNEL32(?,000000FF), ref: 00F6D1A1
                                                                                                  • Part of subcall function 00F6D129: ReleaseMutex.KERNEL32(?), ref: 00F6D1B4
                                                                                                  • Part of subcall function 00F6D129: SetEvent.KERNEL32(?), ref: 00F6D1BD
                                                                                                • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?), ref: 00F6D590
                                                                                                • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?), ref: 00F6D5A8
                                                                                                Strings
                                                                                                • c:\agent\_work\138\s\src\burn\engine\netfxchainer.cpp, xrefs: 00F6D2D4, 00F6D3D6, 00F6D4D3, 00F6D50B
                                                                                                • Failed to convert netfx chainer guid into string., xrefs: 00F6D2DE
                                                                                                • D, xrefs: 00F6D38D
                                                                                                • Failed to process netfx chainer message., xrefs: 00F6D42B
                                                                                                • NetFxSection.%ls, xrefs: 00F6D2EC
                                                                                                • %ls /pipe %ls, xrefs: 00F6D362
                                                                                                • Failed to get netfx return code., xrefs: 00F6D4DD
                                                                                                • Failed to allocate event name., xrefs: 00F6D322
                                                                                                • NetFxEvent.%ls, xrefs: 00F6D30E
                                                                                                • Failed to wait for netfx chainer process to complete, xrefs: 00F6D515
                                                                                                • Failed to allocate netfx chainer arguments., xrefs: 00F6D376
                                                                                                • Failed to CreateProcess on path: %ls, xrefs: 00F6D3E1
                                                                                                • Failed to create netfx chainer., xrefs: 00F6D341
                                                                                                • Failed to create netfx chainer guid., xrefs: 00F6D2A3
                                                                                                • Failed to allocate section name., xrefs: 00F6D300
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: Wait$ErrorLastMutexObjectReleaseSingle$CloseCreateHandleProcess$CodeEventExitFromMultipleObjectsStringUuid
                                                                                                • String ID: %ls /pipe %ls$D$Failed to CreateProcess on path: %ls$Failed to allocate event name.$Failed to allocate netfx chainer arguments.$Failed to allocate section name.$Failed to convert netfx chainer guid into string.$Failed to create netfx chainer guid.$Failed to create netfx chainer.$Failed to get netfx return code.$Failed to process netfx chainer message.$Failed to wait for netfx chainer process to complete$NetFxEvent.%ls$NetFxSection.%ls$c:\agent\_work\138\s\src\burn\engine\netfxchainer.cpp
                                                                                                • API String ID: 1533322865-2112840804
                                                                                                 Uniqueness
                                                                                                 • Uniqueness Score: -1.00%
                                                                                                APIs
                                                                                                • lstrlenW.KERNEL32(?,?,00000000,?,?,00000000,75C0B390,?,00F445B7,?,00F8B4F0), ref: 00F5556E
                                                                                                • GetCurrentProcessId.KERNEL32(?,00F445B7,?,00F8B4F0), ref: 00F55579
                                                                                                • SetNamedPipeHandleState.KERNEL32(?,000000FF,00000000,00000000,?,00F445B7,?,00F8B4F0), ref: 00F555B0
                                                                                                • ConnectNamedPipe.KERNEL32(?,00000000,?,00F445B7,?,00F8B4F0), ref: 00F555C5
                                                                                                • GetLastError.KERNEL32(?,00F445B7,?,00F8B4F0), ref: 00F555CF
                                                                                                • Sleep.KERNEL32(00000064,?,00F445B7,?,00F8B4F0), ref: 00F55604
                                                                                                • SetNamedPipeHandleState.KERNEL32(?,00000000,00000000,00000000,?,00F445B7,?,00F8B4F0), ref: 00F55627
                                                                                                • WriteFile.KERNEL32(?,crypt32.dll,00000004,00000000,00000000,?,00F445B7,?,00F8B4F0), ref: 00F55642
                                                                                                • WriteFile.KERNEL32(?,00F445B7,00F8B4F0,00000000,00000000,?,00F445B7,?,00F8B4F0), ref: 00F5565D
                                                                                                • WriteFile.KERNEL32(?,?,00000004,00000000,00000000,?,00F445B7,?,00F8B4F0), ref: 00F55678
                                                                                                • ReadFile.KERNEL32(?,00000000,00000004,00000000,00000000,?,00F445B7,?,00F8B4F0), ref: 00F55693
                                                                                                • GetLastError.KERNEL32(?,00F445B7,?,00F8B4F0), ref: 00F556EE
                                                                                                • GetLastError.KERNEL32(?,00F445B7,?,00F8B4F0), ref: 00F55722
                                                                                                • GetLastError.KERNEL32(?,00F445B7,?,00F8B4F0), ref: 00F55756
                                                                                                • GetLastError.KERNEL32(?,00F445B7,?,00F8B4F0), ref: 00F5578A
                                                                                                • GetLastError.KERNEL32(?,00F445B7,?,00F8B4F0), ref: 00F557BB
                                                                                                • GetLastError.KERNEL32(?,00F445B7,?,00F8B4F0), ref: 00F557EC
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: ErrorLast$File$NamedPipeWrite$HandleState$ConnectCurrentProcessReadSleeplstrlen
                                                                                                • String ID: Failed to read ACK from pipe.$Failed to reset pipe to blocking.$Failed to set pipe to non-blocking.$Failed to wait for child to connect to pipe.$Failed to write our process id to pipe.$Failed to write secret length to pipe.$Failed to write secret to pipe.$c:\agent\_work\138\s\src\burn\engine\pipe.cpp$crypt32.dll
                                                                                                • API String ID: 2944378912-629510435
                                                                                                 Uniqueness
                                                                                                 • Uniqueness Score: -1.00%
                                                                                                APIs
                                                                                                • _MREFOpen@16.MSPDB140-MSVCRT ref: 00F4A509
                                                                                                • _MREFOpen@16.MSPDB140-MSVCRT ref: 00F4A531
                                                                                                • RegCloseKey.ADVAPI32(00000000,?,00000000,?,?,?,?,?), ref: 00F4A830
                                                                                                Strings
                                                                                                • Failed to read registry value., xrefs: 00F4A7B9
                                                                                                • Failed to format key string., xrefs: 00F4A516
                                                                                                • Failed to get expand environment string., xrefs: 00F4A79E
                                                                                                • Failed to format value string., xrefs: 00F4A53E
                                                                                                • Failed to set variable., xrefs: 00F4A7F2
                                                                                                • Failed to query registry key value size., xrefs: 00F4A60D
                                                                                                • Failed to query registry key value., xrefs: 00F4A695
                                                                                                • Failed to allocate string buffer., xrefs: 00F4A724
                                                                                                • Unsupported registry key value type. Type = '%u', xrefs: 00F4A6C3
                                                                                                • Registry key not found. Key = '%ls', xrefs: 00F4A569
                                                                                                • Failed to allocate memory registry value., xrefs: 00F4A640
                                                                                                • Registry value not found. Key = '%ls', Value = '%ls', xrefs: 00F4A5D3
                                                                                                • c:\agent\_work\138\s\src\burn\engine\search.cpp, xrefs: 00F4A601, 00F4A636, 00F4A689, 00F4A792
                                                                                                • Failed to open registry key., xrefs: 00F4A5A4
                                                                                                • RegistrySearchValue failed: ID '%ls', HRESULT 0x%x, xrefs: 00F4A808
                                                                                                • Failed to change value type., xrefs: 00F4A7D4, 00F4A7F7
                                                                                                • Failed to clear variable., xrefs: 00F4A58F
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: Open@16$Close
                                                                                                • String ID: Failed to allocate memory registry value.$Failed to allocate string buffer.$Failed to change value type.$Failed to clear variable.$Failed to format key string.$Failed to format value string.$Failed to get expand environment string.$Failed to open registry key.$Failed to query registry key value size.$Failed to query registry key value.$Failed to read registry value.$Failed to set variable.$Registry key not found. Key = '%ls'$Registry value not found. Key = '%ls', Value = '%ls'$RegistrySearchValue failed: ID '%ls', HRESULT 0x%x$Unsupported registry key value type. Type = '%u'$c:\agent\_work\138\s\src\burn\engine\search.cpp
                                                                                                • API String ID: 2348241696-920797553
                                                                                                 Uniqueness
                                                                                                 • Uniqueness Score: -1.00%
                                                                                                APIs
                                                                                                • EnterCriticalSection.KERNEL32(00000100,00000100,00000100,00000000,00000100,00000000,?,00F4A97A,00000100,000002C0,000002C0,00000100), ref: 00F45807
                                                                                                • lstrlenW.KERNEL32(000002C0,?,00F4A97A,00000100,000002C0,000002C0,00000100), ref: 00F45811
                                                                                                • _wcschr.LIBVCRUNTIME ref: 00F45A16
                                                                                                • LeaveCriticalSection.KERNEL32(00000100,00000000,000002C0,000002C0,00000000,000002C0,00000001,?,00F4A97A,00000100,000002C0,000002C0,00000100), ref: 00F45CB9
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: CriticalSection$EnterLeave_wcschrlstrlen
                                                                                                • String ID: *****$Failed to allocate buffer for format string.$Failed to allocate record.$Failed to allocate string.$Failed to allocate variable array.$Failed to append placeholder.$Failed to append string.$Failed to copy string.$Failed to determine variable visibility: '%ls'.$Failed to format placeholder string.$Failed to format record.$Failed to get formatted length.$Failed to get variable name.$Failed to reallocate variable array.$Failed to set record format string.$Failed to set record string.$Failed to set variable value.$[%d]$c:\agent\_work\138\s\src\burn\engine\variable.cpp
                                                                                                • API String ID: 1026845265-2015882285
                                                                                                 Uniqueness
                                                                                                 • Uniqueness Score: -1.00%
                                                                                                APIs
                                                                                                  • Part of subcall function 00F43A1A: GetProcessHeap.KERNEL32(?,000001C7,?,00F423A7,?,00000001,80004005,8007139F,?,?,00F80687,8007139F,?,00000000,00000000,8007139F), ref: 00F43A2B
                                                                                                  • Part of subcall function 00F43A1A: RtlAllocateHeap.NTDLL(00000000,?,00F423A7,?,00000001,80004005,8007139F,?,?,00F80687,8007139F,?,00000000,00000000,8007139F), ref: 00F43A32
                                                                                                • CreateEventW.KERNEL32(00000000,00000000,00000000,?,00000000,00000018,00000001,?,00000000,?,?,00F6D33B,?,?,?), ref: 00F6CCB6
                                                                                                • GetLastError.KERNEL32(?,?,00F6D33B,?,?,?), ref: 00F6CCC3
                                                                                                • ReleaseMutex.KERNEL32(?), ref: 00F6CF2B
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: Heap$AllocateCreateErrorEventLastMutexProcessRelease
                                                                                                • String ID: %ls_mutex$%ls_send$Failed to MapViewOfFile for %ls.$Failed to allocate memory for NetFxChainer struct.$Failed to create event: %ls$Failed to create mutex: %ls$Failed to memory map cabinet file: %ls$c:\agent\_work\138\s\src\burn\engine\netfxchainer.cpp$failed to allocate memory for event name$failed to allocate memory for mutex name$failed to copy event name to shared memory structure.
                                                                                                • API String ID: 3944734951-3103995003
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                  • Part of subcall function 00F83770: VariantInit.OLEAUT32(?), ref: 00F83786
                                                                                                  • Part of subcall function 00F83770: SysAllocString.OLEAUT32(?), ref: 00F837A2
                                                                                                  • Part of subcall function 00F83770: VariantClear.OLEAUT32(?), ref: 00F83829
                                                                                                  • Part of subcall function 00F83770: SysFreeString.OLEAUT32(00000000), ref: 00F83834
                                                                                                • CompareStringW.KERNEL32(0000007F,00000000,000000FF,000000FF,Detect,000000FF,?,00F8CBA8,?,?,Action,?,?,?,00000000,00F454BD), ref: 00F4EBBA
                                                                                                • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,Upgrade,000000FF), ref: 00F4EC04
                                                                                                Strings
                                                                                                • Failed to get @Action., xrefs: 00F4ED10
                                                                                                • Action, xrefs: 00F4EB77
                                                                                                • Upgrade, xrefs: 00F4EBF7
                                                                                                • Addon, xrefs: 00F4EC41
                                                                                                • Detect, xrefs: 00F4EBAB
                                                                                                • cabinet.dll, xrefs: 00F4EC61
                                                                                                • comres.dll, xrefs: 00F4EBCD
                                                                                                • Failed to get @Id., xrefs: 00F4ED09
                                                                                                • Invalid value for @Action: %ls, xrefs: 00F4ECF9
                                                                                                • Failed to get RelatedBundle element count., xrefs: 00F4EB3E
                                                                                                • RelatedBundle, xrefs: 00F4EAF7
                                                                                                • Failed to resize Patch code array in registration, xrefs: 00F4ECEA
                                                                                                • Failed to resize Detect code array in registration, xrefs: 00F4ECD5
                                                                                                • Patch, xrefs: 00F4EC84
                                                                                                • Failed to resize Addon code array in registration, xrefs: 00F4ECE3
                                                                                                • Failed to get next RelatedBundle element., xrefs: 00F4ED17
                                                                                                • Failed to resize Upgrade code array in registration, xrefs: 00F4ECDC
                                                                                                • version.dll, xrefs: 00F4EC17
                                                                                                • Failed to get RelatedBundle nodes, xrefs: 00F4EB19
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: String$CompareVariant$AllocClearFreeInit
                                                                                                • String ID: Action$Addon$Detect$Failed to get @Action.$Failed to get @Id.$Failed to get RelatedBundle element count.$Failed to get RelatedBundle nodes$Failed to get next RelatedBundle element.$Failed to resize Addon code array in registration$Failed to resize Detect code array in registration$Failed to resize Patch code array in registration$Failed to resize Upgrade code array in registration$Invalid value for @Action: %ls$Patch$RelatedBundle$Upgrade$cabinet.dll$comres.dll$version.dll
                                                                                                • API String ID: 702752599-259800149
                                                                                                • Opcode ID: d320593489ee30b0bebb2e836062e9fcdf41091803cbcafb632d81c4a32a7669
                                                                                                • Instruction ID: 27eda393703e464cf0cc5badb6d29eb7da044b651d0138b1f88c52ec0de18635
                                                                                                • Opcode Fuzzy Hash: d320593489ee30b0bebb2e836062e9fcdf41091803cbcafb632d81c4a32a7669
                                                                                                • Instruction Fuzzy Hash: 07719A71E4562ABBDB109E54CC81EAEBBB4FF04720F204254EE21A72D1D734EE51EB90
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • GetCurrentProcessId.KERNEL32(?,8000FFFF,feclient.dll,?,00F54C68,00F8B4D8,?,feclient.dll,00000000,?,?), ref: 00F5476C
                                                                                                • ReadFile.KERNEL32(feclient.dll,feclient.dll,00000004,?,00000000,?,00F54C68,00F8B4D8,?,feclient.dll,00000000,?,?), ref: 00F5478D
                                                                                                • GetLastError.KERNEL32(?,00F54C68,00F8B4D8,?,feclient.dll,00000000,?,?), ref: 00F54793
                                                                                                • ReadFile.KERNEL32(feclient.dll,00000000,00F8B508,?,00000000,00000000,00F8B509,?,00F54C68,00F8B4D8,?,feclient.dll,00000000,?,?), ref: 00F54821
                                                                                                • GetLastError.KERNEL32(?,00F54C68,00F8B4D8,?,feclient.dll,00000000,?,?), ref: 00F54827
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: ErrorFileLastRead$CurrentProcess
                                                                                                • String ID: Failed to allocate buffer for verification secret.$Failed to inform parent process that child is running.$Failed to read size of verification secret from parent pipe.$Failed to read verification process id from parent pipe.$Failed to read verification secret from parent pipe.$Verification process id from parent does not match.$Verification secret from parent does not match.$Verification secret from parent is too big.$c:\agent\_work\138\s\src\burn\engine\pipe.cpp$feclient.dll$msasn1.dll
                                                                                                • API String ID: 1233551569-1453137465
                                                                                                • Opcode ID: af463413a906271d9aeb89581803871c05ff03563b2e413870d5db54e9c721f8
                                                                                                • Instruction ID: 31c15a595e3e01532d306bb58901ae38320f90a1a3e08b96365f94e2ddf65bc7
                                                                                                • Opcode Fuzzy Hash: af463413a906271d9aeb89581803871c05ff03563b2e413870d5db54e9c721f8
                                                                                                • Instruction Fuzzy Hash: 0A51D537D40726B7EB119A949C46FAF7A68AF00B26F110125BF10BB280E774ED45B7E1
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

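                                                                                                 The strings and API calls of the pipe.cpp function above (GetCurrentProcessId, a 4-byte ReadFile followed by a second ReadFile, "Failed to read verification process id from parent pipe", "Verification secret from parent is too big", "Verification secret from parent does not match") outline the handshake the child engine performs before it trusts the process that spawned it. The block below is an added model of that check sequence, written for this report; it is not Burn's source. The wire layout (little-endian 32-bit pid, 32-bit length, raw secret bytes), the 64-byte length cap, and the assumption that the child already knows the expected pid and secret from its command line are all assumptions of the model.

```python
"""Model of the parent/child pipe verification handshake suggested by the
strings in the pipe.cpp function of this report. Added illustration, not
Burn's code: wire layout, the length cap and how the child learns the expected
values are assumptions."""
import hmac
import io
import struct

MAX_SECRET_LEN = 64  # assumed cap; the report only shows that a "too big" check exists


class VerificationError(Exception):
    pass


def parent_build_handshake(parent_pid: int, secret: bytes) -> bytes:
    """Parent side: the bytes it writes into the pipe after spawning the child."""
    return struct.pack("<II", parent_pid, len(secret)) + secret


def _read_exact(pipe: io.BufferedIOBase, n: int, what: str) -> bytes:
    """ReadFile equivalent: a short read is treated as a failed read."""
    data = pipe.read(n)
    if len(data) != n:
        raise VerificationError(f"Failed to read {what} from parent pipe.")
    return data


def child_verify(pipe: io.BufferedIOBase, expected_pid: int, expected_secret: bytes) -> bool:
    """Child side, in the order the report's strings suggest: pid, then size,
    then secret. Returns True only when every check passes."""
    (pid,) = struct.unpack("<I", _read_exact(pipe, 4, "verification process id"))
    if pid != expected_pid:
        raise VerificationError("Verification process id from parent does not match.")
    (size,) = struct.unpack("<I", _read_exact(pipe, 4, "size of verification secret"))
    if size > MAX_SECRET_LEN:
        # reject before allocating: an attacker-controlled length must not drive the buffer size
        raise VerificationError("Verification secret from parent is too big.")
    secret = _read_exact(pipe, size, "verification secret")
    # constant-time compare; a plain == leaks a timing side channel on the secret
    if not hmac.compare_digest(secret, expected_secret):
        raise VerificationError("Verification secret from parent does not match.")
    return True


def handshake_outcome(wire: bytes, expected_pid: int, expected_secret: bytes) -> str:
    """Run the child side over a captured byte string; 'ok' or the error text."""
    try:
        child_verify(io.BytesIO(wire), expected_pid, expected_secret)
        return "ok"
    except VerificationError as exc:
        return str(exc)


if __name__ == "__main__":
    secret = b"0123456789abcdef"  # constructed sample secret
    wire = parent_build_handshake(4242, secret)
    print(handshake_outcome(wire, 4242, secret))
    print(handshake_outcome(wire, 4243, secret))
```

                                                                                                 The point a reviewer of this report should take from it: the elevated child only proceeds once both the pid and the secret match values it obtained out of band, so a process that merely opens the pipe name cannot drive the elevated engine without also knowing the secret.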
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: StringVariant$AllocClearFreeInit
                                                                                                • String ID: DetectCondition$Failed to get @DetectCondition.$Failed to get @InstallArguments.$Failed to get @Protocol.$Failed to get @RepairArguments.$Failed to get @Repairable.$Failed to get @UninstallArguments.$Failed to parse command lines.$Failed to parse exit codes.$InstallArguments$Invalid protocol type: %ls$Protocol$RepairArguments$Repairable$UninstallArguments$burn$netfx4$none
                                                                                                • API String ID: 760788290-1911311241
                                                                                                • Opcode ID: 0cbcdf72eed7685919258c710545d7d98c52ac64105b12076e5e00b8a869074d
                                                                                                • Instruction ID: 74926c3eb64a30850d557d03fc8d6aefd7b5398271171c911d7c4ad66d6e553b
                                                                                                • Opcode Fuzzy Hash: 0cbcdf72eed7685919258c710545d7d98c52ac64105b12076e5e00b8a869074d
                                                                                                • Instruction Fuzzy Hash: 47410872E44F26B6EF51A5749D82FAA76586B00B30F204326FD10B72D2C764ED00B7D2
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • GetStringTypeW.KERNEL32(00000001,5600F8DC,00000001,?,00F499FC,?,00000000,00000000,?,?,00F499E4,?,?,00000000,?), ref: 00F4906E
                                                                                                Strings
                                                                                                • Failed to parse condition "%ls". Invalid version format, at position %d., xrefs: 00F49300
                                                                                                • Failed to parse condition "%ls". Unexpected '~' operator at position %d., xrefs: 00F494C6
                                                                                                • Failed to parse condition "%ls". Unexpected character at position %d., xrefs: 00F49220
                                                                                                • c:\agent\_work\138\s\src\burn\engine\condition.cpp, xrefs: 00F49142, 00F4920C, 00F49288, 00F492EC, 00F4942A, 00F4946E, 00F494B2
                                                                                                • Failed to parse condition "%ls". Constant too big, at position %d., xrefs: 00F4943E
                                                                                                • Failed to parse condition "%ls". Identifier cannot start at a digit, at position %d., xrefs: 00F49482
                                                                                                • AND, xrefs: 00F4937A
                                                                                                • Failed to parse condition "%ls". Version can have a maximum of 4 parts, at position %d., xrefs: 00F4929C
                                                                                                • -, xrefs: 00F491D6
                                                                                                • Failed to set symbol value., xrefs: 00F4911E
                                                                                                • NOT, xrefs: 00F49399
                                                                                                • Failed to parse condition "%ls". Unterminated literal at position %d., xrefs: 00F49156
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: StringType
                                                                                                • String ID: -$AND$Failed to parse condition "%ls". Constant too big, at position %d.$Failed to parse condition "%ls". Identifier cannot start at a digit, at position %d.$Failed to parse condition "%ls". Invalid version format, at position %d.$Failed to parse condition "%ls". Unexpected '~' operator at position %d.$Failed to parse condition "%ls". Unexpected character at position %d.$Failed to parse condition "%ls". Unterminated literal at position %d.$Failed to parse condition "%ls". Version can have a maximum of 4 parts, at position %d.$Failed to set symbol value.$NOT$c:\agent\_work\138\s\src\burn\engine\condition.cpp
                                                                                                • API String ID: 4177115715-1912921257
                                                                                                • Opcode ID: 371ee2e3e223b553595bfeb82aef8328372ee0ee8055f2898f21484cb13ee89e
                                                                                                • Instruction ID: 4e45d078a5b6e70d4aca6eb29e96db702d1183f0215c01df364e8557692c1ca9
                                                                                                • Opcode Fuzzy Hash: 371ee2e3e223b553595bfeb82aef8328372ee0ee8055f2898f21484cb13ee89e
                                                                                                • Instruction Fuzzy Hash: A4F1DEB2B08201EBEB15DF54C889BBB7FA8FB05710F244506FD159A285C3F5DA91EB80
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

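                                                                                                 The error strings of the condition.cpp function above ("Unterminated literal", "Version can have a maximum of 4 parts", "Constant too big", "Identifier cannot start at a digit", "Unexpected '~' operator", together with the AND and NOT keywords) describe the checks a tokenizer for the bundle condition language performs. The block below is an added illustrative tokenizer that raises the same classes of error at the same kind of position; it is not Burn's code. The token set (double-quoted literals, integer constants, 'v'-prefixed versions of up to four 16-bit parts, ~= and the comparison operators, AND/OR/NOT) and the exact rule behind each message are assumptions modelled on those strings.

```python
"""Illustrative tokenizer for the condition language whose error strings appear
in the condition.cpp function of this report. Added example, not Burn's code:
the token set and the rule behind each message are assumptions."""
import re
from dataclasses import dataclass

INT64_MAX = (1 << 63) - 1
_IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")
_NUMBER = re.compile(r"-?\d+")
_VERSION = re.compile(r"v\d+(?:\.\d+)*")
_TWO_CHAR_OPS = ("<=", ">=", "<>", "~=", "<<", ">>", "><")


class ConditionParseError(ValueError):
    pass


@dataclass
class Token:
    kind: str      # ident | number | string | version | op | paren
    value: object
    pos: int


def _fail(cond: str, detail: str) -> None:
    raise ConditionParseError(f'Failed to parse condition "{cond}". {detail}')


def tokenize(cond: str) -> list:
    tokens, i, n = [], 0, len(cond)
    while i < n:
        c = cond[i]
        if c.isspace():
            i += 1
        elif c == '"':                                   # string literal
            end = cond.find('"', i + 1)
            if end < 0:
                _fail(cond, f"Unterminated literal at position {i}.")
            tokens.append(Token("string", cond[i + 1:end], i))
            i = end + 1
        elif c in "()":
            tokens.append(Token("paren", c, i))
            i += 1
        elif cond[i:i + 2] in _TWO_CHAR_OPS:
            tokens.append(Token("op", cond[i:i + 2], i))
            i += 2
        elif c == "~":                                   # assumed: '~' is only valid inside '~='
            _fail(cond, f"Unexpected '~' operator at position {i}.")
        elif c in "=<>":
            tokens.append(Token("op", c, i))
            i += 1
        elif c == "v" and i + 1 < n and cond[i + 1].isdigit():   # version literal, e.g. v6.1
            m = _VERSION.match(cond, i)
            parts = m.group(0)[1:].split(".")
            if len(parts) > 4:
                _fail(cond, f"Version can have a maximum of 4 parts, at position {i}.")
            if any(int(p) > 0xFFFF for p in parts):      # assumed: four 16-bit fields
                _fail(cond, f"Invalid version format, at position {i}.")
            tokens.append(Token("version", tuple(int(p) for p in parts), i))
            i = m.end()
        elif c.isdigit() or (c == "-" and i + 1 < n and cond[i + 1].isdigit()):
            m = _NUMBER.match(cond, i)
            nxt = cond[m.end()] if m.end() < n else ""
            if nxt.isalpha() or nxt == "_":              # 12abc: digits running into a name
                _fail(cond, f"Identifier cannot start at a digit, at position {i}.")
            value = int(m.group(0))
            if not -INT64_MAX - 1 <= value <= INT64_MAX:
                _fail(cond, f"Constant too big, at position {i}.")
            tokens.append(Token("number", value, i))
            i = m.end()
        elif _IDENT.match(cond, i):
            m = _IDENT.match(cond, i)
            word = m.group(0)
            kind = "op" if word in ("AND", "OR", "NOT") else "ident"
            tokens.append(Token(kind, word, i))
            i = m.end()
        else:
            _fail(cond, f"Unexpected character at position {i}.")
    return tokens


def check(cond: str) -> str:
    """'ok' when the condition tokenizes, otherwise the error text."""
    try:
        tokenize(cond)
        return "ok"
    except ConditionParseError as exc:
        return str(exc)


if __name__ == "__main__":
    for sample in ('VersionNT >= v6.1 AND NOT Installed', 'Foo = "bar', 'A ~ B'):
        print(check(sample))
```

                                                                                                 Every rejection carries the offset of the offending token, which matches the "%d" position each of the report's format strings expects; the position is what makes a bad condition in a bundle manifest diagnosable without dumping the whole expression.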
                                                                                                APIs
                                                                                                  • Part of subcall function 00F43A1A: GetProcessHeap.KERNEL32(?,000001C7,?,00F423A7,?,00000001,80004005,8007139F,?,?,00F80687,8007139F,?,00000000,00000000,8007139F), ref: 00F43A2B
                                                                                                  • Part of subcall function 00F43A1A: RtlAllocateHeap.NTDLL(00000000,?,00F423A7,?,00000001,80004005,8007139F,?,?,00F80687,8007139F,?,00000000,00000000,8007139F), ref: 00F43A32
                                                                                                • CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,success,000000FF,?,Type,00000000,?,?,00000000,?,00000001,?), ref: 00F61B6C
                                                                                                • CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,error,000000FF), ref: 00F61B8A
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: CompareHeapString$AllocateProcess
                                                                                                • String ID: Code$ExitCode$Failed to allocate memory for exit code structs.$Failed to get @Code.$Failed to get @Type.$Failed to get exit code node count.$Failed to get next node.$Failed to parse @Code value: %ls$Failed to select exit code nodes.$Invalid exit code type: %ls$Type$c:\agent\_work\138\s\src\burn\engine\exeengine.cpp$error$forceReboot$scheduleReboot$success
                                                                                                • API String ID: 2664528157-823451179
                                                                                                • Opcode ID: 60a45e9fb0e039bd9b5f915c184031fe65ca7471f9f0f7512e324997631f7eab
                                                                                                • Instruction ID: 62911503998d93870e352e238626f5a12c4a6eadae7ed7cb6941af32a80a0894
                                                                                                • Opcode Fuzzy Hash: 60a45e9fb0e039bd9b5f915c184031fe65ca7471f9f0f7512e324997631f7eab
                                                                                                • Instruction Fuzzy Hash: 0A61BE71E4421AABDB109B54CD45EAEBBB4BF41730F244255F825AB2D0DB74DA00FB91
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                  • Part of subcall function 00F4D552: EnterCriticalSection.KERNEL32(000000D0,?,000000B8,00000000,?,00F57027,000000B8,00000000,?,00000000,75C0B390), ref: 00F4D561
                                                                                                  • Part of subcall function 00F4D552: LeaveCriticalSection.KERNEL32(000000D0,?,00F57027,000000B8,00000000,?,00000000,75C0B390), ref: 00F4D584
                                                                                                • ReleaseMutex.KERNEL32(00000000,?,00000000,crypt32.dll,00000000,00000001,00000000), ref: 00F56F76
                                                                                                • CloseHandle.KERNEL32(00000000), ref: 00F56F7F
                                                                                                • CloseHandle.KERNEL32(?,?,00000000,crypt32.dll,00000000,00000001,00000000), ref: 00F56F9F
                                                                                                  • Part of subcall function 00F6BB0B: SetThreadExecutionState.KERNEL32(80000001), ref: 00F6BB10
                                                                                                Strings
                                                                                                • UX aborted apply begin., xrefs: 00F56C84
                                                                                                • comres.dll, xrefs: 00F56FC5
                                                                                                • Another per-user setup is already executing., xrefs: 00F56CC4
                                                                                                • Another per-machine setup is already executing., xrefs: 00F56DB8
                                                                                                • Failed to register bundle., xrefs: 00F56DDB
                                                                                                • Failed to cache engine to working directory., xrefs: 00F56D58
                                                                                                • Failed while caching, aborting execution., xrefs: 00F56E7D
                                                                                                • crypt32.dll, xrefs: 00F56CB6
                                                                                                • Failed to set initial apply variables., xrefs: 00F56CEE
                                                                                                • Failed to create cache thread., xrefs: 00F56E55
                                                                                                • Failed to elevate., xrefs: 00F56D7E
                                                                                                • Engine cannot start apply because it is busy with another action., xrefs: 00F56C13
                                                                                                • c:\agent\_work\138\s\src\burn\engine\core.cpp, xrefs: 00F56C7A, 00F56E4B
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: CloseCriticalHandleSection$EnterExecutionLeaveMutexReleaseStateThread
                                                                                                • String ID: Another per-machine setup is already executing.$Another per-user setup is already executing.$Engine cannot start apply because it is busy with another action.$Failed to cache engine to working directory.$Failed to create cache thread.$Failed to elevate.$Failed to register bundle.$Failed to set initial apply variables.$Failed while caching, aborting execution.$UX aborted apply begin.$c:\agent\_work\138\s\src\burn\engine\core.cpp$comres.dll$crypt32.dll
                                                                                                • API String ID: 303827279-252372456
                                                                                                • Opcode ID: e0acc8a5389aa70962e2525beba0a83cd78941621a3455d359072e970b415b1e
                                                                                                • Instruction ID: 4636f6c6b41d707782ed80cd369603e576a3f5f61f37577ec6b45328087fc4fc
                                                                                                • Opcode Fuzzy Hash: e0acc8a5389aa70962e2525beba0a83cd78941621a3455d359072e970b415b1e
                                                                                                • Instruction Fuzzy Hash: 80C1C172D01215EBDF159F60CC85BEE37A8AF04712F44417AFE19EB241EB349948EBA4
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,rel,000000FF,?,?,?,00000000), ref: 00F87C41
                                                                                                • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,href,000000FF), ref: 00F87C66
                                                                                                • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,length,000000FF), ref: 00F87C86
                                                                                                • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,title,000000FF), ref: 00F87CB9
                                                                                                • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,type,000000FF), ref: 00F87CD5
                                                                                                • SysFreeString.OLEAUT32(00000000), ref: 00F87D00
                                                                                                • SysFreeString.OLEAUT32(00000000), ref: 00F87D77
                                                                                                • SysFreeString.OLEAUT32(00000000), ref: 00F87DC3
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: String$Compare$Free
                                                                                                • String ID: `<u$comres.dll$feclient.dll$href$length$msasn1.dll$msi.dll$rel$title$type$version.dll
                                                                                                • API String ID: 318886736-782967201
                                                                                                • Opcode ID: cebaf0843c620f75e4a69f17f6896d6914d2b068653284fe3ffe6a3cf524d16a
                                                                                                • Instruction ID: e10bffa8e8550bb2e0de9902c6c5328f52638c801221ad6c83851081802a1fd9
                                                                                                • Opcode Fuzzy Hash: cebaf0843c620f75e4a69f17f6896d6914d2b068653284fe3ffe6a3cf524d16a
                                                                                                • Instruction Fuzzy Hash: BA611B76D08219FBCB15FBA4CC45FEDB7B8AF05721F2442A5E521A71A0D730EA40EB90
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,http://appsyndication.org/2006/appsyn,000000FF,00000000,00000000,000002C0,00000410), ref: 00F88541
                                                                                                • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,application,000000FF), ref: 00F8855C
                                                                                                • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,upgrade,000000FF), ref: 00F885FF
                                                                                                • CompareStringW.KERNEL32(0000007F,00000000,00700079,000000FF,version,000000FF,000002D8,00F8B508,00000000), ref: 00F8863E
                                                                                                • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,exclusive,000000FF), ref: 00F88691
                                                                                                • CompareStringW.KERNEL32(0000007F,00000000,00F8B508,000000FF,true,000000FF), ref: 00F886AF
                                                                                                • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,version,000000FF), ref: 00F886E7
                                                                                                • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,enclosure,000000FF), ref: 00F8882B
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: CompareString
                                                                                                • String ID: application$c:\agent\_work\138\s\src\libs\dutil\apuputil.cpp$enclosure$exclusive$http://appsyndication.org/2006/appsyn$true$type$upgrade$version
                                                                                                • API String ID: 1825529933-2703766385
                                                                                                • Opcode ID: c1a311c9fa7bdb24bd1839352be239a72d911b92fbfe4aa9380cad27699707ce
                                                                                                • Instruction ID: 56a6a566f5e710aa3bb3da99263bd2fb24c00249f831d6c57b34f6148e74d540
                                                                                                • Opcode Fuzzy Hash: c1a311c9fa7bdb24bd1839352be239a72d911b92fbfe4aa9380cad27699707ce
                                                                                                • Instruction Fuzzy Hash: 36B1C371A04706ABCB50AF58CC85F9A7BB6BF04770FA44614F925DB2D1DB74E802EB50
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                  • Part of subcall function 00F5E223: LoadBitmapW.USER32(?,00000001), ref: 00F5E259
                                                                                                  • Part of subcall function 00F5E223: GetLastError.KERNEL32 ref: 00F5E265
                                                                                                • LoadCursorW.USER32(00000000,00007F00), ref: 00F5E39B
                                                                                                • RegisterClassW.USER32(?), ref: 00F5E3AF
                                                                                                • GetLastError.KERNEL32 ref: 00F5E3BA
                                                                                                • UnregisterClassW.USER32(WixBurnSplashScreen,?), ref: 00F5E4BF
                                                                                                • DeleteObject.GDI32(00000000), ref: 00F5E4CE
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: ClassErrorLastLoad$BitmapCursorDeleteObjectRegisterUnregister
                                                                                                • String ID: Failed to create window.$Failed to load splash screen.$Failed to register window.$Unexpected return value from message pump.$WixBurnSplashScreen$c:\agent\_work\138\s\src\burn\engine\splashscreen.cpp
                                                                                                • API String ID: 164797020-989680284
                                                                                                • Opcode ID: baff1bfeccd7052263b04c56033ba78ff8402ee23e7e0b060bef44c2487e0541
                                                                                                • Instruction ID: 3080da6945b886a2ca4ec9264a6e267e581641b8ea9dc13faba5d5983bdcb076
                                                                                                • Opcode Fuzzy Hash: baff1bfeccd7052263b04c56033ba78ff8402ee23e7e0b060bef44c2487e0541
                                                                                                • Instruction Fuzzy Hash: 1741A57790061ABFEB119BE4DD49AEEBB78FF04721F104125FE01A6151DB349E08BB92
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • WaitForMultipleObjects.KERNEL32(00000001,00F6BA8B,00000000,000000FF,00000001,00000000,00000000,00F6BA8B,00000001,?), ref: 00F69C87
                                                                                                • GetLastError.KERNEL32 ref: 00F69DF7
                                                                                                • GetExitCodeThread.KERNEL32(?,00000001), ref: 00F69E37
                                                                                                • GetLastError.KERNEL32 ref: 00F69E41
                                                                                                Strings
                                                                                                • Invalid execute action., xrefs: 00F69E97
                                                                                                • Failed to wait for cache check-point., xrefs: 00F69E28
                                                                                                • c:\agent\_work\138\s\src\burn\engine\apply.cpp, xrefs: 00F69E1E, 00F69E68
                                                                                                • Failed to get cache thread exit code., xrefs: 00F69E72
                                                                                                • Failed to execute MSP package., xrefs: 00F69D0C
                                                                                                • Cache thread exited unexpectedly., xrefs: 00F69E88
                                                                                                • Failed to execute MSI package., xrefs: 00F69CE7
                                                                                                • Failed to execute dependency action., xrefs: 00F69D77
                                                                                                • Failed to execute MSU package., xrefs: 00F69D3C
                                                                                                • Failed to execute compatible package action., xrefs: 00F69DB4
                                                                                                • Failed to execute package provider registration action., xrefs: 00F69D58
                                                                                                • Failed to execute EXE package., xrefs: 00F69CBE
                                                                                                • Failed to load compatible package on per-machine package., xrefs: 00F69D9D
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: ErrorLast$CodeExitMultipleObjectsThreadWait
                                                                                                • String ID: Cache thread exited unexpectedly.$Failed to execute EXE package.$Failed to execute MSI package.$Failed to execute MSP package.$Failed to execute MSU package.$Failed to execute compatible package action.$Failed to execute dependency action.$Failed to execute package provider registration action.$Failed to get cache thread exit code.$Failed to load compatible package on per-machine package.$Failed to wait for cache check-point.$Invalid execute action.$c:\agent\_work\138\s\src\burn\engine\apply.cpp
                                                                                                • API String ID: 3703294532-3690680958
                                                                                                • Opcode ID: fb126a130f8ffbdd29fe241318bb40e11abd6db56f27efd487784f00adcc7b42
                                                                                                • Instruction ID: 4419ef947edede65827a35e1518b94944f4baf0f95a43f09866837f8fb126aba
                                                                                                • Opcode Fuzzy Hash: fb126a130f8ffbdd29fe241318bb40e11abd6db56f27efd487784f00adcc7b42
                                                                                                • Instruction Fuzzy Hash: 61716D71E4422AEFDB10CF64CD41EAE7BBCEB14710B10456AF905E7280D7B5DE01ABA1
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                  • Part of subcall function 00F83F62: GetVersionExW.KERNEL32(?,?,?,00000000), ref: 00F83FB1
                                                                                                • RegCloseKey.ADVAPI32(00000000,?,00F90FB8,00020006,00000000,?,00000000,00000000,00000000,?,00000000,00000001,00000000,00000000), ref: 00F4F4D7
                                                                                                  • Part of subcall function 00F8194C: RegSetValueExW.ADVAPI32(?,00000005,00000000,00000004,?,00000004,00000001,?,00F4F324,00F90FB8,Resume,00000005,?,00000000,00000000,00000000), ref: 00F81961
                                                                                                Strings
                                                                                                • BundleResumeCommandLine, xrefs: 00F4F3DF, 00F4F472
                                                                                                • Failed to write resume command line value., xrefs: 00F4F3F4
                                                                                                • Failed to delete run key value., xrefs: 00F4F465
                                                                                                • Failed to write Installed value., xrefs: 00F4F34D
                                                                                                • Failed to delete resume command line value., xrefs: 00F4F4B3
                                                                                                • Failed to write Resume value., xrefs: 00F4F32A
                                                                                                • "%ls" /%ls, xrefs: 00F4F37C
                                                                                                • Failed to create run key., xrefs: 00F4F3B4
                                                                                                • c:\agent\_work\138\s\src\burn\engine\registration.cpp, xrefs: 00F4F45B, 00F4F4A9
                                                                                                • Resume, xrefs: 00F4F319
                                                                                                • Installed, xrefs: 00F4F33C
                                                                                                • Failed to write run key value., xrefs: 00F4F3D2
                                                                                                • Failed to format resume command line for RunOnce., xrefs: 00F4F390
                                                                                                • burn.runonce, xrefs: 00F4F371
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: CloseValueVersion
                                                                                                • String ID: "%ls" /%ls$BundleResumeCommandLine$Failed to create run key.$Failed to delete resume command line value.$Failed to delete run key value.$Failed to format resume command line for RunOnce.$Failed to write Installed value.$Failed to write Resume value.$Failed to write resume command line value.$Failed to write run key value.$Installed$Resume$burn.runonce$c:\agent\_work\138\s\src\burn\engine\registration.cpp
                                                                                                • API String ID: 2348918689-1449905986
                                                                                                • Opcode ID: c797fcb5cb2f03a4493d937c759035d43fcd98bb40b5b74a12df067873a5ece2
                                                                                                • Instruction ID: 2cd66d9975d0da36e4cc85dae019b8d700c2f06667dd83b489a9637127134d5f
                                                                                                • Opcode Fuzzy Hash: c797fcb5cb2f03a4493d937c759035d43fcd98bb40b5b74a12df067873a5ece2
                                                                                                • Instruction Fuzzy Hash: F751D532D4032ABBDF11AEA4CC06ABF7E64BB00724F154135FD09B61A1DB789958B791
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • GetCurrentProcessId.KERNEL32(74DE8FB0,00000000,00000000), ref: 00F6CA8E
                                                                                                  • Part of subcall function 00F54E07: UuidCreate.RPCRT4(?), ref: 00F54E3A
                                                                                                • CreateProcessW.KERNEL32(?,?,00000000,00000000,00000001,08000000,00000000,00000000,?,00F622B1,?,?,00000000,?,?,?), ref: 00F6CB6C
                                                                                                • GetLastError.KERNEL32(?,?,00000000,?,?,?,?), ref: 00F6CB76
                                                                                                • GetProcessId.KERNEL32(00F622B1,?,?,00000000,?,?,?,?), ref: 00F6CBAE
                                                                                                  • Part of subcall function 00F5554D: lstrlenW.KERNEL32(?,?,00000000,?,?,00000000,75C0B390,?,00F445B7,?,00F8B4F0), ref: 00F5556E
                                                                                                  • Part of subcall function 00F5554D: GetCurrentProcessId.KERNEL32(?,00F445B7,?,00F8B4F0), ref: 00F55579
                                                                                                  • Part of subcall function 00F5554D: SetNamedPipeHandleState.KERNEL32(?,000000FF,00000000,00000000,?,00F445B7,?,00F8B4F0), ref: 00F555B0
                                                                                                  • Part of subcall function 00F5554D: ConnectNamedPipe.KERNEL32(?,00000000,?,00F445B7,?,00F8B4F0), ref: 00F555C5
                                                                                                  • Part of subcall function 00F5554D: GetLastError.KERNEL32(?,00F445B7,?,00F8B4F0), ref: 00F555CF
                                                                                                  • Part of subcall function 00F5554D: Sleep.KERNEL32(00000064,?,00F445B7,?,00F8B4F0), ref: 00F55604
                                                                                                  • Part of subcall function 00F5554D: SetNamedPipeHandleState.KERNEL32(?,00000000,00000000,00000000,?,00F445B7,?,00F8B4F0), ref: 00F55627
                                                                                                  • Part of subcall function 00F5554D: WriteFile.KERNEL32(?,crypt32.dll,00000004,00000000,00000000,?,00F445B7,?,00F8B4F0), ref: 00F55642
                                                                                                  • Part of subcall function 00F5554D: WriteFile.KERNEL32(?,00F445B7,00F8B4F0,00000000,00000000,?,00F445B7,?,00F8B4F0), ref: 00F5565D
                                                                                                  • Part of subcall function 00F5554D: WriteFile.KERNEL32(?,?,00000004,00000000,00000000,?,00F445B7,?,00F8B4F0), ref: 00F55678
                                                                                                  • Part of subcall function 00F80EA4: WaitForSingleObject.KERNEL32(000000FF,?,00000000,?,00F44F98,?,000000FF,?,?,?,?,?,00000000,?,?,?), ref: 00F80EB0
                                                                                                  • Part of subcall function 00F80EA4: GetLastError.KERNEL32(?,00F44F98,?,000000FF,?,?,?,?,?,00000000,?,?,?,?,?,?), ref: 00F80EBE
                                                                                                • CloseHandle.KERNEL32(00000000,?,000000FF,00000000,?,00F6C9E2,?,?,?,?,?,00000000,?,?,?,?), ref: 00F6CC32
                                                                                                • CloseHandle.KERNEL32(00000000,?,000000FF,00000000,?,00F6C9E2,?,?,?,?,?,00000000,?,?,?,?), ref: 00F6CC41
                                                                                                • CloseHandle.KERNEL32(00000000,?,?,000000FF,00000000,?,00F6C9E2,?,?,?,?,?,00000000,?,?,?), ref: 00F6CC58
                                                                                                Strings
                                                                                                • %ls -%ls %ls %ls %u, xrefs: 00F6CB31
                                                                                                • Failed to create embedded pipe., xrefs: 00F6CB18
                                                                                                • c:\agent\_work\138\s\src\burn\engine\embedded.cpp, xrefs: 00F6CB97
                                                                                                • Failed to create embedded process at path: %ls, xrefs: 00F6CBA4
                                                                                                • Failed to create embedded pipe name and client token., xrefs: 00F6CAF1
                                                                                                • burn.embedded, xrefs: 00F6CB29
                                                                                                • Failed to wait for embedded process to connect to pipe., xrefs: 00F6CBD0
                                                                                                • Failed to wait for embedded executable: %ls, xrefs: 00F6CC15
                                                                                                • Failed to process messages from embedded message., xrefs: 00F6CBF5
                                                                                                • Failed to allocate embedded command., xrefs: 00F6CB45
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: Handle$Process$CloseErrorFileLastNamedPipeWrite$CreateCurrentState$ConnectObjectSingleSleepUuidWaitlstrlen
                                                                                                • String ID: %ls -%ls %ls %ls %u$Failed to allocate embedded command.$Failed to create embedded pipe name and client token.$Failed to create embedded pipe.$Failed to create embedded process at path: %ls$Failed to process messages from embedded message.$Failed to wait for embedded executable: %ls$Failed to wait for embedded process to connect to pipe.$burn.embedded$c:\agent\_work\138\s\src\burn\engine\embedded.cpp
                                                                                                • API String ID: 875070380-4141207472
                                                                                                • Opcode ID: b8131ec3c602db0e73130e6ca1728871d3f308ef162b8d9249f54169ffefdc8b
                                                                                                • Instruction ID: a1edad5cb70fcbe9fdf46168b57cdc2f041e79cffbc8f8acecde8975f5eea487
                                                                                                • Opcode Fuzzy Hash: b8131ec3c602db0e73130e6ca1728871d3f308ef162b8d9249f54169ffefdc8b
                                                                                                • Instruction Fuzzy Hash: DE516072D00229BBDF11AB94DD46FEEBBB8AF04710F100122FA44B6290DB759944ABD1
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • SysFreeString.OLEAUT32(?), ref: 00F4EEF1
                                                                                                  • Part of subcall function 00F43A1A: GetProcessHeap.KERNEL32(?,000001C7,?,00F423A7,?,00000001,80004005,8007139F,?,?,00F80687,8007139F,?,00000000,00000000,8007139F), ref: 00F43A2B
                                                                                                  • Part of subcall function 00F43A1A: RtlAllocateHeap.NTDLL(00000000,?,00F423A7,?,00000001,80004005,8007139F,?,?,00F80687,8007139F,?,00000000,00000000,8007139F), ref: 00F43A32
                                                                                                • SysFreeString.OLEAUT32(?), ref: 00F4EEA9
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: FreeHeapString$AllocateProcess
                                                                                                • String ID: Failed to allocate memory for software tag structs.$Failed to convert SoftwareTag text to UTF-8$Failed to get @Filename.$Failed to get @Path.$Failed to get @Regid.$Failed to get SoftwareTag text.$Failed to get next node.$Failed to get software tag count.$Failed to select software tag nodes.$Filename$Path$Regid$SoftwareTag$`<u$c:\agent\_work\138\s\src\burn\engine\registration.cpp
                                                                                                • API String ID: 336948655-1090680074
                                                                                                • Opcode ID: 369e37bb371743a33c4c748308492cb169d18c7a32ec59285a3fc34019553b13
                                                                                                • Instruction ID: 7aba36dca3e52921fc8e4a6078c8040324c39cdee19b82038ad0d0f55ad63154
                                                                                                • Opcode Fuzzy Hash: 369e37bb371743a33c4c748308492cb169d18c7a32ec59285a3fc34019553b13
                                                                                                • Instruction Fuzzy Hash: 38519075E4131AABEB15DB54CC85EAEBFB4BF04B60B154169FC05AB290D770DE00BB90
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • CompareStringW.KERNEL32(0000007F,00000000,msi.dll,000000FF,http://appsyndication.org/2006/appsyn,000000FF,00000000,00000000,000002C0,?,00F88848,00000001,?), ref: 00F8837E
                                                                                                • CompareStringW.KERNEL32(0000007F,00000000,digest,000000FF,002E0069,000000FF,?,00F88848,00000001,?), ref: 00F88399
                                                                                                • CompareStringW.KERNEL32(0000007F,00000000,name,000000FF,002E0069,000000FF,?,00F88848,00000001,?), ref: 00F883B4
                                                                                                • CompareStringW.KERNEL32(0000007F,00000000,algorithm,000000FF,?,000000FF,?,00F88848,00000001,?), ref: 00F88420
                                                                                                • CompareStringW.KERNEL32(0000007F,00000001,md5,000000FF,?,000000FF,?,00F88848,00000001,?), ref: 00F88444
                                                                                                • CompareStringW.KERNEL32(0000007F,00000001,sha1,000000FF,?,000000FF,?,00F88848,00000001,?), ref: 00F88468
                                                                                                • CompareStringW.KERNEL32(0000007F,00000001,sha256,000000FF,?,000000FF,?,00F88848,00000001,?), ref: 00F88488
                                                                                                • lstrlenW.KERNEL32(006C0064,?,00F88848,00000001,?), ref: 00F884A3
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: CompareString$lstrlen
                                                                                                • String ID: algorithm$c:\agent\_work\138\s\src\libs\dutil\apuputil.cpp$digest$http://appsyndication.org/2006/appsyn$md5$msi.dll$name$sha1$sha256
                                                                                                • API String ID: 1657112622-1522978707
                                                                                                • Opcode ID: d787d1b98094a3f4bda939c6ad57358af8491239053fc4175552e3d61c79b161
                                                                                                • Instruction ID: 0a7077815d3cd45db855bafd9b5ac2ce71b6cbac1e23bc95f2bec7d0b710538a
                                                                                                • Opcode Fuzzy Hash: d787d1b98094a3f4bda939c6ad57358af8491239053fc4175552e3d61c79b161
                                                                                                • Instruction Fuzzy Hash: F851DC72548713BBDF21AF54CC85FA67A61AB15B70F604710F534AE2D1CBA4EC41E790
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • _MREFOpen@16.MSPDB140-MSVCRT ref: 00F4A167
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: Open@16
                                                                                                • String ID: AssignmentType$Failed to change value type.$Failed to copy upgrade code.$Failed to enumerate related products for upgrade code.$Failed to format GUID string.$Failed to get product info.$Failed to set variable.$Language$MsiProductSearch failed: ID '%ls', HRESULT 0x%x$Product or related product not found: %ls$State$Trying per-machine extended info for property '%ls' for product: %ls$Trying per-user extended info for property '%ls' for product: %ls$Unsupported product search type: %u$VersionString
                                                                                                • API String ID: 3613110473-2134270738
                                                                                                • Opcode ID: 489e69fb5d2c2e574d58e1f33a81ea9bcb35ccec7e112402668ae99ab6bf435d
                                                                                                • Instruction ID: 393cc9a436bea99e30ce3acd058b0bfd510740aacd2b26b82b06135096c836dc
                                                                                                • Opcode Fuzzy Hash: 489e69fb5d2c2e574d58e1f33a81ea9bcb35ccec7e112402668ae99ab6bf435d
                                                                                                • Instruction Fuzzy Hash: 9F61B233E80118BBDB11AEA8CD45EEE7FA8EB45710F204165FD04AA251D676DF40BB92
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?), ref: 00F54BF7
                                                                                                • GetLastError.KERNEL32 ref: 00F54C05
                                                                                                • Sleep.KERNEL32(00000064), ref: 00F54C29
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: CreateErrorFileLastSleep
                                                                                                • String ID: Failed to allocate name of parent cache pipe.$Failed to allocate name of parent pipe.$Failed to open companion process with PID: %u$Failed to open parent pipe: %ls$Failed to verify parent pipe: %ls$\\.\pipe\%ls$\\.\pipe\%ls.Cache$c:\agent\_work\138\s\src\burn\engine\pipe.cpp$feclient.dll
                                                                                                • API String ID: 408151869-1154546980
                                                                                                • Opcode ID: b05fff4b61871d6175f8b5173e6200c2efbf55cb9e509b90c1f0193a75f1ab13
                                                                                                • Instruction ID: 26464a5207ef2619070d74bcb73ceae82f603cb0687ed56aef5e5e8fdc7f0fa3
                                                                                                • Opcode Fuzzy Hash: b05fff4b61871d6175f8b5173e6200c2efbf55cb9e509b90c1f0193a75f1ab13
                                                                                                • Instruction Fuzzy Hash: 28415B37D41735B7DB2156A08C0AFAE7A64AF0073AF114210FE10BB1D0D769BD84B6D4
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • RegCloseKey.ADVAPI32(00000000,00000000,00F50565,InstallerVersion,InstallerVersion,00000000,00F50565,InstallerName,InstallerName,00000000,00F50565,Date,InstalledDate,00000000,00F50565,LogonUser), ref: 00F4F7C6
                                                                                                  • Part of subcall function 00F8199A: RegSetValueExW.ADVAPI32(00020006,00F90FB8,00000000,00000001,?,00000000,?,000000FF,00000000,00000000,?,?,00F4F3CC,00000000,?,00020006), ref: 00F819CD
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: CloseValue
                                                                                                • String ID: Date$Failed to create the key for update registration.$Failed to get the formatted key path for update registration.$Failed to write %ls value.$InstalledBy$InstalledDate$InstallerName$InstallerVersion$LogonUser$PackageName$PackageVersion$Publisher$PublishingGroup$ReleaseType$ThisVersionInstalled
                                                                                                • API String ID: 3132538880-2703781546
                                                                                                • Opcode ID: 0970d14bd93b51558ae5293e7da94721809ead9ebaace0992ae249bfbfde4b5c
                                                                                                • Instruction ID: 20c5e2eaaa6a93e6ae889c69be6bfa3c1f321115c3f921a69975fb2a497e9009
                                                                                                • Opcode Fuzzy Hash: 0970d14bd93b51558ae5293e7da94721809ead9ebaace0992ae249bfbfde4b5c
                                                                                                • Instruction Fuzzy Hash: 20418732E41665B7DF226654CC46EEE7E29EB40B20F114170FC04B62A2C779DD19B7D1
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • TlsSetValue.KERNEL32(?,?), ref: 00F5E766
                                                                                                • RegisterClassW.USER32(?), ref: 00F5E792
                                                                                                • GetLastError.KERNEL32 ref: 00F5E79D
                                                                                                • CreateWindowExW.USER32(00000080,00F9A23C,00000000,90000000,80000000,00000008,00000000,00000000,00000000,00000000,?,?), ref: 00F5E804
                                                                                                • GetLastError.KERNEL32 ref: 00F5E80E
                                                                                                • UnregisterClassW.USER32(WixBurnMessageWindow,?), ref: 00F5E8AC
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: ClassErrorLast$CreateRegisterUnregisterValueWindow
                                                                                                • String ID: Failed to create window.$Failed to register window.$Unexpected return value from message pump.$WixBurnMessageWindow$c:\agent\_work\138\s\src\burn\engine\uithread.cpp
                                                                                                • API String ID: 213125376-2797729333
                                                                                                • Opcode ID: 70310e65739de29071f810410a568d0704b4ad604a19b8a51b2cb5540ccb62c9
                                                                                                • Instruction ID: c8db373db3a064298c7928e6fcd76357305738bc58e0e0dd9206eca432a76f1c
                                                                                                • Opcode Fuzzy Hash: 70310e65739de29071f810410a568d0704b4ad604a19b8a51b2cb5540ccb62c9
                                                                                                • Instruction Fuzzy Hash: AF41A772D00619EBDB149BA0DC49BDABFB8FF05762F104125FE15B6150E7309A48EBE1
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Strings
                                                                                                • Failed to copy local source path for passthrough pseudo bundle., xrefs: 00F6C7B4
                                                                                                • Failed to allocate memory for pseudo bundle payload hash., xrefs: 00F6C7AA
                                                                                                • Failed to recreate command-line arguments., xrefs: 00F6C840
                                                                                                • Failed to allocate space for burn payload inside of related bundle struct, xrefs: 00F6C7E4
                                                                                                • Failed to copy download source for passthrough pseudo bundle., xrefs: 00F6C78C
                                                                                                • Failed to copy key for passthrough pseudo bundle payload., xrefs: 00F6C7C2
                                                                                                • Failed to allocate space for burn package payload inside of passthrough bundle., xrefs: 00F6C5B1
                                                                                                • Failed to copy key for passthrough pseudo bundle., xrefs: 00F6C785
                                                                                                • Failed to copy filename for passthrough pseudo bundle., xrefs: 00F6C7BB
                                                                                                • Failed to copy uninstall arguments for passthrough bundle package, xrefs: 00F6C8A9
                                                                                                • Failed to copy install arguments for passthrough bundle package, xrefs: 00F6C85F
                                                                                                • Failed to copy related arguments for passthrough bundle package, xrefs: 00F6C87F
                                                                                                • Failed to copy cache id for passthrough pseudo bundle., xrefs: 00F6C802
                                                                                                • c:\agent\_work\138\s\src\burn\engine\pseudobundle.cpp, xrefs: 00F6C5A5, 00F6C79E, 00F6C7D8
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: Heap$AllocateProcess
                                                                                                • String ID: Failed to allocate memory for pseudo bundle payload hash.$Failed to allocate space for burn package payload inside of passthrough bundle.$Failed to allocate space for burn payload inside of related bundle struct$Failed to copy cache id for passthrough pseudo bundle.$Failed to copy download source for passthrough pseudo bundle.$Failed to copy filename for passthrough pseudo bundle.$Failed to copy install arguments for passthrough bundle package$Failed to copy key for passthrough pseudo bundle payload.$Failed to copy key for passthrough pseudo bundle.$Failed to copy local source path for passthrough pseudo bundle.$Failed to copy related arguments for passthrough bundle package$Failed to copy uninstall arguments for passthrough bundle package$Failed to recreate command-line arguments.$c:\agent\_work\138\s\src\burn\engine\pseudobundle.cpp
                                                                                                • API String ID: 1357844191-3179816169
                                                                                                • Opcode ID: d0d69ba5e8aee2fe810e2d52cc4f23a5cc33de9eb8c11035cc7a7f15a69dd1b7
                                                                                                • Instruction ID: f9a476b45cc340e5f9e81fe120e8d622520234a64ec4a1b80c6929b2821682e8
                                                                                                • Opcode Fuzzy Hash: d0d69ba5e8aee2fe810e2d52cc4f23a5cc33de9eb8c11035cc7a7f15a69dd1b7
                                                                                                • Instruction Fuzzy Hash: 31B15476A00616EFDB51CF68C881F65BBA1BB08710F118269FD949B361DB75E820EFD0
                                                                                                Uniqueness
                                                                                                • Uniqueness Score: -1.00%
                                                                                                APIs
                                                                                                • lstrlenW.KERNEL32(?,?,?,?,?,?,00000000,?,?,?,00000000,00000000,?), ref: 00F6DC24
                                                                                                Strings
                                                                                                • Failed to initialize BITS job callback., xrefs: 00F6DD45
                                                                                                • Failed to download BITS job., xrefs: 00F6DDBB
                                                                                                • Falied to start BITS job., xrefs: 00F6DDDC
                                                                                                • c:\agent\_work\138\s\src\burn\engine\bitsengine.cpp, xrefs: 00F6DC3A, 00F6DD2D
                                                                                                • Failed to copy download URL., xrefs: 00F6DC6B
                                                                                                • Failed to complete BITS job., xrefs: 00F6DDCE
                                                                                                • Failed to create BITS job., xrefs: 00F6DCB3
                                                                                                • Failed to add file to BITS job., xrefs: 00F6DCF1
                                                                                                • Failed to set callback interface for BITS job., xrefs: 00F6DD5C
                                                                                                • Failed to set credentials for BITS job., xrefs: 00F6DCD2
                                                                                                • Failed while waiting for BITS download., xrefs: 00F6DDD5
                                                                                                • Invalid BITS engine URL: %ls, xrefs: 00F6DC46
                                                                                                • Failed to create BITS job callback., xrefs: 00F6DD37
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: lstrlen
                                                                                                • String ID: Failed to add file to BITS job.$Failed to complete BITS job.$Failed to copy download URL.$Failed to create BITS job callback.$Failed to create BITS job.$Failed to download BITS job.$Failed to initialize BITS job callback.$Failed to set callback interface for BITS job.$Failed to set credentials for BITS job.$Failed while waiting for BITS download.$Falied to start BITS job.$Invalid BITS engine URL: %ls$c:\agent\_work\138\s\src\burn\engine\bitsengine.cpp
                                                                                                • API String ID: 1659193697-2643649894
                                                                                                • Opcode ID: b32a9deda513bb25c7afc6548c73ae01800ab057a2fc55dfc7963380a4597acc
                                                                                                • Instruction ID: 84dd84da6281d051c8af775f9f3564f70d2d3bbad42076d131f25b1a98b721c8
                                                                                                • Opcode Fuzzy Hash: b32a9deda513bb25c7afc6548c73ae01800ab057a2fc55dfc7963380a4597acc
                                                                                                • Instruction Fuzzy Hash: CD51A176F00225EBCB11AF94CC85EAE7BB8EF05B20B224155FD04AB291D775DD10BB91
                                                                                                Uniqueness
                                                                                                • Uniqueness Score: -1.00%
                                                                                                APIs
                                                                                                • _MREFOpen@16.MSPDB140-MSVCRT ref: 00F4BDA1
                                                                                                • CreateProcessW.KERNEL32(?,?,00000000,00000000,00000000,00000200,00000000,?,00000044,?,?,?,?,?), ref: 00F4BEAE
                                                                                                • GetLastError.KERNEL32(?,?,?,?), ref: 00F4BEB8
                                                                                                • WaitForInputIdle.USER32(?,?), ref: 00F4BF0C
                                                                                                • CloseHandle.KERNEL32(?,?,?), ref: 00F4BF57
                                                                                                • CloseHandle.KERNEL32(?,?,?), ref: 00F4BF64
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: CloseHandle$CreateErrorIdleInputLastOpen@16ProcessWait
                                                                                                • String ID: "%ls"$"%ls" %s$D$Failed to CreateProcess on path: %ls$Failed to create executable command.$Failed to create obfuscated executable command.$Failed to format argument string.$Failed to format obfuscated argument string.$c:\agent\_work\138\s\src\burn\engine\approvedexe.cpp
                                                                                                • API String ID: 155678114-1623605306
                                                                                                • Opcode ID: 3d5131cd46b8676c48ac301116c8b74926f63209a446c1c1b2524b2156f0d73a
                                                                                                • Instruction ID: 0eb45e2b135195bb47e5a9abbb435f2cd1682d202c5baec7914220b1ee0a7c83
                                                                                                • Opcode Fuzzy Hash: 3d5131cd46b8676c48ac301116c8b74926f63209a446c1c1b2524b2156f0d73a
                                                                                                • Instruction Fuzzy Hash: 01513772D0021ABBDF12AFE0CC429EEBF79AF04310B144565FE14B6162E7359E64BB91
                                                                                                Uniqueness
                                                                                                • Uniqueness Score: -1.00%
                                                                                                APIs
                                                                                                • OpenSCManagerW.ADVAPI32(00000000,00000000,000F003F,?,?,00000000,?,?,?,?,?,?,?,?,00F66D9D,?), ref: 00F66887
                                                                                                • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00F66D9D,?,?,?), ref: 00F66894
                                                                                                • OpenServiceW.ADVAPI32(00000000,wuauserv,00000027,?,?,?,?,?,?,?,?,00F66D9D,?,?,?), ref: 00F668DC
                                                                                                • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00F66D9D,?,?,?), ref: 00F668E8
                                                                                                • QueryServiceStatus.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,00F66D9D,?,?,?), ref: 00F66922
                                                                                                • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00F66D9D,?,?,?), ref: 00F6692C
                                                                                                • CloseServiceHandle.ADVAPI32(00000000), ref: 00F669E3
                                                                                                • CloseServiceHandle.ADVAPI32(?), ref: 00F669ED
                                                                                                Strings
                                                                                                • Failed to read configuration for WU service., xrefs: 00F66993
                                                                                                • c:\agent\_work\138\s\src\burn\engine\msuengine.cpp, xrefs: 00F668B8, 00F6690C, 00F66950
                                                                                                • Failed to mark WU service to start on demand., xrefs: 00F669B4
                                                                                                • Failed to open service control manager., xrefs: 00F668C2
                                                                                                • Failed to query status of WU service., xrefs: 00F6695A
                                                                                                • wuauserv, xrefs: 00F668D6
                                                                                                • Failed to open WU service., xrefs: 00F66916
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: Service$ErrorLast$CloseHandleOpen$ManagerQueryStatus
                                                                                                • String ID: Failed to mark WU service to start on demand.$Failed to open WU service.$Failed to open service control manager.$Failed to query status of WU service.$Failed to read configuration for WU service.$c:\agent\_work\138\s\src\burn\engine\msuengine.cpp$wuauserv
                                                                                                • API String ID: 971853308-2240853446
                                                                                                • Opcode ID: 3f63d4c2a017a618e73e93815fb60f07e8cfb081bd5442ba98e595fa1286811b
                                                                                                • Instruction ID: ad4e9b0255d62c9fb93e472333d74a9b2e58c469dcb9f1633e6528c7b89d7d28
                                                                                                • Opcode Fuzzy Hash: 3f63d4c2a017a618e73e93815fb60f07e8cfb081bd5442ba98e595fa1286811b
                                                                                                • Instruction Fuzzy Hash: B741B676E40329ABDB11ABB98C45AAFBBB4AF44720F154025FD05FB241DB74DC04BBA0
                                                                                                Uniqueness
                                                                                                • Uniqueness Score: -1.00%
                                                                                                APIs
                                                                                                • GetModuleHandleW.KERNEL32(00000000,00000000,00000000,?,00F4BBBB,00000008,?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 00F4B2D0
                                                                                                • GetLastError.KERNEL32(?,00F4BBBB,00000008,?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 00F4B2DC
                                                                                                • _memcmp.LIBVCRUNTIME ref: 00F4B384
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: ErrorHandleLastModule_memcmp
                                                                                                • String ID: .wix$.wixburn$Bundle guid didn't match the guid in the PE Header in memory.$Failed to find Burn section.$Failed to find valid DOS image header in buffer.$Failed to find valid NT image header in buffer.$Failed to get module handle to process.$Failed to read section info, data to short: %u$Failed to read section info, unsupported version: %08x$burn$c:\agent\_work\138\s\src\burn\engine\section.cpp
                                                                                                • API String ID: 3888311042-79629970
                                                                                                • Opcode ID: 56b54538d7e9eb806010f835b820384bd93ac5622100faf57be6566c4a970751
                                                                                                • Instruction ID: d228052dd5bf67c38d5c11c1fe744e8e3386e24b2bb1e976bc2b79a6b4fb8828
                                                                                                • Opcode Fuzzy Hash: 56b54538d7e9eb806010f835b820384bd93ac5622100faf57be6566c4a970751
                                                                                                • Instruction Fuzzy Hash: CA410A32780711EBC3216E569C47FAA7A14AF80B31F254025FD015F283EBA9C805B7AA
                                                                                                Uniqueness
                                                                                                • Uniqueness Score: -1.00%
                                                                                                APIs
                                                                                                • _MREFOpen@16.MSPDB140-MSVCRT ref: 00F4A362
                                                                                                • RegCloseKey.ADVAPI32(00000000,00000100,00000000,000002C0,?,00000001,00000000,00000000,?,00000000,?,000002C0,000002C0,?,00000000,00000000), ref: 00F4A4B6
                                                                                                Strings
                                                                                                • Failed to open registry key. Key = '%ls', xrefs: 00F4A3B7
                                                                                                • Registry key not found. Key = '%ls', xrefs: 00F4A3A3
                                                                                                • Failed to format key string., xrefs: 00F4A36D
                                                                                                • Failed to format value string., xrefs: 00F4A3EE
                                                                                                • Failed to set variable., xrefs: 00F4A479
                                                                                                • Registry value not found. Key = '%ls', Value = '%ls', xrefs: 00F4A451
                                                                                                • c:\agent\_work\138\s\src\burn\engine\search.cpp, xrefs: 00F4A43A
                                                                                                • Failed to query registry key value., xrefs: 00F4A444
                                                                                                • RegistrySearchExists failed: ID '%ls', HRESULT 0x%x, xrefs: 00F4A48E
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: CloseOpen@16
                                                                                                • String ID: Failed to format key string.$Failed to format value string.$Failed to open registry key. Key = '%ls'$Failed to query registry key value.$Failed to set variable.$Registry key not found. Key = '%ls'$Registry value not found. Key = '%ls', Value = '%ls'$RegistrySearchExists failed: ID '%ls', HRESULT 0x%x$c:\agent\_work\138\s\src\burn\engine\search.cpp
                                                                                                • API String ID: 1561904661-903180124
                                                                                                • Opcode ID: 67e664fc5e530fb39caf9d126afad3e5e586d40a5722e4da6e43ae86aecdb72e
                                                                                                • Instruction ID: 54031a0eae33ca86ee84e091a4ab5595efb3bcfd7330f7a17f78d29470ef6307
                                                                                                • Opcode Fuzzy Hash: 67e664fc5e530fb39caf9d126afad3e5e586d40a5722e4da6e43ae86aecdb72e
                                                                                                • Instruction Fuzzy Hash: 1C41D573D80124BADF12ABA4CC0AEEE7E68EF44710F114165BC14B61A1E775CE10B792
                                                                                                Uniqueness
                                                                                                • Uniqueness Score: -1.00%
                                                                                                APIs
                                                                                                • GetModuleHandleExW.KERNEL32(00000000,ntdll,?), ref: 00F46A3E
                                                                                                • GetLastError.KERNEL32 ref: 00F46A48
                                                                                                • GetProcAddress.KERNEL32(?,RtlGetVersion), ref: 00F46A8B
                                                                                                • GetLastError.KERNEL32 ref: 00F46A95
                                                                                                • FreeLibrary.KERNEL32(00000000,00000000,?), ref: 00F46BBE
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: ErrorLast$AddressFreeHandleLibraryModuleProc
                                                                                                • String ID: Failed to get OS info.$Failed to locate NTDLL.$Failed to locate RtlGetVersion.$Failed to set variant value.$RtlGetVersion$c:\agent\_work\138\s\src\burn\engine\variable.cpp$ntdll
                                                                                                • API String ID: 3057421322-3435586203
                                                                                                • Opcode ID: d61b0bc39259f1942e9995aef916b4bb3f66fd82f5549f882f704c5dad8f306d
                                                                                                • Instruction ID: e3daf00b27e6e6abbb1bea261282c42a16b0f728bbffce158267a9a92bd7bb52
                                                                                                • Opcode Fuzzy Hash: d61b0bc39259f1942e9995aef916b4bb3f66fd82f5549f882f704c5dad8f306d
                                                                                                • Instruction Fuzzy Hash: 8341B772D402389BDB21AB65CC09BEA7AB4EF49721F004195ED48F6181E774CE44EFD6
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

APIs
• TlsAlloc.KERNEL32(?,00000001,00000001,00000000,00000000,?,?,?,00F454DE,?,?,?,?), ref: 00F449A2
• GetLastError.KERNEL32(?,?,?,00F454DE,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00F449B3
• ReleaseMutex.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00F44AF0
• CloseHandle.KERNEL32(?,?,?,?,00F454DE,?,?,?,?,?,?,?,?,?,?,?), ref: 00F44AF9
Strings
• Failed to pump messages from parent process., xrefs: 00F44AC4
• Failed to connect to unelevated process., xrefs: 00F44998
• c:\agent\_work\138\s\src\burn\engine\engine.cpp, xrefs: 00F449D7, 00F44A20
• comres.dll, xrefs: 00F44A5F
• Failed to allocate thread local storage for logging., xrefs: 00F449E1
• Failed to set elevated pipe into thread local storage for logging., xrefs: 00F44A2A
• Failed to create the message window., xrefs: 00F44A4E
Memory Dump Source
• Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
• Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
Similarity
• API ID: AllocCloseErrorHandleLastMutexRelease
• String ID: Failed to allocate thread local storage for logging.$Failed to connect to unelevated process.$Failed to create the message window.$Failed to pump messages from parent process.$Failed to set elevated pipe into thread local storage for logging.$c:\agent\_work\138\s\src\burn\engine\engine.cpp$comres.dll
• API String ID: 687263955-3592602874
• Opcode ID: fa02167980c997b8947bfd73e89af85ac2bd6741649ad287b14e2939ebc6358b
• Instruction ID: b6d47206386538d92bb4c6713d5f80d25223bf255f72ded27dafd0fb3970019f
• Opcode Fuzzy Hash: fa02167980c997b8947bfd73e89af85ac2bd6741649ad287b14e2939ebc6358b
• Instruction Fuzzy Hash: D8419273A40615BBD715AFE0CC4AFDBBA6CBF04710F000226BE15B6141EB68B954B7E5
Uniqueness
• Uniqueness Score: -1.00%
APIs
• GetTempPathW.KERNEL32(00000104,?,?,00000000,crypt32.dll), ref: 00F53C18
• GetLastError.KERNEL32(?,00000000,crypt32.dll), ref: 00F53C22
• GetCurrentProcessId.KERNEL32(?,?,?,00000104,?,?,00000000,crypt32.dll), ref: 00F53C8B
• ProcessIdToSessionId.KERNEL32(00000000,?,00000000,crypt32.dll), ref: 00F53C92
• CompareStringW.KERNEL32(00000000,00000000,?,?,?,?,?,7FFFFFFF,?,?,?,?,?,00000000,crypt32.dll), ref: 00F53D1C
Strings
• Failed to get temp folder., xrefs: 00F53C50
• Failed to get length of session id string., xrefs: 00F53CE7
• %u\, xrefs: 00F53CAC
• crypt32.dll, xrefs: 00F53BD7
• Failed to format session id as a string., xrefs: 00F53CC0
• c:\agent\_work\138\s\src\burn\engine\logging.cpp, xrefs: 00F53C46
• Failed to get length of temp folder., xrefs: 00F53C7C
• Failed to copy temp folder., xrefs: 00F53D45
Memory Dump Source
• Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
• Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
Similarity
• API ID: Process$CompareCurrentErrorLastPathSessionStringTemp
• String ID: %u\$Failed to copy temp folder.$Failed to format session id as a string.$Failed to get length of session id string.$Failed to get length of temp folder.$Failed to get temp folder.$c:\agent\_work\138\s\src\burn\engine\logging.cpp$crypt32.dll
• API String ID: 2407829081-1565659654
• Opcode ID: fa50b98505ed41d85464487b5ad52c8c589d23f1e4fab4c60be1ca1acbf01e12
• Instruction ID: 46305b14993133363d70e10e6f866597b9f5ab6a4fec561f6ed98e55a03c1b9b
• Opcode Fuzzy Hash: fa50b98505ed41d85464487b5ad52c8c589d23f1e4fab4c60be1ca1acbf01e12
• Instruction Fuzzy Hash: 2341B472D8123DABCB219B549C4DFDA77B8AB10751F110191FD09B7240D6749F88ABD0
Uniqueness
• Uniqueness Score: -1.00%
APIs
• EnterCriticalSection.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000002,00000000,00000000,00000000), ref: 00F480AE
• LeaveCriticalSection.KERNEL32(?), ref: 00F482D6
Strings
• Failed to write variable value type., xrefs: 00F482B6
• Failed to write variable value as string., xrefs: 00F4829A
• Failed to write variable value as number., xrefs: 00F48280
• Failed to write included flag., xrefs: 00F482C4
• Failed to get numeric., xrefs: 00F482A8
• Failed to get version., xrefs: 00F48287
• Unsupported variable type., xrefs: 00F48293
• feclient.dll, xrefs: 00F48189, 00F481DF, 00F48220
• Failed to write variable name., xrefs: 00F482BD
• Failed to write literal flag., xrefs: 00F482AF
• Failed to write variable count., xrefs: 00F480C9
• Failed to get string., xrefs: 00F482A1
Memory Dump Source
• Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
• Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
Similarity
• API ID: CriticalSection$EnterLeave
• String ID: Failed to get numeric.$Failed to get string.$Failed to get version.$Failed to write included flag.$Failed to write literal flag.$Failed to write variable count.$Failed to write variable name.$Failed to write variable value as number.$Failed to write variable value as string.$Failed to write variable value type.$Unsupported variable type.$feclient.dll
• API String ID: 3168844106-2118673349
• Opcode ID: a79968899185c23533dc81fba159a753fe0912ec8d9542fa2697d638295c5404
• Instruction ID: a95a9506e6b662aea3c3bf668a99bed95e00ab8f31b5d515f2cc8307408e9c6b
• Opcode Fuzzy Hash: a79968899185c23533dc81fba159a753fe0912ec8d9542fa2697d638295c5404
• Instruction Fuzzy Hash: B8719732D00A19AFDB129E64CD45BAE7FA4BF047A0F114152FD01A7190DB74DE16BB91
Uniqueness
• Uniqueness Score: -1.00%
APIs
• CreateFileW.KERNEL32(00000000,80000000,00000005,00000000,00000003,08000000,00000000,?,00000000,?,00F5A82B,?,00000000,00000000,00000000,?), ref: 00F597B4
• GetLastError.KERNEL32(?,00F5A82B,?,00000000,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00F597C4
  • Part of subcall function 00F8454C: Sleep.KERNEL32(?,00000000,?,00F585D8,?,?,00000001,00000003,000007D0,?,?,?,?,?,?,00F44E38), ref: 00F84563
• CloseHandle.KERNEL32(00000000,?,00000001,00000003,000007D0,00000000,00000000), ref: 00F598D0
Strings
• Failed to open payload in working path: %ls, xrefs: 00F597F3
• Failed to copy %ls to %ls, xrefs: 00F598BE
• %ls payload from working path '%ls' to path '%ls', xrefs: 00F5987B
• Moving, xrefs: 00F59866
• Failed to verify payload hash: %ls, xrefs: 00F5985C
• Failed to move %ls to %ls, xrefs: 00F598A8
• Copying, xrefs: 00F5986F, 00F5987A
• c:\agent\_work\138\s\src\burn\engine\cache.cpp, xrefs: 00F597E8
• Failed to verify payload signature: %ls, xrefs: 00F5981F
Memory Dump Source
• Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
• Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
Similarity
• API ID: CloseCreateErrorFileHandleLastSleep
• String ID: %ls payload from working path '%ls' to path '%ls'$Copying$Failed to copy %ls to %ls$Failed to move %ls to %ls$Failed to open payload in working path: %ls$Failed to verify payload hash: %ls$Failed to verify payload signature: %ls$Moving$c:\agent\_work\138\s\src\burn\engine\cache.cpp
• API String ID: 1275171361-267695647
• Opcode ID: c08d492c85db447c9c6d64a5c28a07a1e64e2329958d809145356c915a45425a
• Instruction ID: 3426d5840d54025a3a2faef6792b9a42c1bb640a2598fe9103a97d562c5c27c1
• Opcode Fuzzy Hash: c08d492c85db447c9c6d64a5c28a07a1e64e2329958d809145356c915a45425a
• Instruction Fuzzy Hash: 0A312632E49724FBDA262A559C46F6B3A1CDF42B62F420125FE007B281D291DC04B6E1
Uniqueness
• Uniqueness Score: -1.00%
APIs
• GetCurrentProcess.KERNEL32(00000000), ref: 00F466A7
  • Part of subcall function 00F80F42: GetModuleHandleW.KERNEL32(kernel32,IsWow64Process2,?,?,?,?,00F45F1B,00000000), ref: 00F80F57
  • Part of subcall function 00F80F42: GetProcAddress.KERNEL32(00000000), ref: 00F80F5E
  • Part of subcall function 00F80F42: GetLastError.KERNEL32(?,?,?,?,00F45F1B,00000000), ref: 00F80F79
• GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00F466D3
• GetLastError.KERNEL32 ref: 00F466E1
• GetSystemWow64DirectoryW.KERNEL32(?,00000104,00000000), ref: 00F46719
• GetLastError.KERNEL32 ref: 00F46723
• GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00F46766
• GetLastError.KERNEL32 ref: 00F46770
Strings
• Failed to set system folder variant value., xrefs: 00F467CF
• Failed to backslash terminate system folder., xrefs: 00F467B3
• Failed to get 64-bit system folder., xrefs: 00F4670F
• c:\agent\_work\138\s\src\burn\engine\variable.cpp, xrefs: 00F46705, 00F46747
• Failed to get 32-bit system folder., xrefs: 00F46751
Memory Dump Source
• Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
• Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
Similarity
• API ID: ErrorLast$DirectorySystem$AddressCurrentHandleModuleProcProcessWow64
• String ID: Failed to backslash terminate system folder.$Failed to get 32-bit system folder.$Failed to get 64-bit system folder.$Failed to set system folder variant value.$c:\agent\_work\138\s\src\burn\engine\variable.cpp
• API String ID: 325818893-2244462321
• Opcode ID: 1cc4dc5c26c4e6d8275a624c7edf05e6fd904e27091b41be6b3150e2a6719998
• Instruction ID: 20b2b1cc4627223f7a8fb4102e34695180ff20cdd32936151812cfa935187961
• Opcode Fuzzy Hash: 1cc4dc5c26c4e6d8275a624c7edf05e6fd904e27091b41be6b3150e2a6719998
• Instruction Fuzzy Hash: D031D276E4133997DB20A7508C4DBEA7A68AF01728F014161AD04FA181EB789D44ABE2
Uniqueness
• Uniqueness Score: -1.00%
APIs
  • Part of subcall function 00F53B19: RegCloseKey.ADVAPI32(00000000,SOFTWARE\Policies\Microsoft\Windows\Installer,00020019,00000000,?,?,?,?,00F54029,feclient.dll,?,00000000,?,?,?,00F44B92), ref: 00F53BBA
• Sleep.KERNEL32(000007D0,00000001,feclient.dll,?,00000000,?,?,?,00F44B92,?,?,00F8B478,?,00000001,00000000,00000000), ref: 00F540C0
Strings
Memory Dump Source
• Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
• Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
Similarity
• API ID: CloseSleep
• String ID: Failed to copy full log path to prefix.$Failed to copy log extension to extension.$Failed to copy log path to prefix.$Failed to get current directory.$Failed to get non-session specific TEMP folder.$Failed to open log: %ls$Setup$clbcatq.dll$crypt32.dll$feclient.dll$log$msasn1.dll
• API String ID: 2834455192-2673269691
• Opcode ID: c66299cf624522dd281134519d99d839434e42a7879d0cc78518429683a28b34
• Instruction ID: 3f0e5a61e4ab3155b7a6b6cecf341bb5d4709552cd8873745d5e3a85383ff3f3
• Opcode Fuzzy Hash: c66299cf624522dd281134519d99d839434e42a7879d0cc78518429683a28b34
• Instruction Fuzzy Hash: B6610371A00625AAEF169F64CC45B7A7BA8EF10319F144125FE01DB180EB74FDD8B7A1
Uniqueness
• Uniqueness Score: -1.00%
                                                                                                APIs
                                                                                                • ___free_lconv_mon.LIBCMT ref: 00F78D18
                                                                                                  • Part of subcall function 00F7883B: _free.LIBCMT ref: 00F78858
                                                                                                  • Part of subcall function 00F7883B: _free.LIBCMT ref: 00F7886A
                                                                                                  • Part of subcall function 00F7883B: _free.LIBCMT ref: 00F7887C
                                                                                                  • Part of subcall function 00F7883B: _free.LIBCMT ref: 00F7888E
                                                                                                  • Part of subcall function 00F7883B: _free.LIBCMT ref: 00F788A0
                                                                                                  • Part of subcall function 00F7883B: _free.LIBCMT ref: 00F788B2
                                                                                                  • Part of subcall function 00F7883B: _free.LIBCMT ref: 00F788C4
                                                                                                  • Part of subcall function 00F7883B: _free.LIBCMT ref: 00F788D6
                                                                                                  • Part of subcall function 00F7883B: _free.LIBCMT ref: 00F788E8
                                                                                                  • Part of subcall function 00F7883B: _free.LIBCMT ref: 00F788FA
                                                                                                  • Part of subcall function 00F7883B: _free.LIBCMT ref: 00F7890C
                                                                                                  • Part of subcall function 00F7883B: _free.LIBCMT ref: 00F7891E
                                                                                                  • Part of subcall function 00F7883B: _free.LIBCMT ref: 00F78930
                                                                                                • _free.LIBCMT ref: 00F78D0D
                                                                                                  • Part of subcall function 00F7604F: HeapFree.KERNEL32(00000000,00000000,?,00F789CC,?,00000000,?,00000000,?,00F789F3,?,00000007,?,?,00F78E6D,?), ref: 00F76065
                                                                                                  • Part of subcall function 00F7604F: GetLastError.KERNEL32(?,?,00F789CC,?,00000000,?,00000000,?,00F789F3,?,00000007,?,?,00F78E6D,?,?), ref: 00F76077
                                                                                                • _free.LIBCMT ref: 00F78D2F
                                                                                                • _free.LIBCMT ref: 00F78D44
                                                                                                • _free.LIBCMT ref: 00F78D4F
                                                                                                • _free.LIBCMT ref: 00F78D71
                                                                                                • _free.LIBCMT ref: 00F78D84
                                                                                                • _free.LIBCMT ref: 00F78D92
                                                                                                • _free.LIBCMT ref: 00F78D9D
                                                                                                • _free.LIBCMT ref: 00F78DD5
                                                                                                • _free.LIBCMT ref: 00F78DDC
                                                                                                • _free.LIBCMT ref: 00F78DF9
                                                                                                • _free.LIBCMT ref: 00F78E11
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                                                                • String ID:
                                                                                                • API String ID: 161543041-0
                                                                                                • Opcode ID: 42e7b8fde91debb3e864b616064e2e3529481c47a675734fe907532c6319bce4
                                                                                                • Instruction ID: b5920a459c323cc093653e2d0e0cd7286e44174768ad6b9b4858b5312246a182
                                                                                                • Opcode Fuzzy Hash: 42e7b8fde91debb3e864b616064e2e3529481c47a675734fe907532c6319bce4
                                                                                                • Instruction Fuzzy Hash: BB319F31A406019FEB31AA78DC09B5677E8EF517A0F24C42BE45CD7192DF39AC81EB12
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • CompareStringW.KERNEL32(00000000,00000001,006C0064,000000FF,00707063,000000FF,?,00000000,?,wininet.dll,?,crypt32.dll,?,?,?,00000000), ref: 00F52D70
                                                                                                Strings
                                                                                                • Failed to add dependent bundle provider key to ignore dependents., xrefs: 00F52EDA
                                                                                                • wininet.dll, xrefs: 00F52FBD
                                                                                                • Failed to add registration action for dependent related bundle., xrefs: 00F53072
                                                                                                • crypt32.dll, xrefs: 00F52DBB, 00F52EB5, 00F52FAA, 00F5301F
                                                                                                • Failed to add registration action for self dependent., xrefs: 00F5303D
                                                                                                • Failed to allocate registration action., xrefs: 00F52DD9
                                                                                                • Failed to check for remaining dependents during planning., xrefs: 00F52F16
                                                                                                • Failed to add self-dependent to ignore dependents., xrefs: 00F52DF4
                                                                                                • Failed to add dependents ignored from command-line., xrefs: 00F52E25
                                                                                                • Failed to create the string dictionary., xrefs: 00F52DA9
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: CompareString
                                                                                                • String ID: Failed to add dependent bundle provider key to ignore dependents.$Failed to add dependents ignored from command-line.$Failed to add registration action for dependent related bundle.$Failed to add registration action for self dependent.$Failed to add self-dependent to ignore dependents.$Failed to allocate registration action.$Failed to check for remaining dependents during planning.$Failed to create the string dictionary.$crypt32.dll$wininet.dll
                                                                                                • API String ID: 1825529933-1705955799
                                                                                                • Opcode ID: 2a911281d86d131caeaff2056ec0f245e7ff89fe58f95de9d3a39cd3ab26571a
                                                                                                • Instruction ID: bc74ccb83f1fe12ba4713797050a0a7a4a4386ade5adc5c349a111cb7b20f26c
                                                                                                • Opcode Fuzzy Hash: 2a911281d86d131caeaff2056ec0f245e7ff89fe58f95de9d3a39cd3ab26571a
                                                                                                • Instruction Fuzzy Hash: C0B1AD31E00626EBCF659F18CC41BAE7BB5BF05762F008269FE04AA251C774DA54EBD1
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • EnterCriticalSection.KERNEL32(?), ref: 00F5F894
                                                                                                • UuidCreate.RPCRT4(?), ref: 00F5F977
                                                                                                • StringFromGUID2.OLE32(?,?,00000027), ref: 00F5F998
                                                                                                • LeaveCriticalSection.KERNEL32(?,?), ref: 00F5FA41
                                                                                                Strings
                                                                                                • Failed to set update bundle., xrefs: 00F5FA1B
                                                                                                • Failed to convert bundle update guid into string., xrefs: 00F5F9B7
                                                                                                • c:\agent\_work\138\s\src\burn\engine\engineforapplication.cpp, xrefs: 00F5F9AD
                                                                                                • Failed to create bundle update guid., xrefs: 00F5F984
                                                                                                • update\%ls, xrefs: 00F5F8F0
                                                                                                • Failed to default local update source, xrefs: 00F5F904
                                                                                                • Failed to recreate command-line for update bundle., xrefs: 00F5F95F
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: CriticalSection$CreateEnterFromLeaveStringUuid
                                                                                                • String ID: Failed to convert bundle update guid into string.$Failed to create bundle update guid.$Failed to default local update source$Failed to recreate command-line for update bundle.$Failed to set update bundle.$c:\agent\_work\138\s\src\burn\engine\engineforapplication.cpp$update\%ls
                                                                                                • API String ID: 171215650-4014518301
                                                                                                • Opcode ID: a7406411fc51d0c31810aa0e3a57b1f67a0661a3a3d50ffebb14720acfc252c5
                                                                                                • Instruction ID: 3226237556938ed24bd5dc375871307fbb419366f24c12b40049368d4e914656
                                                                                                • Opcode Fuzzy Hash: a7406411fc51d0c31810aa0e3a57b1f67a0661a3a3d50ffebb14720acfc252c5
                                                                                                • Instruction Fuzzy Hash: 8C517D31E00619ABDF218FA4CC45FAE7BB5EF08721F1541B9FE08AB251D7349848EB91
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • IsWindow.USER32(?), ref: 00F44CE4
                                                                                                • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00F44CF5
                                                                                                Strings
                                                                                                • Failed to set registration variables., xrefs: 00F44C5E
                                                                                                • Failed to query registration., xrefs: 00F44C2E
                                                                                                • Failed while running , xrefs: 00F44CAA
                                                                                                • Failed to check global conditions, xrefs: 00F44BC9
                                                                                                • WixBundleLayoutDirectory, xrefs: 00F44C75
                                                                                                • Failed to set action variables., xrefs: 00F44C44
                                                                                                • Failed to set layout directory variable to value provided from command-line., xrefs: 00F44C86
                                                                                                • Failed to create the message window., xrefs: 00F44C18
                                                                                                • Failed to open log., xrefs: 00F44B98
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: MessagePostWindow
                                                                                                • String ID: Failed to check global conditions$Failed to create the message window.$Failed to open log.$Failed to query registration.$Failed to set action variables.$Failed to set layout directory variable to value provided from command-line.$Failed to set registration variables.$Failed while running $WixBundleLayoutDirectory
                                                                                                • API String ID: 3618638489-3051724725
                                                                                                • Opcode ID: 9d2e82a2688e4d76f7178c4e522064caa885f1b40d50b33e598983ac2922712a
                                                                                                • Instruction ID: 8064bc06e6e17bd76a1904fcef17632acb1283d970cf8306230ae138d1d37c5b
                                                                                                • Opcode Fuzzy Hash: 9d2e82a2688e4d76f7178c4e522064caa885f1b40d50b33e598983ac2922712a
                                                                                                • Instruction Fuzzy Hash: 6341E532A0161ABBCB166A60CC85FFABE5CBF00751F180215BE04B6191EB74FD54B7E1
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                  • Part of subcall function 00F43A1A: GetProcessHeap.KERNEL32(?,000001C7,?,00F423A7,?,00000001,80004005,8007139F,?,?,00F80687,8007139F,?,00000000,00000000,8007139F), ref: 00F43A2B
                                                                                                  • Part of subcall function 00F43A1A: RtlAllocateHeap.NTDLL(00000000,?,00F423A7,?,00000001,80004005,8007139F,?,?,00F80687,8007139F,?,00000000,00000000,8007139F), ref: 00F43A32
                                                                                                • EnterCriticalSection.KERNEL32(?,00000014,00000001), ref: 00F5EFCA
                                                                                                • LeaveCriticalSection.KERNEL32(?), ref: 00F5F0F7
                                                                                                Strings
                                                                                                • Engine is active, cannot change engine state., xrefs: 00F5EFE5
                                                                                                • Failed to copy the id., xrefs: 00F5F05C
                                                                                                • c:\agent\_work\138\s\src\burn\engine\engineforapplication.cpp, xrefs: 00F5F0D8
                                                                                                • UX requested unknown approved exe with id: %ls, xrefs: 00F5F02A
                                                                                                • Failed to post launch approved exe message., xrefs: 00F5F0E2
                                                                                                • Failed to copy the arguments., xrefs: 00F5F089
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: CriticalHeapSection$AllocateEnterLeaveProcess
                                                                                                • String ID: Engine is active, cannot change engine state.$Failed to copy the arguments.$Failed to copy the id.$Failed to post launch approved exe message.$UX requested unknown approved exe with id: %ls$c:\agent\_work\138\s\src\burn\engine\engineforapplication.cpp
                                                                                                • API String ID: 1367039788-1363755703
                                                                                                • Opcode ID: 112beb19aa4c09df22ec24e2c7818a372859e057569dbdb42fd8315311ee95f5
                                                                                                • Instruction ID: 8357015b3f28f55ea643d470f8fc1ab55b5ef95e5e018ac38f4abaf44cb928e7
                                                                                                • Opcode Fuzzy Hash: 112beb19aa4c09df22ec24e2c7818a372859e057569dbdb42fd8315311ee95f5
                                                                                                • Instruction Fuzzy Hash: 6831DB32A00325AFDB119F64DC49E6A7B98AF00731B158161FE04EB2D2EB75DD08B7E1
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • CreateFileW.KERNEL32(00000000,80000000,00000005,00000000,00000003,08000000,00000000,?,00000000,?,00F5A7BE,?,00000000,00000000,00000000,?), ref: 00F5969F
                                                                                                • GetLastError.KERNEL32(?,00F5A7BE,?,00000000,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00F596AD
                                                                                                  • Part of subcall function 00F8454C: Sleep.KERNEL32(?,00000000,?,00F585D8,?,?,00000001,00000003,000007D0,?,?,?,?,?,?,00F44E38), ref: 00F84563
                                                                                                • CloseHandle.KERNEL32(00000000,?,00000001,00000003,000007D0,00000000,00000000), ref: 00F5978B
                                                                                                Strings
                                                                                                • Failed to open container in working path: %ls, xrefs: 00F596DC
                                                                                                • Failed to copy %ls to %ls, xrefs: 00F59779
                                                                                                • Moving, xrefs: 00F59721
                                                                                                • Failed to move %ls to %ls, xrefs: 00F59763
                                                                                                • Failed to verify container hash: %ls, xrefs: 00F5970E
                                                                                                • %ls container from working path '%ls' to path '%ls', xrefs: 00F59736
                                                                                                • Copying, xrefs: 00F5972A, 00F59735
                                                                                                • c:\agent\_work\138\s\src\burn\engine\cache.cpp, xrefs: 00F596D1
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: CloseCreateErrorFileHandleLastSleep
                                                                                                • String ID: %ls container from working path '%ls' to path '%ls'$Copying$Failed to copy %ls to %ls$Failed to move %ls to %ls$Failed to open container in working path: %ls$Failed to verify container hash: %ls$Moving$c:\agent\_work\138\s\src\burn\engine\cache.cpp
                                                                                                • API String ID: 1275171361-282647985
                                                                                                • Opcode ID: efc5f3c2fb0f74b8808ee32f5ec6a2b99420362d62bfb9cb27dacd2a05be0c78
                                                                                                • Instruction ID: cdbc91b19f082c7fef6d24cee73cd37555611b0d7e4e06f1abae0cd18eb3fa27
                                                                                                • Opcode Fuzzy Hash: efc5f3c2fb0f74b8808ee32f5ec6a2b99420362d62bfb9cb27dacd2a05be0c78
                                                                                                • Instruction Fuzzy Hash: B7212632A58725BBEB223A299C46FAB3A1CDF45B61F120011FE11BA2C1D695DC04B6E5
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • EnterCriticalSection.KERNEL32(00000000,?,00000000,?,00000000,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 00F47068
                                                                                                • LeaveCriticalSection.KERNEL32(?), ref: 00F47274
                                                                                                Strings
                                                                                                • Failed to read variable name., xrefs: 00F4725D
                                                                                                • Failed to read variable value type., xrefs: 00F47256
                                                                                                • Failed to set variable., xrefs: 00F47248
                                                                                                • Failed to read variable included flag., xrefs: 00F47264
                                                                                                • Failed to read variable value as string., xrefs: 00F47241
                                                                                                • Unsupported variable type., xrefs: 00F4723A
                                                                                                • Failed to read variable literal flag., xrefs: 00F4724F
                                                                                                • Failed to read variable value as number., xrefs: 00F4722E
                                                                                                • Failed to set variable value., xrefs: 00F47227
                                                                                                • Failed to read variable count., xrefs: 00F47088
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: CriticalSection$EnterLeave
                                                                                                • String ID: Failed to read variable count.$Failed to read variable included flag.$Failed to read variable literal flag.$Failed to read variable name.$Failed to read variable value as number.$Failed to read variable value as string.$Failed to read variable value type.$Failed to set variable value.$Failed to set variable.$Unsupported variable type.
                                                                                                • API String ID: 3168844106-528957463
                                                                                                • Opcode ID: 86b77e41d8e396ceba9443ccab012303c097ecffa320af26097d985e2eba3366
                                                                                                • Instruction ID: a57f41cd3b63995f18f2f86ea3f2b112adda833487d891f51dd5550f998e2112
                                                                                                • Opcode Fuzzy Hash: 86b77e41d8e396ceba9443ccab012303c097ecffa320af26097d985e2eba3366
                                                                                                • Instruction Fuzzy Hash: AD716072C0922EABDF11AEA4CD45EAF7FB9EF44710F104126BD00A6290D774DE14BB91
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • CreateFileW.KERNEL32(00000000,80000000,00000005,00000000,00000003,08000080,00000000,?,?,00000000,?,00000000,?,?,?), ref: 00F84997
                                                                                                • GetLastError.KERNEL32 ref: 00F849AD
                                                                                                • GetFileSizeEx.KERNEL32(00000000,?), ref: 00F849FD
                                                                                                • GetLastError.KERNEL32 ref: 00F84A07
                                                                                                • SetFilePointer.KERNEL32(00000000,?,?,00000001), ref: 00F84A5B
                                                                                                • GetLastError.KERNEL32 ref: 00F84A66
                                                                                                • ReadFile.KERNEL32(?,?,?,?,00000000,?,00000000,?,?,00000001), ref: 00F84B55
                                                                                                • CloseHandle.KERNEL32(?), ref: 00F84BC8
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: File$ErrorLast$CloseCreateHandlePointerReadSize
                                                                                                • String ID: c:\agent\_work\138\s\src\libs\dutil\fileutil.cpp
                                                                                                • API String ID: 3286166115-3168567549
                                                                                                • Opcode ID: 942c574fa878c883e1e3ba12bdcb4563b34ac0f739ab5bc5b5dd2bcf4f54d5d9
                                                                                                • Instruction ID: c2194ef714f1f9a1ea39da9da86e0e2f863cf28af86ba11e1cbad291d83c933a
                                                                                                • Opcode Fuzzy Hash: 942c574fa878c883e1e3ba12bdcb4563b34ac0f739ab5bc5b5dd2bcf4f54d5d9
                                                                                                • Instruction Fuzzy Hash: ED810532E80227EBDB31AE588C45BEB7698EB40770F114269FD55EF280D678ED00B794
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • ExpandEnvironmentStringsW.KERNEL32(00000040,00000000,00000040,00000000,00000040,00000000,00000000), ref: 00F431E7
                                                                                                • GetLastError.KERNEL32 ref: 00F431ED
                                                                                                • ExpandEnvironmentStringsW.KERNEL32(00000040,00000000,00000040,00000000,00000000), ref: 00F43247
                                                                                                • GetLastError.KERNEL32 ref: 00F4324D
                                                                                                • GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00F43301
                                                                                                • GetLastError.KERNEL32 ref: 00F4330B
                                                                                                • GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 00F43361
                                                                                                • GetLastError.KERNEL32 ref: 00F4336B
                                                                                                Strings
                                                                                                • c:\agent\_work\138\s\src\libs\dutil\pathutil.cpp, xrefs: 00F43211
                                                                                                • @, xrefs: 00F431C1
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: ErrorLast$EnvironmentExpandFullNamePathStrings
                                                                                                • String ID: @$c:\agent\_work\138\s\src\libs\dutil\pathutil.cpp
                                                                                                • API String ID: 1547313835-3477864740
                                                                                                • Opcode ID: 1bd670ba03c675c953771b8c70e098eded52aaa651e0d88e8f99b1dbb8987da0
                                                                                                • Instruction ID: c91d2866781496a32294a46479328e32a7b7437834e7b25910666a78950b6e9e
                                                                                                • Opcode Fuzzy Hash: 1bd670ba03c675c953771b8c70e098eded52aaa651e0d88e8f99b1dbb8987da0
                                                                                                • Instruction Fuzzy Hash: 97617473D00629ABDB219FE58C85BEEBE68AF00760F114165EE11BB151E775DF00BBA0
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,label,000000FF,?,?,?,74DEDFD0,?,00F876B6,?,?), ref: 00F8719A
                                                                                                • SysFreeString.OLEAUT32(00000000), ref: 00F87205
                                                                                                • SysFreeString.OLEAUT32(00000000), ref: 00F8727D
                                                                                                • SysFreeString.OLEAUT32(00000000), ref: 00F872BC
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: String$Free$Compare
                                                                                                • String ID: `<u$label$scheme$term
                                                                                                • API String ID: 1324494773-4028212031
                                                                                                • Opcode ID: b838e5d23e1042ab9dd4b5941349b22a2cf1cd0a3bf37a38e84b0c2ac9f9d53f
                                                                                                • Instruction ID: 6628e12b91ce19c71966d5369a32aae34f71e62e5d0d023360591fff446f6a67
                                                                                                • Opcode Fuzzy Hash: b838e5d23e1042ab9dd4b5941349b22a2cf1cd0a3bf37a38e84b0c2ac9f9d53f
                                                                                                • Instruction Fuzzy Hash: 01511932D05219EBCB15FBA4CC49FEEBBB9AF05721F244295F511AA1A0D734DE40EB50
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • UuidCreate.RPCRT4(?), ref: 00F54E3A
                                                                                                • StringFromGUID2.OLE32(?,?,00000027), ref: 00F54E69
                                                                                                • UuidCreate.RPCRT4(?), ref: 00F54EB4
                                                                                                • StringFromGUID2.OLE32(?,?,00000027), ref: 00F54EE0
                                                                                                Strings
                                                                                                • c:\agent\_work\138\s\src\burn\engine\pipe.cpp, xrefs: 00F54E7A, 00F54EC7
                                                                                                • Failed to allocate pipe secret., xrefs: 00F54F09
                                                                                                • BurnPipe.%s, xrefs: 00F54E95
                                                                                                • Failed to create pipe guid., xrefs: 00F54E47
                                                                                                • Failed to allocate pipe name., xrefs: 00F54EA9
                                                                                                • Failed to convert pipe guid into string., xrefs: 00F54E86
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: CreateFromStringUuid
                                                                                                • String ID: BurnPipe.%s$Failed to allocate pipe name.$Failed to allocate pipe secret.$Failed to convert pipe guid into string.$Failed to create pipe guid.$c:\agent\_work\138\s\src\burn\engine\pipe.cpp
                                                                                                • API String ID: 4041566446-1585371156
                                                                                                • Opcode ID: 88d2f526fc9946c01a057571808f44cc00b66e12396f3eb3d15669b1759e4f10
                                                                                                • Instruction ID: ce7f22622fe62142b78d2b7f17ce22aaf1740428debaa54be4d71c8f7f44b5b4
                                                                                                • Opcode Fuzzy Hash: 88d2f526fc9946c01a057571808f44cc00b66e12396f3eb3d15669b1759e4f10
                                                                                                • Instruction Fuzzy Hash: 27418272D00308EBDB11DBE4DC06FDEBBF8AB54715F114126EA05FB140D674AA49EB51
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,00000000,?,?,00F45506,?,?), ref: 00F5EA02
                                                                                                • GetLastError.KERNEL32(?,00F45506,?,?), ref: 00F5EA0F
                                                                                                • CreateThread.KERNEL32(00000000,00000000,00F5E720,?,00000000,00000000), ref: 00F5EA68
                                                                                                • GetLastError.KERNEL32(?,00F45506,?,?), ref: 00F5EA75
                                                                                                • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,00F45506,?,?), ref: 00F5EAB0
                                                                                                • CloseHandle.KERNEL32(00000000,?,00F45506,?,?), ref: 00F5EACF
                                                                                                • CloseHandle.KERNEL32(?,?,00F45506,?,?), ref: 00F5EADC
                                                                                                Strings
                                                                                                • Failed to create the UI thread., xrefs: 00F5EAA0
                                                                                                • c:\agent\_work\138\s\src\burn\engine\uithread.cpp, xrefs: 00F5EA30, 00F5EA96
                                                                                                • Failed to create initialization event., xrefs: 00F5EA3A
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: CloseCreateErrorHandleLast$EventMultipleObjectsThreadWait
                                                                                                • String ID: Failed to create initialization event.$Failed to create the UI thread.$c:\agent\_work\138\s\src\burn\engine\uithread.cpp
                                                                                                • API String ID: 2351989216-616715975
                                                                                                • Opcode ID: 421069e8fa45c8b557f116635486af63398e9c76c52db2767f5572f20d9bc60e
                                                                                                • Instruction ID: ae4b87a29969bf4ad1b4b285a3a4ed7548165f860c606fed12e638ac883ce848
                                                                                                • Opcode Fuzzy Hash: 421069e8fa45c8b557f116635486af63398e9c76c52db2767f5572f20d9bc60e
                                                                                                • Instruction Fuzzy Hash: 8F318676D01229BBD711DBA98D45AEEBAB8FF04761F114125FE04F7240E7349F04ABA1
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,00000000,00000000,?,?,00F45506,?,?), ref: 00F5E5D6
                                                                                                • GetLastError.KERNEL32(?,?,00F45506,?,?), ref: 00F5E5E3
                                                                                                • CreateThread.KERNEL32(00000000,00000000,00F5E33A,00000000,00000000,00000000), ref: 00F5E642
                                                                                                • GetLastError.KERNEL32(?,?,00F45506,?,?), ref: 00F5E64F
                                                                                                • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,?,00F45506,?,?), ref: 00F5E68A
                                                                                                • CloseHandle.KERNEL32(?,?,?,00F45506,?,?), ref: 00F5E69E
                                                                                                • CloseHandle.KERNEL32(?,?,?,00F45506,?,?), ref: 00F5E6AB
                                                                                                Strings
                                                                                                • Failed to create modal event., xrefs: 00F5E60E
                                                                                                • c:\agent\_work\138\s\src\burn\engine\splashscreen.cpp, xrefs: 00F5E604, 00F5E670
                                                                                                • Failed to create UI thread., xrefs: 00F5E67A
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: CloseCreateErrorHandleLast$EventMultipleObjectsThreadWait
                                                                                                • String ID: Failed to create UI thread.$Failed to create modal event.$c:\agent\_work\138\s\src\burn\engine\splashscreen.cpp
                                                                                                • API String ID: 2351989216-1941576802
                                                                                                • Opcode ID: c4d9d9ac8ed4382ef350cc6e96b25b5c48bb3a1393bc84bb6b639fe5cfa53a78
                                                                                                • Instruction ID: c9cc072957a86730d67ce5e891365a107df4a6d0c9d660df416e645607880c13
                                                                                                • Opcode Fuzzy Hash: c4d9d9ac8ed4382ef350cc6e96b25b5c48bb3a1393bc84bb6b639fe5cfa53a78
                                                                                                • Instruction Fuzzy Hash: 7931AF76D10229BBDB219F99CC05AEFBBB8AF54761F004126FE10F6250E7348A04AB91
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,74DF2F60,?,?), ref: 00F613BE
                                                                                                • GetLastError.KERNEL32 ref: 00F613D1
                                                                                                • GetExitCodeThread.KERNEL32(00F8B478,00000000), ref: 00F61413
                                                                                                • GetLastError.KERNEL32 ref: 00F61421
                                                                                                • ResetEvent.KERNEL32(00F8B450), ref: 00F6145C
                                                                                                • GetLastError.KERNEL32 ref: 00F61466
                                                                                                Strings
                                                                                                • Failed to reset operation complete event., xrefs: 00F61497
                                                                                                • c:\agent\_work\138\s\src\burn\engine\cabextract.cpp, xrefs: 00F613F8, 00F61448, 00F6148D
                                                                                                • Failed to get extraction thread exit code., xrefs: 00F61452
                                                                                                • Failed to wait for operation complete event., xrefs: 00F61402
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: ErrorLast$CodeEventExitMultipleObjectsResetThreadWait
                                                                                                • String ID: Failed to get extraction thread exit code.$Failed to reset operation complete event.$Failed to wait for operation complete event.$c:\agent\_work\138\s\src\burn\engine\cabextract.cpp
                                                                                                • API String ID: 2979751695-2767648441
                                                                                                • Opcode ID: 03e68535ed61dff45fbd0d55663d797c2fa1a10a52801a07c54e5d09c029c69b
                                                                                                • Instruction ID: 7f779d1e5d23160dd08c4e61e0760533d6599a0073115886dc440a9711153bf2
                                                                                                • Opcode Fuzzy Hash: 03e68535ed61dff45fbd0d55663d797c2fa1a10a52801a07c54e5d09c029c69b
                                                                                                • Instruction Fuzzy Hash: B3317171A40316EBEB00DB658D06BBE7BE8BB04711F244159F845EB1A1EB75DA00BBA1
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • SetEvent.KERNEL32(00F8B468,?,00000000,?,00F4C289,?,00F45435,00000000,?,00F57846,?,00F456E5,00F454F1,00F454F1,00000000,?), ref: 00F614D1
                                                                                                • GetLastError.KERNEL32(?,00F4C289,?,00F45435,00000000,?,00F57846,?,00F456E5,00F454F1,00F454F1,00000000,?,00F45501,FFF9E89D,00F45501), ref: 00F614DB
                                                                                                • WaitForSingleObject.KERNEL32(00F8B478,000000FF,?,00F4C289,?,00F45435,00000000,?,00F57846,?,00F456E5,00F454F1,00F454F1,00000000,?,00F45501), ref: 00F61515
                                                                                                • GetLastError.KERNEL32(?,00F4C289,?,00F45435,00000000,?,00F57846,?,00F456E5,00F454F1,00F454F1,00000000,?,00F45501,FFF9E89D,00F45501), ref: 00F6151F
                                                                                                • CloseHandle.KERNEL32(00000000,00F45501,?,00000000,?,00F4C289,?,00F45435,00000000,?,00F57846,?,00F456E5,00F454F1,00F454F1,00000000), ref: 00F6156A
                                                                                                • CloseHandle.KERNEL32(00000000,00F45501,?,00000000,?,00F4C289,?,00F45435,00000000,?,00F57846,?,00F456E5,00F454F1,00F454F1,00000000), ref: 00F61579
                                                                                                • CloseHandle.KERNEL32(00000000,00F45501,?,00000000,?,00F4C289,?,00F45435,00000000,?,00F57846,?,00F456E5,00F454F1,00F454F1,00000000), ref: 00F61588
                                                                                                Strings
                                                                                                • Failed to set begin operation event., xrefs: 00F61509
                                                                                                • Failed to wait for thread to terminate., xrefs: 00F6154D
                                                                                                • c:\agent\_work\138\s\src\burn\engine\cabextract.cpp, xrefs: 00F614FF, 00F61543
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: CloseHandle$ErrorLast$EventObjectSingleWait
                                                                                                • String ID: Failed to set begin operation event.$Failed to wait for thread to terminate.$c:\agent\_work\138\s\src\burn\engine\cabextract.cpp
                                                                                                • API String ID: 1206859064-76747171
                                                                                                • Opcode ID: a15d8d3eec254ba390eb3c6c7da65ffe1e3e40dc0885a252a415ad41deb12f21
                                                                                                • Instruction ID: c5575d5ca67cee313207341510dfa3914ae28985411c27a162aba8dee0d8b3aa
                                                                                                • Opcode Fuzzy Hash: a15d8d3eec254ba390eb3c6c7da65ffe1e3e40dc0885a252a415ad41deb12f21
                                                                                                • Instruction Fuzzy Hash: 24212733900636BBD7215B25DC09B56FAA0BF04731F090225F90A669A0E778EC60FBD5
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • GetModuleHandleW.KERNEL32(kernel32,IsWow64Process2,?,?,?,?,00F45F1B,00000000), ref: 00F80F57
                                                                                                • GetProcAddress.KERNEL32(00000000), ref: 00F80F5E
                                                                                                • GetLastError.KERNEL32(?,?,?,?,00F45F1B,00000000), ref: 00F80F79
                                                                                                • GetModuleHandleW.KERNEL32(kernel32,IsWow64Process,?,?,?,?,00F45F1B,00000000), ref: 00F80FBB
                                                                                                • GetProcAddress.KERNEL32(00000000), ref: 00F80FC2
                                                                                                • GetLastError.KERNEL32(?,?,?,?,00F45F1B,00000000), ref: 00F80FD9
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: AddressErrorHandleLastModuleProc
                                                                                                • String ID: IsWow64Process$IsWow64Process2$c:\agent\_work\138\s\src\libs\dutil\procutil.cpp$kernel32
                                                                                                • API String ID: 4275029093-515427556
                                                                                                • Opcode ID: 9173b65a9f1af811f344da689d23ff858ec93bba21c7c17777b4a37611a3a892
                                                                                                • Instruction ID: 73a4092b3515097c67b68f5594e5c7ef57286a8180cc3279ef5edb014c9022ef
                                                                                                • Opcode Fuzzy Hash: 9173b65a9f1af811f344da689d23ff858ec93bba21c7c17777b4a37611a3a892
                                                                                                • Instruction Fuzzy Hash: A5119377E41336AB97706B958C09AEB7E68EF00761B458014BE15EA290EF60CD04F7E1
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                  • Part of subcall function 00F8093D: EnterCriticalSection.KERNEL32(00FAC6EC,00000000,?,?,?,00F5427F,00000000,Setup,_Failed,txt,00000000,00000000,00000000,00000001,00F45572,?), ref: 00F8094D
                                                                                                  • Part of subcall function 00F8093D: LeaveCriticalSection.KERNEL32(00FAC6EC,?,?,00FAC6E4,?,00F5427F,00000000,Setup,_Failed,txt,00000000,00000000,00000000,00000001,00F45572,?), ref: 00F80A94
                                                                                                • OpenEventLogW.ADVAPI32(00000000,Application), ref: 00F5428A
                                                                                                • GetLastError.KERNEL32(?,?,?,?,?,?,?,00000000,?,?,?,?,?,?), ref: 00F54296
                                                                                                • ReportEventW.ADVAPI32(00000000,00000001,00000001,00000001,00000000,00000001,00000000,00F93CC4,00000000), ref: 00F542E3
                                                                                                • CloseEventLog.ADVAPI32(00000000), ref: 00F542EA
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: Event$CriticalSection$CloseEnterErrorLastLeaveOpenReport
                                                                                                • String ID: Application$Failed to open Application event log$Setup$_Failed$c:\agent\_work\138\s\src\burn\engine\logging.cpp$txt
                                                                                                • API String ID: 1844635321-3521639449
                                                                                                • Opcode ID: 6e0ad072e217c22d98b2efa91077e5c6cbf703d5eefeed5666da65f7d04752d2
                                                                                                • Instruction ID: cf5ed5df924d1a4acea8c322fb2b5dc900dc3a58fba92862e2218c7d140dd8bc
                                                                                                • Opcode Fuzzy Hash: 6e0ad072e217c22d98b2efa91077e5c6cbf703d5eefeed5666da65f7d04752d2
                                                                                                • Instruction Fuzzy Hash: 4FF08133A816727A7A2232626C0ADBB6C6CCAC6F76B410018FD10F5181DB44DD49B5F6
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%
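The per-function listings in this report all share one shape: API calls with module and reference address (optionally marked as part of a subcall), a String ID joined with `$`, and an Opcode ID. The following is an added example, not code from the Joe Sandbox report or from the WiX Burn engine it analyses: a parser for that shape plus a small triage pass that tags functions which resolve APIs at run time through GetProcAddress (the report's "dynamically determine API calls" signature, as in the procutil.cpp listing) and functions that write to the Application event log (the logging.cpp listing). The sample text is constructed from those two listings. The rule names, and the treatment of the bracketed argument lists as raw stack slots of which only the first slot of a GetModuleHandleW/LoadLibrary call is trusted as a module name, are assumptions of this example.

```python
"""Parse Joe Sandbox per-function API listings and triage the records.

Added example; not part of the Joe Sandbox report or of the WiX Burn engine.
SAMPLE is constructed from two listings in the report.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# One "• Api.MODULE(args), ref: ADDR" line. The "Part of subcall function X:"
# prefix and the bracketed argument list are both optional (bare GetLastError
# lines carry neither). Arguments are kept as the raw stack slots Joe Sandbox
# renders, not as a verified prototype (assumption of this example).
API_RE = re.compile(
    r"•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>[A-Z0-9]+)(?:\((?P<args>[^)]*)\))?,?\s*\bref:\s*(?P<ref>[0-9A-F]+)"
)
FIELD_RE = re.compile(r"•\s*(?P<key>API ID|String ID|Opcode ID):\s*(?P<val>.*)$")

MODULE_LOOKUPS = {"GetModuleHandleW", "GetModuleHandleA", "LoadLibraryW",
                  "LoadLibraryA", "LoadLibraryExW", "LoadLibraryExA"}
# Rule names are this example's own; they mirror the report's signature titles.
TRIAGE_RULES = {
    "dynamic-api-resolution": {"GetProcAddress"},
    "event-log-write": {"ReportEventW", "ReportEventA"},
    "thread-creation": {"CreateThread", "CreateRemoteThread"},
}


@dataclass
class ApiCall:
    api: str
    module: str
    ref: str
    args: List[str]
    via_subcall: Optional[str] = None  # set for "Part of subcall function X" lines


@dataclass
class FunctionBlock:
    calls: List[ApiCall] = field(default_factory=list)
    strings: List[str] = field(default_factory=list)  # String ID split on '$'
    source_file: str = ""                             # any *.cpp entry among the strings
    opcode_id: str = ""


def parse_blocks(text: str) -> List[FunctionBlock]:
    """One FunctionBlock per listing; a 'Uniqueness Score' line terminates a listing."""
    blocks: List[FunctionBlock] = []
    cur = FunctionBlock()
    for line in text.splitlines():
        m = API_RE.search(line)
        if m:
            args = [a for a in (m.group("args") or "").split(",") if a]
            cur.calls.append(ApiCall(m.group("api"), m.group("mod"), m.group("ref"), args, m.group("sub")))
            continue
        m = FIELD_RE.search(line)
        if m:
            key, val = m.group("key"), m.group("val").strip()
            if key == "String ID":
                cur.strings = [s for s in val.split("$") if s]
                cur.source_file = next((s for s in cur.strings if s.lower().endswith(".cpp")), "")
            elif key == "Opcode ID":
                cur.opcode_id = val
            continue
        if line.strip().startswith("Uniqueness Score"):
            if cur.calls or cur.strings:
                blocks.append(cur)
            cur = FunctionBlock()
    return blocks


def triage(block: FunctionBlock) -> Tuple[List[str], List[str]]:
    """Return (tags, looked_up). looked_up lists the symbols a GetProcAddress caller
    requested, recovered from the String ID minus the module name(s) and source path."""
    names = {c.api for c in block.calls}
    tags = sorted(tag for tag, apis in TRIAGE_RULES.items() if names & apis)
    looked_up: List[str] = []
    if "dynamic-api-resolution" in tags:
        modules = {c.args[0].lower() for c in block.calls if c.api in MODULE_LOOKUPS and c.args}
        looked_up = [s for s in block.strings if s != block.source_file and s.lower() not in modules]
    return tags, looked_up


def summarize(text: str) -> List[Tuple[str, List[str], List[str]]]:
    """(source file basename, API call sequence, triage tags) for each listing."""
    return [(b.source_file.rsplit("\\", 1)[-1], [c.api for c in b.calls], triage(b)[0])
            for b in parse_blocks(text)]


# Constructed from the procutil.cpp and logging.cpp listings of this report.
SAMPLE = r"""
APIs
• GetModuleHandleW.KERNEL32(kernel32,IsWow64Process2,?,?,?,?,00F45F1B,00000000), ref: 00F80F57
• GetProcAddress.KERNEL32(00000000), ref: 00F80F5E
• GetLastError.KERNEL32(?,?,?,?,00F45F1B,00000000), ref: 00F80F79
• GetModuleHandleW.KERNEL32(kernel32,IsWow64Process,?,?,?,?,00F45F1B,00000000), ref: 00F80FBB
• GetProcAddress.KERNEL32(00000000), ref: 00F80FC2
• GetLastError.KERNEL32(?,?,?,?,00F45F1B,00000000), ref: 00F80FD9
Similarity
• API ID: AddressErrorHandleLastModuleProc
• String ID: IsWow64Process$IsWow64Process2$c:\agent\_work\138\s\src\libs\dutil\procutil.cpp$kernel32
• Opcode ID: 9173b65a9f1af811f344da689d23ff858ec93bba21c7c17777b4a37611a3a892
Uniqueness Score: -1.00%
APIs
  • Part of subcall function 00F8093D: EnterCriticalSection.KERNEL32(00FAC6EC,00000000,?,?,?,00F5427F,00000000,Setup,_Failed,txt), ref: 00F8094D
• OpenEventLogW.ADVAPI32(00000000,Application), ref: 00F5428A
• GetLastError.KERNEL32(?,?,?,?,?,?,?,00000000,?,?,?,?,?,?), ref: 00F54296
• ReportEventW.ADVAPI32(00000000,00000001,00000001,00000001,00000000,00000001,00000000,00F93CC4,00000000), ref: 00F542E3
• CloseEventLog.ADVAPI32(00000000), ref: 00F542EA
Similarity
• String ID: Application$Failed to open Application event log$Setup$_Failed$c:\agent\_work\138\s\src\burn\engine\logging.cpp$txt
• Opcode ID: 6e0ad072e217c22d98b2efa91077e5c6cbf703d5eefeed5666da65f7d04752d2
Uniqueness Score: -1.00%
"""

if __name__ == "__main__":
    for src, seq, tags in summarize(SAMPLE):
        print(f"{src:14} {','.join(tags) or '-':24} {' -> '.join(seq)}")
```

Feeding the full report text instead of SAMPLE gives one record per listing; the String ID is used for the looked-up names because the Strings section of these listings is sometimes collapsed while the String ID is always present.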

                                                                                                APIs
                                                                                                • GetLastError.KERNEL32(000007D0,000007D0,00000000,00000000,?,00000000,00000000,00000003,00000000,00000000), ref: 00F59487
                                                                                                • GetLastError.KERNEL32(000007D0,000007D0,00000000,00000000,000007D0,00000001), ref: 00F594AF
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: ErrorLast
                                                                                                • String ID: $$0$Could not close verify handle.$Could not verify file %ls.$Failed to allocate memory$Failed to allocate string.$Failed to encode file hash.$Failed to get file hash.$c:\agent\_work\138\s\src\burn\engine\cache.cpp
                                                                                                • API String ID: 1452528299-4273620891
                                                                                                • Opcode ID: a0518cb83a112bd8fa07d6c364835640a3cceddfa866d88cc0d4ade8fcaeda94
                                                                                                • Instruction ID: bafa262fbb0430257cdc2e7f9d1d17f4b40cc1ce7dcd264b2b7eb8f3a41edf30
                                                                                                • Opcode Fuzzy Hash: a0518cb83a112bd8fa07d6c364835640a3cceddfa866d88cc0d4ade8fcaeda94
                                                                                                • Instruction Fuzzy Hash: F3818672D04229EBDB15DF94CC41BEEBBB4AF04721F154126EE04BB280E7759D09EBA1
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • GetWindowLongW.USER32(?,000000EB), ref: 00F5E4E7
                                                                                                • DefWindowProcW.USER32(?,00000082,?,?), ref: 00F5E525
                                                                                                • SetWindowLongW.USER32(?,000000EB,00000000), ref: 00F5E532
                                                                                                • SetWindowLongW.USER32(?,000000EB,?), ref: 00F5E541
                                                                                                • DefWindowProcW.USER32(?,?,?,?), ref: 00F5E54F
                                                                                                • CreateCompatibleDC.GDI32(?), ref: 00F5E55B
                                                                                                • SelectObject.GDI32(00000000,00000000), ref: 00F5E56C
                                                                                                • StretchBlt.GDI32(?,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00CC0020), ref: 00F5E58E
                                                                                                • SelectObject.GDI32(00000000,00000000), ref: 00F5E596
                                                                                                • DeleteDC.GDI32(00000000), ref: 00F5E599
                                                                                                • PostQuitMessage.USER32(00000000), ref: 00F5E5A7
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: Window$Long$ObjectProcSelect$CompatibleCreateDeleteMessagePostQuitStretch
                                                                                                • String ID:
                                                                                                • API String ID: 409979828-0
                                                                                                • Opcode ID: 5444f6c8171e9287cae38c4238353e498a2afd1c0d8b78b6958df2913c4c3130
                                                                                                • Instruction ID: 935e512c2459ca9bdc895b395b1c2479143c7c3552bd698829b64bf641a5153a
                                                                                                • Opcode Fuzzy Hash: 5444f6c8171e9287cae38c4238353e498a2afd1c0d8b78b6958df2913c4c3130
                                                                                                • Instruction Fuzzy Hash: 2F217A32204218BFCB195F68DC1CEBB3F69EF49326B194518FA16961B1E7318910FB60
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Strings
                                                                                                • Failed to get current process directory., xrefs: 00F5A1D6
                                                                                                • Failed to combine layout source with source., xrefs: 00F5A28A
                                                                                                • Failed to copy source path., xrefs: 00F5A304
                                                                                                • WixBundleLayoutDirectory, xrefs: 00F5A250
                                                                                                • Failed to combine last source with source., xrefs: 00F5A1F5
                                                                                                • WixBundleLastUsedSource, xrefs: 00F5A17C
                                                                                                • Failed to get bundle layout directory property., xrefs: 00F5A26B
                                                                                                • WixBundleOriginalSource, xrefs: 00F5A197
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: Find$CloseFileFirstlstrlen
                                                                                                • String ID: Failed to combine last source with source.$Failed to combine layout source with source.$Failed to copy source path.$Failed to get bundle layout directory property.$Failed to get current process directory.$WixBundleLastUsedSource$WixBundleLayoutDirectory$WixBundleOriginalSource
                                                                                                • API String ID: 2767606509-3003062821
                                                                                                • Opcode ID: 2b845cf77c791e58d1c602efac65ef02211967ee49325a5e37ef8b48f1550143
                                                                                                • Instruction ID: 548305d7ac6434fb13d42acf54e8bb22f4df2b3a348fe6bc4cc9d0d4596b02dc
                                                                                                • Opcode Fuzzy Hash: 2b845cf77c791e58d1c602efac65ef02211967ee49325a5e37ef8b48f1550143
                                                                                                • Instruction Fuzzy Hash: D6816C71D0021AABDF11DFA8DC41AEEBBB5AF08721F140229FE10F7250D7359D54ABA1
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

APIs
• GetTempPathW.KERNEL32(00000104,?,00000000,00000000,00000000), ref: 00F42F87
• GetLastError.KERNEL32 ref: 00F42F91
• GetLocalTime.KERNEL32(?,?,?,?,?,?), ref: 00F43031
• CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000001,00000080,00000000), ref: 00F430BE
• GetLastError.KERNEL32 ref: 00F430CB
• Sleep.KERNEL32(00000064), ref: 00F430DF
• CloseHandle.KERNEL32(?), ref: 00F43147
Strings
• c:\agent\_work\138\s\src\libs\dutil\pathutil.cpp, xrefs: 00F42FB5
• %ls_%04u%02u%02u%02u%02u%02u%ls%ls%ls, xrefs: 00F4308E
Memory Dump Source
• Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
• Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
Similarity
• API ID: ErrorLast$CloseCreateFileHandleLocalPathSleepTempTime
• String ID: %ls_%04u%02u%02u%02u%02u%02u%ls%ls%ls$c:\agent\_work\138\s\src\libs\dutil\pathutil.cpp
• API String ID: 3480017824-473390516
• Opcode ID: 4c48a4a2daf98cf27748f5f9c874bbc1444099fc7d1e3434d68effb62d67ea9d
• Instruction ID: 375d927f9ffc948ce5deec3418e38928cd6d512767726b2359960cab3a9f899a
• Opcode Fuzzy Hash: 4c48a4a2daf98cf27748f5f9c874bbc1444099fc7d1e3434d68effb62d67ea9d
• Instruction Fuzzy Hash: 17716672D01239ABDB309F68DC49BEABBB8AB08720F5101A5FD14E7191D7749E84EF50
Uniqueness
• Uniqueness Score: -1.00%

APIs
• CompareStringW.KERNEL32(0000007F,00000000,FFFEB88D,000000FF,00000001,000000FF,?,00000001,00F45435,00000000,00F45501,00F454BD,WixBundleUILevel,840F01E8,?,00000001), ref: 00F4CCCA
Strings
• Failed to concat file paths., xrefs: 00F4CDAA
• Failed to ensure directory exists, xrefs: 00F4CD9C
• Failed to get directory portion of local file path, xrefs: 00F4CDA3
• Failed to get next stream., xrefs: 00F4CDB1
• Failed to extract file., xrefs: 00F4CD95
• Failed to find embedded payload: %ls, xrefs: 00F4CCF6
• c:\agent\_work\138\s\src\burn\engine\payload.cpp, xrefs: 00F4CDCB
• Payload was not found in container: %ls, xrefs: 00F4CDD7
Memory Dump Source
• Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
• Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
Similarity
• API ID: CompareString
• String ID: Failed to concat file paths.$Failed to ensure directory exists$Failed to extract file.$Failed to find embedded payload: %ls$Failed to get directory portion of local file path$Failed to get next stream.$Payload was not found in container: %ls$c:\agent\_work\138\s\src\burn\engine\payload.cpp
• API String ID: 1825529933-3713461909
• Opcode ID: df5312348fd3d3f7939b71a4fdad913d1dab32f18bef558c67edd4f11a6372b8
• Instruction ID: d3fecda7730d963bfa17992413bee42cb8993ef7e41e88195468a1b4d3e9a992
• Opcode Fuzzy Hash: df5312348fd3d3f7939b71a4fdad913d1dab32f18bef558c67edd4f11a6372b8
• Instruction Fuzzy Hash: 6341DF31D02215EFCFA59F94CC81AAEBF75AF40720B10917AEC25AB251D6719D40FBD1
Uniqueness
• Uniqueness Score: -1.00%

APIs
• PeekMessageW.USER32(00000000,00000000,00000400,00000400,00000000), ref: 00F4483F
• GetCurrentThreadId.KERNEL32 ref: 00F44845
• GetMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00F448D3
Strings
• wininet.dll, xrefs: 00F44872
• Unexpected return value from message pump., xrefs: 00F44929
• Failed to load UX., xrefs: 00F44888
• c:\agent\_work\138\s\src\burn\engine\engine.cpp, xrefs: 00F4491F
• Failed to start bootstrapper application., xrefs: 00F448A1
• Failed to create engine for UX., xrefs: 00F4485F
Memory Dump Source
• Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
• Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
Similarity
• API ID: Message$CurrentPeekThread
• String ID: Failed to create engine for UX.$Failed to load UX.$Failed to start bootstrapper application.$Unexpected return value from message pump.$c:\agent\_work\138\s\src\burn\engine\engine.cpp$wininet.dll
• API String ID: 673430819-242469113
• Opcode ID: 6098f8eb73ecd583b1d877685378d0f6d04a145aa109abb7797adfa38c3d705c
• Instruction ID: b7f92e75b2963989534fd8f3419319b76988876555140a9339264e7fb247ef30
• Opcode Fuzzy Hash: 6098f8eb73ecd583b1d877685378d0f6d04a145aa109abb7797adfa38c3d705c
• Instruction Fuzzy Hash: 5A418072A00615BFEB14ABA4CC85FBABBACAF04724F100125F905F7291DB34FD44A7A1
Uniqueness
• Uniqueness Score: -1.00%

APIs
• SetFileAttributesW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00000000,00000000,00000000,?,?,00F6AE4C,?,00000001,00000000), ref: 00F69B52
• GetLastError.KERNEL32(?,?,?,00000000,00000000,00000000,?,?,00F6AE4C,?,00000001,00000000,00000000,00000000,00000001,00000000), ref: 00F69B5C
• CopyFileExW.KERNEL32(00000000,00000000,00F699A0,?,?,00000000,00000000,00000000,?,?,?,00000000,00000000,00000000), ref: 00F69BAA
• GetLastError.KERNEL32(?,?,?,00000000,00000000,00000000,?,?,00F6AE4C,?,00000001,00000000,00000000,00000000,00000001,00000000), ref: 00F69BD9
Strings
• BA aborted copy of payload from: '%ls' to: %ls., xrefs: 00F69BD2
• copy, xrefs: 00F69B20
• c:\agent\_work\138\s\src\burn\engine\apply.cpp, xrefs: 00F69B80, 00F69BC4, 00F69BFD
• Failed to clear readonly bit on payload destination path: %ls, xrefs: 00F69B8B
• Failed attempt to copy payload from: '%ls' to: %ls., xrefs: 00F69C0B
Memory Dump Source
• Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
• Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
Similarity
• API ID: ErrorFileLast$AttributesCopy
• String ID: BA aborted copy of payload from: '%ls' to: %ls.$Failed attempt to copy payload from: '%ls' to: %ls.$Failed to clear readonly bit on payload destination path: %ls$c:\agent\_work\138\s\src\burn\engine\apply.cpp$copy
• API String ID: 1969131206-384873077
• Opcode ID: e1c0870bd21165665943863f1fc0d60327a90eaedf0d744b323a5b06607c88f0
• Instruction ID: 2c2159e592fd23b3ac06feaaab50d4fad86949c313b54126fb13f8a3f0ea4e3a
• Opcode Fuzzy Hash: e1c0870bd21165665943863f1fc0d60327a90eaedf0d744b323a5b06607c88f0
• Instruction Fuzzy Hash: 11313C33B05226B7DB205B559C85EAB776CEF81B60B148028BD05EB151E6B4CE00F7E1
Uniqueness
• Uniqueness Score: -1.00%

APIs
• LocalFree.KERNEL32(00000000,?,00000001,80000005,?,00000000,00000000,00000000,00000003,000007D0), ref: 00F58FE3
Strings
• Failed to create ACL to secure cache path: %ls, xrefs: 00F58F97
• Failed to allocate access for Everyone group to path: %ls, xrefs: 00F58F2D
• Failed to secure cache path: %ls, xrefs: 00F58FC6
• Failed to allocate access for Administrators group to path: %ls, xrefs: 00F58EEB
• Failed to allocate access for Users group to path: %ls, xrefs: 00F58F4E
• c:\agent\_work\138\s\src\burn\engine\cache.cpp, xrefs: 00F58F8C
• Failed to allocate access for SYSTEM group to path: %ls, xrefs: 00F58F0C
Memory Dump Source
• Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
• Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
Similarity
• API ID: FreeLocal
• String ID: Failed to allocate access for Administrators group to path: %ls$Failed to allocate access for Everyone group to path: %ls$Failed to allocate access for SYSTEM group to path: %ls$Failed to allocate access for Users group to path: %ls$Failed to create ACL to secure cache path: %ls$Failed to secure cache path: %ls$c:\agent\_work\138\s\src\burn\engine\cache.cpp
• API String ID: 2826327444-1071548903
• Opcode ID: 2a031c12be4bf1594f57b1d5f93c282f098acf66b12843780422a5242580b4bf
• Instruction ID: 63396345c055e63de0dfbca80f50ff1f4786c7ea3bb8d6dd1bed08597f743eb2
• Opcode Fuzzy Hash: 2a031c12be4bf1594f57b1d5f93c282f098acf66b12843780422a5242580b4bf
• Instruction Fuzzy Hash: 9031F932E4432977EB219650CC06FAE76A9AB44B92F510061BF04FA1C1DF749D4AB7A1
Uniqueness
• Uniqueness Score: -1.00%

APIs
• CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,name,000000FF,00000000,00000000,00000000,?,74DEDFD0), ref: 00F8707E
• CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,email,000000FF), ref: 00F8709B
• SysFreeString.OLEAUT32(00000000), ref: 00F870D9
• SysFreeString.OLEAUT32(00000000), ref: 00F8711D
Strings
Memory Dump Source
• Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
• Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
Similarity
• API ID: String$CompareFree
• String ID: `<u$email$name$uri
• API String ID: 3589242889-1197142144
• Opcode ID: 473a10be37df6d6efe0f866dcb4ae249bfbbf38cae6bace552b260414e56741a
• Instruction ID: 933361e2123709b4cbd3b8bec17173425d7a90225ec608ab0cd7861b7064ed95
• Opcode Fuzzy Hash: 473a10be37df6d6efe0f866dcb4ae249bfbbf38cae6bace552b260414e56741a
• Instruction Fuzzy Hash: 75411B76E08319BBCF11AB94CC49FEDB775AB05721F344294E921AA1E0C774DA44EB50
Uniqueness
• Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • _MREFOpen@16.MSPDB140-MSVCRT ref: 00F4F51F
                                                                                                  • Part of subcall function 00F4419A: CreateDirectoryW.KERNELBASE(?,840F01E8,00000000,00000000,?,00F5A0C3,00000000,00000000,?,00000000,00F45435,00000000,?,?,00F4D652,?), ref: 00F441A8
                                                                                                  • Part of subcall function 00F4419A: GetLastError.KERNEL32(?,00F5A0C3,00000000,00000000,?,00000000,00F45435,00000000,?,?,00F4D652,?,00000000,00000000), ref: 00F441B6
                                                                                                • lstrlenA.KERNEL32(002E0032,00000000,00000094,00000000,00000094,crypt32.dll,crypt32.dll,00F50545,swidtag,00000094,00F8B4F0,00330074,00F50545,00000000,crypt32.dll,00000000), ref: 00F4F572
                                                                                                  • Part of subcall function 00F851E2: CreateFileW.KERNEL32(002E0032,40000000,00000001,00000000,00000002,00000080,00000000,00F50545,00000000,?,00F4F589,00F8B4F0,00000080,002E0032,00000000), ref: 00F851FA
                                                                                                  • Part of subcall function 00F851E2: GetLastError.KERNEL32(?,00F4F589,00F8B4F0,00000080,002E0032,00000000,?,00F50545,crypt32.dll,00000094,?,?,?,?,?,00000000), ref: 00F85207
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: CreateErrorLast$DirectoryFileOpen@16lstrlen
                                                                                                • String ID: Failed to allocate regid file path.$Failed to allocate regid folder path.$Failed to create regid folder: %ls$Failed to format tag folder path.$Failed to write tag xml to file: %ls$crypt32.dll$swidtag
                                                                                                • API String ID: 904508749-2959304021
                                                                                                • Opcode ID: 5dde4a9332cb2a6980f801a038bf8836e60ce9bf16338c8493cba21ff30bdaa2
                                                                                                • Instruction ID: 57ca5945aeb9809b1a6e4dcd72078cc1e40900b8dc7c5fe31463296245ebed93
                                                                                                • Opcode Fuzzy Hash: 5dde4a9332cb2a6980f801a038bf8836e60ce9bf16338c8493cba21ff30bdaa2
                                                                                                • Instruction Fuzzy Hash: 04319E32D01229BBDF12AFA4CC01B9DBFB4AF04720F148176FD18AA190E7759A54BB90
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • LoadBitmapW.USER32(?,00000001), ref: 00F5E259
                                                                                                • GetLastError.KERNEL32 ref: 00F5E265
                                                                                                • GetObjectW.GDI32(00000000,00000018,?), ref: 00F5E2AC
                                                                                                • GetCursorPos.USER32(?), ref: 00F5E2CD
                                                                                                • MonitorFromPoint.USER32(?,?,00000002), ref: 00F5E2DF
                                                                                                • GetMonitorInfoW.USER32(00000000,?), ref: 00F5E2F5
                                                                                                Strings
                                                                                                • Failed to load splash screen bitmap., xrefs: 00F5E293
                                                                                                • (, xrefs: 00F5E2EC
                                                                                                • c:\agent\_work\138\s\src\burn\engine\splashscreen.cpp, xrefs: 00F5E289
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: Monitor$BitmapCursorErrorFromInfoLastLoadObjectPoint
                                                                                                • String ID: ($Failed to load splash screen bitmap.$c:\agent\_work\138\s\src\burn\engine\splashscreen.cpp
                                                                                                • API String ID: 2342928100-1828971274
                                                                                                • Opcode ID: e02dafd30028b1d21f7c97a09cb854dab1f9766c9a99e577d9027e37de4d8a15
                                                                                                • Instruction ID: 6e1476b9f5331756aa51d9cb48f99a0cc29880e8a03e96f9ffd3ac58a51f35a5
                                                                                                • Opcode Fuzzy Hash: e02dafd30028b1d21f7c97a09cb854dab1f9766c9a99e577d9027e37de4d8a15
                                                                                                • Instruction Fuzzy Hash: 22314172E002199FDB14CFB8DD45A9EBBB4FF08711F548119E904EB285EB70E904DBA1
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • GetCurrentProcessId.KERNEL32(?,00000000,?,?,00F8B4F0), ref: 00F5514C
                                                                                                • GetProcessId.KERNEL32(000000FF,?,?,open,00000000,00000000,?,000000FF,?,?), ref: 00F551EA
                                                                                                • CloseHandle.KERNEL32(00000000), ref: 00F55203
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: Process$CloseCurrentHandle
                                                                                                • String ID: -q -%ls %ls %ls %u$Failed to allocate parameters for elevated process.$Failed to launch elevated child process: %ls$burn.elevated$open$runas
                                                                                                • API String ID: 2815245435-1352204306
                                                                                                • Opcode ID: 521c27471a688188f2328488e8aaf9721e7e26182d6d48e2c5c5d69e961b9f87
                                                                                                • Instruction ID: 25753a7f36098a2f826f70f36c3abf39c103ac2bde0342d1005ede5944b3405c
                                                                                                • Opcode Fuzzy Hash: 521c27471a688188f2328488e8aaf9721e7e26182d6d48e2c5c5d69e961b9f87
                                                                                                • Instruction Fuzzy Hash: BF218675D00A1DFFDF01AFA4CC909EEBFB8EF04351B00806AFA14A2211D735AE15AB91
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • GetModuleHandleW.KERNEL32(msi,DllGetVersion), ref: 00F46951
                                                                                                • GetProcAddress.KERNEL32(00000000), ref: 00F46958
                                                                                                • GetLastError.KERNEL32 ref: 00F46962
                                                                                                Strings
                                                                                                • Failed to find DllGetVersion entry point in msi.dll., xrefs: 00F46990
                                                                                                • Failed to get msi.dll version info., xrefs: 00F469AA
                                                                                                • msi, xrefs: 00F46948
                                                                                                • DllGetVersion, xrefs: 00F46943
                                                                                                • c:\agent\_work\138\s\src\burn\engine\variable.cpp, xrefs: 00F46986
                                                                                                • Failed to set variant value., xrefs: 00F469CE
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: AddressErrorHandleLastModuleProc
                                                                                                • String ID: DllGetVersion$Failed to find DllGetVersion entry point in msi.dll.$Failed to get msi.dll version info.$Failed to set variant value.$c:\agent\_work\138\s\src\burn\engine\variable.cpp$msi
                                                                                                • API String ID: 4275029093-3800379381
                                                                                                • Opcode ID: 1efeffa9c336d9cc684197b4a291fd9e00bfbcfbf9cd182a8b6efb10bee68336
                                                                                                • Instruction ID: 6103c66b196e3c9cec8b7302c4b51fc92afe7ff894482906027f1f04ea717a5e
                                                                                                • Opcode Fuzzy Hash: 1efeffa9c336d9cc684197b4a291fd9e00bfbcfbf9cd182a8b6efb10bee68336
                                                                                                • Instruction Fuzzy Hash: 1411D672E00339B6D71067699C06ABFBBA8AF05B21B110425FD05F6281DAB4DD04B7E6
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • LoadLibraryExW.KERNEL32(?,00000000,00000008,00000000,?,00F44882,00000000,00000000,wininet.dll,?,00000000,00000000,?,?,00F45506,?), ref: 00F4D775
                                                                                                • GetLastError.KERNEL32(?,00F44882,00000000,00000000,wininet.dll,?,00000000,00000000,?,?,00F45506,?,?), ref: 00F4D782
                                                                                                • GetProcAddress.KERNEL32(00000000,BootstrapperApplicationCreate), ref: 00F4D7BA
                                                                                                • GetLastError.KERNEL32(?,00F44882,00000000,00000000,wininet.dll,?,00000000,00000000,?,?,00F45506,?,?), ref: 00F4D7C6
                                                                                                Strings
                                                                                                • Failed to get BootstrapperApplicationCreate entry-point, xrefs: 00F4D7F1
                                                                                                • BootstrapperApplicationCreate, xrefs: 00F4D7B4
                                                                                                • Failed to load UX DLL., xrefs: 00F4D7AD
                                                                                                • c:\agent\_work\138\s\src\burn\engine\userexperience.cpp, xrefs: 00F4D7A3, 00F4D7E7
                                                                                                • Failed to create UX., xrefs: 00F4D80A
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: ErrorLast$AddressLibraryLoadProc
                                                                                                • String ID: BootstrapperApplicationCreate$Failed to create UX.$Failed to get BootstrapperApplicationCreate entry-point$Failed to load UX DLL.$c:\agent\_work\138\s\src\burn\engine\userexperience.cpp
                                                                                                • API String ID: 1866314245-3647149291
                                                                                                • Opcode ID: 8e9d7432002b2c16a40d33979f10e51be137cc068d8fb2a1a94420ecae4c245a
                                                                                                • Instruction ID: 0fe9e8694977e86c5043fa740467cf8fb5eaf5a3e284e822bc1edf04b2c4b031
                                                                                                • Opcode Fuzzy Hash: 8e9d7432002b2c16a40d33979f10e51be137cc068d8fb2a1a94420ecae4c245a
                                                                                                • Instruction Fuzzy Hash: D511E737A80736ABEB2157945C09B6B7F946F00B71F018126BE14FB2C1EA24DC007BD5
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • HeapSetInformation.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,?,?,00F4111A,cabinet.dll,00000009,?,?,00000000), ref: 00F41184
                                                                                                • GetModuleHandleW.KERNEL32(kernel32,?,?,?,?,?,00F4111A,cabinet.dll,00000009,?,?,00000000), ref: 00F4118F
                                                                                                • GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00F4119D
                                                                                                • GetLastError.KERNEL32(?,?,?,?,?,00F4111A,cabinet.dll,00000009,?,?,00000000), ref: 00F411B8
                                                                                                • GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00F411C0
                                                                                                • GetLastError.KERNEL32(?,?,?,?,?,00F4111A,cabinet.dll,00000009,?,?,00000000), ref: 00F411D5
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: AddressErrorLastProc$HandleHeapInformationModule
                                                                                                • String ID: SetDefaultDllDirectories$SetDllDirectoryW$kernel32
                                                                                                • API String ID: 3104334766-1824683568
                                                                                                • Opcode ID: fa2008526c1dc24e2adaa93b0d44276cec80d557dfbb91b7d72cc9594db0bf96
                                                                                                • Instruction ID: a7af1abc4359985390c6b3f4061aca14a562a083283d8a835b3e71fbf28656ca
                                                                                                • Opcode Fuzzy Hash: fa2008526c1dc24e2adaa93b0d44276cec80d557dfbb91b7d72cc9594db0bf96
                                                                                                • Instruction Fuzzy Hash: D601213170021ABA9B206BA69C49DAF7F5CFF817617044011FE15A6151E770DA45ABB1
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • EnterCriticalSection.KERNEL32(?), ref: 00F5F59F
                                                                                                • LeaveCriticalSection.KERNEL32(?), ref: 00F5F71A
                                                                                                Strings
                                                                                                • Failed to set download user., xrefs: 00F5F6A2
                                                                                                • Failed to set download URL., xrefs: 00F5F679
                                                                                                • Engine is active, cannot change engine state., xrefs: 00F5F5B9
                                                                                                • UX requested unknown container with id: %ls, xrefs: 00F5F644
                                                                                                • UX denied while trying to set download URL on embedded payload: %ls, xrefs: 00F5F60A
                                                                                                • UX did not provide container or payload id., xrefs: 00F5F709
                                                                                                • UX requested unknown payload with id: %ls, xrefs: 00F5F5F4
                                                                                                • Failed to set download password., xrefs: 00F5F6C8
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: CriticalSection$EnterLeave
                                                                                                • String ID: Engine is active, cannot change engine state.$Failed to set download URL.$Failed to set download password.$Failed to set download user.$UX denied while trying to set download URL on embedded payload: %ls$UX did not provide container or payload id.$UX requested unknown container with id: %ls$UX requested unknown payload with id: %ls
                                                                                                • API String ID: 3168844106-2615595102
                                                                                                • Opcode ID: a7353289042b5e4e37ab0c29640b0459f3fd6208fff227d3f682ce82d9ad50b0
                                                                                                • Instruction ID: 702c9db814b493f851f7975427ead6cea66c95e6906a90e5ddef5d5dacc4fb42
                                                                                                • Opcode Fuzzy Hash: a7353289042b5e4e37ab0c29640b0459f3fd6208fff227d3f682ce82d9ad50b0
                                                                                                • Instruction Fuzzy Hash: 3E41E432A00212EBDB119F64DC46F6A77A8AF04722B1541B6FD04E7290EB74DD4CB7E5
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • _free.LIBCMT ref: 00F75A89
                                                                                                  • Part of subcall function 00F7604F: HeapFree.KERNEL32(00000000,00000000,?,00F789CC,?,00000000,?,00000000,?,00F789F3,?,00000007,?,?,00F78E6D,?), ref: 00F76065
                                                                                                  • Part of subcall function 00F7604F: GetLastError.KERNEL32(?,?,00F789CC,?,00000000,?,00000000,?,00F789F3,?,00000007,?,?,00F78E6D,?,?), ref: 00F76077
                                                                                                • _free.LIBCMT ref: 00F75A95
                                                                                                • _free.LIBCMT ref: 00F75AA0
                                                                                                • _free.LIBCMT ref: 00F75AAB
                                                                                                • _free.LIBCMT ref: 00F75AB6
                                                                                                • _free.LIBCMT ref: 00F75AC1
                                                                                                • _free.LIBCMT ref: 00F75ACC
                                                                                                • _free.LIBCMT ref: 00F75AD7
                                                                                                • _free.LIBCMT ref: 00F75AE2
                                                                                                • _free.LIBCMT ref: 00F75AF0
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: _free$ErrorFreeHeapLast
                                                                                                • String ID:
                                                                                                • API String ID: 776569668-0
                                                                                                • Opcode ID: 0d34acd222275e85beff29540f3fe8e26910509d4aad3b2da5abce6e9a0bb426
                                                                                                • Instruction ID: c35764d60d7f2bb784815e6dccd5e92fba2fded36c77c7dc18c2820bed4d47f9
                                                                                                • Opcode Fuzzy Hash: 0d34acd222275e85beff29540f3fe8e26910509d4aad3b2da5abce6e9a0bb426
                                                                                                • Instruction Fuzzy Hash: 8B21C776900508AFCB11EF94CC91CDD7FB9AF48300F0481A6F509DB122DB3AEA849B81
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • CreateFileW.KERNEL32(000000FF,C0000000,00000004,00000000,00000004,00000080,00000000,00000000,00000000,00000000,00000078,00000410,000000FF,?,00000000,00000000), ref: 00F85EA9
                                                                                                • GetLastError.KERNEL32 ref: 00F85EB7
                                                                                                • VirtualAlloc.KERNEL32(00000000,00010000,00003000,00000004), ref: 00F85EF8
                                                                                                • GetLastError.KERNEL32 ref: 00F85F05
                                                                                                • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00F86078
                                                                                                • CloseHandle.KERNEL32(?), ref: 00F86087
                                                                                                Strings
                                                                                                • GET, xrefs: 00F85FAC
                                                                                                • c:\agent\_work\138\s\src\libs\dutil\dlutil.cpp, xrefs: 00F85EDB
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: ErrorLastVirtual$AllocCloseCreateFileFreeHandle
                                                                                                • String ID: GET$c:\agent\_work\138\s\src\libs\dutil\dlutil.cpp
                                                                                                • API String ID: 2028584396-1175425030
                                                                                                • Opcode ID: df4e9dbbd29ae8bcdd818211d91591ad9b834e5e4a486c51751570e126fa6aa3
                                                                                                • Instruction ID: 06b6f38da154f43cd33073192fcc98b5a1aacfb0df1a412a63c65704545270c2
                                                                                                • Opcode Fuzzy Hash: df4e9dbbd29ae8bcdd818211d91591ad9b834e5e4a486c51751570e126fa6aa3
                                                                                                • Instruction Fuzzy Hash: DB617876E0021AABDF21EFA4CC45BEE7BB8AF08764F110119FE15E7280D774D900AB94
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                  • Part of subcall function 00F510A0: CompareStringW.KERNEL32(00000000,00000000,feclient.dll,000000FF,00000000,000000FF,00000000,00000000,?,?,00F50CF3,?,00000000,?,00000000,00000000), ref: 00F510CF
                                                                                                • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,00000000,?,00000000,?,00000000,00000001,?,?,00000000,?,00000000), ref: 00F50E77
                                                                                                • GetLastError.KERNEL32 ref: 00F50E84
                                                                                                Strings
                                                                                                • c:\agent\_work\138\s\src\burn\engine\plan.cpp, xrefs: 00F50EA8
                                                                                                • Failed to append package start action., xrefs: 00F50D19
                                                                                                • Failed to create syncpoint event., xrefs: 00F50EB2
                                                                                                • Failed to append cache action., xrefs: 00F50DCE
                                                                                                • Failed to append rollback cache action., xrefs: 00F50D53
                                                                                                • Failed to append payload cache action., xrefs: 00F50E2E
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: CompareCreateErrorEventLastString
                                                                                                • String ID: Failed to append cache action.$Failed to append package start action.$Failed to append payload cache action.$Failed to append rollback cache action.$Failed to create syncpoint event.$c:\agent\_work\138\s\src\burn\engine\plan.cpp
                                                                                                • API String ID: 801187047-4180891441
                                                                                                • Opcode ID: 510e8d1ea2397bb093332f6fe2972d66fbf8fb01688aad230fe89ec2d0a86fa6
                                                                                                • Instruction ID: be2915289aa2d9eb3e7f8167a9068d73365322624b93f9416a9637edf85f1de0
                                                                                                • Opcode Fuzzy Hash: 510e8d1ea2397bb093332f6fe2972d66fbf8fb01688aad230fe89ec2d0a86fa6
                                                                                                • Instruction Fuzzy Hash: 3B619076900609EFDB05DF54C881A9ABBF9FF84311B21845AEE059B351EF30EE45EB50
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • CompareStringW.KERNEL32(0000007F,00000000,74DEDFD0,000000FF,type,000000FF,?,74DEDFD0,74DEDFD0,74DEDFD0), ref: 00F87347
                                                                                                • SysFreeString.OLEAUT32(00000000), ref: 00F87392
                                                                                                • SysFreeString.OLEAUT32(00000000), ref: 00F8740E
                                                                                                • SysFreeString.OLEAUT32(00000000), ref: 00F8745A
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: String$Free$Compare
                                                                                                • String ID: `<u$type$url
                                                                                                • API String ID: 1324494773-1686489133
                                                                                                • Opcode ID: 9fd1446e34d87c12dd8aa54a883a3c2b4211aaec34abfeb38892f4be94443f1f
                                                                                                • Instruction ID: 03fa0a685ceb90dfcaa2a83e72160308fbe7482dc9633deb6e45fa2ca36b7937
                                                                                                • Opcode Fuzzy Hash: 9fd1446e34d87c12dd8aa54a883a3c2b4211aaec34abfeb38892f4be94443f1f
                                                                                                • Instruction Fuzzy Hash: A6513C35D05219EBCB15EBA4CC84FEEBBB8AF04725F2441A9E911AB1A1D734DE04EB50
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • _MREFOpen@16.MSPDB140-MSVCRT ref: 00F49FA0
                                                                                                • _MREFOpen@16.MSPDB140-MSVCRT ref: 00F49FC5
                                                                                                Strings
                                                                                                • MsiComponentSearch failed: ID '%ls', HRESULT 0x%x, xrefs: 00F4A0B9
                                                                                                • Failed to set variable., xrefs: 00F4A0A9
                                                                                                • Failed to get component path: %d, xrefs: 00F4A029
                                                                                                • Failed to format product code string., xrefs: 00F49FD0
                                                                                                • Failed to format component id string., xrefs: 00F49FAB
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: Open@16
                                                                                                • String ID: Failed to format component id string.$Failed to format product code string.$Failed to get component path: %d$Failed to set variable.$MsiComponentSearch failed: ID '%ls', HRESULT 0x%x
                                                                                                • API String ID: 3613110473-1671347822
                                                                                                • Opcode ID: 14590e0420ab58d1decc1722e761ced0d26a5c0fe868dba9e3b8b64b491f9abe
                                                                                                • Instruction ID: db01d38f69c8f2577088c4a1cb08983c2f34ffa723045dedb77ca2c75a220353
                                                                                                • Opcode Fuzzy Hash: 14590e0420ab58d1decc1722e761ced0d26a5c0fe868dba9e3b8b64b491f9abe
                                                                                                • Instruction Fuzzy Hash: FC410333E80215BEDB21AA6C8C46BBEBE68EF15320F244616FD11E6091E731D944F753
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • ReadFile.KERNEL32(00000000,00000001,00000008,?,00000000,?,00000000,00000000,00000001,00000000,?,?,?,00000000,crypt32.dll,00000000), ref: 00F549D1
                                                                                                • GetLastError.KERNEL32 ref: 00F549DE
                                                                                                • ReadFile.KERNEL32(?,00000000,?,?,00000000,?,00000000), ref: 00F54A89
                                                                                                • GetLastError.KERNEL32 ref: 00F54A93
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: ErrorFileLastRead
                                                                                                • String ID: Failed to allocate data for message.$Failed to read data for message.$Failed to read message from pipe.$c:\agent\_work\138\s\src\burn\engine\pipe.cpp
                                                                                                • API String ID: 1948546556-2975516947
                                                                                                • Opcode ID: ba8e8e3fc95cee5634cb9387cb3944b4857f470f5dc0120a2449a2e2dcb730a5
                                                                                                • Instruction ID: 550a2b6f92ae8b1a178e07729413ff9a63ef312984fbc853fe1429d7140bbd0e
                                                                                                • Opcode Fuzzy Hash: ba8e8e3fc95cee5634cb9387cb3944b4857f470f5dc0120a2449a2e2dcb730a5
                                                                                                • Instruction Fuzzy Hash: 13311C33D80229BBD750DE94CC05FAAFA64AF0076AF008125FD40A6180D778FD84BBD8
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • WaitForSingleObject.KERNEL32(?,0002BF20,?,F0000003,00000000,00000000,?,00000000,00000000,00000000,00F45506,00000000,00000000,?,00000000), ref: 00F554FE
                                                                                                • GetLastError.KERNEL32(?,?,?,00F44CE1,?,?,00000000,?,?,?,?,?,?,00F8B490,?,?), ref: 00F55509
                                                                                                Strings
                                                                                                • c:\agent\_work\138\s\src\burn\engine\pipe.cpp, xrefs: 00F5552D
                                                                                                • Failed to wait for child process exit., xrefs: 00F55537
                                                                                                • Failed to write exit code to message buffer., xrefs: 00F55479
                                                                                                • Failed to post terminate message to child process cache thread., xrefs: 00F554CD
                                                                                                • Failed to post terminate message to child process., xrefs: 00F554E9
                                                                                                • Failed to write restart to message buffer., xrefs: 00F554A1
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: ErrorLastObjectSingleWait
                                                                                                • String ID: Failed to post terminate message to child process cache thread.$Failed to post terminate message to child process.$Failed to wait for child process exit.$Failed to write exit code to message buffer.$Failed to write restart to message buffer.$c:\agent\_work\138\s\src\burn\engine\pipe.cpp
                                                                                                • API String ID: 1211598281-48580095
                                                                                                • Opcode ID: 40605679865da7cb676808366a9da09718721d23d5965fbed668c436a0143d0c
                                                                                                • Instruction ID: c00aad49cf5202c255d38eca4ded1a22fbfbfaca9950328c677e5c977e4eb27c
                                                                                                • Opcode Fuzzy Hash: 40605679865da7cb676808366a9da09718721d23d5965fbed668c436a0143d0c
                                                                                                • Instruction Fuzzy Hash: A4210A33940A29FBDB129A90DC11E9E7A69AF00B76F114211FE10BA190E734EE58B7D5
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • CreateFileW.KERNEL32(00000000,80000000,00000005,00000000,00000003,08000000,00000000,00000000,00000101,?,00F59EE1,00000003,000007D0,00000003,?,000007D0), ref: 00F5908C
                                                                                                • GetLastError.KERNEL32(?,00F59EE1,00000003,000007D0,00000003,?,000007D0,?,000007D0,00000000,00000003,00000000,00000003,000007D0,00000001,?), ref: 00F59099
                                                                                                • CloseHandle.KERNEL32(00000000,?,00F59EE1,00000003,000007D0,00000003,?,000007D0,?,000007D0,00000000,00000003,00000000,00000003,000007D0,00000001), ref: 00F59161
                                                                                                Strings
                                                                                                • Failed to verify catalog signature of payload: %ls, xrefs: 00F59128
                                                                                                • Failed to verify signature of payload: %ls, xrefs: 00F59109
                                                                                                • Failed to open payload at path: %ls, xrefs: 00F590DD
                                                                                                • Failed to verify hash of payload: %ls, xrefs: 00F5914C
                                                                                                • c:\agent\_work\138\s\src\burn\engine\cache.cpp, xrefs: 00F590D0
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: CloseCreateErrorFileHandleLast
                                                                                                • String ID: Failed to open payload at path: %ls$Failed to verify catalog signature of payload: %ls$Failed to verify hash of payload: %ls$Failed to verify signature of payload: %ls$c:\agent\_work\138\s\src\burn\engine\cache.cpp
                                                                                                • API String ID: 2528220319-2587096086
                                                                                                • Opcode ID: ba275c06305f7c41f1b0a6bb9d3e716b534c2594c5928401caa00131e438dc8d
                                                                                                • Instruction ID: ba5bd309f26fd46b826ab3b23ebf876bec495525691cdb0a93929845ed982757
                                                                                                • Opcode Fuzzy Hash: ba275c06305f7c41f1b0a6bb9d3e716b534c2594c5928401caa00131e438dc8d
                                                                                                • Instruction Fuzzy Hash: AB21E732948B36F7DB262664CC4DBAB7B18BF00772F114211FE14652E093A59C68BBD1
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

APIs
• GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00F46C22
• GetLastError.KERNEL32 ref: 00F46C2C
• GetVolumePathNameW.KERNEL32(?,?,00000104), ref: 00F46C70
• GetLastError.KERNEL32 ref: 00F46C7A
Strings
• Failed to get windows directory., xrefs: 00F46C5A
• Failed to get volume path name., xrefs: 00F46CA8
• c:\agent\_work\138\s\src\burn\engine\variable.cpp, xrefs: 00F46C50, 00F46C9E
• Failed to set variant value., xrefs: 00F46CC4
Memory Dump Source
• Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
• Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
Similarity
• API ID: ErrorLast$DirectoryNamePathVolumeWindows
• String ID: Failed to get volume path name.$Failed to get windows directory.$Failed to set variant value.$c:\agent\_work\138\s\src\burn\engine\variable.cpp
• API String ID: 124030351-3909613369
• Opcode ID: f4464446128b72731e2df5063d10c66ac390de25e437d28713772470cb60de24
• Instruction ID: 4f8802be9cee285105d389e8664fb50fc6bc99022d8a8726c70aa84dccd43600
• Opcode Fuzzy Hash: f4464446128b72731e2df5063d10c66ac390de25e437d28713772470cb60de24
• Instruction Fuzzy Hash: 9A210873E4123863D720A6549C4AFDB7B6C9F01B21F114165BE44F7281EA78ED04A7E6
Uniqueness
Uniqueness Score: -1.00%

APIs
• _MREFOpen@16.MSPDB140-MSVCRT ref: 00F49D37
• GetFileAttributesW.KERNEL32(00000000,000002C0,?,00000000,00000000,000002C0,00000100,000002C0,?,00F4A95B,00000100,000002C0,000002C0,?,000002C0,00000100), ref: 00F49D4F
• GetLastError.KERNEL32(?,00F4A95B,00000100,000002C0,000002C0,?,000002C0,00000100,000002C0,000002C0,00000100), ref: 00F49D5C
Strings
• Failed to set variable., xrefs: 00F49DE5
• Failed get to file attributes. '%ls', xrefs: 00F49D99
• File search: %ls, did not find path: %ls, xrefs: 00F49DAE
• c:\agent\_work\138\s\src\burn\engine\search.cpp, xrefs: 00F49D8C
• Failed to format variable string., xrefs: 00F49D42
Memory Dump Source
• Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
• Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
Similarity
• API ID: AttributesErrorFileLastOpen@16
• String ID: Failed get to file attributes. '%ls'$Failed to format variable string.$Failed to set variable.$File search: %ls, did not find path: %ls$c:\agent\_work\138\s\src\burn\engine\search.cpp
• API String ID: 1811509786-3251416904
• Opcode ID: cd3e2d8162909f23f3d2bf8890cf9a78623d0a6839ee0fe75ccee0b718bdb61f
• Instruction ID: 84ef9204f80bf0e0e5ecb77f093f86ae61a2f112d273264951dfa57ffd0a2559
• Opcode Fuzzy Hash: cd3e2d8162909f23f3d2bf8890cf9a78623d0a6839ee0fe75ccee0b718bdb61f
• Instruction Fuzzy Hash: 8B21F233F44221BBDB217A648C07BAFBE34EF00720F114225FD41A6190EBA19D10B7D1
Uniqueness
Uniqueness Score: -1.00%

APIs
• TlsSetValue.KERNEL32(?,?), ref: 00F5AD30
• GetLastError.KERNEL32 ref: 00F5AD3A
• CoInitializeEx.OLE32(00000000,00000000), ref: 00F5AD79
• CoUninitialize.OLE32(?,00F5C6D1,?,?), ref: 00F5ADB6
Strings
• Failed to set elevated cache pipe into thread local storage for logging., xrefs: 00F5AD68
• Failed to initialize COM., xrefs: 00F5AD85
• Failed to pump messages in child process., xrefs: 00F5ADA4
• c:\agent\_work\138\s\src\burn\engine\elevation.cpp, xrefs: 00F5AD5E
Memory Dump Source
• Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
• Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
Similarity
• API ID: ErrorInitializeLastUninitializeValue
• String ID: Failed to initialize COM.$Failed to pump messages in child process.$Failed to set elevated cache pipe into thread local storage for logging.$c:\agent\_work\138\s\src\burn\engine\elevation.cpp
• API String ID: 876858697-4171771178
• Opcode ID: 2864d79faade269fdd1a3ecb9a58768db0feb737f8188e0ec5760afb53bf0b8e
• Instruction ID: c83918befa1499fef634d7d78eb84b162626373ed4fb116db3be67d4f0c80390
• Opcode Fuzzy Hash: 2864d79faade269fdd1a3ecb9a58768db0feb737f8188e0ec5760afb53bf0b8e
• Instruction Fuzzy Hash: 9511E333941639BB9A1137449C0A9DBBE78AF01B737010216FE04B7651EB609D14BBD6
Uniqueness
Uniqueness Score: -1.00%

APIs
• RegCloseKey.ADVAPI32(00000000,?,00000000,CommonFilesDir,?,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion,00020119,00000000), ref: 00F45DD5
  • Part of subcall function 00F81571: RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000001,00000000,00000000,00000000,00000000,00000000), ref: 00F815E7
  • Part of subcall function 00F81571: RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,?), ref: 00F8161F
Strings
Memory Dump Source
• Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
• Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
Similarity
• API ID: QueryValue$Close
• String ID: +$CommonFilesDir$Failed to ensure path was backslash terminated.$Failed to open Windows folder key.$Failed to read folder path for '%ls'.$ProgramFilesDir$SOFTWARE\Microsoft\Windows\CurrentVersion
• API String ID: 1979452859-3209209246
• Opcode ID: b734a3bdaf41466ab6b9460244fc81418f8e7d68dfbe8b667554516258ff17ae
• Instruction ID: 47618ded50d42715835d25010cd33545ab475f9cc46e17f4aac27bb22b58a5e5
• Opcode Fuzzy Hash: b734a3bdaf41466ab6b9460244fc81418f8e7d68dfbe8b667554516258ff17ae
• Instruction Fuzzy Hash: 0E01D232E04628B7CB127645EC0AEDE7E789F41B70F204125FC00A62929774CE01F391
Uniqueness
Uniqueness Score: -1.00%

APIs
• SetFileAttributesW.KERNEL32(?,00000000,?,00000000,?,?,?,00000000,00000000,?), ref: 00F6A183
• GetLastError.KERNEL32(?,?,?,00000000,00000000,?), ref: 00F6A18D
Strings
• Failed attempt to download URL: '%ls' to: '%ls', xrefs: 00F6A26A
• c:\agent\_work\138\s\src\burn\engine\apply.cpp, xrefs: 00F6A1B1
• :, xrefs: 00F6A206
• Failed to clear readonly bit on payload destination path: %ls, xrefs: 00F6A1BC
• download, xrefs: 00F6A14D
Memory Dump Source
• Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
• Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
Similarity
• API ID: AttributesErrorFileLast
• String ID: :$Failed attempt to download URL: '%ls' to: '%ls'$Failed to clear readonly bit on payload destination path: %ls$c:\agent\_work\138\s\src\burn\engine\apply.cpp$download
• API String ID: 1799206407-3795046138
• Opcode ID: a65e51d98ddd886f57ec01129268b41a5fda477d4474bf32fb9a3b0e758b3116
• Instruction ID: 8ae749564dba4613db2abbd47dd1e89c18105b89c7fac62b510bfa4fb877af3f
• Opcode Fuzzy Hash: a65e51d98ddd886f57ec01129268b41a5fda477d4474bf32fb9a3b0e758b3116
• Instruction Fuzzy Hash: 4351A072E40219ABDF10DFA8C841AAEB7B4FF05720F108059E905FB250E775DA40EF92
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00F43A1A: GetProcessHeap.KERNEL32(?,000001C7,?,00F423A7,?,00000001,80004005,8007139F,?,?,00F80687,8007139F,?,00000000,00000000,8007139F), ref: 00F43A2B
  • Part of subcall function 00F43A1A: RtlAllocateHeap.NTDLL(00000000,?,00F423A7,?,00000001,80004005,8007139F,?,?,00F80687,8007139F,?,00000000,00000000,8007139F), ref: 00F43A32
• CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,http://appsyndication.org/2006/appsyn,000000FF,00000010,00000001,00000000,00000000,00000410,?,?,00F68EAF,000002C0,00000100), ref: 00F888D3
• CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,application,000000FF,?,?,00F68EAF,000002C0,00000100,000002C0,000002C0,00000100,000002C0,00000410), ref: 00F888EE
Strings
• c:\agent\_work\138\s\src\libs\dutil\apuputil.cpp, xrefs: 00F88989
• application, xrefs: 00F888E0
• type, xrefs: 00F88915
• http://appsyndication.org/2006/appsyn, xrefs: 00F888C6
Memory Dump Source
• Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
• Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
Similarity
• API ID: CompareHeapString$AllocateProcess
• String ID: application$c:\agent\_work\138\s\src\libs\dutil\apuputil.cpp$http://appsyndication.org/2006/appsyn$type
• API String ID: 2664528157-2726911551
• Opcode ID: c14ce06262fd6ae68ca1ed8625dc632d03eb476b30f15fc7aa6265665dc736bf
• Instruction ID: e9ec3cedca578054d65c519d55b607fbdb6b552b2ba684aa9cd8226e66500938
• Opcode Fuzzy Hash: c14ce06262fd6ae68ca1ed8625dc632d03eb476b30f15fc7aa6265665dc736bf
• Instruction Fuzzy Hash: D651B331A40701FBDB24AE54CC81FAA77A5AB00BB0F608519F965AB2D1DB78ED41EB11
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetLastError.KERNEL32 ref: 00F86917
• DeleteFileW.KERNEL32(00000410,00000000,00000000,?,?,00000078,000000FF,00000410,?,?,?,00000078,000000FF,?,?,00000078), ref: 00F86A0E
• CloseHandle.KERNEL32(000000FF,00000000,00000000,?,?,00000078,000000FF,00000410,?,?,?,00000078,000000FF,?,?,00000078), ref: 00F86A1D
Strings
Memory Dump Source
• Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
• Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
Similarity
• API ID: CloseDeleteErrorFileHandleLast
• String ID: Burn$DownloadTimeout$WiX\Burn$c:\agent\_work\138\s\src\libs\dutil\dlutil.cpp
• API String ID: 3522763407-4112428647
• Opcode ID: b764bc2e5bb56c35a8c16bdf674b847fd67bf2e5b087c5810a54f1d1abdb51f6
• Instruction ID: 46a21523ecf8274c7a67515b0c873599346dfaab68290c5a4fea68c409e855c2
• Opcode Fuzzy Hash: b764bc2e5bb56c35a8c16bdf674b847fd67bf2e5b087c5810a54f1d1abdb51f6
• Instruction Fuzzy Hash: 62510976D00219BBDF11EFA4CC45EEEBFB9EB09710F048165FA14F6190E7349A11ABA0
Uniqueness
Uniqueness Score: -1.00%

APIs
• _memcmp.LIBVCRUNTIME ref: 00F592ED
  • Part of subcall function 00F85AE9: GetLastError.KERNEL32(?,?,00F59312,?,00000003,00F45501,?), ref: 00F85B08
• _memcmp.LIBVCRUNTIME ref: 00F59327
• GetLastError.KERNEL32 ref: 00F5939F
Strings
• Failed to read certificate thumbprint., xrefs: 00F59393
• Failed to find expected public key in certificate chain., xrefs: 00F59362
• Failed to get certificate public key identifier., xrefs: 00F593CD
• c:\agent\_work\138\s\src\burn\engine\cache.cpp, xrefs: 00F593C3
Memory Dump Source
• Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
• Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
Similarity
• API ID: ErrorLast_memcmp
• String ID: Failed to find expected public key in certificate chain.$Failed to get certificate public key identifier.$Failed to read certificate thumbprint.$c:\agent\_work\138\s\src\burn\engine\cache.cpp
• API String ID: 3428363238-3530351678
• Opcode ID: 89dc8520f64928377194e205555e43294858e70bf5feef790b3b2bacb40eb435
• Instruction ID: 9884ba246a265fb758fcba34ae881557613d53408c2fae0fadd9f8a4ec026f34
• Opcode Fuzzy Hash: 89dc8520f64928377194e205555e43294858e70bf5feef790b3b2bacb40eb435
• Instruction Fuzzy Hash: 1E416E72E04615EBDB14DBA9CC41AAEB7BDAF08721F014025EE04E7291D774ED04ABA4
Uniqueness
Uniqueness Score: -1.00%

APIs
• RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000001,00000000,?,?,00020006,00000000,?,00000001,00000000,?), ref: 00F50757
• RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000001,00000000,?,?,00020006,00000000,?,00000001,00000000,?), ref: 00F50766
  • Part of subcall function 00F810B8: RegCreateKeyExW.ADVAPI32(00000001,00000000,00000000,00000000,00000000,00000001,00000000,?,00000000,00000001,?,?,00F5069E,?,00000000,00020006), ref: 00F810DD
Strings
• Failed to update resume mode., xrefs: 00F5073B
• Failed to open registration key., xrefs: 00F5079C
• Failed to write volatile reboot required registry key., xrefs: 00F506A2
• %ls.RebootRequired, xrefs: 00F50674
• Failed to delete registration key: %ls, xrefs: 00F50705
Memory Dump Source
• Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
• Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
Similarity
• API ID: Close$Create
• String ID: %ls.RebootRequired$Failed to delete registration key: %ls$Failed to open registration key.$Failed to update resume mode.$Failed to write volatile reboot required registry key.
• API String ID: 359002179-2517785395
• Opcode ID: a7c6248826d9d6a9618b53258aa8128e52fe8a040bf926776e1ed4bc07600b94
• Instruction ID: 5ce2e28d09d5e2569e11a04b660fbad8aa0dd922ce8fefd20683ef96cd9fe11f
• Opcode Fuzzy Hash: a7c6248826d9d6a9618b53258aa8128e52fe8a040bf926776e1ed4bc07600b94
• Instruction Fuzzy Hash: C841A931900619FBDF22AF60DC46EAF7BB9BF84312F104029FE0561061DB35AA59FB51
Uniqueness
Uniqueness Score: -1.00%

APIs
• RegCloseKey.ADVAPI32(?,?,?,00000001,?,?,?,00000001,00000000,?,00000000,?,?,?,00000000,?), ref: 00F4F9D1
• RegCloseKey.ADVAPI32(00000000,?,?,00000001,?,?,?,00000001,00000000,?,00000000,?,?,?,00000000,?), ref: 00F4F9DE
Strings
• Failed to open registration key., xrefs: 00F4F93A
• Failed to format pending restart registry key to read., xrefs: 00F4F8D5
• Failed to read Resume value., xrefs: 00F4F967
• Resume, xrefs: 00F4F945
• %ls.RebootRequired, xrefs: 00F4F8BE
Memory Dump Source
• Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
• Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
Similarity
• API ID: Close
• String ID: %ls.RebootRequired$Failed to format pending restart registry key to read.$Failed to open registration key.$Failed to read Resume value.$Resume
• API String ID: 3535843008-3890505273
• Opcode ID: 90b1eacdf8f0f57e77bcb8414d5e2ed0957bd2eec27b900065e9a84f70ac444a
• Instruction ID: 5e934cb29c04548a7ee924dc71f04b9f94e057191a615fb920b475c181865547
• Opcode Fuzzy Hash: 90b1eacdf8f0f57e77bcb8414d5e2ed0957bd2eec27b900065e9a84f70ac444a
• Instruction Fuzzy Hash: 3B41F832D04119BBDB119F98CC81BADBFB4FB04324F258176ED19AB250D3759E44AB91
Uniqueness
Uniqueness Score: -1.00%

APIs
• _MREFOpen@16.MSPDB140-MSVCRT ref: 00F638A2
Strings
Memory Dump Source
• Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
• Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
Similarity
• API ID: Open@16
• String ID: %s%="%s"$Failed to append property string part.$Failed to escape string.$Failed to format property string part.$Failed to format property value.$feclient.dll
• API String ID: 3613110473-656185529
• Opcode ID: 8b1e3b92dd5d75d75cf926fdb7d6b1f3929f2b3f83566eb60f6dd4102d139b37
• Instruction ID: 01ee07346572858db33588a4d410cc21cc7a22010ea4827c2f8e952e843142ae
• Opcode Fuzzy Hash: 8b1e3b92dd5d75d75cf926fdb7d6b1f3929f2b3f83566eb60f6dd4102d139b37
• Instruction Fuzzy Hash: 58317072D05229BBEF15AEA4CD41AAEBB69EF00714F10416AF80167291D7B5AF10FF90
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
• Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
Similarity
• API ID:
• String ID: Failed to determine length of relative path.$Failed to determine length of source path.$Failed to set last source.$Failed to trim source folder.$WixBundleLastUsedSource
• API String ID: 0-660234312
• Opcode ID: d99100fcd8b0cc24ceb15f5eb1b7cb198054b6afcbd64e710370acac96261f5e
• Instruction ID: 0deadaa8f8e82d2d96bfcb7e54085ea74bb08a4676541181bca0c8f3e8b1aec3
• Opcode Fuzzy Hash: d99100fcd8b0cc24ceb15f5eb1b7cb198054b6afcbd64e710370acac96261f5e
• Instruction Fuzzy Hash: B831B232900129FBCF229AA4CD41FAEBAA9DB00721F214321FE20FA1D0DA749D54E691
Uniqueness
Uniqueness Score: -1.00%

APIs
• CoCreateInstance.OLE32(00FA1228,00000000,00000017,00FA1238,?,?,00000000,00000000,?,?,?,?,?,00F6DCAA,00000000,00000000), ref: 00F6D6BC
Strings
• Failed to create BITS job., xrefs: 00F6D6F6
• Failed to set notification flags for BITS job., xrefs: 00F6D70E
• WixBurn, xrefs: 00F6D6E7
• Failed to create IBackgroundCopyManager., xrefs: 00F6D6C8
• Failed to set progress timeout., xrefs: 00F6D726
• Failed to set BITS job to foreground., xrefs: 00F6D73D
Memory Dump Source
• Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
• Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
Similarity
• API ID: CreateInstance
• String ID: Failed to create BITS job.$Failed to create IBackgroundCopyManager.$Failed to set BITS job to foreground.$Failed to set notification flags for BITS job.$Failed to set progress timeout.$WixBurn
• API String ID: 542301482-468763447
• Opcode ID: e66f98b3b5048ce809af14d41b93754ea319f3b3a86fb8064e182644b43b4eba
• Instruction ID: 22757f45dcc19ee4347183fa191a4afe7cf3ddc564033ad94bc3269bd8776dbb
• Opcode Fuzzy Hash: e66f98b3b5048ce809af14d41b93754ea319f3b3a86fb8064e182644b43b4eba
• Instruction Fuzzy Hash: 09319271F40219AFDB15CB68C845EBFBBF4AF89710B014159E905EB390DB71EC05AB92
Uniqueness
Uniqueness Score: -1.00%

APIs
• CreateFileW.KERNEL32(00000000,C0000000,00000004,00000000,00000004,00000080,00000000,00000000,?,?,?,?,?,WiX\Burn,DownloadTimeout,00000078), ref: 00F86202
• GetLastError.KERNEL32 ref: 00F8620F
• ReadFile.KERNEL32(00000000,00000008,00000008,?,00000000), ref: 00F86256
• GetLastError.KERNEL32 ref: 00F8628A
• CloseHandle.KERNEL32(00000000,c:\agent\_work\138\s\src\libs\dutil\dlutil.cpp,000000C8,00000000), ref: 00F862BE
Strings
Memory Dump Source
• Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
• Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
Similarity
• API ID: ErrorFileLast$CloseCreateHandleRead
• String ID: %ls.R$c:\agent\_work\138\s\src\libs\dutil\dlutil.cpp
• API String ID: 3160720760-1562451261
• Opcode ID: 952205e89001ccbc22870cfc71d2f2582e705353e5e53604d28707edb495c34a
• Instruction ID: 711a2c6a9c4c2ff15b47886faabed47538fbb92c8c25ded4881aacfa535b6e86
• Opcode Fuzzy Hash: 952205e89001ccbc22870cfc71d2f2582e705353e5e53604d28707edb495c34a
• Instruction Fuzzy Hash: DA31B472A41324ABEF219B98CC45BEE7AA4AF45731F114295FE15EF2C0D7749C00BBA1
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00F4CE0A: CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,00F4E4DA,000000FF,00000000,00000000,00F4E4DA,?,?,00F4DC82,?,?,?,?), ref: 00F4CE35
• CreateFileW.KERNEL32(E900F8BA,80000000,00000005,00000000,00000003,08000000,00000000,00F4543D,?,00000000,840F01E8,E0680A79,00000001,00F45435,00000000,00F45501), ref: 00F4CA06
• GetLastError.KERNEL32(?,?,?,00F57802,00F456E5,00F454F1,00F454F1,00000000,?,00F45501,FFF9E89D,00F45501,00F45535,00F454BD,?,00F454BD), ref: 00F4CA4B
Strings
• Failed to find payload for catalog file., xrefs: 00F4CA90
• c:\agent\_work\138\s\src\burn\engine\catalog.cpp, xrefs: 00F4CA6C
• Failed to open catalog in working path: %ls, xrefs: 00F4CA79
• Failed to get catalog local file path, xrefs: 00F4CA89
• Failed to verify catalog signature: %ls, xrefs: 00F4CA44
Memory Dump Source
• Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
• Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
Similarity
• API ID: CompareCreateErrorFileLastString
• String ID: Failed to find payload for catalog file.$Failed to get catalog local file path$Failed to open catalog in working path: %ls$Failed to verify catalog signature: %ls$c:\agent\_work\138\s\src\burn\engine\catalog.cpp
• API String ID: 1774366664-1365303238
• Opcode ID: c01412fcefef7e30105fe7edcd4d763e357bc326b7382ce2dd0255c6d21fb8dd
• Instruction ID: a2862d5f289258753acf21b9fc9e387b465584a4c6523caee4428d476d05e001
• Opcode Fuzzy Hash: c01412fcefef7e30105fe7edcd4d763e357bc326b7382ce2dd0255c6d21fb8dd
• Instruction Fuzzy Hash: 0F31D332A0262ABFC711DB64CC56F99BFA4AF04760F118625FD04EB280E774EA50B7D0
Uniqueness
Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • CreateProcessW.KERNEL32(00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,00000000), ref: 00F80DBF
                                                                                                • GetLastError.KERNEL32(?,?,?,?,00000000,00000000,00000000), ref: 00F80DC9
                                                                                                • CloseHandle.KERNEL32(?,?,?,?,?,00000000,00000000,00000000), ref: 00F80E12
                                                                                                • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,00000000,00000000), ref: 00F80E1F
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: CloseHandle$CreateErrorLastProcess
                                                                                                • String ID: "%ls" %ls$D$c:\agent\_work\138\s\src\libs\dutil\procutil.cpp
                                                                                                • API String ID: 161867955-337939606
                                                                                                • Opcode ID: 0eaabfa9a3d6af8ebdefe72c36374ed0c1f934b9a4afd959bed4dd036c7e7303
                                                                                                • Instruction ID: ce6f7c237e1acf4ae47a44ca34087af3e6887eec752ec710b5d90aba8976392d
                                                                                                • Opcode Fuzzy Hash: 0eaabfa9a3d6af8ebdefe72c36374ed0c1f934b9a4afd959bed4dd036c7e7303
                                                                                                • Instruction Fuzzy Hash: 93213CB2D0021EABDB11AFE4CD419EFBBB8EF04714F504426EA01B7250D7709E44EBA1
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • WaitForSingleObject.KERNEL32(?,000000FF,74DF30B0,00000000,?,?,?,00F6D425,?), ref: 00F6D148
                                                                                                • ReleaseMutex.KERNEL32(?,?,?,00F6D425,?), ref: 00F6D15C
                                                                                                • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00F6D1A1
                                                                                                • ReleaseMutex.KERNEL32(?), ref: 00F6D1B4
                                                                                                • SetEvent.KERNEL32(?), ref: 00F6D1BD
                                                                                                Strings
                                                                                                • Failed to get message from netfx chainer., xrefs: 00F6D1DE
                                                                                                • Failed to send files in use message from netfx chainer., xrefs: 00F6D201
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: MutexObjectReleaseSingleWait$Event
                                                                                                • String ID: Failed to get message from netfx chainer.$Failed to send files in use message from netfx chainer.
                                                                                                • API String ID: 2608678126-3424578679
                                                                                                • Opcode ID: c05fdfed97020511bb6a42e3d3ee268ee2a463b85cf72ab1a1fb35ae2950ef3c
                                                                                                • Instruction ID: fedea484d864f0252995a5ecf97406312b11a3c32b90ef03460933c2f77490f7
                                                                                                • Opcode Fuzzy Hash: c05fdfed97020511bb6a42e3d3ee268ee2a463b85cf72ab1a1fb35ae2950ef3c
                                                                                                • Instruction Fuzzy Hash: 4B31E532A0051ABFDB019F54DC98EFEBBB9BF05324F108265F510A62A1C774D950AB90
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • _MREFOpen@16.MSPDB140-MSVCRT ref: 00F49C66
                                                                                                • GetFileAttributesW.KERNEL32(00000000,000002C0,?,00000000,00000000,000002C0,00000100,00000000,?,00F4A971,00000100,000002C0,000002C0,00000100), ref: 00F49C86
                                                                                                • GetLastError.KERNEL32(?,00F4A971,00000100,000002C0,000002C0,00000100), ref: 00F49C91
                                                                                                Strings
                                                                                                • Failed to format variable string., xrefs: 00F49C71
                                                                                                • Failed while searching directory search: %ls, for path: %ls, xrefs: 00F49CE7
                                                                                                • Directory search: %ls, did not find path: %ls, reason: 0x%x, xrefs: 00F49CFD
                                                                                                • Failed to set directory search path variable., xrefs: 00F49CC2
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: AttributesErrorFileLastOpen@16
                                                                                                • String ID: Directory search: %ls, did not find path: %ls, reason: 0x%x$Failed to format variable string.$Failed to set directory search path variable.$Failed while searching directory search: %ls, for path: %ls
                                                                                                • API String ID: 1811509786-2966038646
                                                                                                • Opcode ID: 223dc272a3ac80885512270a15b16b7ef838c5e1e43c4ec33a3da4c6ad4dce0b
                                                                                                • Instruction ID: b0b9ad080969b33db22268ebdad0f36ae5827dd8def1f281f7412a4b288daf38
                                                                                                • Opcode Fuzzy Hash: 223dc272a3ac80885512270a15b16b7ef838c5e1e43c4ec33a3da4c6ad4dce0b
                                                                                                • Instruction Fuzzy Hash: 26112B33E48126F7CB1236949D46BDF7E659F01730F214111FD00761A1D7A69E10B7D1
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • _MREFOpen@16.MSPDB140-MSVCRT ref: 00F49E1B
                                                                                                • GetFileAttributesW.KERNEL32(00000000,000002C0,?,00000000,00000000,000002C0,00000100,000002C0,?,00F4A949,00000100,000002C0,000002C0,?,000002C0,00000100), ref: 00F49E3B
                                                                                                • GetLastError.KERNEL32(?,00F4A949,00000100,000002C0,000002C0,?,000002C0,00000100,000002C0,000002C0,00000100), ref: 00F49E46
                                                                                                Strings
                                                                                                • File search: %ls, did not find path: %ls, xrefs: 00F49EAA
                                                                                                • Failed to format variable string., xrefs: 00F49E26
                                                                                                • Failed to set variable to file search path., xrefs: 00F49E9E
                                                                                                • Failed while searching file search: %ls, for path: %ls, xrefs: 00F49E74
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: AttributesErrorFileLastOpen@16
                                                                                                • String ID: Failed to format variable string.$Failed to set variable to file search path.$Failed while searching file search: %ls, for path: %ls$File search: %ls, did not find path: %ls
                                                                                                • API String ID: 1811509786-3425311760
                                                                                                • Opcode ID: 84f6f0ecc251717d99810d83a090440e80a0bae164b8a068d92a25048dbdd86b
                                                                                                • Instruction ID: 0e38a5c7b1c30bc757a53dd165c47fd1adb1a36f8765a1636520ba19795ad709
                                                                                                • Opcode Fuzzy Hash: 84f6f0ecc251717d99810d83a090440e80a0bae164b8a068d92a25048dbdd86b
                                                                                                • Instruction Fuzzy Hash: 4E119033E44125FADB22A6949C06BAFBE25AF10730F250211FD14A61A19BB69E10B7A1
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • WaitForSingleObject.KERNEL32(?,000493E0,00000000,?,?,00F5D2F3,00000000,?,?,00F5C779,?,?,?,?,?,00F454DE), ref: 00F5CEE1
                                                                                                • GetLastError.KERNEL32(?,?,00F5D2F3,00000000,?,?,00F5C779,?,?,?,?,?,00F454DE,?,?,?), ref: 00F5CEEB
                                                                                                • GetExitCodeThread.KERNEL32(?,?,?,?,00F5D2F3,00000000,?,?,00F5C779,?,?,?,?,?,00F454DE,?), ref: 00F5CF27
                                                                                                • GetLastError.KERNEL32(?,?,00F5D2F3,00000000,?,?,00F5C779,?,?,?,?,?,00F454DE,?,?,?), ref: 00F5CF31
                                                                                                Strings
                                                                                                • Failed to wait for cache thread to terminate., xrefs: 00F5CF19
                                                                                                • Failed to get cache thread exit code., xrefs: 00F5CF5F
                                                                                                • c:\agent\_work\138\s\src\burn\engine\elevation.cpp, xrefs: 00F5CF0F, 00F5CF55
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: ErrorLast$CodeExitObjectSingleThreadWait
                                                                                                • String ID: Failed to get cache thread exit code.$Failed to wait for cache thread to terminate.$c:\agent\_work\138\s\src\burn\engine\elevation.cpp
                                                                                                • API String ID: 3686190907-884696695
                                                                                                • Opcode ID: e9c95ec2246fe7e9cdb1812067f3207baae79a6578a1b9ee5b2f35d541915490
                                                                                                • Instruction ID: b4f1bf23763a1192fb106b998239d947aab824eebee29de1ee6526f0e740e518
                                                                                                • Opcode Fuzzy Hash: e9c95ec2246fe7e9cdb1812067f3207baae79a6578a1b9ee5b2f35d541915490
                                                                                                • Instruction Fuzzy Hash: 8901F573D50735ABA62167945C0AA9FBD98AF00BB2B024111BE46FB180F724DD04B6F9
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • WaitForSingleObject.KERNEL32(00000001,000000FF,00000000,?,00F56ED9,?,?,00000000,crypt32.dll,00000000,00000001), ref: 00F569AB
                                                                                                • GetLastError.KERNEL32(?,00F56ED9,?,?,00000000,crypt32.dll,00000000,00000001), ref: 00F569B5
                                                                                                • GetExitCodeThread.KERNEL32(00000001,00000000,?,00F56ED9,?,?,00000000,crypt32.dll,00000000,00000001), ref: 00F569F4
                                                                                                • GetLastError.KERNEL32(?,00F56ED9,?,?,00000000,crypt32.dll,00000000,00000001), ref: 00F569FE
                                                                                                Strings
                                                                                                • Failed to wait for cache thread to terminate., xrefs: 00F569E6
                                                                                                • Failed to get cache thread exit code., xrefs: 00F56A2F
                                                                                                • c:\agent\_work\138\s\src\burn\engine\core.cpp, xrefs: 00F569DC, 00F56A25
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: ErrorLast$CodeExitObjectSingleThreadWait
                                                                                                • String ID: Failed to get cache thread exit code.$Failed to wait for cache thread to terminate.$c:\agent\_work\138\s\src\burn\engine\core.cpp
                                                                                                • API String ID: 3686190907-1666294930
                                                                                                • Opcode ID: cde8a5916a1abd98f1ffea084730ed092ac68b2d5791c3a481c57b2fd07ae028
                                                                                                • Instruction ID: 668035784e2dfb69572cd3d1ade5d0454abee7ef148a12efa2030c083f65c118
                                                                                                • Opcode Fuzzy Hash: cde8a5916a1abd98f1ffea084730ed092ac68b2d5791c3a481c57b2fd07ae028
                                                                                                • Instruction Fuzzy Hash: D611847074030AFBEB009F619D06BBE7AA4AF00715F508165BA14FB1A0EB79CE04BB65
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • GetLastError.KERNEL32(00F45501,000000FF,00F454BD,00F57802,00F45435,00000000,?), ref: 00F5AC71
                                                                                                • GetLastError.KERNEL32(00000000,00000000,00000000,00000000,00F45501,000000FF,00F454BD,00F57802,00F45435,00000000,?), ref: 00F5ACB5
                                                                                                  • Part of subcall function 00F5925F: _memcmp.LIBVCRUNTIME ref: 00F592ED
                                                                                                  • Part of subcall function 00F5925F: _memcmp.LIBVCRUNTIME ref: 00F59327
                                                                                                Strings
                                                                                                • Failed to verify expected payload against actual certificate chain., xrefs: 00F5ACF9
                                                                                                • Failed to get provider state from authenticode certificate., xrefs: 00F5AC9F
                                                                                                • Failed authenticode verification of payload: %ls, xrefs: 00F5AC52
                                                                                                • 0, xrefs: 00F5ABED
                                                                                                • Failed to get signer chain from authenticode certificate., xrefs: 00F5ACE3
                                                                                                • c:\agent\_work\138\s\src\burn\engine\cache.cpp, xrefs: 00F5AC47, 00F5AC95, 00F5ACD9
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: ErrorLast_memcmp
                                                                                                • String ID: 0$Failed authenticode verification of payload: %ls$Failed to get provider state from authenticode certificate.$Failed to get signer chain from authenticode certificate.$Failed to verify expected payload against actual certificate chain.$c:\agent\_work\138\s\src\burn\engine\cache.cpp
                                                                                                • API String ID: 3428363238-2467084736
                                                                                                • Opcode ID: 0af8adf47c1c60d04383c710649f5dd7fced3d3d04884b1fb2f3f484e84183a0
                                                                                                • Instruction ID: 1f906c340dea286fd7783b67ea72d9f938e5cc9efa1bd023faa25a5bfe363b4d
                                                                                                • Opcode Fuzzy Hash: 0af8adf47c1c60d04383c710649f5dd7fced3d3d04884b1fb2f3f484e84183a0
                                                                                                • Instruction Fuzzy Hash: 0241B772D00329ABDB11DF95CC05A9EBAB4AF04321F11422AFD15B7280E774DD08ABE6
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • EnterCriticalSection.KERNEL32(?), ref: 00F5F73D
                                                                                                • LeaveCriticalSection.KERNEL32(?), ref: 00F5F84A
                                                                                                Strings
                                                                                                • UX denied while trying to set source on embedded payload: %ls, xrefs: 00F5F7BF
                                                                                                • Engine is active, cannot change engine state., xrefs: 00F5F757
                                                                                                • UX requested unknown container with id: %ls, xrefs: 00F5F809
                                                                                                • Failed to set source path for payload., xrefs: 00F5F7D9
                                                                                                • UX requested unknown payload with id: %ls, xrefs: 00F5F7A9
                                                                                                • Failed to set source path for container., xrefs: 00F5F82F
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: CriticalSection$EnterLeave
                                                                                                • String ID: Engine is active, cannot change engine state.$Failed to set source path for container.$Failed to set source path for payload.$UX denied while trying to set source on embedded payload: %ls$UX requested unknown container with id: %ls$UX requested unknown payload with id: %ls
                                                                                                • API String ID: 3168844106-4121889706
                                                                                                • Opcode ID: 11e864f8454d56fccbebecd7ca7add1f69b80d90919367f6ba0ef113df0ef148
                                                                                                • Instruction ID: 7ce9351e36995c6bb2b3a944f20c828855dc665f484cce063ce07cdf11b410ef
                                                                                                • Opcode Fuzzy Hash: 11e864f8454d56fccbebecd7ca7add1f69b80d90919367f6ba0ef113df0ef148
                                                                                                • Instruction Fuzzy Hash: BA310632E40611ABCB119B98DC49E9A7BAC9F4472271941A6FD04E7281DB74EE0CB7D1
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • lstrlenW.KERNEL32(00000000), ref: 00F472C4
                                                                                                Strings
                                                                                                • Failed to copy string., xrefs: 00F47378
                                                                                                • Failed to append escape sequence., xrefs: 00F47357
                                                                                                • [\%c], xrefs: 00F47323
                                                                                                • Failed to allocate buffer for escaped string., xrefs: 00F472DB
                                                                                                • Failed to format escape sequence., xrefs: 00F4735E
                                                                                                • Failed to append characters., xrefs: 00F47350
                                                                                                • []{}, xrefs: 00F472EE
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: lstrlen
                                                                                                • String ID: Failed to allocate buffer for escaped string.$Failed to append characters.$Failed to append escape sequence.$Failed to copy string.$Failed to format escape sequence.$[\%c]$[]{}
                                                                                                • API String ID: 1659193697-3250950999
                                                                                                • Opcode ID: 270082a200df5f1af09f49512bfda2e8040b560a20724a87ebf198dc6f44cf08
                                                                                                • Instruction ID: c83216e6b8e9ba46d1def94d3403c4475d65c948727beb0244deab0684d4aa9f
                                                                                                • Opcode Fuzzy Hash: 270082a200df5f1af09f49512bfda2e8040b560a20724a87ebf198dc6f44cf08
                                                                                                • Instruction Fuzzy Hash: FD21D233908715BADB217AA49C46FFE7FA89F00720F200126FD01B6180DB799E05B791
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • CompareStringW.KERNEL32(00000000,00000000,00F8B4F0,000000FF,feclient.dll,000000FF,00000000,00000000,?,?,?,00F6665C,?,00000001,?,00000000), ref: 00F65AD1
                                                                                                Strings
                                                                                                • Failed to plan action for target product., xrefs: 00F65B7C
                                                                                                • Failed to insert execute action., xrefs: 00F65B26
                                                                                                • feclient.dll, xrefs: 00F65AC7, 00F65BEF
                                                                                                • Failed to copy target product code., xrefs: 00F65C02
                                                                                                • Failed grow array of ordered patches., xrefs: 00F65B6A
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: CompareString
                                                                                                • String ID: Failed grow array of ordered patches.$Failed to copy target product code.$Failed to insert execute action.$Failed to plan action for target product.$feclient.dll
                                                                                                • API String ID: 1825529933-3477540455
                                                                                                • Opcode ID: 9720a59f8879acf118cea8ec794df56da83d8aca924885ce4d0ff32b0c042620
                                                                                                • Instruction ID: de219749a3337f46df4e43c06fb11b982720e81c3b3b238877a3fce6ef268dfb
                                                                                                • Opcode Fuzzy Hash: 9720a59f8879acf118cea8ec794df56da83d8aca924885ce4d0ff32b0c042620
                                                                                                • Instruction Fuzzy Hash: 7D8112B6A0070A9FCB14CF58C880AAA77A5FF48724F158669ED15AB352D734EC11DF90
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • CompareStringW.KERNEL32(00000000,00000001,?,000000FF,?,000000FF,00000000,00000100,00000000,?,?,?,00F570FA,000000B8,0000001C,00000100), ref: 00F690E7
                                                                                                • CompareStringW.KERNEL32(00000000,00000001,?,000000FF,00F8B4A8,000000FF,?,?,?,00F570FA,000000B8,0000001C,00000100,00000100,00000100,000000B0), ref: 00F69171
                                                                                                Strings
                                                                                                • comres.dll, xrefs: 00F691F3
                                                                                                • BA aborted detect forward compatible bundle., xrefs: 00F691DB
                                                                                                • Failed to initialize update bundle., xrefs: 00F69214
                                                                                                • c:\agent\_work\138\s\src\burn\engine\detect.cpp, xrefs: 00F691D1
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: CompareString
                                                                                                • String ID: BA aborted detect forward compatible bundle.$Failed to initialize update bundle.$c:\agent\_work\138\s\src\burn\engine\detect.cpp$comres.dll
                                                                                                • API String ID: 1825529933-2620696206
                                                                                                • Opcode ID: 90df5d6a462ca218e67968706bd64cf5da6af449bb72a868122c7ab5354dc484
                                                                                                • Instruction ID: 87718597ab9b6ece9df412867b360fedcd62c19439bc0ee8461655cc152a1088
                                                                                                • Opcode Fuzzy Hash: 90df5d6a462ca218e67968706bd64cf5da6af449bb72a868122c7ab5354dc484
                                                                                                • Instruction Fuzzy Hash: EA51C231A04206FBDF159F64CC85FAAB76AFF06320F204654F9149A195C7B1EC60FB90
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • CloseHandle.KERNEL32(00000000,?,?,00000001,00F8B4F0,?,00000001,000000FF,?,?,00000000,00000000,00000001,00000000,?,00F574BE), ref: 00F5D4F7
                                                                                                Strings
                                                                                                • UX aborted elevation requirement., xrefs: 00F5D3FF
                                                                                                • Failed to create pipe name and client token., xrefs: 00F5D42B
                                                                                                • Failed to connect to elevated child process., xrefs: 00F5D4E0
                                                                                                • Failed to elevate., xrefs: 00F5D4D9
                                                                                                • Failed to create pipe and cache pipe., xrefs: 00F5D447
                                                                                                • c:\agent\_work\138\s\src\burn\engine\elevation.cpp, xrefs: 00F5D3F5
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: CloseHandle
                                                                                                • String ID: Failed to connect to elevated child process.$Failed to create pipe and cache pipe.$Failed to create pipe name and client token.$Failed to elevate.$UX aborted elevation requirement.$c:\agent\_work\138\s\src\burn\engine\elevation.cpp
                                                                                                • API String ID: 2962429428-1175272905
                                                                                                • Opcode ID: bf5634921c46b3393e8b62f5da6845d9ffff16777db2468198bf6d57a255dfd5
                                                                                                • Instruction ID: 484706403bb13a7c9cbed8da6020064c0b9b34b28ca9379ffeac55cb17ab22bf
                                                                                                • Opcode Fuzzy Hash: bf5634921c46b3393e8b62f5da6845d9ffff16777db2468198bf6d57a255dfd5
                                                                                                • Instruction Fuzzy Hash: 35314833A46725BBEB31B6608C46FAA765CAB00735F104115FF04BA1C1EA79BD08B2D6
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,00000000,00000000), ref: 00F80758
                                                                                                • GetComputerNameW.KERNEL32(?,?), ref: 00F807B0
                                                                                                Strings
                                                                                                • Executable: %ls v%d.%d.%d.%d, xrefs: 00F8080C
                                                                                                • === Logging started: %ls ===, xrefs: 00F807DB
                                                                                                • Computer : %ls, xrefs: 00F8081E
                                                                                                • --- logging level: %hs ---, xrefs: 00F80870
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: Name$ComputerFileModule
                                                                                                • String ID: --- logging level: %hs ---$=== Logging started: %ls ===$Computer : %ls$Executable: %ls v%d.%d.%d.%d
                                                                                                • API String ID: 2577110986-3153207428
                                                                                                • Opcode ID: 37b012579fed02cc0371cf085ac686861932a6167d14e0b8e5e9098048f035c5
                                                                                                • Instruction ID: 9c4b0108408419464eea4fe678c60fded39b4bac4ea712987d63693c7f6c2edf
                                                                                                • Opcode Fuzzy Hash: 37b012579fed02cc0371cf085ac686861932a6167d14e0b8e5e9098048f035c5
                                                                                                • Instruction Fuzzy Hash: 9D41A3F2D0011C9BCB60AB65CC49AEA77BCEB45310F4140A9F505E3142DB34AEC9AFA4
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                  • Part of subcall function 00F81436: RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,00000000,00000001,00FABB7C,00000000,?,00F85BF9,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 00F8144A
                                                                                                • RegCloseKey.ADVAPI32(00000001,00000001,crypt32.dll,00000000,00000001,00F8B4F0,00000000,00000001,00000000,00020019,00000001,00000000,00000000,00020019,00000000,00000001), ref: 00F89969
                                                                                                • RegCloseKey.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000001,crypt32.dll,00000000,00000001,00F8B4F0,00000000,00000001,00000000,00020019), ref: 00F899A4
                                                                                                • RegCloseKey.ADVAPI32(00000001,00000001,00020019,00000000,00000000,00000000,00000000,00000000,crypt32.dll), ref: 00F899C0
                                                                                                • RegCloseKey.ADVAPI32(00000000,00000001,00020019,00000000,00000000,00000000,00000000,00000000,crypt32.dll), ref: 00F899CD
                                                                                                • RegCloseKey.ADVAPI32(00000000,00000001,00020019,00000000,00000000,00000000,00000000,00000000,crypt32.dll), ref: 00F899DA
                                                                                                  • Part of subcall function 00F81499: RegQueryInfoKeyW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00F89956,00000001), ref: 00F814B1
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: Close$InfoOpenQuery
                                                                                                • String ID: crypt32.dll
                                                                                                • API String ID: 796878624-1661610138
                                                                                                • Opcode ID: 0267d925e8caa24018785535cb8565a0efcd7082f4d102386fe35f292b710506
                                                                                                • Instruction ID: 7beb1cf3fc2d9936bd303242353a361416184c2b5133c9df08b9ee82a22c3058
                                                                                                • Opcode Fuzzy Hash: 0267d925e8caa24018785535cb8565a0efcd7082f4d102386fe35f292b710506
                                                                                                • Instruction Fuzzy Hash: 77410572C0122DFFCF22BF959D819EDFB79AF04750F1A426AE90076121D3754E51AB90
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%
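The function blocks above all share one layout (APIs with a ref address, Strings with xrefs, a Similarity record with the opcode and instruction hashes, a Uniqueness score). The parser below, added here as a worked example and not part of the Joe Sandbox report or its IDA plugin, reads that layout into records and builds the triage view a reviewer actually wants from it: which imports each function touches, which source-file paths the error strings leak (the burn\engine and libs\dutil paths that identify the bootstrapper engine), and the per-function opcode IDs for later clustering. The excerpt it runs on is a constructed two-block sample assembled from values in the blocks above; the section names and line shapes it expects are assumed from what is visible on this page.

```python
"""Parse Joe Sandbox 'IDA Plugin' function blocks into records for triage.
Added example; not Joe Sandbox code. Layout assumptions come from the blocks above."""
import re
from collections import Counter

SECTIONS = ("APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin",
            "Similarity", "Uniqueness")
# "• Name.Module(args), ref: ADDR", optionally prefixed "Part of subcall function ADDR: "
API_RE = re.compile(r"^(?:Part of subcall function ([0-9A-F]{8}): )?"
                    r"([A-Za-z0-9_]+)\.([A-Za-z0-9_]+)\((.*)\), ref: ([0-9A-F]{8})$")
# "• text, xrefs: ADDR[, ADDR...]"
STR_RE = re.compile(r"^(.*), xrefs: ([0-9A-F]{8}(?:, [0-9A-F]{8})*)$")
# Build-machine source paths that survive in error strings (e.g. c:\agent\...\cache.cpp)
SRC_RE = re.compile(r"[A-Za-z]:\\[^\s$]*?\.(?:cpp|c|h)", re.IGNORECASE)


def parse_blocks(text):
    """Split report text into one dict per function block (a block starts at 'APIs')."""
    blocks, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "APIs":
            cur = {"apis": [], "strings": [], "similarity": {}}
            blocks.append(cur)
        if line in SECTIONS:
            section = line
            continue
        if cur is None:
            continue
        if line.startswith("• "):
            line = line[2:]
        if section == "APIs":
            m = API_RE.match(line)
            if m:
                caller, name, module, args, ref = m.groups()
                cur["apis"].append({"api": name, "module": module,
                                    "args": args.split(",") if args else [],
                                    "ref": ref, "subcall": caller})
        elif section == "Strings":
            m = STR_RE.match(line)
            if m:
                cur["strings"].append({"text": m.group(1),
                                       "xrefs": m.group(2).split(", ")})
        elif section == "Similarity":
            key, _, value = line.partition(": ")
            cur["similarity"][key] = value
        elif section == "Uniqueness" and line.startswith("Uniqueness Score:"):
            cur["uniqueness"] = float(line.split(":")[1].strip().rstrip("%"))
    return blocks


def summarise(blocks):
    """Triage view: import counts per module, leaked source paths, opcode IDs."""
    imports = Counter(f"{a['module']}!{a['api']}" for b in blocks for a in b["apis"])
    sources = sorted({m.group(0) for b in blocks for s in b["strings"]
                      for m in SRC_RE.finditer(s["text"])})
    return {"functions": len(blocks), "imports": imports, "source_files": sources,
            "opcode_ids": [b["similarity"].get("Opcode ID") for b in blocks]}


# Constructed excerpt in the report's layout (values copied from two blocks on this page).
SAMPLE_REPORT = r"""
APIs
• CloseHandle.KERNEL32(00000000,?,?,00000001), ref: 00F5D4F7
Strings
• UX aborted elevation requirement., xrefs: 00F5D3FF
• Failed to elevate., xrefs: 00F5D4D9
• c:\agent\_work\138\s\src\burn\engine\elevation.cpp, xrefs: 00F5D3F5
Memory Dump Source
• Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
Similarity
• API ID: CloseHandle
• Opcode ID: bf5634921c46b3393e8b62f5da6845d9ffff16777db2468198bf6d57a255dfd5
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00F81436: RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,00000000,00000001,00FABB7C), ref: 00F8144A
• RegCloseKey.ADVAPI32(00000001,00000001,crypt32.dll), ref: 00F89969
• RegCloseKey.ADVAPI32(00000000,00000001,00020019), ref: 00F899CD
Strings
Memory Dump Source
Similarity
• API ID: Close$InfoOpenQuery
• String ID: crypt32.dll
Uniqueness

Uniqueness Score: -1.00%
"""

if __name__ == "__main__":
    summary = summarise(parse_blocks(SAMPLE_REPORT))
    for imp, n in summary["imports"].most_common():
        print(f"{n:3d}  {imp}")
    print("source files:", *summary["source_files"], sep="\n  ")
```

Feed it the whole report text instead of the sample and the source-file list collapses the hundreds of blocks into a handful of paths, which is the quickest way to confirm that behaviours flagged in the signature list (elevation through a named pipe, Authenticode verification of payloads, registry policy lookups) belong to the embedded installer engine rather than to an unrelated component.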

                                                                                                APIs
                                                                                                • EnterCriticalSection.KERNEL32(00FAC6EC,00000000,?,?,?,00F5427F,00000000,Setup,_Failed,txt,00000000,00000000,00000000,00000001,00F45572,?), ref: 00F8094D
                                                                                                • CreateFileW.KERNEL32(40000000,00000001,00000000,00000000,00000080,00000000,?,00000000,?,?,?,00FAC6E4,?,00F5427F,00000000,Setup), ref: 00F809F1
                                                                                                • GetLastError.KERNEL32(?,00F5427F,00000000,Setup,_Failed,txt,00000000,00000000,00000000,00000001,00F45572,?,?,?), ref: 00F80A01
                                                                                                • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,00F5427F,00000000,Setup,_Failed,txt,00000000,00000000,00000000,00000001,00F45572,?), ref: 00F80A3B
                                                                                                  • Part of subcall function 00F42EE7: GetLocalTime.KERNEL32(?,?,?,?,?,?), ref: 00F43031
                                                                                                • LeaveCriticalSection.KERNEL32(00FAC6EC,?,?,00FAC6E4,?,00F5427F,00000000,Setup,_Failed,txt,00000000,00000000,00000000,00000001,00F45572,?), ref: 00F80A94
                                                                                                Strings
                                                                                                • c:\agent\_work\138\s\src\libs\dutil\logutil.cpp, xrefs: 00F80A20
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: CriticalFileSection$CreateEnterErrorLastLeaveLocalPointerTime
                                                                                                • String ID: c:\agent\_work\138\s\src\libs\dutil\logutil.cpp
                                                                                                • API String ID: 4111229724-1566132964
                                                                                                • Opcode ID: f72c83b8c8446d4322d78aedfeb003c144df45f7d3fa4008f779eedd8f696f16
                                                                                                • Instruction ID: 31b942b38ea70061efdf51baaa22b6e1f9b4a40e99083255fcc786f16f47ae38
                                                                                                • Opcode Fuzzy Hash: f72c83b8c8446d4322d78aedfeb003c144df45f7d3fa4008f779eedd8f696f16
                                                                                                • Instruction Fuzzy Hash: 7A319571A0132AEFDB61EFA4DC45EFA3A68AB01754B444126FD04E62A1DF38CD44B7E0
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • lstrlenW.KERNEL32(?,?,00000000,00000000,BundleUpgradeCode), ref: 00F81A7E
                                                                                                • lstrlenW.KERNEL32(?,00000002,00000001,?,00000002,00000001,00000000,00000000,BundleUpgradeCode), ref: 00F81AE0
                                                                                                • lstrlenW.KERNEL32(?), ref: 00F81AEC
                                                                                                • RegSetValueExW.ADVAPI32(?,?,00000000,00000007,?,?,00000001,?,?,00000002,00000001,00000000,00000000,BundleUpgradeCode), ref: 00F81B2F
                                                                                                Strings
                                                                                                • c:\agent\_work\138\s\src\libs\dutil\regutil.cpp, xrefs: 00F81B57
                                                                                                • BundleUpgradeCode, xrefs: 00F81A4B
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: lstrlen$Value
                                                                                                • String ID: BundleUpgradeCode$c:\agent\_work\138\s\src\libs\dutil\regutil.cpp
                                                                                                • API String ID: 198323757-4149154654
                                                                                                • Opcode ID: 3e33d7d464f4ef58b2dd1893cb4c678e1630871e1ac223f961f1340f56208542
                                                                                                • Instruction ID: 202571261314d89c68cfe4b5f50b9603d939c103135ae49bc38633cee6996187
                                                                                                • Opcode Fuzzy Hash: 3e33d7d464f4ef58b2dd1893cb4c678e1630871e1ac223f961f1340f56208542
                                                                                                • Instruction Fuzzy Hash: 42316472D0062AABCB11AF98CC859EEBBBDBF84750F050255FD01BB150D734DD12ABA0
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • CreateThread.KERNEL32(00000000,00000000,00F5AD19,00000001,00000000,00000000), ref: 00F5D277
                                                                                                • GetLastError.KERNEL32(?,?,?,00F454DE,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00F5D283
                                                                                                  • Part of subcall function 00F5CECF: WaitForSingleObject.KERNEL32(?,000493E0,00000000,?,?,00F5D2F3,00000000,?,?,00F5C779,?,?,?,?,?,00F454DE), ref: 00F5CEE1
                                                                                                  • Part of subcall function 00F5CECF: GetLastError.KERNEL32(?,?,00F5D2F3,00000000,?,?,00F5C779,?,?,?,?,?,00F454DE,?,?,?), ref: 00F5CEEB
                                                                                                • CloseHandle.KERNEL32(00000000,00000000,?,?,00F5C779,?,?,?,?,?,00F454DE,?,?,?,?), ref: 00F5D304
                                                                                                Strings
                                                                                                • Failed to pump messages in child process., xrefs: 00F5D2DB
                                                                                                • c:\agent\_work\138\s\src\burn\engine\elevation.cpp, xrefs: 00F5D2A7
                                                                                                • Failed to create elevated cache thread., xrefs: 00F5D2B1
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: ErrorLast$CloseCreateHandleObjectSingleThreadWait
                                                                                                • String ID: Failed to create elevated cache thread.$Failed to pump messages in child process.$c:\agent\_work\138\s\src\burn\engine\elevation.cpp
                                                                                                • API String ID: 3606931770-2430441278
                                                                                                • Opcode ID: 5c07265526840d74b105f53078ef55c313240ab68cfd3c237d8ee142572b4574
                                                                                                • Instruction ID: fa0a4480d4ac84fad28b964dd7210a4de04df8544753760a1820e48d5d6668df
                                                                                                • Opcode Fuzzy Hash: 5c07265526840d74b105f53078ef55c313240ab68cfd3c237d8ee142572b4574
                                                                                                • Instruction Fuzzy Hash: 6741E1B6D01219AF8B51DFA8D8819EEBBF4BF08321F10412AFD08E7340E73499419F94
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • EnterCriticalSection.KERNEL32(00000000,00000000,00000000,?,?,?,00F459A1,00000100,00000100,00000000,?,00000001,00000000,00000100), ref: 00F473F0
                                                                                                • LeaveCriticalSection.KERNEL32(00000000,00000000,00000100,00000000,?,?,?,00F459A1,00000100,00000100,00000000,?,00000001,00000000,00000100), ref: 00F474CF
                                                                                                Strings
                                                                                                • *****, xrefs: 00F4748B, 00F47498
                                                                                                • Failed to get unformatted string., xrefs: 00F47460
                                                                                                • Failed to format value '%ls' of variable: %ls, xrefs: 00F47499
                                                                                                • Failed to get value as string for variable: %ls, xrefs: 00F474BE
                                                                                                • Failed to get variable: %ls, xrefs: 00F47431
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: CriticalSection$EnterLeave
                                                                                                • String ID: *****$Failed to format value '%ls' of variable: %ls$Failed to get unformatted string.$Failed to get value as string for variable: %ls$Failed to get variable: %ls
                                                                                                • API String ID: 3168844106-2873099529
                                                                                                • Opcode ID: 5cef09c0c534801fdcb195a76dc168081cc933cf96dbde8110134c26f90c0a3c
                                                                                                • Instruction ID: a3b6e91bfdec88acc249ded201068b164290918025880f72238e519d3d834150
                                                                                                • Opcode Fuzzy Hash: 5cef09c0c534801fdcb195a76dc168081cc933cf96dbde8110134c26f90c0a3c
                                                                                                • Instruction Fuzzy Hash: E4318F3290462AFBDF11BA90CC09BAE7F65EF10325F214125FD046A5A0D735AA54B7E1
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: api-ms-$ext-ms-
                                                                                                • API String ID: 0-537541572
                                                                                                • Opcode ID: c43896bda005c818b940f57f995d40ca9a10128b911de6b7ad4363268cf68557
                                                                                                • Instruction ID: 645dcdb5f7314a6e60397f5e625e916416c99e41f482d3b298603e42ea05d3b0
                                                                                                • Opcode Fuzzy Hash: c43896bda005c818b940f57f995d40ca9a10128b911de6b7ad4363268cf68557
                                                                                                • Instruction Fuzzy Hash: 3021D872E19224ABCB318B349C44F6A77589F02770F258112EC1DA7291D7B1ED00B6D2
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • InitializeAcl.ADVAPI32(?,00000008,00000002,0000001A,?,?,00000000,00000000,?,?,?), ref: 00F58E15
                                                                                                • GetLastError.KERNEL32 ref: 00F58E1F
                                                                                                • SetFileAttributesW.KERNEL32(?,00000080,?,00000001,20000004,00000000,00000000,?,00000000,00000003,000007D0,?,00000000,00000000,?,?), ref: 00F58E7F
                                                                                                Strings
                                                                                                • Failed to initialize ACL., xrefs: 00F58E4D
                                                                                                • c:\agent\_work\138\s\src\burn\engine\cache.cpp, xrefs: 00F58E43
                                                                                                • Failed to allocate administrator SID., xrefs: 00F58DFB
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: AttributesErrorFileInitializeLast
                                                                                                • String ID: Failed to allocate administrator SID.$Failed to initialize ACL.$c:\agent\_work\138\s\src\burn\engine\cache.cpp
                                                                                                • API String ID: 669721577-337914901
                                                                                                • Opcode ID: 022caa956b4bf19c6fec1597e478080f6b5fde1e86e06b56426956630af10650
                                                                                                • Instruction ID: ad49f4fb795cf2cc82924f919ed524951836813ec4b5d6862704e177448dc383
                                                                                                • Opcode Fuzzy Hash: 022caa956b4bf19c6fec1597e478080f6b5fde1e86e06b56426956630af10650
                                                                                                • Instruction Fuzzy Hash: 0A21BB73E40314B7DB215AD59C8AFAFB779AB40BA1F114125BE04B7180EE749E05B7D0
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • GetCurrentDirectoryW.KERNEL32(00000000,00000000,?,00000000,crypt32.dll,?,?,00F5409C,00000001,feclient.dll,?,00000000,?,?,?,00F44B92), ref: 00F442D9
                                                                                                • GetLastError.KERNEL32(?,?,00F5409C,00000001,feclient.dll,?,00000000,?,?,?,00F44B92,?,?,00F8B478,?,00000001), ref: 00F442E5
                                                                                                • GetCurrentDirectoryW.KERNEL32(00000000,?,?,00000000,?,?,00F5409C,00000001,feclient.dll,?,00000000,?,?,?,00F44B92,?), ref: 00F44320
                                                                                                • GetLastError.KERNEL32(?,?,00F5409C,00000001,feclient.dll,?,00000000,?,?,?,00F44B92,?,?,00F8B478,?,00000001), ref: 00F4432A
                                                                                                Strings
                                                                                                • crypt32.dll, xrefs: 00F442A2
                                                                                                • c:\agent\_work\138\s\src\libs\dutil\dirutil.cpp, xrefs: 00F4434E
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: CurrentDirectoryErrorLast
                                                                                                • String ID: c:\agent\_work\138\s\src\libs\dutil\dirutil.cpp$crypt32.dll
                                                                                                • API String ID: 152501406-1703428526
                                                                                                • Opcode ID: ad5ca545e5f7347552ed96c43ebe0a679c20e3976acd67acb51bd560ae1aab69
                                                                                                • Instruction ID: 5298e817fe74d951d88084e4beb3bbe2d248f7d01e835b830a7f4c6b55d271a9
                                                                                                • Opcode Fuzzy Hash: ad5ca545e5f7347552ed96c43ebe0a679c20e3976acd67acb51bd560ae1aab69
                                                                                                • Instruction Fuzzy Hash: 5F11B477D01736A7A7215A984C44BBFBE689F40B617160135BE00FB240E774ED00B7E0
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                Strings
                                                                                                • c:\agent\_work\138\s\src\burn\engine\cabextract.cpp, xrefs: 00F60AE8
                                                                                                • Failed to write during cabinet extraction., xrefs: 00F60AF2
                                                                                                • Unexpected call to CabWrite()., xrefs: 00F60A7E
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: ErrorFileLastWrite_memcpy_s
                                                                                                • String ID: Failed to write during cabinet extraction.$Unexpected call to CabWrite().$c:\agent\_work\138\s\src\burn\engine\cabextract.cpp
                                                                                                • API String ID: 1970631241-3024265679
                                                                                                Uniqueness
                                                                                                • Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • _MREFOpen@16.MSPDB140-MSVCRT ref: 00F49BA9
                                                                                                • GetFileAttributesW.KERNEL32(00000000,000002C0,?,00000000,00000000,000002C0,00000100,00000000,?,00F4A97A,00000100,000002C0,000002C0,00000100), ref: 00F49BBE
                                                                                                • GetLastError.KERNEL32(?,00F4A97A,00000100,000002C0,000002C0,00000100), ref: 00F49BCB
                                                                                                Strings
                                                                                                • Failed to set variable., xrefs: 00F49C30
                                                                                                • Failed to format variable string., xrefs: 00F49BB4
                                                                                                • Failed while searching directory search: %ls, for path: %ls, xrefs: 00F49C0B
                                                                                                Similarity
                                                                                                • API ID: AttributesErrorFileLastOpen@16
                                                                                                • String ID: Failed to format variable string.$Failed to set variable.$Failed while searching directory search: %ls, for path: %ls
                                                                                                • API String ID: 1811509786-402580132
                                                                                                Uniqueness
                                                                                                • Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • DosDateTimeToFileTime.KERNEL32(?,?,?), ref: 00F60B7F
                                                                                                • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00F60B91
                                                                                                • SetFileTime.KERNEL32(?,?,?,?), ref: 00F60BA4
                                                                                                • CloseHandle.KERNEL32(000000FF,?,?,?,?,?,?,?,?,?,?,?,?,00F60774,?,?), ref: 00F60BB3
                                                                                                Strings
                                                                                                • Invalid operation for this state., xrefs: 00F60B58
                                                                                                • c:\agent\_work\138\s\src\burn\engine\cabextract.cpp, xrefs: 00F60B4E
                                                                                                Similarity
                                                                                                • API ID: Time$File$CloseDateHandleLocal
                                                                                                • String ID: Invalid operation for this state.$c:\agent\_work\138\s\src\burn\engine\cabextract.cpp
                                                                                                • API String ID: 609741386-470522311
                                                                                                Uniqueness
                                                                                                • Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                  • Part of subcall function 00F789A2: _free.LIBCMT ref: 00F789C7
                                                                                                • _free.LIBCMT ref: 00F78A28
                                                                                                  • Part of subcall function 00F7604F: HeapFree.KERNEL32(00000000,00000000,?,00F789CC,?,00000000,?,00000000,?,00F789F3,?,00000007,?,?,00F78E6D,?), ref: 00F76065
                                                                                                  • Part of subcall function 00F7604F: GetLastError.KERNEL32(?,?,00F789CC,?,00000000,?,00000000,?,00F789F3,?,00000007,?,?,00F78E6D,?,?), ref: 00F76077
                                                                                                • _free.LIBCMT ref: 00F78A33
                                                                                                • _free.LIBCMT ref: 00F78A3E
                                                                                                • _free.LIBCMT ref: 00F78A92
                                                                                                • _free.LIBCMT ref: 00F78A9D
                                                                                                • _free.LIBCMT ref: 00F78AA8
                                                                                                • _free.LIBCMT ref: 00F78AB3
                                                                                                Similarity
                                                                                                • API ID: _free$ErrorFreeHeapLast
                                                                                                • String ID:
                                                                                                • API String ID: 776569668-0
                                                                                                Uniqueness
                                                                                                • Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                  • Part of subcall function 00F43A1A: GetProcessHeap.KERNEL32(?,000001C7,?,00F423A7,?,00000001,80004005,8007139F,?,?,00F80687,8007139F,?,00000000,00000000,8007139F), ref: 00F43A2B
                                                                                                  • Part of subcall function 00F43A1A: RtlAllocateHeap.NTDLL(00000000,?,00F423A7,?,00000001,80004005,8007139F,?,?,00F80687,8007139F,?,00000000,00000000,8007139F), ref: 00F43A32
                                                                                                • _memcpy_s.LIBCMT ref: 00F5470C
                                                                                                • _memcpy_s.LIBCMT ref: 00F5471F
                                                                                                • _memcpy_s.LIBCMT ref: 00F5473A
                                                                                                Similarity
                                                                                                • API ID: _memcpy_s$Heap$AllocateProcess
                                                                                                • String ID: Failed to allocate memory for message.$c:\agent\_work\138\s\src\burn\engine\pipe.cpp$crypt32.dll
                                                                                                • API String ID: 886498622-4121836808
                                                                                                Uniqueness
                                                                                                • Uniqueness Score: -1.00%

                                                                                                Similarity
                                                                                                • API ID: CloseErrorExecuteHandleLastShell
                                                                                                • String ID: <$PDu$c:\agent\_work\138\s\src\libs\dutil\shelutil.cpp
                                                                                                • API String ID: 3023784893-2423443864
                                                                                                Uniqueness
                                                                                                • Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • SysFreeString.OLEAUT32(00000000), ref: 00F49B76
                                                                                                Strings
                                                                                                • Failed to copy condition string from BSTR, xrefs: 00F49B60
                                                                                                • Failed to get Condition inner text., xrefs: 00F49B46
                                                                                                • Failed to select condition node., xrefs: 00F49B2D
                                                                                                • Condition, xrefs: 00F49B11
                                                                                                • `<u, xrefs: 00F49B76
                                                                                                Similarity
                                                                                                • API ID: FreeString
                                                                                                • String ID: Condition$Failed to copy condition string from BSTR$Failed to get Condition inner text.$Failed to select condition node.$`<u
                                                                                                • API String ID: 3341692771-266405526
                                                                                                Uniqueness
                                                                                                • Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • GetModuleHandleW.KERNEL32(kernel32,IsWow64Process2,?,?,?,00F462F5,00000000), ref: 00F80E4C
                                                                                                • GetProcAddress.KERNEL32(00000000), ref: 00F80E53
                                                                                                • GetLastError.KERNEL32(?,?,?,00F462F5,00000000), ref: 00F80E72
                                                                                                Strings
                                                                                                • IsWow64Process2, xrefs: 00F80E3F
                                                                                                • c:\agent\_work\138\s\src\libs\dutil\procutil.cpp, xrefs: 00F80E93
                                                                                                • kernel32, xrefs: 00F80E46
                                                                                                Similarity
                                                                                                • API ID: AddressErrorHandleLastModuleProc
                                                                                                • String ID: IsWow64Process2$c:\agent\_work\138\s\src\libs\dutil\procutil.cpp$kernel32
                                                                                                • API String ID: 4275029093-2089608604
                                                                                                Uniqueness
                                                                                                • Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • GetConsoleCP.KERNEL32(00F75C49,00000000,00000000), ref: 00F7C6EA
                                                                                                • __fassign.LIBCMT ref: 00F7C8C9
                                                                                                • __fassign.LIBCMT ref: 00F7C8E6
                                                                                                • WriteFile.KERNEL32(?,00000000,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00F7C92E
                                                                                                • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00F7C96E
                                                                                                • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 00F7CA1A
                                                                                                Similarity
                                                                                                • API ID: FileWrite__fassign$ConsoleErrorLast
                                                                                                • String ID:
                                                                                                • API String ID: 4031098158-0
                                                                                                • Opcode ID: cdd8be9b105d7c043ae508c30c5dee7c296c0663f7b8f856e1d916041bd65e20
                                                                                                • Instruction ID: 5591a021f24d10f7fd496ecf49eea816d609e2235121b48255539e3952b915fb
                                                                                                • Opcode Fuzzy Hash: cdd8be9b105d7c043ae508c30c5dee7c296c0663f7b8f856e1d916041bd65e20
                                                                                                • Instruction Fuzzy Hash: EBD19C71D0025C9FDB15CFA8D8809EDBBB5FF49310F28816EE859BB242D730A946DB91
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • Sleep.KERNEL32(000007D0,00000000,00000000), ref: 00F58CF8
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: Sleep
                                                                                                • String ID: Failed to calculate cache path.$Failed to get %hs package cache root directory.$Failed to get old %hs package cache root directory.$per-machine$per-user
                                                                                                • API String ID: 3472027048-398165853
                                                                                                • Opcode ID: 1caf8ccd1da4b924831f8d4692a0c7d6324044dc07cc44ffea77626c2e66b2fd
                                                                                                • Instruction ID: 2619bf8fbf7ed813990b91ae3884d14296157d6f8060d4f481d2df6daf27c9df
                                                                                                • Opcode Fuzzy Hash: 1caf8ccd1da4b924831f8d4692a0c7d6324044dc07cc44ffea77626c2e66b2fd
                                                                                                • Instruction Fuzzy Hash: D831E872A00215BBEF11A6548C46FBE76BC9F117A2F110425FE04F6181DE799D0676A1
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • DefWindowProcW.USER32(?,00000082,?,?), ref: 00F5E8EA
                                                                                                • SetWindowLongW.USER32(?,000000EB,00000000), ref: 00F5E8F9
                                                                                                • SetWindowLongW.USER32(?,000000EB,?), ref: 00F5E90D
                                                                                                • DefWindowProcW.USER32(?,?,?,?), ref: 00F5E91D
                                                                                                • GetWindowLongW.USER32(?,000000EB), ref: 00F5E937
                                                                                                • PostQuitMessage.USER32(00000000), ref: 00F5E996
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: Window$Long$Proc$MessagePostQuit
                                                                                                • String ID:
                                                                                                • API String ID: 3812958022-0
                                                                                                • Opcode ID: e532a29b901d4d443f758bfb1df01980ecc62fc46ab9de88253b21030a945b2a
                                                                                                • Instruction ID: 9a519b55e8fc0774a7560de41c2f1c0fdb185b8b61ac1e526a21f85f716328c9
                                                                                                • Opcode Fuzzy Hash: e532a29b901d4d443f758bfb1df01980ecc62fc46ab9de88253b21030a945b2a
                                                                                                • Instruction Fuzzy Hash: D421BD36504209BFDF159F68DC49EAA3F75EF05322F144218FE0A9A2A1C731DE14EBA0
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                Strings
                                                                                                • Unexpected elevated message sent to child process, msg: %u, xrefs: 00F5C974
                                                                                                • Failed to save state., xrefs: 00F5C841
                                                                                                • c:\agent\_work\138\s\src\burn\engine\elevation.cpp, xrefs: 00F5C968
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: CloseHandleMutexRelease
                                                                                                • String ID: Failed to save state.$Unexpected elevated message sent to child process, msg: %u$c:\agent\_work\138\s\src\burn\engine\elevation.cpp
                                                                                                • API String ID: 4207627910-1950014664
                                                                                                • Opcode ID: 958098ece151e4f975080fd74f165ce898c881da70fbea8ab793619b3f31fd11
                                                                                                • Instruction ID: 193d731acea17c12a2ff20505c9c862d20c79908e2f9a11fd5825eeb37796e53
                                                                                                • Opcode Fuzzy Hash: 958098ece151e4f975080fd74f165ce898c881da70fbea8ab793619b3f31fd11
                                                                                                • Instruction Fuzzy Hash: BC61D47A100605EFCB229F84CD41D65BFB2FF083157158459FBAA4A632C732E924FB80
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                  • Part of subcall function 00F43A1A: GetProcessHeap.KERNEL32(?,000001C7,?,00F423A7,?,00000001,80004005,8007139F,?,?,00F80687,8007139F,?,00000000,00000000,8007139F), ref: 00F43A2B
                                                                                                  • Part of subcall function 00F43A1A: RtlAllocateHeap.NTDLL(00000000,?,00F423A7,?,00000001,80004005,8007139F,?,?,00F80687,8007139F,?,00000000,00000000,8007139F), ref: 00F43A32
                                                                                                • SysFreeString.OLEAUT32(00000000), ref: 00F88058
                                                                                                • SysFreeString.OLEAUT32(00000000), ref: 00F88063
                                                                                                • SysFreeString.OLEAUT32(00000000), ref: 00F8806E
                                                                                                Strings
                                                                                                • c:\agent\_work\138\s\src\libs\dutil\atomutil.cpp, xrefs: 00F87F2E
                                                                                                • `<u, xrefs: 00F8804D
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: FreeString$Heap$AllocateProcess
                                                                                                • String ID: `<u$c:\agent\_work\138\s\src\libs\dutil\atomutil.cpp
                                                                                                • API String ID: 2724874077-1514053268
                                                                                                • Opcode ID: 4911c9fb6f1c9b2550ec6fd574d7ae34379beeafc1a5eca850a4031c78ed8ca5
                                                                                                • Instruction ID: 2c532767202ffb405be6988ec50f548799bab02e8ec85e1a159d275496cf0372
                                                                                                • Opcode Fuzzy Hash: 4911c9fb6f1c9b2550ec6fd574d7ae34379beeafc1a5eca850a4031c78ed8ca5
                                                                                                • Instruction Fuzzy Hash: 77517131E0122AEFCB11EBA5CC44FEEBBB8AF00754F514158E901AB150DB75EE05EBA0
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • RegQueryValueExW.ADVAPI32(00000000,000002C0,00000000,000002C0,00000000,00000000,000002C0,BundleUpgradeCode,00000410,000002C0,00000000,00000000,00000000,00000100,00000000), ref: 00F816EF
                                                                                                • RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,?,?,?,?,?,00F570CF,00000100,000000B0,00000088,00000410,000002C0), ref: 00F81726
                                                                                                • lstrlenW.KERNEL32(?,?,?,00000000,?,-00000001,00000004,00000000), ref: 00F81818
                                                                                                Strings
                                                                                                • c:\agent\_work\138\s\src\libs\dutil\regutil.cpp, xrefs: 00F81769
                                                                                                • BundleUpgradeCode, xrefs: 00F816CE
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: QueryValue$lstrlen
                                                                                                • String ID: BundleUpgradeCode$c:\agent\_work\138\s\src\libs\dutil\regutil.cpp
                                                                                                • API String ID: 3790715954-4149154654
                                                                                                • Opcode ID: 85b4e1e01d8689ee6bfd93f8f9c34dc5f97c9d55104d0c9fa526d4d9b9fb35f0
                                                                                                • Instruction ID: 43f9c6ac5cbe8ef9e183aa87744c5a38417d3ef69c3aad0823280cbe2af6bfdf
                                                                                                • Opcode Fuzzy Hash: 85b4e1e01d8689ee6bfd93f8f9c34dc5f97c9d55104d0c9fa526d4d9b9fb35f0
                                                                                                • Instruction Fuzzy Hash: CC419436E0021AABDB25AF95C885AEE77BDFF04720F15426DFC01AB210D7349D02EB90
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                  • Part of subcall function 00F84D47: SetFilePointerEx.KERNELBASE(?,?,?,?,?,00000000,?,?,?,00F58758,00000000,00000000,00000000,00000000,00000000), ref: 00F84D5F
                                                                                                  • Part of subcall function 00F84D47: GetLastError.KERNEL32(?,?,?,00F58758,00000000,00000000,00000000,00000000,00000000), ref: 00F84D69
                                                                                                • WriteFile.KERNEL32(?,?,00000000,?,00000000,?,00F86017,?,?,?,?,?,?,?,00010000,?), ref: 00F867C6
                                                                                                • WriteFile.KERNEL32(000000FF,00000008,00000008,?,00000000,000000FF,00000000,00000000,00000000,00000000,?,00F86017,?,?,?,?), ref: 00F86818
                                                                                                • GetLastError.KERNEL32(?,00F86017,?,?,?,?,?,?,?,00010000,?,00000001,?,GET,?,?), ref: 00F8685E
                                                                                                • GetLastError.KERNEL32(?,00F86017,?,?,?,?,?,?,?,00010000,?,00000001,?,GET,?,?), ref: 00F86884
                                                                                                Strings
                                                                                                • c:\agent\_work\138\s\src\libs\dutil\dlutil.cpp, xrefs: 00F868A8
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: ErrorFileLast$Write$Pointer
                                                                                                • String ID: c:\agent\_work\138\s\src\libs\dutil\dlutil.cpp
                                                                                                • API String ID: 133221148-3549464317
                                                                                                • Opcode ID: 59e266733b4a97511e6435bfd22db7af9d196da51d5870dfa3f3bd945d522b4a
                                                                                                • Instruction ID: 0640f24fe95eaffa13b3b5aff744062296beb9c25d95a255366f921d3dfa6e59
                                                                                                • Opcode Fuzzy Hash: 59e266733b4a97511e6435bfd22db7af9d196da51d5870dfa3f3bd945d522b4a
                                                                                                • Instruction Fuzzy Hash: 86418C7290021AAFEB21AF94CC49BEA7B68FF04764F150125FD08EA190D774DD60EBA0
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • WideCharToMultiByte.KERNEL32(?,00000000,00F80406,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00F80406,00F61188,?,00000000), ref: 00F4259F
                                                                                                • GetLastError.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00F80406,00F61188,?,00000000,0000FDE9,?,00F61188), ref: 00F425AB
                                                                                                  • Part of subcall function 00F43C9A: GetProcessHeap.KERNEL32(00000000,000001C7,?,00F42300,000001C7,80004005,8007139F,?,?,00F80687,8007139F,?,00000000,00000000,8007139F), ref: 00F43CA2
                                                                                                  • Part of subcall function 00F43C9A: HeapSize.KERNEL32(00000000,?,00F42300,000001C7,80004005,8007139F,?,?,00F80687,8007139F,?,00000000,00000000,8007139F), ref: 00F43CA9
                                                                                                Strings
                                                                                                • c:\agent\_work\138\s\src\libs\dutil\strutil.cpp, xrefs: 00F425CF
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: Heap$ByteCharErrorLastMultiProcessSizeWide
                                                                                                • String ID: c:\agent\_work\138\s\src\libs\dutil\strutil.cpp
                                                                                                • API String ID: 3662877508-1498286024
                                                                                                • Opcode ID: 8586e1be81bc0a398f5949a991326d324676280c6a297de5edfdec82489aa255
                                                                                                • Instruction ID: 8489814e4e3d57f9c7e0bc7c0a51f5f5777852dfc932ba6565ea90ecb7790756
                                                                                                • Opcode Fuzzy Hash: 8586e1be81bc0a398f5949a991326d324676280c6a297de5edfdec82489aa255
                                                                                                • Instruction Fuzzy Hash: 4331097220030AAFEB509E658CD0AB63E9DEF54378B954239FD119B2A0EB71CC00B760
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • MoveFileExW.KERNEL32(00000003,00000001,00000000,00000000,00000101,?,00F8477B,00000003,00000001,00000001,000007D0,00000003,00000000,?,00F5A040,00000001), ref: 00F8464B
                                                                                                • GetLastError.KERNEL32(00000002,?,00F8477B,00000003,00000001,00000001,000007D0,00000003,00000000,?,00F5A040,00000001,000007D0,00000001,00000001,00000003), ref: 00F8465A
                                                                                                • MoveFileExW.KERNEL32(00000003,00000001,00000000,00000001,00000000,?,00F8477B,00000003,00000001,00000001,000007D0,00000003,00000000,?,00F5A040,00000001), ref: 00F846F3
                                                                                                • GetLastError.KERNEL32(?,00F8477B,00000003,00000001,00000001,000007D0,00000003,00000000,?,00F5A040,00000001,000007D0,00000001,00000001,00000003,000007D0), ref: 00F846FD
                                                                                                  • Part of subcall function 00F8488B: FindFirstFileW.KERNEL32(00F6907E,?,00000100,00000000,00000000), ref: 00F848C6
                                                                                                  • Part of subcall function 00F8488B: FindClose.KERNEL32(00000000), ref: 00F848D2
                                                                                                Strings
                                                                                                • c:\agent\_work\138\s\src\libs\dutil\fileutil.cpp, xrefs: 00F8471C
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: File$ErrorFindLastMove$CloseFirst
                                                                                                • String ID: c:\agent\_work\138\s\src\libs\dutil\fileutil.cpp
                                                                                                • API String ID: 3479031965-3168567549
                                                                                                • Opcode ID: b80856a7719c1d98eaa90349187c29bcc2f7c390957579a88d1fb4514dc7d1a9
                                                                                                • Instruction ID: c050be43290a36c8a66c0d95604399c02ad098385e1427ca1b562e518b3c90ba
                                                                                                • Opcode Fuzzy Hash: b80856a7719c1d98eaa90349187c29bcc2f7c390957579a88d1fb4514dc7d1a9
                                                                                                • Instruction Fuzzy Hash: EA31E237A002279BDB213E549C44BFFB695AF527B1F164126FC04AB250E770AC41B7D0
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,?,000000FF,?,00000000,?,?,?,00000000,00000000,?,?,00000000), ref: 00F6ABC3
                                                                                                Strings
                                                                                                • Failed to open container: %ls., xrefs: 00F6AB95
                                                                                                • Failed to extract all payloads from container: %ls, xrefs: 00F6AC07
                                                                                                • Failed to skip the extraction of payload: %ls from container: %ls, xrefs: 00F6AC58
                                                                                                • Failed to extract payload: %ls from container: %ls, xrefs: 00F6AC4C
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: CompareString
                                                                                                • String ID: Failed to extract all payloads from container: %ls$Failed to extract payload: %ls from container: %ls$Failed to open container: %ls.$Failed to skip the extraction of payload: %ls from container: %ls
                                                                                                • API String ID: 1825529933-3891707333
                                                                                                • Opcode ID: 45b7361c872c65f9cf63787b04ce41d1fa7c2220aaca27268a472b9018ecff3a
                                                                                                • Instruction ID: 9dc79bb4b93c403bd7426e2bc44dee4303388cbd59957ff2792a827314762f12
                                                                                                • Opcode Fuzzy Hash: 45b7361c872c65f9cf63787b04ce41d1fa7c2220aaca27268a472b9018ecff3a
                                                                                                • Instruction Fuzzy Hash: 6431A232D00119ABCF11AAE4CC46E9E7B69AF04320F104511FE11B7191E779EA65FB92
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                  • Part of subcall function 00F43A1A: GetProcessHeap.KERNEL32(?,000001C7,?,00F423A7,?,00000001,80004005,8007139F,?,?,00F80687,8007139F,?,00000000,00000000,8007139F), ref: 00F43A2B
                                                                                                  • Part of subcall function 00F43A1A: RtlAllocateHeap.NTDLL(00000000,?,00F423A7,?,00000001,80004005,8007139F,?,?,00F80687,8007139F,?,00000000,00000000,8007139F), ref: 00F43A32
                                                                                                • SysFreeString.OLEAUT32(00000000), ref: 00F87EDB
                                                                                                • SysFreeString.OLEAUT32(?), ref: 00F87EE6
                                                                                                • SysFreeString.OLEAUT32(00000000), ref: 00F87EF1
                                                                                                Strings
                                                                                                • c:\agent\_work\138\s\src\libs\dutil\atomutil.cpp, xrefs: 00F87E25
                                                                                                • `<u, xrefs: 00F87ED0
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: FreeString$Heap$AllocateProcess
                                                                                                • String ID: `<u$c:\agent\_work\138\s\src\libs\dutil\atomutil.cpp
                                                                                                • API String ID: 2724874077-1514053268
                                                                                                • Opcode ID: d62fe7c183fd1f99cdf6026743d7b9492601243d3622bea62b8b38613d977bbc
                                                                                                • Instruction ID: d24ec3d83ecadf7df75726e1956ebc1fedea516f59ebbd3f03ab9deed555a49f
                                                                                                • Opcode Fuzzy Hash: d62fe7c183fd1f99cdf6026743d7b9492601243d3622bea62b8b38613d977bbc
                                                                                                • Instruction Fuzzy Hash: 14317236D05229ABDB21BAA5CC45FDEBB78AF40B20F2141A5F900BB150D774DE04ABA0
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • CompareStringW.KERNEL32(0000007F,00000000,00000001,000000FF,?,000000FF,00000001,PackageVersion,00000001,?,00F506D8,00000001,00000001,00000001,00F506D8,00000000), ref: 00F4F11C
                                                                                                • RegCloseKey.ADVAPI32(00000000,00000001,PackageVersion,00000001,?,00F506D8,00000001,00000001,00000001,00F506D8,00000000,00000001,00000000,?,00F506D8,00000001), ref: 00F4F139
                                                                                                Strings
                                                                                                • Failed to remove update registration key: %ls, xrefs: 00F4F164
                                                                                                • PackageVersion, xrefs: 00F4F0FD
                                                                                                • Failed to format key for update registration., xrefs: 00F4F0D2
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: CloseCompareString
                                                                                                • String ID: Failed to format key for update registration.$Failed to remove update registration key: %ls$PackageVersion
                                                                                                • API String ID: 446873843-3222553582
                                                                                                • Opcode ID: dae14d23a2725d07e7dc3d2f8eccc15a45c18eb13a189636ee9f5f8137735487
                                                                                                • Instruction ID: 5cfc192a2bafaf6a15cce938b19c0bcee1c0150aeb993ecd2a0bc07bf78357e2
                                                                                                • Opcode Fuzzy Hash: dae14d23a2725d07e7dc3d2f8eccc15a45c18eb13a189636ee9f5f8137735487
                                                                                                • Instruction Fuzzy Hash: 8521A232D01129FBCB11ABA4CC05BEFBEB8EF85724F104275BC19A2191E7359A45EB90
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                  • Part of subcall function 00F8488B: FindFirstFileW.KERNEL32(00F6907E,?,00000100,00000000,00000000), ref: 00F848C6
                                                                                                  • Part of subcall function 00F8488B: FindClose.KERNEL32(00000000), ref: 00F848D2
                                                                                                • RegCloseKey.ADVAPI32(?,00000000,?,00000000,?,00000000,?,00000000,?,wininet.dll,?,crypt32.dll,?,?,?,00000000), ref: 00F8487D
                                                                                                  • Part of subcall function 00F81436: RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,00000000,00000001,00FABB7C,00000000,?,00F85BF9,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 00F8144A
                                                                                                  • Part of subcall function 00F816C7: RegQueryValueExW.ADVAPI32(00000000,000002C0,00000000,000002C0,00000000,00000000,000002C0,BundleUpgradeCode,00000410,000002C0,00000000,00000000,00000000,00000100,00000000), ref: 00F816EF
                                                                                                  • Part of subcall function 00F816C7: RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,?,?,?,?,?,00F570CF,00000100,000000B0,00000088,00000410,000002C0), ref: 00F81726
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: CloseFindQueryValue$FileFirstOpen
                                                                                                • String ID: PendingFileRenameOperations$SYSTEM\CurrentControlSet\Control\Session Manager$\$crypt32.dll
                                                                                                • API String ID: 3397690329-3978359083
                                                                                                • Opcode ID: 419e0a2b1499ebc2c9c51c3f772e3677a918b5c6f2510cb40416df51d1eec097
                                                                                                • Instruction ID: 883af58da37e7e3256e114019d337aae6931cdda86e2ec7344748df145a66af9
                                                                                                • Opcode Fuzzy Hash: 419e0a2b1499ebc2c9c51c3f772e3677a918b5c6f2510cb40416df51d1eec097
                                                                                                • Instruction Fuzzy Hash: 3E31C031E0025AEBDF21BF91CC459FEBBB9EF40B20F58807AE510A6051E334EA40EB50
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • CopyFileW.KERNEL32(00000000,00F44E38,00000000,?,?,00000000,?,00F84577,00000000,00F44E38,00000000,00000000,?,00F585D8,?,?), ref: 00F84476
                                                                                                • GetLastError.KERNEL32(?,00F84577,00000000,00F44E38,00000000,00000000,?,00F585D8,?,?,00000001,00000003,000007D0,?,?,?), ref: 00F84484
                                                                                                • CopyFileW.KERNEL32(00000000,00F44E38,00000000,00F44E38,00000000,?,00F84577,00000000,00F44E38,00000000,00000000,?,00F585D8,?,?,00000001), ref: 00F844F6
                                                                                                • GetLastError.KERNEL32(?,00F84577,00000000,00F44E38,00000000,00000000,?,00F585D8,?,?,00000001,00000003,000007D0,?,?,?), ref: 00F84500
                                                                                                Strings
                                                                                                • c:\agent\_work\138\s\src\libs\dutil\fileutil.cpp, xrefs: 00F8451F
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: CopyErrorFileLast
                                                                                                • String ID: c:\agent\_work\138\s\src\libs\dutil\fileutil.cpp
                                                                                                • API String ID: 374144340-3168567549
                                                                                                • Opcode ID: cb317fb2dceb1253e598c283e251518cf10fe6b947b3940a3396ca4f5d591a14
                                                                                                • Instruction ID: 5db60f66b4256af82576439c44a07b68dbe20836e0c529db64b928c8f5ff62bf
                                                                                                • Opcode Fuzzy Hash: cb317fb2dceb1253e598c283e251518cf10fe6b947b3940a3396ca4f5d591a14
                                                                                                • Instruction Fuzzy Hash: F721A176B003339BAF216AA59C41BFF7698EF55BB0B194026ED04DF264D660ED01B3E1
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • _MREFOpen@16.MSPDB140-MSVCRT ref: 00F4EFF7
                                                                                                  • Part of subcall function 00F8459D: SetFileAttributesW.KERNEL32(00F6907E,00000080,00000000,00F6907E,000000FF,00000000,?,?,00F6907E), ref: 00F845CC
                                                                                                  • Part of subcall function 00F8459D: GetLastError.KERNEL32(?,?,00F6907E), ref: 00F845D6
                                                                                                  • Part of subcall function 00F43D32: RemoveDirectoryW.KERNEL32(00000001,00000000,00000000,00000000,?,?,00F4F042,00000001,00000000,00000095,00000001,00F506E7,00000095,00000000,swidtag,00000001), ref: 00F43D4F
                                                                                                Strings
                                                                                                • Failed to allocate regid file path., xrefs: 00F4F056
                                                                                                • Failed to allocate regid folder path., xrefs: 00F4F05D
                                                                                                • Failed to format tag folder path., xrefs: 00F4F064
                                                                                                • swidtag, xrefs: 00F4F006
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: AttributesDirectoryErrorFileLastOpen@16Remove
                                                                                                • String ID: Failed to allocate regid file path.$Failed to allocate regid folder path.$Failed to format tag folder path.$swidtag
                                                                                                • API String ID: 1428973842-4170906717
                                                                                                • Opcode ID: 06b715ba9253cdc23f1925d1c580267078202abc20c0361ed13e7b926dd10a42
                                                                                                • Instruction ID: 1c8304d8ccd797de9a9a92813e7aa67787dc21f23ccad805376bf57d148c9783
                                                                                                • Opcode Fuzzy Hash: 06b715ba9253cdc23f1925d1c580267078202abc20c0361ed13e7b926dd10a42
                                                                                                • Instruction Fuzzy Hash: DF216F31D00218BBDF15EFA8CC41A9DBFB5AF84710F10C0B6F918A6162D7359A44BB90
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                  • Part of subcall function 00F81436: RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,00000000,00000001,00FABB7C,00000000,?,00F85BF9,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 00F8144A
                                                                                                • CompareStringW.KERNEL32(00000000,00000001,00000000,000000FF,?,000000FF,00000000,00000000,00000000,-80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,00020019,00000000,00000100,00000100,000001B4), ref: 00F68C87
                                                                                                • RegCloseKey.ADVAPI32(00000000,-80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,00020019,00000000,00000100,00000100,000001B4,?,?,?,00F4F86F,00000001,00000100,000001B4,00000000), ref: 00F68CD5
                                                                                                Strings
                                                                                                • SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 00F68C24
                                                                                                • Failed to open uninstall registry key., xrefs: 00F68C4A
                                                                                                • Failed to enumerate uninstall key for related bundles., xrefs: 00F68CE4
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: CloseCompareOpenString
                                                                                                • String ID: Failed to enumerate uninstall key for related bundles.$Failed to open uninstall registry key.$SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
                                                                                                • API String ID: 2817536665-2531018330
                                                                                                • Opcode ID: f7642f713182b4c9c5c9bc9c4df7ae5ef2d42aba25e5d1e43dbf7e7c08b24053
                                                                                                • Instruction ID: 1b72b92a02ee05b48eba3425cefae9c75d0512c9f13e02742a900f4d05254ed4
                                                                                                • Opcode Fuzzy Hash: f7642f713182b4c9c5c9bc9c4df7ae5ef2d42aba25e5d1e43dbf7e7c08b24053
                                                                                                • Instruction Fuzzy Hash: 45218332901128FFDF11AB94CD45BEEBA79EB00764F244269F411B60A0DB754E92B7A0
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                  • Part of subcall function 00F43A1A: GetProcessHeap.KERNEL32(?,000001C7,?,00F423A7,?,00000001,80004005,8007139F,?,?,00F80687,8007139F,?,00000000,00000000,8007139F), ref: 00F43A2B
                                                                                                  • Part of subcall function 00F43A1A: RtlAllocateHeap.NTDLL(00000000,?,00F423A7,?,00000001,80004005,8007139F,?,?,00F80687,8007139F,?,00000000,00000000,8007139F), ref: 00F43A32
                                                                                                • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00F6D0DB
                                                                                                • ReleaseMutex.KERNEL32(?), ref: 00F6D109
                                                                                                • SetEvent.KERNEL32(?), ref: 00F6D112
                                                                                                Strings
                                                                                                • Failed to allocate buffer., xrefs: 00F6D08A
                                                                                                • c:\agent\_work\138\s\src\burn\engine\netfxchainer.cpp, xrefs: 00F6D080
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: Heap$AllocateEventMutexObjectProcessReleaseSingleWait
                                                                                                • String ID: Failed to allocate buffer.$c:\agent\_work\138\s\src\burn\engine\netfxchainer.cpp
                                                                                                • API String ID: 944053411-3611595887
                                                                                                • Opcode ID: 3ce7e02cca2388b4989fb3a55d6488306b736f5ce0c1112d296d3d2262b1afad
                                                                                                • Instruction ID: fd61d0b79bcd16867784e5214416202f45f8e1b007dea554a23a60c6afcc491a
                                                                                                • Opcode Fuzzy Hash: 3ce7e02cca2388b4989fb3a55d6488306b736f5ce0c1112d296d3d2262b1afad
                                                                                                • Instruction Fuzzy Hash: 9321E5B5A0030ABFDB109F28DC45A99BBF5FF08324F108628F964A7251C775E9509B50
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • QueryServiceConfigW.ADVAPI32(00000000,00000000,00000000,?,00000001,00000000,?,?,00F6698D,00000000,?), ref: 00F85D2F
                                                                                                • GetLastError.KERNEL32(?,?,00F6698D,00000000,?,?,?,?,?,?,?,?,?,00F66D9D,?,?), ref: 00F85D3D
                                                                                                  • Part of subcall function 00F43A1A: GetProcessHeap.KERNEL32(?,000001C7,?,00F423A7,?,00000001,80004005,8007139F,?,?,00F80687,8007139F,?,00000000,00000000,8007139F), ref: 00F43A2B
                                                                                                  • Part of subcall function 00F43A1A: RtlAllocateHeap.NTDLL(00000000,?,00F423A7,?,00000001,80004005,8007139F,?,?,00F80687,8007139F,?,00000000,00000000,8007139F), ref: 00F43A32
                                                                                                • QueryServiceConfigW.ADVAPI32(00000000,00000000,?,?,?,00000001,?,?,00F6698D,00000000,?), ref: 00F85D77
                                                                                                • GetLastError.KERNEL32(?,?,00F6698D,00000000,?,?,?,?,?,?,?,?,?,00F66D9D,?,?), ref: 00F85D81
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: ConfigErrorHeapLastQueryService$AllocateProcess
                                                                                                • String ID: c:\agent\_work\138\s\src\libs\dutil\svcutil.cpp
                                                                                                • API String ID: 355237494-3858792903
                                                                                                • Opcode ID: 45a3eb973e94e1dc69fa3b75ca4fdbd06b72d23d9ac58e8bf27d4e9bcee4bd62
                                                                                                • Instruction ID: 197db1f52722fcbab8574209368fc25d13b5a30851d551b70194a7f19ddf94fc
                                                                                                • Opcode Fuzzy Hash: 45a3eb973e94e1dc69fa3b75ca4fdbd06b72d23d9ac58e8bf27d4e9bcee4bd62
                                                                                                • Instruction Fuzzy Hash: 21218E77944A39BBD7217A958C0DBEBBDA9EF41FB0F114011BD01AB250E664CE01B7E1
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • SysAllocString.OLEAUT32(?), ref: 00F836D7
                                                                                                • VariantInit.OLEAUT32(?), ref: 00F836E3
                                                                                                • VariantClear.OLEAUT32(?), ref: 00F83757
                                                                                                • SysFreeString.OLEAUT32(00000000), ref: 00F83762
                                                                                                  • Part of subcall function 00F8390F: SysAllocString.OLEAUT32(?), ref: 00F83924
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: String$AllocVariant$ClearFreeInit
                                                                                                • String ID: `<u
                                                                                                • API String ID: 347726874-3367579956
                                                                                                • Opcode ID: 2b1ec010df0f69f72d91a2be50488296c8593c8f33dc1ad0bc85a6f133f84f01
                                                                                                • Instruction ID: 2cffc9e0aaeb4b725df8c04d3608c340aa42b77e538120e918a88601e950e5c8
                                                                                                • Opcode Fuzzy Hash: 2b1ec010df0f69f72d91a2be50488296c8593c8f33dc1ad0bc85a6f133f84f01
                                                                                                • Instruction Fuzzy Hash: A9214CB5901219EFCB14EFA4C848EFEBBB8AF45B26F510158E9019B220D730EE05DB90
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                Strings
                                                                                                • c:\agent\_work\138\s\src\burn\engine\condition.cpp, xrefs: 00F49920, 00F49961
                                                                                                • Failed to read next symbol., xrefs: 00F4999A
                                                                                                • Failed to parse condition '%ls' at position: %u, xrefs: 00F49930
                                                                                                • Failed to find variable., xrefs: 00F4996B
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: _memcpy_s
                                                                                                • String ID: Failed to find variable.$Failed to parse condition '%ls' at position: %u$Failed to read next symbol.$c:\agent\_work\138\s\src\burn\engine\condition.cpp
                                                                                                • API String ID: 2001391462-796209
                                                                                                • Opcode ID: 01399fe530c18c32db2ba66d28277e4b66b873bd472de09aa9ed74bdd91eb7b2
                                                                                                • Instruction ID: 5cc31d53420f8488ce861e94d55ebfac5b496bc70954fc0df1227da15ba41d9c
                                                                                                • Opcode Fuzzy Hash: 01399fe530c18c32db2ba66d28277e4b66b873bd472de09aa9ed74bdd91eb7b2
                                                                                                • Instruction Fuzzy Hash: 0A11C433798211B6DB153E689C4AE9B7F14EF51760F000159FD006E1D6DAE6C910B7E2
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00F8B4F0,00000000,00000000,00000000,00000001,00000000,00000000,00000000,?,00F55412), ref: 00F54B38
                                                                                                Strings
                                                                                                • c:\agent\_work\138\s\src\burn\engine\pipe.cpp, xrefs: 00F54B70
                                                                                                • Failed to write message type to pipe., xrefs: 00F54B7A
                                                                                                • Failed to allocate message to write., xrefs: 00F54B17
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: FileWrite
                                                                                                • String ID: Failed to allocate message to write.$Failed to write message type to pipe.$c:\agent\_work\138\s\src\burn\engine\pipe.cpp
                                                                                                • API String ID: 3934441357-1028276228
                                                                                                • Opcode ID: 6788bdeaf29dfd8cb25df597969c5e05a4cc88e9e6fc323680ff7e373101372c
                                                                                                • Instruction ID: 292ebdd5a1937817acca610c41fd2ce123f1cc7d809212288653f04433bfb742
                                                                                                • Opcode Fuzzy Hash: 6788bdeaf29dfd8cb25df597969c5e05a4cc88e9e6fc323680ff7e373101372c
                                                                                                • Instruction Fuzzy Hash: 6A119A72940229BADB11DF85DC09F9E7AA9EB80766F110155FE00B6190E730EE84FAA4
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • _MREFOpen@16.MSPDB140-MSVCRT ref: 00F49EED
                                                                                                Strings
                                                                                                • Failed to set variable., xrefs: 00F49F4C
                                                                                                • File search: %ls, did not find path: %ls, xrefs: 00F49F58
                                                                                                • Failed get file version., xrefs: 00F49F2D
                                                                                                • Failed to format path string., xrefs: 00F49EF8
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: Open@16
                                                                                                • String ID: Failed get file version.$Failed to format path string.$Failed to set variable.$File search: %ls, did not find path: %ls
                                                                                                • API String ID: 3613110473-2458530209
                                                                                                • Opcode ID: ec8f4dd09639c5089309f0ae4a1bb69b0de5f1e680f5d0a42596a4db90e0381d
                                                                                                • Instruction ID: f93c79f3551206c6417879b11ecac6dfb0488d570ef615e7ed7aac36ab0c1b3b
                                                                                                • Opcode Fuzzy Hash: ec8f4dd09639c5089309f0ae4a1bb69b0de5f1e680f5d0a42596a4db90e0381d
                                                                                                • Instruction Fuzzy Hash: 5D119D32E04129BADF12BE94CC82DEEBF68EF10360B114166FC00A6251D7B59E54BB91
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                  • Part of subcall function 00F43A1A: GetProcessHeap.KERNEL32(?,000001C7,?,00F423A7,?,00000001,80004005,8007139F,?,?,00F80687,8007139F,?,00000000,00000000,8007139F), ref: 00F43A2B
                                                                                                  • Part of subcall function 00F43A1A: RtlAllocateHeap.NTDLL(00000000,?,00F423A7,?,00000001,80004005,8007139F,?,?,00F80687,8007139F,?,00000000,00000000,8007139F), ref: 00F43A32
                                                                                                • CreateWellKnownSid.ADVAPI32(00000000,00000000,00000000,00000000,00000044,00000001,00000000,00000000,?,?,00F58DF5,0000001A,?,?,00000000,00000000), ref: 00F58246
                                                                                                • GetLastError.KERNEL32(?,?,00F58DF5,0000001A,?,?,00000000,00000000,?,?,?), ref: 00F58250
                                                                                                Strings
                                                                                                • Failed to allocate memory for well known SID., xrefs: 00F5822E
                                                                                                • Failed to create well known SID., xrefs: 00F5827E
                                                                                                • c:\agent\_work\138\s\src\burn\engine\cache.cpp, xrefs: 00F58224, 00F58274
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: Heap$AllocateCreateErrorKnownLastProcessWell
                                                                                                • String ID: Failed to allocate memory for well known SID.$Failed to create well known SID.$c:\agent\_work\138\s\src\burn\engine\cache.cpp
                                                                                                • API String ID: 2186923214-2819944635
                                                                                                • Opcode ID: 79395b5f890f2488ae39e6bd6fc1fa1f97c8ebcc2629280e21dec2907fd0a60d
                                                                                                • Instruction ID: 081a3e2e7b47aa2d7e582505c59a5f93bc499101ebcba89ec613241ef4868a07
                                                                                                • Opcode Fuzzy Hash: 79395b5f890f2488ae39e6bd6fc1fa1f97c8ebcc2629280e21dec2907fd0a60d
                                                                                                • Instruction Fuzzy Hash: 4C014837A417257BDB2066955C0AEAB7E58DF81BB1F210016BE04BB180FE68CD01B2E4
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000003E8,000004FF), ref: 00F6DB93
                                                                                                • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00F6DBBD
                                                                                                • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00F6DD8B,00000000,?,?,?,00000000,00000000), ref: 00F6DBC5
                                                                                                Strings
                                                                                                • Failed while waiting for download., xrefs: 00F6DBF3
                                                                                                • c:\agent\_work\138\s\src\burn\engine\bitsengine.cpp, xrefs: 00F6DBE9
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: ErrorLastMessageMultipleObjectsPeekWait
                                                                                                • String ID: Failed while waiting for download.$c:\agent\_work\138\s\src\burn\engine\bitsengine.cpp
                                                                                                • API String ID: 435350009-500302221
                                                                                                • Opcode ID: 5e34a2137cb38f21d8a4e1e288ccc08b5435c9f029fc99baadd446e585487786
                                                                                                • Instruction ID: c742d9339f217ca85e1edd245d5c7a6a850eb74037d79956a245b6ba4d404061
                                                                                                • Opcode Fuzzy Hash: 5e34a2137cb38f21d8a4e1e288ccc08b5435c9f029fc99baadd446e585487786
                                                                                                • Instruction Fuzzy Hash: 8F01E577F453397BD7205AA89C09EEF7AACEB45770F010125FA04F6185DBA49D00A2E4
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • GetComputerNameW.KERNEL32(?,00000010), ref: 00F45FC3
                                                                                                • GetLastError.KERNEL32 ref: 00F45FCD
                                                                                                Strings
                                                                                                • Failed to get computer name., xrefs: 00F45FFB
                                                                                                • c:\agent\_work\138\s\src\burn\engine\variable.cpp, xrefs: 00F45FF1
                                                                                                • Failed to set variant value., xrefs: 00F46014
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: ComputerErrorLastName
                                                                                                • String ID: Failed to get computer name.$Failed to set variant value.$c:\agent\_work\138\s\src\burn\engine\variable.cpp
                                                                                                • API String ID: 3560734967-458607650
                                                                                                • Opcode ID: b35ff3bfcc5d33cb31bae184e9c586d1438a152d4485ed208ff467c33810d836
                                                                                                • Instruction ID: f7017fa5977342a4e07eff57ac2803658891510b0eae8d7f61defb6b7caf249f
                                                                                                • Opcode Fuzzy Hash: b35ff3bfcc5d33cb31bae184e9c586d1438a152d4485ed208ff467c33810d836
                                                                                                • Instruction Fuzzy Hash: 2801C833E4062867D711EA949C06AEEBBE8AF09720F510016FD00FB180DB74EE04A7E5
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • GetTempPathW.KERNEL32(00000104,?), ref: 00F4688A
                                                                                                • GetLastError.KERNEL32 ref: 00F46894
                                                                                                Strings
                                                                                                • Failed to get temp path., xrefs: 00F468C2
                                                                                                • c:\agent\_work\138\s\src\burn\engine\variable.cpp, xrefs: 00F468B8
                                                                                                • Failed to set variant value., xrefs: 00F468DE
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: ErrorLastPathTemp
                                                                                                • String ID: Failed to get temp path.$Failed to set variant value.$c:\agent\_work\138\s\src\burn\engine\variable.cpp
                                                                                                • API String ID: 1238063741-1270281381
                                                                                                • Opcode ID: 0493ffba44c78b26373d43c61b817a44ee2dbc3c653db0222375a451e4163b50
                                                                                                • Instruction ID: 1db758bcb5b08190c36040f9846872ce5a8eff831be35937d45f6a08d11bd5ff
                                                                                                • Opcode Fuzzy Hash: 0493ffba44c78b26373d43c61b817a44ee2dbc3c653db0222375a451e4163b50
                                                                                                • Instruction Fuzzy Hash: DB01D672E4133967D710A754AC0AFAA77A85F01B10F114165FD14FB2C1EA74ED0467E6
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • GetCurrentProcess.KERNEL32(?), ref: 00F45F0F
                                                                                                  • Part of subcall function 00F80F42: GetModuleHandleW.KERNEL32(kernel32,IsWow64Process2,?,?,?,?,00F45F1B,00000000), ref: 00F80F57
                                                                                                  • Part of subcall function 00F80F42: GetProcAddress.KERNEL32(00000000), ref: 00F80F5E
                                                                                                  • Part of subcall function 00F80F42: GetLastError.KERNEL32(?,?,?,?,00F45F1B,00000000), ref: 00F80F79
                                                                                                  • Part of subcall function 00F84191: SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,?), ref: 00F841BE
                                                                                                Strings
                                                                                                • Failed to get 64-bit folder., xrefs: 00F45F59
                                                                                                • Failed to get shell folder., xrefs: 00F45F43
                                                                                                • c:\agent\_work\138\s\src\burn\engine\variable.cpp, xrefs: 00F45F39
                                                                                                • Failed to set variant value., xrefs: 00F45F73
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: AddressCurrentErrorFolderHandleLastModulePathProcProcess
                                                                                                • String ID: Failed to get 64-bit folder.$Failed to get shell folder.$Failed to set variant value.$c:\agent\_work\138\s\src\burn\engine\variable.cpp
                                                                                                • API String ID: 2084161155-466890970
                                                                                                • Opcode ID: be00623c646593fe108321a9418a68a3dea26c06d596285ea9f4fbd824cfb51d
                                                                                                • Instruction ID: 93e34959656fd59ed16981a0f2218b823775c7e368f73e930ddf38dbe752bf54
                                                                                                • Opcode Fuzzy Hash: be00623c646593fe108321a9418a68a3dea26c06d596285ea9f4fbd824cfb51d
                                                                                                • Instruction Fuzzy Hash: A6016532944619B7DF127650CC0ABDD7E699F10B61F504150FD00B5192DB78EA44B7D6
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                  • Part of subcall function 00F8488B: FindFirstFileW.KERNEL32(00F6907E,?,00000100,00000000,00000000), ref: 00F848C6
                                                                                                  • Part of subcall function 00F8488B: FindClose.KERNEL32(00000000), ref: 00F848D2
                                                                                                • SetFileAttributesW.KERNEL32(00F6907E,00000080,00000000,00F6907E,000000FF,00000000,?,?,00F6907E), ref: 00F845CC
                                                                                                • GetLastError.KERNEL32(?,?,00F6907E), ref: 00F845D6
                                                                                                • DeleteFileW.KERNEL32(00F6907E,00000000,00F6907E,000000FF,00000000,?,?,00F6907E), ref: 00F845F6
                                                                                                • GetLastError.KERNEL32(?,?,00F6907E), ref: 00F84600
                                                                                                Strings
                                                                                                • c:\agent\_work\138\s\src\libs\dutil\fileutil.cpp, xrefs: 00F8461B
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: File$ErrorFindLast$AttributesCloseDeleteFirst
                                                                                                • String ID: c:\agent\_work\138\s\src\libs\dutil\fileutil.cpp
                                                                                                • API String ID: 3967264933-3168567549
                                                                                                • Opcode ID: 7af40baf100c86e48f5b94457bd8d0a8f7223e642b89fc0e3094436a32b6744a
                                                                                                • Instruction ID: 0ac77351fec3d6e4dc969b4585fb038cec6a9fa3a432db1daba3b4dc4eec7b00
                                                                                                • Opcode Fuzzy Hash: 7af40baf100c86e48f5b94457bd8d0a8f7223e642b89fc0e3094436a32b6744a
                                                                                                • Instruction Fuzzy Hash: 7F018032E0173BA7DB3167658D09AEFBD98AF117A1F054211BC45EA1D0EB20EE00B7D1
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • WaitForSingleObject.KERNEL32(000000FF,?,00000000,?,00F44F98,?,000000FF,?,?,?,?,?,00000000,?,?,?), ref: 00F80EB0
                                                                                                • GetLastError.KERNEL32(?,00F44F98,?,000000FF,?,?,?,?,?,00000000,?,?,?,?,?,?), ref: 00F80EBE
                                                                                                • GetExitCodeProcess.KERNEL32(000000FF,?), ref: 00F80F03
                                                                                                • GetLastError.KERNEL32(?,00F44F98,?,000000FF,?,?,?,?,?,00000000,?,?,?,?,?,?), ref: 00F80F0D
                                                                                                Strings
                                                                                                • c:\agent\_work\138\s\src\libs\dutil\procutil.cpp, xrefs: 00F80EE2
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: ErrorLast$CodeExitObjectProcessSingleWait
                                                                                                • String ID: c:\agent\_work\138\s\src\libs\dutil\procutil.cpp
                                                                                                • API String ID: 590199018-1241729511
                                                                                                • Opcode ID: e2cbf63dc625167b32cd89cd29dd2adc4349a3cbf84b8ce58eb2a960b3a51543
                                                                                                • Instruction ID: 422354d938a69998ede4b2754546b59bd6cf76ebbf7f07443b2ad1d53619265b
                                                                                                • Opcode Fuzzy Hash: e2cbf63dc625167b32cd89cd29dd2adc4349a3cbf84b8ce58eb2a960b3a51543
                                                                                                • Instruction Fuzzy Hash: 0F01A13794023AABC7316E549C086EBBB54EB04770F528125FE59AF290DB348C04BBD4
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • EnterCriticalSection.KERNEL32(?), ref: 00F6D7EA
                                                                                                • LeaveCriticalSection.KERNEL32(?), ref: 00F6D82F
                                                                                                • SetEvent.KERNEL32(?,?,?,?), ref: 00F6D843
                                                                                                Strings
                                                                                                • Failed to get state during job modification., xrefs: 00F6D803
                                                                                                • Failure while sending progress during BITS job modification., xrefs: 00F6D81E
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: CriticalSection$EnterEventLeave
                                                                                                • String ID: Failed to get state during job modification.$Failure while sending progress during BITS job modification.
                                                                                                • API String ID: 3094578987-1258544340
                                                                                                • Opcode ID: 107322ccfe694e12cedff71200e9bf7a828ef7c32b208f5504c389468be99fa5
                                                                                                • Instruction ID: 505d77fd85bbad02cb36501bc60cac0a1bf04ade9e9e912666a51fde01723dc5
                                                                                                • Opcode Fuzzy Hash: 107322ccfe694e12cedff71200e9bf7a828ef7c32b208f5504c389468be99fa5
                                                                                                • Instruction Fuzzy Hash: 8701B172F01629BFCB12AB65D95DEAEB7ACFF09320B100159E405A7250DB74F904ABD0
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • InitializeCriticalSection.KERNEL32(00000008,00000000,00000000,?,00F6DD15,?,?,?,?,?,00000000,00000000,?), ref: 00F6D5D7
                                                                                                • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,00F6DD15,?,?,?,?,?,00000000,00000000,?), ref: 00F6D5E2
                                                                                                • GetLastError.KERNEL32(?,00F6DD15,?,?,?,?,?,00000000,00000000,?), ref: 00F6D5EF
                                                                                                Strings
                                                                                                • Failed to create BITS job complete event., xrefs: 00F6D61D
                                                                                                • c:\agent\_work\138\s\src\burn\engine\bitsengine.cpp, xrefs: 00F6D613
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: CreateCriticalErrorEventInitializeLastSection
                                                                                                • String ID: Failed to create BITS job complete event.$c:\agent\_work\138\s\src\burn\engine\bitsengine.cpp
                                                                                                • API String ID: 3069647169-77904838
                                                                                                • Opcode ID: 5448e0f483521efce6c806ad48324b719a5d2fa62c8d9f83117519f7cd07fd66
                                                                                                • Instruction ID: a5a601c363ea141174c74ae4bb7d9fc88d8f96475895f5fbee95ec296cb1f6b4
                                                                                                • Opcode Fuzzy Hash: 5448e0f483521efce6c806ad48324b719a5d2fa62c8d9f83117519f7cd07fd66
                                                                                                • Instruction Fuzzy Hash: B10171B6A41636ABC3109B59DC09A87BF98FF45770B014116FD08D7641EB71D814ABE4
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • EnterCriticalSection.KERNEL32(00000008,?,00000000,00000000,00000000,?,00F6DBB3), ref: 00F6DA5B
                                                                                                • LeaveCriticalSection.KERNEL32(00000008,?,00F6DBB3), ref: 00F6DAA0
                                                                                                • SetEvent.KERNEL32(?,?,00F6DBB3), ref: 00F6DAB4
                                                                                                Strings
                                                                                                • Failed to get BITS job state., xrefs: 00F6DA74
                                                                                                • Failure while sending progress., xrefs: 00F6DA8F
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: CriticalSection$EnterEventLeave
                                                                                                • String ID: Failed to get BITS job state.$Failure while sending progress.
                                                                                                • API String ID: 3094578987-2876445054
                                                                                                • Opcode ID: 28d790630b4eaf1a6e095aaa4f101d3457d8c20d1a8bc832083392b94cbd7ea4
                                                                                                • Instruction ID: 03ff386a54d65b1442d8ba27013c15d12311afaea12677f223abc9927ba25758
                                                                                                • Opcode Fuzzy Hash: 28d790630b4eaf1a6e095aaa4f101d3457d8c20d1a8bc832083392b94cbd7ea4
                                                                                                • Instruction Fuzzy Hash: 7201F172B09A26ABC7129B95C8499AEBBA8BF05320B000256E405D7251DB78E904A794
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • GetProcAddress.KERNEL32(SRSetRestorePointW,srclient.dll), ref: 00F8214F
                                                                                                • GetLastError.KERNEL32(?,00F44A5C,00000001,?,?,00F445D9,?,?,?,?,00F454DE,?,?,?,?), ref: 00F8215E
                                                                                                Strings
                                                                                                • SRSetRestorePointW, xrefs: 00F82144
                                                                                                • c:\agent\_work\138\s\src\libs\dutil\srputil.cpp, xrefs: 00F8217F
                                                                                                • srclient.dll, xrefs: 00F8212D
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: AddressErrorLastProc
                                                                                                • String ID: SRSetRestorePointW$c:\agent\_work\138\s\src\libs\dutil\srputil.cpp$srclient.dll
                                                                                                • API String ID: 199729137-976246835
                                                                                                • Opcode ID: 5a05eaeb9fbe2a07ef35d988725036c34f54f3af4b8dbf88e1fbbdeeee84af31
                                                                                                • Instruction ID: 3efe47a7c2dad7de0d4401077052b82ecb49c8ef935f8650e318eb338b578b55
                                                                                                • Opcode Fuzzy Hash: 5a05eaeb9fbe2a07ef35d988725036c34f54f3af4b8dbf88e1fbbdeeee84af31
                                                                                                • Instruction Fuzzy Hash: 5C0186B3F80B3AA3D36137949C0E7DA7A549B017E1F260121BF01BA291DB65EC40B7D1
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,00F7453A,?,?,00F74502,00000000,80004004,?), ref: 00F7455A
                                                                                                • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00F7456D
                                                                                                • FreeLibrary.KERNEL32(00000000,?,?,00F7453A,?,?,00F74502,00000000,80004004,?), ref: 00F74590
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: AddressFreeHandleLibraryModuleProc
                                                                                                • String ID: CorExitProcess$mscoree.dll
                                                                                                • API String ID: 4061214504-1276376045
                                                                                                • Opcode ID: 30a8c2053e2b99f7adf1ba8cd8c82a7150cdcb6049b4779389e4f757d08f1d92
                                                                                                • Instruction ID: 0f80b2b34e28df1e2f36b398ebc356afc966bdcd0fd92475d393056834bb59b5
                                                                                                • Opcode Fuzzy Hash: 30a8c2053e2b99f7adf1ba8cd8c82a7150cdcb6049b4779389e4f757d08f1d92
                                                                                                • Instruction Fuzzy Hash: 95F0823190021CFBDB119B91DC09BED7B6CEB007A2F084151FC08A5160DB708F14FB91
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • _free.LIBCMT ref: 00F74935
                                                                                                • _free.LIBCMT ref: 00F74955
                                                                                                • __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00F749B6
                                                                                                • __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00F749C8
                                                                                                • __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00F749D5
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: __crt_fast_encode_pointer$_free
                                                                                                • String ID:
                                                                                                • API String ID: 366466260-0
                                                                                                • Opcode ID: ef25fbddcc564bffd639017da0f967bb00900eb97e16a43a73d3a26387030460
                                                                                                • Instruction ID: 5b04457d4cf61cbfb45d1c19de034db31075f7a8051698f9af6ae20b516d1775
                                                                                                • Opcode Fuzzy Hash: ef25fbddcc564bffd639017da0f967bb00900eb97e16a43a73d3a26387030460
                                                                                                • Instruction Fuzzy Hash: AC41D336E002149FCB10DFB8C891A5EB7B6EF89714B1585AAE649EB341D731AD01EB81
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • MultiByteToWideChar.KERNEL32(8007139F,00000000,?,?,00000000,00000000,80004005,8007139F,?,?,00F80687,8007139F,?,00000000,00000000,8007139F), ref: 00F42326
                                                                                                • GetLastError.KERNEL32(?,00000000,00000000,80004005,8007139F,?,?,00F80687,8007139F,?,00000000,00000000,8007139F), ref: 00F42332
                                                                                                  • Part of subcall function 00F43C9A: GetProcessHeap.KERNEL32(00000000,000001C7,?,00F42300,000001C7,80004005,8007139F,?,?,00F80687,8007139F,?,00000000,00000000,8007139F), ref: 00F43CA2
                                                                                                  • Part of subcall function 00F43C9A: HeapSize.KERNEL32(00000000,?,00F42300,000001C7,80004005,8007139F,?,?,00F80687,8007139F,?,00000000,00000000,8007139F), ref: 00F43CA9
                                                                                                Strings
                                                                                                • c:\agent\_work\138\s\src\libs\dutil\strutil.cpp, xrefs: 00F42356
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: Heap$ByteCharErrorLastMultiProcessSizeWide
                                                                                                • String ID: c:\agent\_work\138\s\src\libs\dutil\strutil.cpp
                                                                                                • API String ID: 3662877508-1498286024
                                                                                                • Opcode ID: f48437fa73bf8bd33ca86f42005753a52248347864218009961001325334750a
                                                                                                • Instruction ID: b575116f516a09dfa0e53054d5ff792817b7e91656f12211736b3b845e2651c9
                                                                                                • Opcode Fuzzy Hash: f48437fa73bf8bd33ca86f42005753a52248347864218009961001325334750a
                                                                                                • Instruction Fuzzy Hash: 9C31E733A00225ABDB608E65CC48A7E7FA5EF45774B514235FC159B2A1EB39CC40B7D0
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • lstrlenW.KERNEL32(?,?,00000000,00000000,?,?,00F48C96,00F497E5,?,00F497E5,?,?,00F497E5,?,?), ref: 00F48AF7
                                                                                                • lstrlenW.KERNEL32(?,?,00000000,00000000,?,?,00F48C96,00F497E5,?,00F497E5,?,?,00F497E5,?,?), ref: 00F48AFF
                                                                                                • CompareStringW.KERNEL32(0000007F,?,?,?,?,00000000,?,00000000,00000000,?,?,00F48C96,00F497E5,?,00F497E5,?), ref: 00F48B4E
                                                                                                • CompareStringW.KERNEL32(0000007F,?,?,00000000,?,00000000,?,00000000,00000000,?,?,00F48C96,00F497E5,?,00F497E5,?), ref: 00F48BB0
                                                                                                • CompareStringW.KERNEL32(0000007F,?,?,00000000,?,00000000,?,00000000,00000000,?,?,00F48C96,00F497E5,?,00F497E5,?), ref: 00F48BDD
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: CompareString$lstrlen
                                                                                                • String ID:
                                                                                                • API String ID: 1657112622-0
                                                                                                • Opcode ID: bee1dfa00e7006bb58fc275c5755102ec8b4dcc9056bd2972dfb07d05424e462
                                                                                                • Instruction ID: 347f39c0af48716d01d6db7596328c8e31969d5dfe8eec36d6b860a962499012
                                                                                                • Opcode Fuzzy Hash: bee1dfa00e7006bb58fc275c5755102ec8b4dcc9056bd2972dfb07d05424e462
                                                                                                • Instruction Fuzzy Hash: 443133B2A01159FFCF158F58CC84AAE3F66FB893E0F148415FD199B210CA759992EB60
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • EnterCriticalSection.KERNEL32(00F45435,WixBundleOriginalSource,?,?,00F5A611,840F01E8,WixBundleOriginalSource,?,00FABB6C,?,00000000,00F454BD,00000001,?,?,00F454BD), ref: 00F47571
                                                                                                • LeaveCriticalSection.KERNEL32(00F45435,00F45435,00000000,00000000,?,?,00F5A611,840F01E8,WixBundleOriginalSource,?,00FABB6C,?,00000000,00F454BD,00000001,?), ref: 00F475D8
                                                                                                Strings
                                                                                                • Failed to get value of variable: %ls, xrefs: 00F475AB
                                                                                                • Failed to get value as string for variable: %ls, xrefs: 00F475C7
                                                                                                • WixBundleOriginalSource, xrefs: 00F4756D
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: CriticalSection$EnterLeave
                                                                                                • String ID: Failed to get value as string for variable: %ls$Failed to get value of variable: %ls$WixBundleOriginalSource
                                                                                                • API String ID: 3168844106-30613933
                                                                                                • Opcode ID: 69e6f317f1c0618c18f1802c1ee294abfe5f761b34de7e73b895b478f0f64b30
                                                                                                • Instruction ID: e9f9c23d39eb48db934315ea454f5dde35f0ae4d3b295716d188c05d6165f898
                                                                                                • Opcode Fuzzy Hash: 69e6f317f1c0618c18f1802c1ee294abfe5f761b34de7e73b895b478f0f64b30
                                                                                                • Instruction Fuzzy Hash: 92017C72908228BBCF117B54CC09BAE3F64AF14724F148020FD04AE160D73ADE10BBE1
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • CloseHandle.KERNEL32(?,00000000,?,00000000,?,00F6CF37,00000000), ref: 00F6CF5A
                                                                                                • CloseHandle.KERNEL32(00000000,00000000,?,00000000,?,00F6CF37,00000000), ref: 00F6CF66
                                                                                                • CloseHandle.KERNEL32(00F8B508,00000000,?,00000000,?,00F6CF37,00000000), ref: 00F6CF73
                                                                                                • CloseHandle.KERNEL32(00000000,00000000,?,00000000,?,00F6CF37,00000000), ref: 00F6CF80
                                                                                                • UnmapViewOfFile.KERNEL32(00F8B4D8,00000000,?,00F6CF37,00000000), ref: 00F6CF8F
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
Similarity
• API ID: CloseHandle$FileUnmapView
• String ID:
• API String ID: 260491571-0
• Opcode ID: 6bdd00506ee9962c7410701037bcd5d96c4e9534ceda178f5339cdaf2d792720
• Instruction ID: 155fdfc16ef4d5677bfdd6d0d4524d9b7e6d098207bccbb65832b3bac3675764
• Opcode Fuzzy Hash: 6bdd00506ee9962c7410701037bcd5d96c4e9534ceda178f5339cdaf2d792720
• Instruction Fuzzy Hash: 9F011D76805B15DFCB316F66DC80866FBEAEF50721315C93EE2DA52921C371A840EFA0
Uniqueness
Uniqueness Score: -1.00%

APIs
• _free.LIBCMT ref: 00F78951
  • Part of subcall function 00F7604F: HeapFree.KERNEL32(00000000,00000000,?,00F789CC,?,00000000,?,00000000,?,00F789F3,?,00000007,?,?,00F78E6D,?), ref: 00F76065
  • Part of subcall function 00F7604F: GetLastError.KERNEL32(?,?,00F789CC,?,00000000,?,00000000,?,00F789F3,?,00000007,?,?,00F78E6D,?,?), ref: 00F76077
• _free.LIBCMT ref: 00F78963
• _free.LIBCMT ref: 00F78975
• _free.LIBCMT ref: 00F78987
• _free.LIBCMT ref: 00F78999
Memory Dump Source
• Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
• Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
• Opcode ID: 4ca174410572c2f5a628a93b0738bd4836557ab96c7bd3e17bb1136b5f5b8936
• Instruction ID: f63d582bf287425eee2b1c3b509cd2fda6abc6b96c073a1b22d3efae94c49068
• Opcode Fuzzy Hash: 4ca174410572c2f5a628a93b0738bd4836557ab96c7bd3e17bb1136b5f5b8936
• Instruction Fuzzy Hash: 5FF03672944614AFC630EB64E989C2677F9EA81F607589C07F24CD7542CF78FC81A653
Uniqueness
Uniqueness Score: -1.00%

APIs
• SystemTimeToFileTime.KERNEL32(?,00000000,00000000,clbcatq.dll,00000000,clbcatq.dll,00000000,00000000,00000000), ref: 00F88BFD
• GetLastError.KERNEL32 ref: 00F88C07
Strings
Memory Dump Source
• Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
• Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
Similarity
• API ID: Time$ErrorFileLastSystem
• String ID: c:\agent\_work\138\s\src\libs\dutil\timeutil.cpp$clbcatq.dll
• API String ID: 2781989572-1116151388
• Opcode ID: 0dafefce07f60360702b1b526068d84559dd63b3228f881e334ca83af735f9d1
• Instruction ID: 036b5b14a32f49943bc6b0deacd9bbecf7d388f42df626596d7b232f4a7fb2d3
• Opcode Fuzzy Hash: 0dafefce07f60360702b1b526068d84559dd63b3228f881e334ca83af735f9d1
• Instruction Fuzzy Hash: F941D6B6E002056AD724BFB88C45FFF7674AFC17A4F848019F501B7185DA74DE02A361
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
• Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
Similarity
• API ID:
• String ID: C:\Users\user\Desktop\python-3.11.4-amd64.exe
• API String ID: 0-2446636350
• Opcode ID: 2b49b8fa4300e0c5a7d42c8f6aba0fba4410d332748fc3f417f7de8c77b7b55e
• Instruction ID: ec87679db1647c448a5062da35498c64b75b34e4859450d478ce872c346968c2
• Opcode Fuzzy Hash: 2b49b8fa4300e0c5a7d42c8f6aba0fba4410d332748fc3f417f7de8c77b7b55e
• Instruction Fuzzy Hash: 11416471E04218BBCB21DB99DC85DAEBBB8EB89710B108067E409D7211D7705F44FB92
Uniqueness
Uniqueness Score: -1.00%

APIs
• VariantInit.OLEAUT32(000002C0), ref: 00F83B59
• SysAllocString.OLEAUT32(?), ref: 00F83B69
• VariantClear.OLEAUT32(?), ref: 00F83C48
Strings
• c:\agent\_work\138\s\src\libs\dutil\xmlutil.cpp, xrefs: 00F83B81
Memory Dump Source
• Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
• Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
Similarity
• API ID: Variant$AllocClearInitString
• String ID: c:\agent\_work\138\s\src\libs\dutil\xmlutil.cpp
• API String ID: 2213243845-3319182157
• Opcode ID: e1e77baa2376551c1ab80cebcf1194b13701960f3b84f9c6a8a023c1b3b4ca8d
• Instruction ID: 8502e7eef89e1f3b6d4cffba20aa8357162bc5fdc9cd03038a52920e3b7d53a6
• Opcode Fuzzy Hash: e1e77baa2376551c1ab80cebcf1194b13701960f3b84f9c6a8a023c1b3b4ca8d
• Instruction Fuzzy Hash: 55416471D00225ABCB11EFA5C888EEEBBF8AF46B24F0541A4EC01EB251D634DE00DB90
Uniqueness
Uniqueness Score: -1.00%

APIs
• RegEnumKeyExW.ADVAPI32(00000000,000002C0,00000410,00000002,00000000,00000000,00000000,00000000,00000410,00000002,00000100,00000000,00000000,?,?,00F68C68), ref: 00F81376
• RegQueryInfoKeyW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00F68C68,00000000), ref: 00F81394
• RegEnumKeyExW.ADVAPI32(00000000,000002C0,00000410,00000002,00000000,00000000,00000000,00000000,00000410,00000003,?,?,00F68C68,00000000,00000000,00000000), ref: 00F813EA
Strings
• c:\agent\_work\138\s\src\libs\dutil\regutil.cpp, xrefs: 00F813BA
Memory Dump Source
• Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
• Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
Similarity
• API ID: Enum$InfoQuery
• String ID: c:\agent\_work\138\s\src\libs\dutil\regutil.cpp
• API String ID: 73471667-3069916640
• Opcode ID: be3cad23928fa68e0faf49580fd6f1ca55241f91f83e05aa824e5f438698152d
• Instruction ID: 7c21677bad5702b568768c260058cb63e4596aaca5eeffb805ee0236a02fb9f9
• Opcode Fuzzy Hash: be3cad23928fa68e0faf49580fd6f1ca55241f91f83e05aa824e5f438698152d
• Instruction Fuzzy Hash: D63182B7D01529FBEB219A948C80EEFBAACFF057A0F114265FD01A7150D7718E01BBA0
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00F89213: lstrlenW.KERNEL32(00000100,?,?,?,00F895B3,000002C0,00000100,00000100,00000100,?,?,?,00F67BE4,?,?,000001BC), ref: 00F89238
• RegCloseKey.ADVAPI32(00000000,00000000,crypt32.dll,00000000,00000000,00000000,00000000,crypt32.dll), ref: 00F8981B
• RegCloseKey.ADVAPI32(00000001,00000000,crypt32.dll,00000000,00000000,00000000,00000000,crypt32.dll), ref: 00F89835
  • Part of subcall function 00F810B8: RegCreateKeyExW.ADVAPI32(00000001,00000000,00000000,00000000,00000000,00000001,00000000,?,00000000,00000001,?,?,00F5069E,?,00000000,00020006), ref: 00F810DD
  • Part of subcall function 00F8199A: RegSetValueExW.ADVAPI32(00020006,00F90FB8,00000000,00000001,?,00000000,?,000000FF,00000000,00000000,?,?,00F4F3CC,00000000,?,00020006), ref: 00F819CD
  • Part of subcall function 00F8199A: RegDeleteValueW.ADVAPI32(00020006,00F90FB8,00000000,?,?,00F4F3CC,00000000,?,00020006,?,00F90FB8,00020006,00000000,?,?,?), ref: 00F819FD
  • Part of subcall function 00F8194C: RegSetValueExW.ADVAPI32(?,00000005,00000000,00000004,?,00000004,00000001,?,00F4F324,00F90FB8,Resume,00000005,?,00000000,00000000,00000000), ref: 00F81961
Strings
Memory Dump Source
• Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
• Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
Similarity
• API ID: Value$Close$CreateDeletelstrlen
• String ID: %ls\%ls$crypt32.dll
• API String ID: 3924016894-1754266218
• Opcode ID: c5d6680b8266ced8f16e913915f976a850ea1c12bbd1ba5053776ce0f7dede34
• Instruction ID: 7142575a7ef7f9fceb7e959b51e972d97f0f571b9b15b5dadb228dae9bf1c4a4
• Opcode Fuzzy Hash: c5d6680b8266ced8f16e913915f976a850ea1c12bbd1ba5053776ce0f7dede34
• Instruction Fuzzy Hash: 0331D572C0022EBB8F12AF948C418EEBBB9EB05750B59416AE910B2161D7759E51FF90
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00F81436: RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,00000000,00000001,00FABB7C,00000000,?,00F85BF9,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 00F8144A
• RegCloseKey.ADVAPI32(00000000,00000000,00000088,00000000,000002C0,00000410,00020019,00000000,000002C0,00000000,?,?,?,00F68CA4,00000000,00000000), ref: 00F68A25
Strings
• Failed to ensure there is space for related bundles., xrefs: 00F689D8
• Failed to open uninstall key for potential related bundle: %ls, xrefs: 00F68994
• Failed to initialize package from related bundle id: %ls, xrefs: 00F68A0B
Memory Dump Source
• Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
• Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
Similarity
• API ID: CloseOpen
• String ID: Failed to ensure there is space for related bundles.$Failed to initialize package from related bundle id: %ls$Failed to open uninstall key for potential related bundle: %ls
• API String ID: 47109696-1717420724
• Opcode ID: e5f299aa1e9550884070084d88d2161aa48124669b80616a4d815df576b7c1d7
• Instruction ID: 2eb71949fb48559e0fa4d8a863bdfaed3c67d9622e60556aa373e350aca30aa0
• Opcode Fuzzy Hash: e5f299aa1e9550884070084d88d2161aa48124669b80616a4d815df576b7c1d7
• Instruction Fuzzy Hash: 0A217F32940219FBDF129A80CD06BEE7A78EF04790F14421AFD00A6151DB799E22FB91
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetProcessHeap.KERNEL32(00000000,00000000,80004005,00000000,00000000,00000100,?,00F4146A,00000000,80004005,00000000,80004005,00000000,000001C7,?,00F413B0), ref: 00F43BFA
• HeapReAlloc.KERNEL32(00000000,?,00F4146A,00000000,80004005,00000000,80004005,00000000,000001C7,?,00F413B0,000001C7,00000100,?,80004005,00000000), ref: 00F43C01
  • Part of subcall function 00F43A1A: GetProcessHeap.KERNEL32(?,000001C7,?,00F423A7,?,00000001,80004005,8007139F,?,?,00F80687,8007139F,?,00000000,00000000,8007139F), ref: 00F43A2B
  • Part of subcall function 00F43A1A: RtlAllocateHeap.NTDLL(00000000,?,00F423A7,?,00000001,80004005,8007139F,?,?,00F80687,8007139F,?,00000000,00000000,8007139F), ref: 00F43A32
  • Part of subcall function 00F43C9A: GetProcessHeap.KERNEL32(00000000,000001C7,?,00F42300,000001C7,80004005,8007139F,?,?,00F80687,8007139F,?,00000000,00000000,8007139F), ref: 00F43CA2
  • Part of subcall function 00F43C9A: HeapSize.KERNEL32(00000000,?,00F42300,000001C7,80004005,8007139F,?,?,00F80687,8007139F,?,00000000,00000000,8007139F), ref: 00F43CA9
• _memcpy_s.LIBCMT ref: 00F43C4D
Strings
• c:\agent\_work\138\s\src\libs\dutil\memutil.cpp, xrefs: 00F43C8E
Memory Dump Source
• Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
• Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
Similarity
• API ID: Heap$Process$AllocAllocateSize_memcpy_s
• String ID: c:\agent\_work\138\s\src\libs\dutil\memutil.cpp
• API String ID: 3406509257-517705587
• Opcode ID: 4b0b4a43e9ecb603f916e8ba72286ee33df6901c2f1fee26233225300113ac82
• Instruction ID: 4e737b4eb09461992bb6344f2a5a14a01d6a095865a0a0b0d38265a242424933
• Opcode Fuzzy Hash: 4b0b4a43e9ecb603f916e8ba72286ee33df6901c2f1fee26233225300113ac82
• Instruction Fuzzy Hash: 1B11B432A00529ABCB226F689C88DAE3E9ADF40734B154611FE14AB251D739CF51B7D0
Uniqueness
Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • GetLastError.KERNEL32 ref: 00F88D6A
                                                                                                • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 00F88D92
                                                                                                • GetLastError.KERNEL32 ref: 00F88D9C
                                                                                                Strings
                                                                                                • c:\agent\_work\138\s\src\libs\dutil\inetutil.cpp, xrefs: 00F88DBD
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: ErrorLastTime$FileSystem
                                                                                                • String ID: c:\agent\_work\138\s\src\libs\dutil\inetutil.cpp
                                                                                                • API String ID: 1528435940-2698868727
                                                                                                • Opcode ID: 7bedaeacb9409c63ef73027c7943a93a6db3efcf3ac2a6a9cf9ec08d31d6756d
                                                                                                • Instruction ID: 63f322c0f132fd9dc52b6852136629e7d7a3f74cc11f9efe590aca19fa7b0152
                                                                                                • Opcode Fuzzy Hash: 7bedaeacb9409c63ef73027c7943a93a6db3efcf3ac2a6a9cf9ec08d31d6756d
                                                                                                • Instruction Fuzzy Hash: D411CB73E01239A7D721ABA9CC05BEFBBA89F157A0F410415AD05FB281DA34DD05A7E1
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • lstrlenA.KERNEL32(00F61188,00000000,00000000,?,?,?,00F8042A,00F61188,00F61188,?,00000000,0000FDE9,?,00F61188,8007139F,Invalid operation for this state.), ref: 00F80B8E
                                                                                                • WriteFile.KERNEL32(FFFFFFFF,00000000,00000000,?,00000000,?,?,00F8042A,00F61188,00F61188,?,00000000,0000FDE9,?,00F61188,8007139F), ref: 00F80BCA
                                                                                                • GetLastError.KERNEL32(?,?,00F8042A,00F61188,00F61188,?,00000000,0000FDE9,?,00F61188,8007139F,Invalid operation for this state.,c:\agent\_work\138\s\src\burn\engine\cabextract.cpp,000001C7,8007139F), ref: 00F80BD4
                                                                                                Strings
                                                                                                • c:\agent\_work\138\s\src\libs\dutil\logutil.cpp, xrefs: 00F80C05
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: ErrorFileLastWritelstrlen
                                                                                                • String ID: c:\agent\_work\138\s\src\libs\dutil\logutil.cpp
                                                                                                • API String ID: 606256338-1566132964
                                                                                                • Opcode ID: 79c0963069181af97804795625a7bc635622f443af20a125c59d8db32ea00d1e
                                                                                                • Instruction ID: 6161e458c2fced4f156e7cd6465380f943e8c3e9bf465cee846b502b3756313e
                                                                                                • Opcode Fuzzy Hash: 79c0963069181af97804795625a7bc635622f443af20a125c59d8db32ea00d1e
                                                                                                • Instruction Fuzzy Hash: 9E11E973900228AB8720AFA98C44EEFBA6CEB85B64B410325FD01D7181DB30DD40F7E0
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • CommandLineToArgvW.SHELL32(00000000,00000000,00000000,00000000,00000000,00000000,ignored ,00000000,?,00000000,?,?,?,00F452B7,00000000,?), ref: 00F41244
                                                                                                • GetLastError.KERNEL32(?,?,?,00F452B7,00000000,?,?,00000003,00000000,00000000,?,?,?,?,?,?), ref: 00F4124E
                                                                                                Strings
                                                                                                • c:\agent\_work\138\s\src\libs\dutil\apputil.cpp, xrefs: 00F4126F
                                                                                                • ignored , xrefs: 00F41213
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: ArgvCommandErrorLastLine
                                                                                                • String ID: c:\agent\_work\138\s\src\libs\dutil\apputil.cpp$ignored
                                                                                                • API String ID: 3459693003-3560123233
                                                                                                • Opcode ID: 0c033e939ef80baf5692c199308f6e6a4fdc0ab522c4a443e5c1e62ad7420b46
                                                                                                • Instruction ID: a08e764a5a0bf214c9b8b11de8d639f6233f945cee51bf705351e16797b7ca44
                                                                                                • Opcode Fuzzy Hash: 0c033e939ef80baf5692c199308f6e6a4fdc0ab522c4a443e5c1e62ad7420b46
                                                                                                • Instruction Fuzzy Hash: 16116D76901229AB8B11AB99CC05D9EBFB8BF40B60B014165BD04EB251E7B0DF40ABA0
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • FormatMessageW.KERNEL32(00000900,?,?,00000000,00000000,00000000,?,00000000,?,?,00F8090E,?,?,?,?,00000001), ref: 00F8025B
                                                                                                • GetLastError.KERNEL32(?,00F8090E,?,?,?,?,00000001,?,00F4568C,?,?,00000000,?,?,00F4540D,00000002), ref: 00F80267
                                                                                                • LocalFree.KERNEL32(00000000,?,?,00000000,?,?,00F8090E,?,?,?,?,00000001,?,00F4568C,?,?), ref: 00F802D0
                                                                                                Strings
                                                                                                • c:\agent\_work\138\s\src\libs\dutil\logutil.cpp, xrefs: 00F80286
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: ErrorFormatFreeLastLocalMessage
                                                                                                • String ID: c:\agent\_work\138\s\src\libs\dutil\logutil.cpp
                                                                                                • API String ID: 1365068426-1566132964
                                                                                                • Opcode ID: 1aa5fea95bd607cfbf94990e57977d52e2eeda7972cd10a6ac704f26218c7bff
                                                                                                • Instruction ID: b3a220ed35ed59119ef633d40f015d23c65753a2d21dd740bd903c6a818186f0
                                                                                                • Opcode Fuzzy Hash: 1aa5fea95bd607cfbf94990e57977d52e2eeda7972cd10a6ac704f26218c7bff
                                                                                                • Instruction Fuzzy Hash: 93119132A00229EBDF21AF94CD09FEF7A69EF55760F414019FD05A61A0EB708E54F7A0
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • WaitForSingleObject.KERNEL32(?,000000FF,00000000,74DF30D0,?,?,00F6D1D5,00000000,00000000,00000000,00000000), ref: 00F6CFB0
                                                                                                • ReleaseMutex.KERNEL32(?,?,00F6D1D5,00000000,00000000,00000000,00000000), ref: 00F6D037
                                                                                                  • Part of subcall function 00F43A1A: GetProcessHeap.KERNEL32(?,000001C7,?,00F423A7,?,00000001,80004005,8007139F,?,?,00F80687,8007139F,?,00000000,00000000,8007139F), ref: 00F43A2B
                                                                                                  • Part of subcall function 00F43A1A: RtlAllocateHeap.NTDLL(00000000,?,00F423A7,?,00000001,80004005,8007139F,?,?,00F80687,8007139F,?,00000000,00000000,8007139F), ref: 00F43A32
                                                                                                Strings
                                                                                                • c:\agent\_work\138\s\src\burn\engine\netfxchainer.cpp, xrefs: 00F6CFF5
                                                                                                • Failed to allocate memory for message data, xrefs: 00F6CFFF
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: Heap$AllocateMutexObjectProcessReleaseSingleWait
                                                                                                • String ID: Failed to allocate memory for message data$c:\agent\_work\138\s\src\burn\engine\netfxchainer.cpp
                                                                                                • API String ID: 2993511968-41198472
                                                                                                • Opcode ID: b786e487c45b2fa1ad45295795ee151f72c28128f78dc24ecbd9163f78d776cf
                                                                                                • Instruction ID: dcff01917194b1bc282fe72e23dc915b5287dbcd7724f976102f882d3f86359e
                                                                                                • Opcode Fuzzy Hash: b786e487c45b2fa1ad45295795ee151f72c28128f78dc24ecbd9163f78d776cf
                                                                                                • Instruction Fuzzy Hash: 3A118FB5300216FFCB159F24EC85EAABBA4FF49720F104165F9189B361C772A821DBA4
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • CreateFileW.KERNEL32(002E0032,40000000,00000001,00000000,00000002,00000080,00000000,00F50545,00000000,?,00F4F589,00F8B4F0,00000080,002E0032,00000000), ref: 00F851FA
                                                                                                • GetLastError.KERNEL32(?,00F4F589,00F8B4F0,00000080,002E0032,00000000,?,00F50545,crypt32.dll,00000094,?,?,?,?,?,00000000), ref: 00F85207
                                                                                                • CloseHandle.KERNEL32(00000000,00000000,00F8B4F0,00F4F589,?,00F4F589,00F8B4F0,00000080,002E0032,00000000,?,00F50545,crypt32.dll,00000094), ref: 00F8525B
                                                                                                Strings
                                                                                                • c:\agent\_work\138\s\src\libs\dutil\fileutil.cpp, xrefs: 00F8522B
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: CloseCreateErrorFileHandleLast
                                                                                                • String ID: c:\agent\_work\138\s\src\libs\dutil\fileutil.cpp
                                                                                                • API String ID: 2528220319-3168567549
                                                                                                • Opcode ID: a999ec2822408d2cc52173b2f8dd59a4ad9e57100e69e28ec01d333163e223f0
                                                                                                • Instruction ID: fbe46c66448c125d50e22f2b1bbdd9620ebde7d19db623698b5a1ca96b804d67
                                                                                                • Opcode Fuzzy Hash: a999ec2822408d2cc52173b2f8dd59a4ad9e57100e69e28ec01d333163e223f0
                                                                                                • Instruction Fuzzy Hash: 3101D433A41A2567DB212E989C05FDB7A54AB41F70F054211FE24AB1E0DF209C0077A0
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                  • Part of subcall function 00F81436: RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,00000000,00000001,00FABB7C,00000000,?,00F85BF9,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 00F8144A
                                                                                                • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000001,00000000,00000001,00000000,?,?,00020006,00000000,00000001,00000000), ref: 00F50813
                                                                                                Strings
                                                                                                • Failed to update resume mode., xrefs: 00F507E4
                                                                                                • Failed to open registration key., xrefs: 00F507CA
                                                                                                • Failed to update name and publisher., xrefs: 00F507FD
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: CloseOpen
                                                                                                • String ID: Failed to open registration key.$Failed to update name and publisher.$Failed to update resume mode.
                                                                                                • API String ID: 47109696-1865096027
                                                                                                • Opcode ID: 7f087c37d3d5ee9d8f3e1b4bc2a6d2de6f21ede06f3df45d437714799702d892
                                                                                                • Instruction ID: 6a7e0a9a899593a7c396ce66c21faa03d3b8d46dc547047067a252e12d38aa1a
                                                                                                • Opcode Fuzzy Hash: 7f087c37d3d5ee9d8f3e1b4bc2a6d2de6f21ede06f3df45d437714799702d892
                                                                                                • Instruction Fuzzy Hash: CA01D433A01629F7DF129690DC02FDEBA69AF00B22F200061FA00B6190DBB5EE04B7C1
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • CreateFileW.KERNEL32(00000000,00000080,00000001,00000000,00000003,00000080,00000000,000002C0,00000000,?,00F68AC5,00000000,00000088,000002C0,BundleCachePath,00000000), ref: 00F84DE6
                                                                                                • GetLastError.KERNEL32(?,00F68AC5,00000000,00000088,000002C0,BundleCachePath,00000000,000002C0,BundleVersion,000000B8,000002C0,EngineVersion,000002C0,000000B0), ref: 00F84DF3
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: CreateErrorFileLast
                                                                                                • String ID: c:\agent\_work\138\s\src\libs\dutil\fileutil.cpp
                                                                                                • API String ID: 1214770103-3168567549
Uniqueness

Uniqueness Score: -1.00%

APIs
• ControlService.ADVAPI32(00F66979,00000001,?,00000001,00000000,?,?,?,?,?,?,00F66979,00000000), ref: 00F66A8D
• GetLastError.KERNEL32(?,?,?,?,?,?,00F66979,00000000), ref: 00F66A97
Strings
• c:\agent\_work\138\s\src\burn\engine\msuengine.cpp, xrefs: 00F66ABB
• Failed to stop wusa service., xrefs: 00F66AC5
Similarity
• API ID: ControlErrorLastService
• String ID: Failed to stop wusa service.$c:\agent\_work\138\s\src\burn\engine\msuengine.cpp
• API String ID: 4114567744-1257665305
Uniqueness

Uniqueness Score: -1.00%

APIs
• SysAllocString.OLEAUT32(?), ref: 00F83DDB
• SysFreeString.OLEAUT32(00000000), ref: 00F83E0E
Strings
Similarity
• API ID: String$AllocFree
• String ID: `<u$c:\agent\_work\138\s\src\libs\dutil\xmlutil.cpp
• API String ID: 344208780-1436017577
Uniqueness

Uniqueness Score: -1.00%

APIs
• SysAllocString.OLEAUT32(?), ref: 00F83E61
• SysFreeString.OLEAUT32(00000000), ref: 00F83E94
Strings
Similarity
• API ID: String$AllocFree
• String ID: `<u$c:\agent\_work\138\s\src\libs\dutil\xmlutil.cpp
• API String ID: 344208780-1436017577
Uniqueness

Uniqueness Score: -1.00%

APIs
• SysFreeString.OLEAUT32(?), ref: 00F86D09
  • Part of subcall function 00F88AF0: SystemTimeToFileTime.KERNEL32(?,00000000,00000000,clbcatq.dll,00000000,clbcatq.dll,00000000,00000000,00000000), ref: 00F88BFD
  • Part of subcall function 00F88AF0: GetLastError.KERNEL32 ref: 00F88C07
Strings
Similarity
• API ID: Time$ErrorFileFreeLastStringSystem
• String ID: `<u$c:\agent\_work\138\s\src\libs\dutil\atomutil.cpp$clbcatq.dll
• API String ID: 211557998-3233764823
Uniqueness

Uniqueness Score: -1.00%

APIs
• PostThreadMessageW.USER32(?,00009002,00000000,?), ref: 00F5EC4F
• GetLastError.KERNEL32 ref: 00F5EC59
Strings
• c:\agent\_work\138\s\src\burn\engine\engineforapplication.cpp, xrefs: 00F5EC7D
• Failed to post elevate message., xrefs: 00F5EC87
Similarity
• API ID: ErrorLastMessagePostThread
• String ID: Failed to post elevate message.$c:\agent\_work\138\s\src\burn\engine\engineforapplication.cpp
• API String ID: 2609174426-2699502814
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetProcAddress.KERNEL32(?,BootstrapperApplicationDestroy), ref: 00F4D99C
• FreeLibrary.KERNEL32(?,?,00F4495B,00000000,?,?,00F45506,?,?), ref: 00F4D9AB
• GetLastError.KERNEL32(?,00F4495B,00000000,?,?,00F45506,?,?), ref: 00F4D9B5
Strings
• BootstrapperApplicationDestroy, xrefs: 00F4D994
Similarity
• API ID: AddressErrorFreeLastLibraryProc
• String ID: BootstrapperApplicationDestroy
• API String ID: 1144718084-3186005537
Uniqueness

Uniqueness Score: -1.00%

APIs
• SysAllocString.OLEAUT32(?), ref: 00F8367F
• SysFreeString.OLEAUT32(00000000), ref: 00F836AF
Strings
• c:\agent\_work\138\s\src\libs\dutil\xmlutil.cpp, xrefs: 00F83693
• `<u, xrefs: 00F836AF
Similarity
• API ID: String$AllocFree
• String ID: `<u$c:\agent\_work\138\s\src\libs\dutil\xmlutil.cpp
• API String ID: 344208780-1436017577
Uniqueness

Uniqueness Score: -1.00%

APIs
• SysAllocString.OLEAUT32(?), ref: 00F83924
• SysFreeString.OLEAUT32(00000000), ref: 00F83954
Strings
• c:\agent\_work\138\s\src\libs\dutil\xmlutil.cpp, xrefs: 00F8393B
• `<u, xrefs: 00F83954
Similarity
• API ID: String$AllocFree
• String ID: `<u$c:\agent\_work\138\s\src\libs\dutil\xmlutil.cpp
• API String ID: 344208780-1436017577
Uniqueness

Uniqueness Score: -1.00%

APIs
• PostThreadMessageW.USER32(?,00009001,00000000,?), ref: 00F5F246
• GetLastError.KERNEL32 ref: 00F5F250
Strings
• Failed to post plan message., xrefs: 00F5F27E
• c:\agent\_work\138\s\src\burn\engine\engineforapplication.cpp, xrefs: 00F5F274
                                                                                                Similarity
                                                                                                • API ID: ErrorLastMessagePostThread
                                                                                                • String ID: Failed to post plan message.$c:\agent\_work\138\s\src\burn\engine\engineforapplication.cpp
                                                                                                • API String ID: 2609174426-3584526468
                                                                                                • Opcode ID: be309bce916d21ee29e0fd10bb34bfa73ad9183ff9abd5952d1de6fd45704aa0
                                                                                                • Instruction ID: 8355a92632da4966a86db8e7745a73b522c74e589794f910457dea657542e295
                                                                                                • Opcode Fuzzy Hash: be309bce916d21ee29e0fd10bb34bfa73ad9183ff9abd5952d1de6fd45704aa0
                                                                                                • Instruction Fuzzy Hash: 33F0EC37A5533467D63026D56C0AD87BF44AF05F71F024061FE18AB191EE15DC04B6D5
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

APIs
• PostThreadMessageW.USER32(?,00009005,?,00000000), ref: 00F5F354
• GetLastError.KERNEL32 ref: 00F5F35E
Strings
• c:\agent\_work\138\s\src\burn\engine\engineforapplication.cpp, xrefs: 00F5F382
• Failed to post shutdown message., xrefs: 00F5F38C
Memory Dump Source
• Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
• Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
Similarity
• API ID: ErrorLastMessagePostThread
• String ID: Failed to post shutdown message.$c:\agent\_work\138\s\src\burn\engine\engineforapplication.cpp
• API String ID: 2609174426-83663741
• Opcode ID: a51a0f741ff515be81faa2e99dabada516252645a4a0369d566b371c994f3f87
• Instruction ID: 192b0423c6b1fd80948b857ca67de3f06e9ae4f8290f1e7c3761f53f3e8b3765
• Opcode Fuzzy Hash: a51a0f741ff515be81faa2e99dabada516252645a4a0369d566b371c994f3f87
• Instruction Fuzzy Hash: 8AF0EC37A41335B7A6212A955C0DE8B7F48AF01BB1B014061FE08FB191FA21DC0477D5
Uniqueness

Uniqueness Score: -1.00%

APIs
• SetEvent.KERNEL32(00F8B468,00000000,?,00F615CD,?,00000000,?,00F4C33B,?,00F4547D,?,00F5759E,?,?,00F4547D,?), ref: 00F60682
• GetLastError.KERNEL32(?,00F615CD,?,00000000,?,00F4C33B,?,00F4547D,?,00F5759E,?,?,00F4547D,?,00F454BD,00000001), ref: 00F6068C
Strings
• Failed to set begin operation event., xrefs: 00F606BA
• c:\agent\_work\138\s\src\burn\engine\cabextract.cpp, xrefs: 00F606B0
Memory Dump Source
• Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
• Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
Similarity
• API ID: ErrorEventLast
• String ID: Failed to set begin operation event.$c:\agent\_work\138\s\src\burn\engine\cabextract.cpp
• API String ID: 3848097054-2744104430
• Opcode ID: dd034d810512d0f786235c10f412567d9b13ec33f97af3d71ee016dc8d66912d
• Instruction ID: 4e31d5717360f508b23c46ef4dd90b4d16790c20a62863968c0177ccce63dbae
• Opcode Fuzzy Hash: dd034d810512d0f786235c10f412567d9b13ec33f97af3d71ee016dc8d66912d
• Instruction Fuzzy Hash: 3CF05533E0263167832032959C0AADB7A888F40BB07110132FD04FB281FF569C2033E9
Uniqueness

Uniqueness Score: -1.00%

APIs
• PostThreadMessageW.USER32(?,00009000,00000000,?), ref: 00F5EBD3
• GetLastError.KERNEL32 ref: 00F5EBDD
Strings
• Failed to post detect message., xrefs: 00F5EC0B
• c:\agent\_work\138\s\src\burn\engine\engineforapplication.cpp, xrefs: 00F5EC01
Memory Dump Source
• Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
• Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
Similarity
• API ID: ErrorLastMessagePostThread
• String ID: Failed to post detect message.$c:\agent\_work\138\s\src\burn\engine\engineforapplication.cpp
• API String ID: 2609174426-1752364159
• Opcode ID: 5851bb084df31d0038f015334e78b736a75ee34ba179c47d6ed1d016984b036f
• Instruction ID: 2dfc1deb4d3680a2d7a9a9692f35dbef906cd351e6f2bc62867cd6559e5f332b
• Opcode Fuzzy Hash: 5851bb084df31d0038f015334e78b736a75ee34ba179c47d6ed1d016984b036f
• Instruction Fuzzy Hash: B6F0EC33A4133477E62466995C0DFC7BF54AF00B71B014021FE19AB191E611DD04F6D5
Uniqueness

Uniqueness Score: -1.00%

APIs
• PostThreadMessageW.USER32(?,00009003,00000000,?), ref: 00F5EB42
• GetLastError.KERNEL32 ref: 00F5EB4C
Strings
• c:\agent\_work\138\s\src\burn\engine\engineforapplication.cpp, xrefs: 00F5EB70
• Failed to post apply message., xrefs: 00F5EB7A
Memory Dump Source
• Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
• Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
Similarity
• API ID: ErrorLastMessagePostThread
• String ID: Failed to post apply message.$c:\agent\_work\138\s\src\burn\engine\engineforapplication.cpp
• API String ID: 2609174426-874079251
• Opcode ID: 88c1b79263f766e4a958502b440493089ce7eaafd3d20f1b93d68e2c22a0b9f1
• Instruction ID: f008e17c5a8896d66b608060e167793817019eecb41348789a183e20e9da3c66
• Opcode Fuzzy Hash: 88c1b79263f766e4a958502b440493089ce7eaafd3d20f1b93d68e2c22a0b9f1
• Instruction Fuzzy Hash: D3F0EC33A4533577D6212695AC09E87BF54EF40F72F024011FE08BB1D1E611DD04B6D5
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
• Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
Similarity
• API ID: _strrchr
• String ID:
• API String ID: 3213747228-0
• Opcode ID: 9f1acedcc75d6c98e611d18592d038f462777dbcf9999752fc6943b18af49599
• Instruction ID: 3cbe30d68891ae97825a734613fc07804841e6711aa94127def977e361d54977
• Opcode Fuzzy Hash: 9f1acedcc75d6c98e611d18592d038f462777dbcf9999752fc6943b18af49599
• Instruction Fuzzy Hash: 36B12632D00A469FEB15CF68C8817AEBBF5EF55310F14C1ABE958EB241D6389D01DB62
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
• c:\agent\_work\138\s\src\libs\dutil\dlutil.cpp, xrefs: 00F8643B
Memory Dump Source
• Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
• Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
Similarity
• API ID: lstrlen
• String ID: c:\agent\_work\138\s\src\libs\dutil\dlutil.cpp
• API String ID: 1659193697-3549464317
• Opcode ID: d34211116dff92fd32d27f8f5fb42aa92b1880cdf459801b9464638ebe8b66ec
• Instruction ID: d249c463814affaabe664225132a8a68066ed74c05e2f13f32a2a08e9d2e8d17
• Opcode Fuzzy Hash: d34211116dff92fd32d27f8f5fb42aa92b1880cdf459801b9464638ebe8b66ec
• Instruction Fuzzy Hash: 42516376E0021AABDF21AFA48C849EFBBB9AF48720F154114FD05E7250DB74DD41ABA0
Uniqueness

Uniqueness Score: -1.00%

APIs
• CloseHandle.KERNEL32(?,?,?,00000000,?,00F455CA,?,?,?,?,?,?), ref: 00F45076
• DeleteCriticalSection.KERNEL32(?,?,?,00000000,?,00F455CA,?,?,?,?,?,?), ref: 00F4508A
• TlsFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00F455CA,?,?), ref: 00F45179
• DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00F455CA,?,?), ref: 00F45180
  • Part of subcall function 00F4115F: LocalFree.KERNEL32(?,?,00F45033,?,00000000,?,00F455CA,?,?,?,?,?,?), ref: 00F41169
Memory Dump Source
• Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
• Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
Similarity
• API ID: CriticalDeleteFreeSection$CloseHandleLocal
• String ID:
• API String ID: 3671900028-0
• Opcode ID: 36dfed69db97a20bd1492379ba24e8663db36593add0685563c130c579ffbfd2
• Instruction ID: aadcc5975cc3b937314036a7c25762076a4896ff3f0116fcb90f028eaeb09b91
• Opcode Fuzzy Hash: 36dfed69db97a20bd1492379ba24e8663db36593add0685563c130c579ffbfd2
• Instruction Fuzzy Hash: 07411FB1900B056BCA60FBB4CC49FDB7BEC6F04750F444829BA6AD7152DB38F544A764
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetLastError.KERNEL32(?,00000000,?,00F713F9,00000000,80004004,00000100,?,00F71731,00000000,80004004,00000000,00000000), ref: 00F75B92
• _free.LIBCMT ref: 00F75BEF
• _free.LIBCMT ref: 00F75C25
• SetLastError.KERNEL32(00000000,00000006,000000FF,?,00F71731,00000000,80004004,00000000,00000000), ref: 00F75C30
Memory Dump Source
• Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
• Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
Similarity
• API ID: ErrorLast_free
• String ID:
• API String ID: 2283115069-0
• Opcode ID: 42167da9f64d0f34bccd20f57554230e9b1700eb325eea5e4d946426baa6fb2e
• Instruction ID: 94ca5848a15a05dbe0e00aef005b8f93320f21b09dac70679073cdef91f74c56
• Opcode Fuzzy Hash: 42167da9f64d0f34bccd20f57554230e9b1700eb325eea5e4d946426baa6fb2e
• Instruction Fuzzy Hash: 9611CA72608A0C2ADA2137795CD5F3B355A97C1B74B24C227F53C965E3EEE48C01B213
Uniqueness

Uniqueness Score: -1.00%
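
Every function record above has the same shape: an APIs block with call sites, the string literals the function references with their xrefs, the memory-dump provenance, and the Similarity hashes. The error strings carry the build-server source path of the code that was compiled in, and the src\burn\engine and src\libs\dutil paths are WiX Toolset sources (Burn is the bootstrapper engine the python.org Windows installer is built with), which is why a cluster of PostThreadMessageW/GetLastError functions here is an installer-engine fingerprint rather than an indicator. The following is an added example, not part of the Joe Sandbox report and not Joe Sandbox's, WiX's or CPython's code: a parser for records in exactly the line layout shown on this page that groups them by embedded source path and collects the PostThreadMessageW message IDs. It assumes Python 3.9 or newer; the two records in SAMPLE are constructed by copying the plan-message and begin-operation-event records above, with the memory-dump lines left out only to keep the sample short.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Constructed sample: two of the function records above, copied in the line
# shape Joe Sandbox emits (bullets, "ref:"/"xrefs:" suffixes, Similarity keys).
SAMPLE = r"""
APIs
• PostThreadMessageW.USER32(?,00009001,00000000,?), ref: 00F5F246
• GetLastError.KERNEL32 ref: 00F5F250
Strings
• Failed to post plan message., xrefs: 00F5F27E
• c:\agent\_work\138\s\src\burn\engine\engineforapplication.cpp, xrefs: 00F5F274
Similarity
• API ID: ErrorLastMessagePostThread
• API String ID: 2609174426-3584526468
• Opcode ID: be309bce916d21ee29e0fd10bb34bfa73ad9183ff9abd5952d1de6fd45704aa0
Uniqueness
Uniqueness Score: -1.00%

APIs
• SetEvent.KERNEL32(00F8B468,00000000,?,00F615CD,?,00000000,?,00F4C33B,?,00F4547D,?,00F5759E,?,?,00F4547D,?), ref: 00F60682
• GetLastError.KERNEL32(?,00F615CD,?,00000000,?,00F4C33B,?,00F4547D,?,00F5759E,?,?,00F4547D,?,00F454BD,00000001), ref: 00F6068C
Strings
• Failed to set begin operation event., xrefs: 00F606BA
• c:\agent\_work\138\s\src\burn\engine\cabextract.cpp, xrefs: 00F606B0
Similarity
• API ID: ErrorEventLast
• API String ID: 3848097054-2744104430
• Opcode ID: dd034d810512d0f786235c10f412567d9b13ec33f97af3d71ee016dc8d66912d
Uniqueness
Uniqueness Score: -1.00%
"""

@dataclass
class ApiCall:
    name: str
    module: str
    args: str | None  # None when the report prints no argument list
    ref: str          # address of the call site

@dataclass
class FunctionRecord:
    apis: list[ApiCall] = field(default_factory=list)
    strings: list[tuple[str, str]] = field(default_factory=list)  # (literal, xref address)
    meta: dict[str, str] = field(default_factory=dict)            # Similarity/Uniqueness fields

BULLET = "• "
SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity", "Uniqueness"}
# "Name.MODULE(args), ref: ADDR" or "Name.MODULE ref: ADDR", optionally prefixed
# with "Part of subcall function ADDR: " for calls the report attributes to a callee.
API_RE = re.compile(r"^(?:Part of subcall function [0-9A-F]+: )?(\w+)\.(\w+)(?:\((.*)\),)? ref: ([0-9A-F]+)$")
STR_RE = re.compile(r"^(.*), xrefs: ([0-9A-F]+)$")  # the literal itself may contain commas

def parse_records(text: str) -> list[FunctionRecord]:
    records: list[FunctionRecord] = []
    current, section = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "APIs":  # every record in this report opens with its APIs block
            current = FunctionRecord()
            records.append(current)
        if line in SECTIONS:
            section = line
            continue
        if current is None:
            continue
        item = line[len(BULLET):] if line.startswith(BULLET) else line
        if section == "APIs":
            if m := API_RE.match(item):
                current.apis.append(ApiCall(*m.groups()))
        elif section == "Strings":
            if m := STR_RE.match(item):
                current.strings.append((m.group(1), m.group(2)))
        else:  # "Key: value" lines, including "Uniqueness Score: ..."
            key, _, val = item.partition(":")
            current.meta[key.strip()] = val.strip().removesuffix("Download File")
    return records

def source_files(records: list[FunctionRecord]) -> dict[str, list[str]]:
    """Group opcode IDs by the build-time source path embedded in the error strings."""
    by_file: dict[str, list[str]] = {}
    for rec in records:
        for literal, _ in rec.strings:
            if literal.lower().endswith(".cpp"):
                by_file.setdefault(literal, []).append(rec.meta.get("Opcode ID", ""))
    return by_file

def thread_messages(records: list[FunctionRecord]) -> set[int]:
    """Second argument of every PostThreadMessageW call (0x9000-0x9005 here, in the WM_APP range)."""
    ids: set[int] = set()
    for rec in records:
        for call in rec.apis:
            if call.name == "PostThreadMessageW" and call.args:
                ids.add(int(call.args.split(",")[1], 16))
    return ids
```

For triage, feed the whole report text instead of SAMPLE and check that every flagged opcode ID lands under a WiX source path; an error string pointing into a different tree, or a message ID outside the small set the engine uses, is what would merit a second look.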

APIs
• GetLastError.KERNEL32(?,00000100,00000000,00F73B0A,00F43D1D,80004005,00000000,?,c:\agent\_work\138\s\src\burn\engine\cabextract.cpp,000001C7), ref: 00F75CE9
• _free.LIBCMT ref: 00F75D46
• _free.LIBCMT ref: 00F75D7C
• SetLastError.KERNEL32(00000000,00000006,000000FF), ref: 00F75D87
Memory Dump Source
• Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
• Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
Similarity
• API ID: ErrorLast_free
• String ID:
• API String ID: 2283115069-0
• Opcode ID: 24385f977a3393161542df84a11911490bd1bdb6d0d49cd4346b266b06571840
• Instruction ID: 2b5995b6a58ecbac08f83d6b7c004abf1ff002a59c2a4bfa15fab6957b238920
• Opcode Fuzzy Hash: 24385f977a3393161542df84a11911490bd1bdb6d0d49cd4346b266b06571840
• Instruction Fuzzy Hash: 6911CA7260C9092AD63136655C89E2B355AD7C2B74B25C226F52C861E3EAE58C01B212
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00F4F9F9: RegCloseKey.ADVAPI32(00000000,?,?,00000001,00000000,00000000,?,?,00F44D23,?,?,00000001), ref: 00F4FA49
• CloseHandle.KERNEL32(?,?,?,?,?,?,00000000,?,?,00000001,00000000,?,?,?), ref: 00F44D8A
Strings
• Unable to get resume command line from the registry, xrefs: 00F44D29
• Failed to get current process path., xrefs: 00F44D48
• Failed to re-launch bundle process after RunOnce: %ls, xrefs: 00F44D74
Memory Dump Source
• Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
• Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
Similarity
• API ID: Close$Handle
• String ID: Failed to get current process path.$Failed to re-launch bundle process after RunOnce: %ls$Unable to get resume command line from the registry
• API String ID: 187904097-642631345
• Opcode ID: 7c81a2f7180ea3cc18947007bea771eddae9ee014f5c6d5a37a464a4aeb00645
• Instruction ID: 4114153c01f7e8604d2bd9a0eaa328e4eb7ca386f99bf06aa43f98b6aa3be0df
• Opcode Fuzzy Hash: 7c81a2f7180ea3cc18947007bea771eddae9ee014f5c6d5a37a464a4aeb00645
• Instruction Fuzzy Hash: 67114F32D00618FACB12AB99DC019EEBFB8AF50750B104166FD11B6210EB35AB44BB91
Uniqueness
Uniqueness Score: -1.00%

APIs
• EnterCriticalSection.KERNEL32(?), ref: 00F474F1
• LeaveCriticalSection.KERNEL32(?,?,?,00000000), ref: 00F47558
Strings
• Failed to get value of variable: %ls, xrefs: 00F4752B
• Failed to get value as numeric for variable: %ls, xrefs: 00F47547
Memory Dump Source
• Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
• Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
Similarity
• API ID: CriticalSection$EnterLeave
• String ID: Failed to get value as numeric for variable: %ls$Failed to get value of variable: %ls
• API String ID: 3168844106-4270472870
• Opcode ID: 2dfa6ecce0fa31a083f042819d15a621d914fd0cd308935cc3a12fdeed75201e
• Instruction ID: fe18267a336636b239ccc68fb20f18e9c8404634fc035f7e2dc6ff92b8210dc6
• Opcode Fuzzy Hash: 2dfa6ecce0fa31a083f042819d15a621d914fd0cd308935cc3a12fdeed75201e
• Instruction Fuzzy Hash: 81017C76D48628BBCF127B54CC09BAE3E69AF10761F144120FD04AE161C33ADE10BBD0
Uniqueness
Uniqueness Score: -1.00%

APIs
• EnterCriticalSection.KERNEL32(?), ref: 00F47660
• LeaveCriticalSection.KERNEL32(?,?,?,00000000), ref: 00F476C7
Strings
• Failed to get value of variable: %ls, xrefs: 00F4769A
• Failed to get value as version for variable: %ls, xrefs: 00F476B6
Memory Dump Source
• Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
• Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
Similarity
• API ID: CriticalSection$EnterLeave
• String ID: Failed to get value as version for variable: %ls$Failed to get value of variable: %ls
• API String ID: 3168844106-1851729331
• Opcode ID: 6d84b24111e169f98468470b82792cae3260051dc6b7960a0ff181a7ab8578b1
• Instruction ID: 0adff13f1f8299a7e92a5786f627b50a05ed0a3f242ba9531eac1989e0924ab5
• Opcode Fuzzy Hash: 6d84b24111e169f98468470b82792cae3260051dc6b7960a0ff181a7ab8578b1
• Instruction Fuzzy Hash: 74017132944A28FBCF116B48CD09A9E7F69AF10724F124050FD08AA1A1C336DE10BBE4
Uniqueness
Uniqueness Score: -1.00%

APIs
• EnterCriticalSection.KERNEL32(000000D0,?,000000B8,00000000,?,00F57027,000000B8,00000000,?,00000000,75C0B390), ref: 00F4D561
• LeaveCriticalSection.KERNEL32(000000D0,?,00F57027,000000B8,00000000,?,00000000,75C0B390), ref: 00F4D584
Strings
• Engine active cannot be changed because it was already in that state., xrefs: 00F4D5A7
• c:\agent\_work\138\s\src\burn\engine\userexperience.cpp, xrefs: 00F4D59D
Memory Dump Source
• Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
• Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
Similarity
• API ID: CriticalSection$EnterLeave
• String ID: Engine active cannot be changed because it was already in that state.$c:\agent\_work\138\s\src\burn\engine\userexperience.cpp
• API String ID: 3168844106-656309086
• Opcode ID: 7658f1a7a1deb002fb8f74175bf34b82f173b7997497ff4db693385a7d80d513
• Instruction ID: 5080e491b920dc81e4cc064aefe54f5fdf917d688f9f590905e0b573aa0c6f23
• Opcode Fuzzy Hash: 7658f1a7a1deb002fb8f74175bf34b82f173b7997497ff4db693385a7d80d513
• Instruction Fuzzy Hash: 6CF02233300705AF9B109EAADC88C93B7ECBF98328300003AF905CB280EF71E80597A0
Uniqueness
Uniqueness Score: -1.00%

APIs
• EnterCriticalSection.KERNEL32(00000000,00000000,00000006,?,00F4994D,00000000,?,00000000,00000000,00000000,?,00F4978E,00000000,?,00000000,00000000), ref: 00F475F1
• LeaveCriticalSection.KERNEL32(00000000,00000000,00000000,00000000,?,00F4994D,00000000,?,00000000,00000000,00000000,?,00F4978E,00000000,?,00000000), ref: 00F47647
Strings
• Failed to get value of variable: %ls, xrefs: 00F47617
• Failed to copy value of variable: %ls, xrefs: 00F47636
Memory Dump Source
• Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
• Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
Similarity
• API ID: CriticalSection$EnterLeave
• String ID: Failed to copy value of variable: %ls$Failed to get value of variable: %ls
• API String ID: 3168844106-2936390398
• Opcode ID: 0d3857bafea209403a4c123a527ed00d61ac457de565539b9527f7fd4ef53f7f
• Instruction ID: decc6fdb20a77a78640c7fade369b30adb836b3ae5ba2bd4d6e1e5f3c1020622
• Opcode Fuzzy Hash: 0d3857bafea209403a4c123a527ed00d61ac457de565539b9527f7fd4ef53f7f
• Instruction Fuzzy Hash: C5F03C32904628BBCF127B54CD0AADE7F6AEF10765F114150FD04AA261D736DA10B7E4
Uniqueness
Uniqueness Score: -1.00%

APIs
• WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,00000000,?,00F7D875,00000000,00000001,00000000,00000000,?,00F7CA79,00000000,00F75C49,00000000), ref: 00F7EC9D
• GetLastError.KERNEL32(?,00F7D875,00000000,00000001,00000000,00000000,?,00F7CA79,00000000,00F75C49,00000000,00000000,00000000,?,00F7CFCD,00000000), ref: 00F7ECA9
  • Part of subcall function 00F7EC6F: CloseHandle.KERNEL32(FFFFFFFE,00F7ECB9,?,00F7D875,00000000,00000001,00000000,00000000,?,00F7CA79,00000000,00F75C49,00000000,00000000,00000000), ref: 00F7EC7F
• ___initconout.LIBCMT ref: 00F7ECB9
  • Part of subcall function 00F7EC31: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00F7EC60,00F7D862,00000000,?,00F7CA79,00000000,00F75C49,00000000,00000000), ref: 00F7EC44
• WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,?,00F7D875,00000000,00000001,00000000,00000000,?,00F7CA79,00000000,00F75C49,00000000,00000000), ref: 00F7ECCE
Memory Dump Source
• Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
• Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
Similarity
• API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
• String ID:
• API String ID: 2744216297-0
• Opcode ID: 5c15dbafa553f77b7422a7444a8cfc41572d0a9c3665c36600960785305e4339
• Instruction ID: 203ab1c413cb302c475c90cbd818ef5948ec77f72e7c2973d1990c7e7b3e65b8
• Opcode Fuzzy Hash: 5c15dbafa553f77b7422a7444a8cfc41572d0a9c3665c36600960785305e4339
• Instruction Fuzzy Hash: E0F0F83A50011DBBCF232F959C08A9A3F66FB093A0B018062FA1C95121C7328860FB91
Uniqueness
Uniqueness Score: -1.00%

APIs
• _free.LIBCMT ref: 00F74BF9
  • Part of subcall function 00F7604F: HeapFree.KERNEL32(00000000,00000000,?,00F789CC,?,00000000,?,00000000,?,00F789F3,?,00000007,?,?,00F78E6D,?), ref: 00F76065
  • Part of subcall function 00F7604F: GetLastError.KERNEL32(?,?,00F789CC,?,00000000,?,00000000,?,00F789F3,?,00000007,?,?,00F78E6D,?,?), ref: 00F76077
• _free.LIBCMT ref: 00F74C0C
• _free.LIBCMT ref: 00F74C1D
• _free.LIBCMT ref: 00F74C2E
Memory Dump Source
• Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
• Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
• Opcode ID: 3da0f56d96dbb5d7c1f4ac540c9de6dbb7fbac91e520d83ccf39242c678436f3
• Instruction ID: 12c78d76002edf3792112f1aea3d918c940e0a39673b3170ecf2910c571560c6
• Opcode Fuzzy Hash: 3da0f56d96dbb5d7c1f4ac540c9de6dbb7fbac91e520d83ccf39242c678436f3
• Instruction Fuzzy Hash: 1EE08CF08009289F8632AF58BE215193EA5EB8BF403150007F8088223BCB3D0122BBCB
Uniqueness
Uniqueness Score: -1.00%
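The records above all follow one layout (an APIs block, an optional Strings block, the Memory Dump Source, the Similarity fields and a Uniqueness score), and a report like this one contains hundreds of them. The parser below is an added example for working through them in bulk, for instance to pull out every build path the binary leaks (the src\burn\engine and libs\dutil paths seen above belong to the WiX Burn bootstrapper engine that wraps the Python installer) and to cluster functions that share an API String ID. It is example code, not part of the Joe Sandbox report or of any Joe Sandbox tooling. The sample text embedded in it is constructed from two records on this page with their argument lists shortened; the class names, regular expressions and the assumption that every record opens with an APIs block are the example's own.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample input: two function records in the layout of the Joe Sandbox
# report above (fields taken from records on this page, argument lists shortened).
SAMPLE = r"""
APIs
• GetLastError.KERNEL32(?,00000100,00000000,?,c:\agent\_work\138\s\src\burn\engine\cabextract.cpp,000001C7), ref: 00F75CE9
• _free.LIBCMT ref: 00F75D46
• SetLastError.KERNEL32(00000000,00000006,000000FF), ref: 00F75D87
Memory Dump Source
• Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
Similarity
• API ID: ErrorLast_free
• String ID:
• API String ID: 2283115069-0
• Instruction Fuzzy Hash: 6911CA7260C9092AD63136655C89E2B355AD7C2B74B25C226F52C861E3EAE58C01B212
Uniqueness
Uniqueness Score: -1.00%
APIs
  • Part of subcall function 00F4F9F9: RegCloseKey.ADVAPI32(00000000,?,?,00000001), ref: 00F4FA49
• CloseHandle.KERNEL32(?,?,?,00000000), ref: 00F44D8A
Strings
• Unable to get resume command line from the registry, xrefs: 00F44D29
• Failed to get current process path., xrefs: 00F44D48
• Failed to re-launch bundle process after RunOnce: %ls, xrefs: 00F44D74
Similarity
• API ID: Close$Handle
• API String ID: 187904097-642631345
• Instruction Fuzzy Hash: 67114F32D00618FACB12AB99DC019EEBFB8AF50750B104166FD11B6210EB35AB44BB91
Uniqueness
Uniqueness Score: -1.00%
"""

@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]
    ref: str                          # call-site address inside the dump
    subcall_of: Optional[str] = None  # callee address on "Part of subcall function" lines

@dataclass
class FunctionRecord:
    apis: List[ApiCall] = field(default_factory=list)
    strings: List[Tuple[str, List[str]]] = field(default_factory=list)  # (text, xref addresses)
    source_file: Optional[str] = None
    offset: Optional[str] = None
    similarity: Dict[str, str] = field(default_factory=dict)            # API ID, hashes, ...
    uniqueness_score: Optional[float] = None

HEADINGS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin",
            "Similarity", "Uniqueness"}
API_RE = re.compile(r"^(?:Part of subcall function ([0-9A-F]+): )?"  # optional subcall prefix
                    r"([A-Za-z_]\w*)\.([A-Z0-9]+)"                      # Name.MODULE
                    r"(?:\((.*)\))?,?\s*ref: ([0-9A-F]+)$")             # optional (args), ref: addr
SOURCE_RE = re.compile(r"Source File: (\S+), Offset: ([0-9A-F]+)")
BUILD_PATH_RE = re.compile(r"[A-Za-z]:\\[^\s,)]+\.(?:cpp|c|h)", re.IGNORECASE)

def parse_report(text: str) -> List[FunctionRecord]:
    """Split report text into function records (assumption: each record opens with 'APIs')."""
    records: List[FunctionRecord] = []
    rec, section = None, None
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if line in HEADINGS:
            if line == "APIs":
                rec = FunctionRecord()
                records.append(rec)
            section = line
        elif rec is None:
            continue
        elif line.startswith("Uniqueness Score:"):
            rec.uniqueness_score = float(line.split(":", 1)[1].strip().rstrip("%"))
        elif line.startswith("•"):
            body = line[1:].strip()
            if section == "APIs" and (m := API_RE.match(body)):
                sub, name, mod, args, ref = m.groups()
                rec.apis.append(ApiCall(name, mod, args.split(",") if args else [], ref, sub))
            elif section == "Strings":
                s, _, xrefs = body.rpartition(", xrefs: ")
                rec.strings.append((s, [x.strip() for x in xrefs.split(",")]))
            elif section == "Memory Dump Source" and (m := SOURCE_RE.match(body)):
                rec.source_file, rec.offset = m.groups()
            elif section == "Similarity":
                key, _, val = body.partition(":")
                rec.similarity[key.strip()] = val.strip()
    return records

def build_paths(records: List[FunctionRecord]) -> List[str]:
    """Source paths leaked through strings or API arguments (burn engine / dutil = WiX Burn)."""
    found = set()
    for rec in records:
        for s, _ in rec.strings:
            found.update(BUILD_PATH_RE.findall(s))
        for call in rec.apis:
            for a in call.args:
                found.update(BUILD_PATH_RE.findall(a))
    return sorted(found)

def group_by_api_string_id(records):
    """Cluster functions that share an 'API String ID' (same API ID and String ID hashes)."""
    groups: Dict[str, List[FunctionRecord]] = {}
    for rec in records:
        groups.setdefault(rec.similarity.get("API String ID", ""), []).append(rec)
    return groups

if __name__ == "__main__":
    recs = parse_report(SAMPLE)
    print(len(recs), "records;", build_paths(recs))
```

Feed it the report's function listing as plain text; records that lack a Strings or Memory Dump Source block simply leave those fields empty, and the two `Part of subcall function` entries keep the callee address in `subcall_of` so a call can be told apart from its inlined subcall.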

                                                                                                APIs
                                                                                                • RegCloseKey.ADVAPI32(00000000), ref: 00F812A5
                                                                                                Strings
                                                                                                • c:\agent\_work\138\s\src\libs\dutil\regutil.cpp, xrefs: 00F81292
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: Close
                                                                                                • String ID: c:\agent\_work\138\s\src\libs\dutil\regutil.cpp
                                                                                                • API String ID: 3535843008-3069916640
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                  • Part of subcall function 00F81436: RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,00000000,00000001,00FABB7C,00000000,?,00F85BF9,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 00F8144A
                                                                                                • RegCloseKey.ADVAPI32(00000000,80000002,SYSTEM\CurrentControlSet\Control\Session Manager,00000003,?,?,00000000,00000101), ref: 00F84D38
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: CloseOpen
                                                                                                • String ID: PendingFileRenameOperations$SYSTEM\CurrentControlSet\Control\Session Manager
                                                                                                • API String ID: 47109696-3023217399
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000001,00000000,00000000,00000000,00000000,00000000), ref: 00F815E7
                                                                                                • RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,?), ref: 00F8161F
                                                                                                Strings
                                                                                                • c:\agent\_work\138\s\src\libs\dutil\regutil.cpp, xrefs: 00F8165B
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: QueryValue
                                                                                                • String ID: c:\agent\_work\138\s\src\libs\dutil\regutil.cpp
                                                                                                • API String ID: 3660427363-3069916640
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • ___except_validate_context_record.LIBVCRUNTIME ref: 00F709F3
                                                                                                • __IsNonwritableInCurrentImage.LIBCMT ref: 00F70AAC
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: CurrentImageNonwritable___except_validate_context_record
                                                                                                • String ID: csm
                                                                                                • API String ID: 3480331319-1018135373
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                  • Part of subcall function 00F89213: lstrlenW.KERNEL32(00000100,?,?,?,00F895B3,000002C0,00000100,00000100,00000100,?,?,?,00F67BE4,?,?,000001BC), ref: 00F89238
                                                                                                • RegCloseKey.ADVAPI32(00000000,?,?,00000000,?,00000000,?,?,?,00000000,wininet.dll,?,00F8B4F0,wininet.dll,?), ref: 00F89422
                                                                                                • RegCloseKey.ADVAPI32(?,?,?,00000000,?,00000000,?,?,?,00000000,wininet.dll,?,00F8B4F0,wininet.dll,?), ref: 00F8942F
                                                                                                  • Part of subcall function 00F81436: RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,00000000,00000001,00FABB7C,00000000,?,00F85BF9,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 00F8144A
                                                                                                  • Part of subcall function 00F8131B: RegEnumKeyExW.ADVAPI32(00000000,000002C0,00000410,00000002,00000000,00000000,00000000,00000000,00000410,00000002,00000100,00000000,00000000,?,?,00F68C68), ref: 00F81376
                                                                                                  • Part of subcall function 00F8131B: RegQueryInfoKeyW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00F68C68,00000000), ref: 00F81394
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: Close$EnumInfoOpenQuerylstrlen
                                                                                                • String ID: wininet.dll
                                                                                                • API String ID: 2680864210-3354682871
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: _memcpy_s
                                                                                                • String ID: crypt32.dll$wininet.dll
                                                                                                • API String ID: 2001391462-82500532
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                  • Part of subcall function 00F81436: RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,00000000,00000001,00FABB7C,00000000,?,00F85BF9,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 00F8144A
                                                                                                • RegCloseKey.ADVAPI32(00000000,SOFTWARE\Policies\Microsoft\Windows\Installer,00020019,00000000,?,?,?,?,00F54029,feclient.dll,?,00000000,?,?,?,00F44B92), ref: 00F53BBA
                                                                                                  • Part of subcall function 00F81571: RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000001,00000000,00000000,00000000,00000000,00000000), ref: 00F815E7
                                                                                                  • Part of subcall function 00F81571: RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,?), ref: 00F8161F
                                                                                                Strings
                                                                                                • SOFTWARE\Policies\Microsoft\Windows\Installer, xrefs: 00F53B30
                                                                                                • Logging, xrefs: 00F53B47
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: QueryValue$CloseOpen
                                                                                                • String ID: Logging$SOFTWARE\Policies\Microsoft\Windows\Installer
                                                                                                • API String ID: 1586453840-387823766
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • RegSetValueExW.ADVAPI32(00020006,00F90FB8,00000000,00000001,?,00000000,?,000000FF,00000000,00000000,?,?,00F4F3CC,00000000,?,00020006), ref: 00F819CD
                                                                                                • RegDeleteValueW.ADVAPI32(00020006,00F90FB8,00000000,?,?,00F4F3CC,00000000,?,00020006,?,00F90FB8,00020006,00000000,?,?,?), ref: 00F819FD
                                                                                                Strings
                                                                                                • c:\agent\_work\138\s\src\libs\dutil\regutil.cpp, xrefs: 00F81A31
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: Value$Delete
                                                                                                • String ID: c:\agent\_work\138\s\src\libs\dutil\regutil.cpp
                                                                                                • API String ID: 1738766685-3069916640
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • CompareStringW.KERNEL32(00000000,00000000,00000000,000000FF,?,000000FF,IGNOREDEPENDENCIES,00000000,?,?,00F674FE,00000000,IGNOREDEPENDENCIES,00000000,?,00F8B508), ref: 00F4DE95
                                                                                                Strings
                                                                                                • IGNOREDEPENDENCIES, xrefs: 00F4DE4C
                                                                                                • Failed to copy the property value., xrefs: 00F4DEC9
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: CompareString
                                                                                                • String ID: Failed to copy the property value.$IGNOREDEPENDENCIES
                                                                                                • API String ID: 1825529933-1412343224
                                                                                                • Opcode ID: ba00f6885334c3421a26535ddc08f08c8dcd570e296e45f9181b1d19eb3889c1
                                                                                                • Instruction ID: 7cd596c3af1253433dc14aa9fb68f2292336e3c91d0eef0d8934642585fb5fd3
                                                                                                • Opcode Fuzzy Hash: ba00f6885334c3421a26535ddc08f08c8dcd570e296e45f9181b1d19eb3889c1
                                                                                                • Instruction Fuzzy Hash: 5F11E932600216AFDB108F54CC84FAABBA6AF64331F254175FE189F291CB70A850E790
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

APIs
• LCMapStringW.KERNEL32(0000007F,00000000,00000000,00F570CF,00000000,00F570CF,00000000,00000000,00F570CF,00000000,00000000,00000000,?,00F4244B,00000000,00000000), ref: 00F415BC
• GetLastError.KERNEL32(?,00F4244B,00000000,00000000,00F570CF,00000200,?,00F856D5,00000000,00F570CF,00000000,00F570CF,00000000,00000000,00000000), ref: 00F415C6
Strings
• c:\agent\_work\138\s\src\libs\dutil\strutil.cpp, xrefs: 00F415EA
Memory Dump Source
• Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
• Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
Similarity
• API ID: ErrorLastString
• String ID: c:\agent\_work\138\s\src\libs\dutil\strutil.cpp
• API String ID: 3728238275-1498286024
• Opcode ID: 7fb6b95ea36f142ff5342078ba94c435b6d1718450f231ca5fbf5ce7ae5b7219
• Instruction ID: cec9cfea03d324d764c2882596a97b3b3841a7439c13ab8640f498d56c4f4a2b
• Opcode Fuzzy Hash: 7fb6b95ea36f142ff5342078ba94c435b6d1718450f231ca5fbf5ce7ae5b7219
• Instruction Fuzzy Hash: 4801283390063A67CB219E998C44ED7BE68FF85B70B050221FE10AF250DB20DC10E7E0
Uniqueness
• Uniqueness Score: -1.00%

APIs
• CoInitializeEx.OLE32(00000000,00000000), ref: 00F55849
• CoUninitialize.OLE32(?,00000000,?,?,?,?,?,?,?), ref: 00F558A2
Strings
• Failed to initialize COM on cache thread., xrefs: 00F5585E
Memory Dump Source
• Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
• Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
Similarity
• API ID: InitializeUninitialize
• String ID: Failed to initialize COM on cache thread.
• API String ID: 3442037557-3629645316
• Opcode ID: 871ea929b53fd964d38ba95af5b0c50c8cede27546be4605d792f80006022dc9
• Instruction ID: 2f3e182e5e60a0740ede33f0b152e67d6c3221490f4742a5541f55e622c94e6e
• Opcode Fuzzy Hash: 871ea929b53fd964d38ba95af5b0c50c8cede27546be4605d792f80006022dc9
• Instruction Fuzzy Hash: 6C01C072600618FFCB059FA5DC84DEAFBACFF08361B104126FA09D7221DB30AD54AB90
Uniqueness
• Uniqueness Score: -1.00%

APIs
• Sleep.KERNEL32(20000004,00000000,00000000,00000000,00000000,00000000,?,?,00F58E75,?,00000001,20000004,00000000,00000000,?,00000000), ref: 00F85A8A
• SetNamedSecurityInfoW.ADVAPI32(00000000,?,000007D0,00000003,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00F58E75,?), ref: 00F85AA5
Strings
• c:\agent\_work\138\s\src\libs\dutil\aclutil.cpp, xrefs: 00F85AC9
Memory Dump Source
• Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
• Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
Similarity
• API ID: InfoNamedSecuritySleep
• String ID: c:\agent\_work\138\s\src\libs\dutil\aclutil.cpp
• API String ID: 2352087905-245660080
• Opcode ID: 1738dcba660d413cc990119b389768ecd3388bc46919df1e85589f0a194ede0a
• Instruction ID: 5069c970eba1d803378f9e9068200205374ee4b0a72eb51d44b06b8b3706ef49
• Opcode Fuzzy Hash: 1738dcba660d413cc990119b389768ecd3388bc46919df1e85589f0a194ede0a
• Instruction Fuzzy Hash: 22015E37801629ABCF22AE95CC85EDF7E75EF44B60F024215BD14A6150C239DE10BBD0
Uniqueness
• Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00F81436: RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,00000000,00000001,00FABB7C,00000000,?,00F85BF9,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 00F8144A
• RegCloseKey.ADVAPI32(00000000,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,00020019,00000000,?,?,?,?,?,00F83F01,?), ref: 00F840D2
Strings
• SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, xrefs: 00F8407C
• EnableLUA, xrefs: 00F840A4
Memory Dump Source
• Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
• Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
Similarity
• API ID: CloseOpen
• String ID: EnableLUA$SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
• API String ID: 47109696-3551287084
• Opcode ID: 0282d8e544f668afb5694508e4c1bebfb16395d325444e082ea42154b47a8daf
• Instruction ID: ce71992de1554ced8f1e41cd272ab7bb700fbec6e17ab001a63d81608e7bff22
• Opcode Fuzzy Hash: 0282d8e544f668afb5694508e4c1bebfb16395d325444e082ea42154b47a8daf
• Instruction Fuzzy Hash: FD018472D10229EBD720B6A4CC0ABDFFA68DF00725F214164A900B3051D3746E54F7D0
Uniqueness
• Uniqueness Score: -1.00%


                                                                                                APIs
                                                                                                • lstrlenW.KERNEL32(burn.clean.room,?,?,?,?,00F41104,?,?,00000000), ref: 00F451BA
                                                                                                • CompareStringW.KERNEL32(0000007F,00000001,?,0000000F,burn.clean.room,0000000F,?,?,?,?,00F41104,?,?,00000000), ref: 00F451EA
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: CompareStringlstrlen
                                                                                                • String ID: burn.clean.room
                                                                                                • API String ID: 1433953587-3055529264
                                                                                                • Opcode ID: eb7a574efadb9a7d3c24b6a8dfd8342aa22d38fb9538896df1b314a3aeb24a55
                                                                                                • Instruction ID: b4dcb7179ef3fd40adf129ba3bc0b370edceef74dcba0f33b20f980cb00eb76b
                                                                                                • Opcode Fuzzy Hash: eb7a574efadb9a7d3c24b6a8dfd8342aa22d38fb9538896df1b314a3aeb24a55
                                                                                                • Instruction Fuzzy Hash: 950181F29016296B87205B58EC89DB7BFACEB9AFA07504117EE15C7616D3609C40B7A0
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

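The records above are the Joe Sandbox IDA plugin's per-function output, flattened to text by the export: an APIs list with call sites, a Strings list with cross-references, the memory-dump provenance, and the Similarity identifiers used to match functions across samples. The Python below is an added example, not part of this report and not Joe Sandbox code; it parses such records into dictionaries so a reviewer can search them for a string of interest (here the EnableLUA policy value the installer reads) or join two reports on their Opcode IDs. The sample text is constructed by copying two of the records above with the page's layout whitespace removed; the heading names and line patterns are assumptions read off the visible records, and the helper function names are the example's own.

```python
"""Parse the per-function records of a Joe Sandbox 'IDA Plugin' listing (APIs /
Strings / Similarity / Uniqueness) into dicts that can be searched or joined across
reports.  Added example, not Joe Sandbox code; headings and patterns are assumptions."""
import re
from collections import defaultdict

# Constructed sample: two records copied from this report with the page's layout
# whitespace removed (raw string so the registry-path backslashes survive).
SAMPLE = r"""APIs
  • Part of subcall function 00F81436: RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,00000000,00000001,00FABB7C,00000000,?,00F85BF9,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 00F8144A
• RegCloseKey.ADVAPI32(00000000,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,00020019,00000000,?,?,?,?,?,00F83F01,?), ref: 00F840D2
Strings
• SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, xrefs: 00F8407C
• EnableLUA, xrefs: 00F840A4
Similarity
• API ID: CloseOpen
• String ID: EnableLUA$SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
• API String ID: 47109696-3551287084
• Opcode ID: 0282d8e544f668afb5694508e4c1bebfb16395d325444e082ea42154b47a8daf
Uniqueness
Uniqueness Score: -1.00%
APIs
• lstrlenW.KERNEL32(burn.clean.room,?,?,?,?,00F41104,?,?,00000000), ref: 00F451BA
• CompareStringW.KERNEL32(0000007F,00000001,?,0000000F,burn.clean.room,0000000F,?,?,?,?,00F41104,?,?,00000000), ref: 00F451EA
Strings
Similarity
• API ID: CompareStringlstrlen
• String ID: burn.clean.room
• Opcode ID: eb7a574efadb9a7d3c24b6a8dfd8342aa22d38fb9538896df1b314a3aeb24a55
Uniqueness
Uniqueness Score: -1.00%
"""

HEADINGS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin",
            "Similarity", "Uniqueness"}
# "Name.MODULE(args), ref: ADDR", optionally prefixed as a subcall; args may be absent
API_RE = re.compile(r"^(?:Part of subcall function (?P<sub>[0-9A-F]+): )?"
                    r"(?P<name>[A-Za-z0-9_@]+)\.(?P<module>[A-Za-z0-9_]+)\s*"
                    r"(?:\((?P<args>.*)\))?,? ?ref: (?P<ref>[0-9A-F]+)$")
STR_RE = re.compile(r"^(?P<value>.*), xrefs: (?P<xref>[0-9A-F]+)$")


def parse_blocks(text):
    """Split the listing into records; each record begins at an 'APIs' heading."""
    blocks, block, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if line.endswith("Download File"):      # link label the export fuses onto dump names
            line = line[:-len("Download File")].rstrip()
        if not line:
            continue
        if line == "APIs":
            block = {"apis": [], "strings": [], "dumps": [], "similarity": {}, "uniqueness": None}
            blocks.append(block)
        if block is None:
            continue                            # text before the first record
        if line in HEADINGS:
            section = line
            continue
        if section == "APIs" and (m := API_RE.match(line)):
            block["apis"].append({"name": m["name"], "module": m["module"], "ref": m["ref"],
                                  "args": m["args"] or "", "subcall": m["sub"]})
        elif section == "Strings" and (m := STR_RE.match(line)):
            block["strings"].append({"value": m["value"], "xref": m["xref"]})
        elif section in ("Memory Dump Source", "Joe Sandbox IDA Plugin"):
            block["dumps"].append(line)
        elif section in ("Similarity", "Uniqueness"):
            key, _, value = line.partition(": ")
            if key == "Uniqueness Score":
                block["uniqueness"] = float(value.rstrip("%"))
            else:                               # 'String ID' joins the strings with '$'
                block["similarity"][key] = value.split("$") if key == "String ID" else value
    return blocks


def find_by_string(blocks, needle):
    """Records whose string table mentions needle (case-insensitive substring)."""
    needle = needle.lower()
    return [b for b in blocks if any(needle in s["value"].lower() for s in b["strings"])]


def api_summary(blocks):
    """Count direct (non-subcall) API references per Name.MODULE across all records."""
    counts = defaultdict(int)
    for b in blocks:
        for a in b["apis"]:
            if a["subcall"] is None:
                counts[a["name"] + "." + a["module"]] += 1
    return dict(counts)


def shared_opcode_ids(blocks_a, blocks_b):
    """Opcode IDs present in both listings, i.e. functions two samples share."""
    ids = lambda bs: {b["similarity"].get("Opcode ID") for b in bs} - {None}
    return sorted(ids(blocks_a) & ids(blocks_b))


if __name__ == "__main__":
    recs = parse_blocks(SAMPLE)
    print(find_by_string(recs, "EnableLUA")[0]["similarity"]["API ID"], api_summary(recs))
```

Run it over the full listing pasted into SAMPLE (or read from a file) to get the same records; `shared_opcode_ids` is the join a reviewer would use to confirm that a second build of the installer still carries the same bootstrapper functions, and `find_by_string` is the quick way to locate the record that reads a given registry value or error string.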
APIs
• SysFreeString.OLEAUT32(00000000), ref: 00F86D7D
Strings
• c:\agent\_work\138\s\src\libs\dutil\atomutil.cpp, xrefs: 00F86D39
• `<u, xrefs: 00F86D7D
Memory Dump Source
• Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
• Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
Similarity
• API ID: FreeString
• String ID: `<u$c:\agent\_work\138\s\src\libs\dutil\atomutil.cpp
• API String ID: 3341692771-1514053268
• Opcode ID: 318d025d634b5342bec853aa6d7f4af4241cf7083291e4d79aaf757d7a6cab3f
• Instruction ID: c520417db9e3ca243cb3a747fcd52bcc43c4af8ff902db9de1794fbc9e3c3f7c
• Opcode Fuzzy Hash: 318d025d634b5342bec853aa6d7f4af4241cf7083291e4d79aaf757d7a6cab3f
• Instruction Fuzzy Hash: 9F018133B00624F6C7227B95DC06BEEFA799F45B60F254125F900B615197788E00F7A1
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GetModuleFileNameW.KERNEL32(?,?,00000104,?,00000104,?,?,?,?,00F410DD,?,00000000), ref: 00F43510
• GetLastError.KERNEL32(?,?,?,?,00F410DD,?,00000000), ref: 00F43527
Strings
• c:\agent\_work\138\s\src\libs\dutil\pathutil.cpp, xrefs: 00F4354B
Memory Dump Source
• Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
• Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
Similarity
• API ID: ErrorFileLastModuleName
• String ID: c:\agent\_work\138\s\src\libs\dutil\pathutil.cpp
• API String ID: 2776309574-537661423
• Opcode ID: b7754a63302dd80231115ffd004f2d4a5772f1cb756d79740779e733c676af5a
• Instruction ID: 215cfe1427f46a189c19983d7d6db9967f4b1e5e8f07eca6dc866cfa427ce8e7
• Opcode Fuzzy Hash: b7754a63302dd80231115ffd004f2d4a5772f1cb756d79740779e733c676af5a
• Instruction Fuzzy Hash: E0F0F673900636A7973156999C49B9BFE9C9F41B70B1A4121FE05AB151D624DD00BBE0
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GetCurrentProcess.KERNEL32(?), ref: 00F465E1
  • Part of subcall function 00F80F42: GetModuleHandleW.KERNEL32(kernel32,IsWow64Process2,?,?,?,?,00F45F1B,00000000), ref: 00F80F57
  • Part of subcall function 00F80F42: GetProcAddress.KERNEL32(00000000), ref: 00F80F5E
  • Part of subcall function 00F80F42: GetLastError.KERNEL32(?,?,?,?,00F45F1B,00000000), ref: 00F80F79
  • Part of subcall function 00F45D4F: RegCloseKey.ADVAPI32(00000000,?,00000000,CommonFilesDir,?,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion,00020119,00000000), ref: 00F45DD5
Strings
• Failed to get 64-bit folder., xrefs: 00F46604
• Failed to set variant value., xrefs: 00F4661E
Memory Dump Source
• Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
• Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
Similarity
• API ID: AddressCloseCurrentErrorHandleLastModuleProcProcess
• String ID: Failed to get 64-bit folder.$Failed to set variant value.
• API String ID: 3109562764-2681622189
• Opcode ID: 0b69bd026327ec7e2d7e017009e6556a79cfffa49e84f1f3349193a4d9f94758
• Instruction ID: 15a4b0793c816909a5bc40baf47c60935bea25c33d3820f9be778530441945db
• Opcode Fuzzy Hash: 0b69bd026327ec7e2d7e017009e6556a79cfffa49e84f1f3349193a4d9f94758
• Instruction Fuzzy Hash: B3016D32D00228BBCB12BB90DD06ADE7F68DF05B25F6141A5B900BA151EB79AE40B7D5
Uniqueness
• Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • __CxxThrowException@8.LIBVCRUNTIME ref: 00F6EA12
                                                                                                  • Part of subcall function 00F70BE1: RaiseException.KERNEL32(?,?,?,00F6EA34,?,00000000,00000000,?,?,?,?,?,00F6EA34,?,00FA8400), ref: 00F70C41
                                                                                                • __CxxThrowException@8.LIBVCRUNTIME ref: 00F6EA2F
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: Exception@8Throw$ExceptionRaise
                                                                                                • String ID: Unknown exception
                                                                                                • API String ID: 3476068407-410509341
                                                                                                • Opcode ID: 155a5dee02a773f9f09cf6b4ac0e5af278d418cc82c60fbcc5276dedfbde774b
                                                                                                • Instruction ID: 2d54b85d5fbc166b610f1f336f3b3a7ceb628924b6af9d9203025cf6531f9122
                                                                                                • Opcode Fuzzy Hash: 155a5dee02a773f9f09cf6b4ac0e5af278d418cc82c60fbcc5276dedfbde774b
                                                                                                • Instruction Fuzzy Hash: 21F0CD3ED0430DB68F10B9A8DC4699D776C5F01760B508561B818D6091EF79E91AF5D2
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • GetFileSizeEx.KERNEL32(00000000,00000000,00000000,74DF34C0,?,?,?,00F4BADD,?,?,?,00000000,00000000), ref: 00F84E55
                                                                                                • GetLastError.KERNEL32(?,?,?,00F4BADD,?,?,?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 00F84E5F
                                                                                                Strings
                                                                                                • c:\agent\_work\138\s\src\libs\dutil\fileutil.cpp, xrefs: 00F84E83
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: ErrorFileLastSize
                                                                                                • String ID: c:\agent\_work\138\s\src\libs\dutil\fileutil.cpp
                                                                                                • API String ID: 464720113-3168567549
                                                                                                • Opcode ID: ce901490783cb70ca9f4dd84a13e65ca930fc9e33373db32d8b921ef292a5840
                                                                                                • Instruction ID: f0ea786baab2582d0fe267c1a5a1605f20c021eeaf6b7f5c0d0ced84b9dae8bb
                                                                                                • Opcode Fuzzy Hash: ce901490783cb70ca9f4dd84a13e65ca930fc9e33373db32d8b921ef292a5840
                                                                                                • Instruction Fuzzy Hash: 98F04FB2A0023AAB97109F85CC059AAFBA8FF44760B018116BC45A7250E770AD00EBE4
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • CLSIDFromProgID.OLE32(Microsoft.Update.AutoUpdate,00F454DE,?,00000000,00F454DE,?,?,?), ref: 00F84217
                                                                                                • CoCreateInstance.OLE32(00000000,00000000,00000001,00FA7B6C,?), ref: 00F8422F
                                                                                                Strings
                                                                                                • Microsoft.Update.AutoUpdate, xrefs: 00F84212
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: CreateFromInstanceProg
                                                                                                • String ID: Microsoft.Update.AutoUpdate
                                                                                                • API String ID: 2151042543-675569418
                                                                                                • Opcode ID: bbbd2ad2ca1037602b4b5e06fb8d5726577389e8978aeec66ed7d9550862e01a
                                                                                                • Instruction ID: 5781d00f2a0726e441b5ef24188d5854e164d3a9f5a558ec1a16d709b789234f
                                                                                                • Opcode Fuzzy Hash: bbbd2ad2ca1037602b4b5e06fb8d5726577389e8978aeec66ed7d9550862e01a
                                                                                                • Instruction Fuzzy Hash: B0F03AB1A10209BBDB00EBA8DC05EFFB7B8AB49710F400065AA01E6191D670AA049762
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • GetCurrentProcess.KERNEL32(00000000), ref: 00F462E9
                                                                                                  • Part of subcall function 00F80E3A: GetModuleHandleW.KERNEL32(kernel32,IsWow64Process2,?,?,?,00F462F5,00000000), ref: 00F80E4C
                                                                                                  • Part of subcall function 00F80E3A: GetProcAddress.KERNEL32(00000000), ref: 00F80E53
                                                                                                  • Part of subcall function 00F80E3A: GetLastError.KERNEL32(?,?,?,00F462F5,00000000), ref: 00F80E72
                                                                                                Strings
                                                                                                • Failed to get native machine value., xrefs: 00F462FB
                                                                                                • Failed to set variant value., xrefs: 00F4631C
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: AddressCurrentErrorHandleLastModuleProcProcess
                                                                                                • String ID: Failed to get native machine value.$Failed to set variant value.
                                                                                                • API String ID: 896058289-851826934
                                                                                                • Opcode ID: 3a763753ae4c67dd76124bfb332b1cd6eb2f5f475e425ab924256401ff1e2f1c
                                                                                                • Instruction ID: 79c7840607390bb3998382ccbe060fd5d747a6fa54455ba2e6b9693c83b2551c
                                                                                                • Opcode Fuzzy Hash: 3a763753ae4c67dd76124bfb332b1cd6eb2f5f475e425ab924256401ff1e2f1c
                                                                                                • Instruction Fuzzy Hash: 48F0A773D41574B6DB117699AD069FE7E5CCB01768B504015FD04E6280DF28DD00B3E6
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • GetProcAddress.KERNEL32(RegDeleteKeyExW,AdvApi32.dll), ref: 00F812F4
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.2911858422.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.2911833678.0000000000F40000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911911205.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911960773.0000000000FAB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.2911990943.0000000000FAE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_f40000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: AddressProc
                                                                                                • String ID: AdvApi32.dll$RegDeleteKeyExW
                                                                                                • API String ID: 190572456-850864035
                                                                                                • Opcode ID: a66e919d22418a95c1c4ffe7e9ca40236cc7bb2bdf67eadf9ef420aa841d2e2b
                                                                                                • Instruction ID: 8d0c2e884ebc0eebb2730a16784c07cf730b8a54b830c89aaa1815f0ac524dac
                                                                                                • Opcode Fuzzy Hash: a66e919d22418a95c1c4ffe7e9ca40236cc7bb2bdf67eadf9ef420aa841d2e2b
                                                                                                • Instruction Fuzzy Hash: 65E012F1B4132D9BC7205B1CBE097953AD0F713756F050214F410E62A0D7759841BFC1
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                 Control-flow Graph
                                                                                                 (rendered graph not reproduced; function starting at 6ca9c4e0, node legend: Executed / Not Executed; Windows APIs called directly from the graph: SetThreadLocale, LoadLibraryW, GetProcAddress, GetLastError, FreeLibrary)
                                                                                                Strings
                                                                                                • Failed to load bootstrapper functions., xrefs: 6CA9C98E
                                                                                                • Failed to read overridable variables., xrefs: 6CA9C58A
                                                                                                • CreateBootstrapperBAFunction, xrefs: 6CA9C8EB
                                                                                                • Failed to get path to BA function DLL., xrefs: 6CA9C8C6
                                                                                                • Failed to load loc file from path: %ls, xrefs: 6CA9C70F
                                                                                                • Failed to load bundle information., xrefs: 6CA9C868
                                                                                                • Default.wxl, xrefs: 6CA9C6CD, 6CA9C6DF
                                                                                                • /BootstrapperApplicationData/WixStdbaOverridableVariable, xrefs: 6CA9C529
                                                                                                • Failed to get bundle file version., xrefs: 6CA9C9FA
                                                                                                • Name, xrefs: 6CA9C5F3
                                                                                                • Default.thm, xrefs: 6CA9C79B, 6CA9C7B4
                                                                                                • Failed to localize theme: %ls, xrefs: 6CA9C806
                                                                                                • WixBundleFileVersion, xrefs: 6CA9CA0A
                                                                                                • Failed to localize confirm close message: %ls, xrefs: 6CA9C761
                                                                                                • Failed to load theme from path: %ls, xrefs: 6CA9C7E1
                                                                                                • Failed to load bootstrapper application manifest., xrefs: 6CA9C50A
                                                                                                • Failed to get module path., xrefs: 6CA9C6A6
                                                                                                • Hidden, xrefs: 6CA9C60E
                                                                                                • Failed to create BA function., xrefs: 6CA9C94D
                                                                                                • Failed to get CreateBootstrapperBAFunction entry-point from: %ls, xrefs: 6CA9C91C
                                                                                                • Failed to get bundle path., xrefs: 6CA9C9DF
                                                                                                • Failed to probe for loc file: %ls in path: %ls, xrefs: 6CA9C6E4
                                                                                                • bafunctions.dll, xrefs: 6CA9C8B5
                                                                                                • Failed to probe for theme file: %ls in path: %ls, xrefs: 6CA9C7B9
                                                                                                • Failed to set WixBundleFileVersion variable., xrefs: 6CA9CA19
                                                                                                • Failed to load UI strings., xrefs: 6CA9C9B1
                                                                                                • Failed to load conditions from XML., xrefs: 6CA9C895
                                                                                                • #(loc.ConfirmCancelMessage), xrefs: 6CA9C730
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000001.00000002.2912952501.000000006CA9B000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CA90000, based on PE: true
                                                                                                 • Associated: 00000001.00000002.2912936616.000000006CA90000.00000002.00000001.01000000.00000007.sdmp
                                                                                                 • Associated: 00000001.00000002.2912952501.000000006CA91000.00000020.00000001.01000000.00000007.sdmp
                                                                                                 • Associated: 00000001.00000002.2912952501.000000006CA98000.00000020.00000001.01000000.00000007.sdmp
                                                                                                 • Associated: 00000001.00000002.2912952501.000000006CB16000.00000020.00000001.01000000.00000007.sdmp
                                                                                                 • Associated: 00000001.00000002.2913054141.000000006CB18000.00000002.00000001.01000000.00000007.sdmp
                                                                                                 • Associated: 00000001.00000002.2913098126.000000006CB32000.00000004.00000001.01000000.00000007.sdmp
                                                                                                 • Associated: 00000001.00000002.2913148724.000000006CB35000.00000002.00000001.01000000.00000007.sdmp
                                                                                                 • Associated: 00000001.00000002.2913148724.000000006CB39000.00000002.00000001.01000000.00000007.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_1_2_6ca90000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: #(loc.ConfirmCancelMessage)$/BootstrapperApplicationData/WixStdbaOverridableVariable$CreateBootstrapperBAFunction$Default.thm$Default.wxl$Failed to create BA function.$Failed to get CreateBootstrapperBAFunction entry-point from: %ls$Failed to get bundle file version.$Failed to get bundle path.$Failed to get module path.$Failed to get path to BA function DLL.$Failed to load UI strings.$Failed to load bootstrapper application manifest.$Failed to load bootstrapper functions.$Failed to load bundle information.$Failed to load conditions from XML.$Failed to load loc file from path: %ls$Failed to load theme from path: %ls$Failed to localize confirm close message: %ls$Failed to localize theme: %ls$Failed to probe for loc file: %ls in path: %ls$Failed to probe for theme file: %ls in path: %ls$Failed to read overridable variables.$Failed to set WixBundleFileVersion variable.$Hidden$Name$WixBundleFileVersion$bafunctions.dll
                                                                                                • API String ID: 0-1559905812
                                                                                                • Opcode ID: cf56c59a9ad6da2e26d38bb0eff3d41736d930af7ab4e727503951a2309ba9b8
                                                                                                • Instruction ID: 405ee612323b44800fa3ea7c3d8bb45a7860fa9686df38ccb20e70bb04e67d39
                                                                                                • Opcode Fuzzy Hash: cf56c59a9ad6da2e26d38bb0eff3d41736d930af7ab4e727503951a2309ba9b8
                                                                                                • Instruction Fuzzy Hash: E8E19675D26A2AABCF11DBA4CD46BDEBAF8AF0535CF040114E914B7F10E73199988BD0
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                  • Part of subcall function 00A134EF: GetModuleFileNameW.KERNEL32(?,?,00000104,?,00000104,?,?,?,?,00A110DD,?,00000000), ref: 00A13510
                                                                                                • CreateFileW.KERNELBASE(?,80000000,00000005,00000000,00000003,00000080,00000000,?,00000000), ref: 00A110F6
                                                                                                  • Part of subcall function 00A11173: HeapSetInformation.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,?,?,00A1111A,cabinet.dll,00000009,?,?,00000000), ref: 00A11184
                                                                                                  • Part of subcall function 00A11173: GetModuleHandleW.KERNEL32(kernel32,?,?,?,?,?,00A1111A,cabinet.dll,00000009,?,?,00000000), ref: 00A1118F
                                                                                                  • Part of subcall function 00A11173: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00A1119D
                                                                                                  • Part of subcall function 00A11173: GetLastError.KERNEL32(?,?,?,?,?,00A1111A,cabinet.dll,00000009,?,?,00000000), ref: 00A111B8
                                                                                                  • Part of subcall function 00A11173: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00A111C0
                                                                                                  • Part of subcall function 00A11173: GetLastError.KERNEL32(?,?,?,?,?,00A1111A,cabinet.dll,00000009,?,?,00000000), ref: 00A111D5
                                                                                                • CloseHandle.KERNEL32(?,?,?,?,00A5B4C0,?,cabinet.dll,00000009,?,?,00000000), ref: 00A11131
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000001.00000002.2911409382.0000000000A11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A10000, based on PE: true
                                                                                                 • Associated: 00000001.00000002.2911303634.0000000000A10000.00000002.00000001.01000000.00000005.sdmp
                                                                                                 • Associated: 00000001.00000002.2911475855.0000000000A5B000.00000002.00000001.01000000.00000005.sdmp
                                                                                                 • Associated: 00000001.00000002.2911525795.0000000000A7B000.00000004.00000001.01000000.00000005.sdmp
                                                                                                 • Associated: 00000001.00000002.2911556284.0000000000A7E000.00000002.00000001.01000000.00000005.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_1_2_a10000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: AddressErrorFileHandleLastModuleProc$CloseCreateHeapInformationName
                                                                                                • String ID: cabinet.dll$clbcatq.dll$comres.dll$crypt32.dll$feclient.dll$msasn1.dll$msi.dll$version.dll$wininet.dll
                                                                                                • API String ID: 3687706282-3151496603
                                                                                                • Opcode ID: 333ca38d9d6a0ee7befa3a684579e230f65386ab4857f2568489387f7f666345
                                                                                                • Instruction ID: ceae29faca7a94929cb0c30efff36a6c5c212ac721aff0dc1aa864c349ff0a48
                                                                                                • Opcode Fuzzy Hash: 333ca38d9d6a0ee7befa3a684579e230f65386ab4857f2568489387f7f666345
                                                                                                • Instruction Fuzzy Hash: AE216D71910218ABCB10DFA4DD09BEFBBB8BB48716F104219FA11B7281D77099488BB4
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • EnterCriticalSection.KERNEL32(00A7C6EC,00000000,?), ref: 00A5030B
                                                                                                • GetCurrentProcessId.KERNEL32(00000000), ref: 00A5031B
                                                                                                • GetCurrentThreadId.KERNEL32 ref: 00A50324
                                                                                                • GetLocalTime.KERNEL32(?), ref: 00A5033A
                                                                                                • LeaveCriticalSection.KERNEL32(00A7C6EC,?,?,00000000,0000FDE9), ref: 00A50431
                                                                                                Strings
                                                                                                • %ls[%04X:%04X][%04hu-%02hu-%02huT%02hu:%02hu:%02hu]%hs%03d:%ls %ls%ls, xrefs: 00A503D7
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000001.00000002.2911409382.0000000000A11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A10000, based on PE: true
                                                                                                 • Associated: 00000001.00000002.2911303634.0000000000A10000.00000002.00000001.01000000.00000005.sdmp
                                                                                                 • Associated: 00000001.00000002.2911475855.0000000000A5B000.00000002.00000001.01000000.00000005.sdmp
                                                                                                 • Associated: 00000001.00000002.2911525795.0000000000A7B000.00000004.00000001.01000000.00000005.sdmp
                                                                                                 • Associated: 00000001.00000002.2911556284.0000000000A7E000.00000002.00000001.01000000.00000005.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_1_2_a10000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: CriticalCurrentSection$EnterLeaveLocalProcessThreadTime
                                                                                                • String ID: %ls[%04X:%04X][%04hu-%02hu-%02huT%02hu:%02hu:%02hu]%hs%03d:%ls %ls%ls
                                                                                                • API String ID: 296830338-59366893
                                                                                                • Opcode ID: 0b596a40113ceac1ce986c995ebf9b7d72e7b19bad1d309a70796b6035f738dd
                                                                                                • Instruction ID: 33577ff77b139df5cb7c8f134ac87d3660e5099404bba72b616a37e677f404ce
                                                                                                • Opcode Fuzzy Hash: 0b596a40113ceac1ce986c995ebf9b7d72e7b19bad1d309a70796b6035f738dd
                                                                                                • Instruction Fuzzy Hash: 6D416E71A00619ABDB21CFA4DC44BBEB7B8FB08763F108129FA05EA150D7349D85CBA1
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Strings
                                                                                                • Failed to calculate working folder to ensure it exists., xrefs: 00A2A0B3
                                                                                                • Failed create working folder., xrefs: 00A2A0C9
                                                                                                • Failed to copy working folder., xrefs: 00A2A0F1
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000001.00000002.2911409382.0000000000A11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A10000, based on PE: true
                                                                                                 • Associated: 00000001.00000002.2911303634.0000000000A10000.00000002.00000001.01000000.00000005.sdmp
                                                                                                 • Associated: 00000001.00000002.2911475855.0000000000A5B000.00000002.00000001.01000000.00000005.sdmp
                                                                                                 • Associated: 00000001.00000002.2911525795.0000000000A7B000.00000004.00000001.01000000.00000005.sdmp
                                                                                                 • Associated: 00000001.00000002.2911556284.0000000000A7E000.00000002.00000001.01000000.00000005.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_1_2_a10000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: CurrentDirectoryErrorLastProcessWindows
                                                                                                • String ID: Failed create working folder.$Failed to calculate working folder to ensure it exists.$Failed to copy working folder.
                                                                                                • API String ID: 3841436932-2072961686
                                                                                                • Opcode ID: ab13d3ede35f7b1d4d1543a1ed6dc5739e1f5b3a38954aceab87c6e214d632bf
                                                                                                • Instruction ID: f72c19f5f6ac1788cfc14eb96214657b94262336365d8ad71a940583aac324b0
                                                                                                • Opcode Fuzzy Hash: ab13d3ede35f7b1d4d1543a1ed6dc5739e1f5b3a38954aceab87c6e214d632bf
                                                                                                • Instruction Fuzzy Hash: 14018432904675F78B32AF9DEE06C9F7A75EFA07607204165F800B6150DF71DE50AA91
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • FindFirstFileW.KERNELBASE(?,?), ref: 6CAA59D7
                                                                                                • FindClose.KERNELBASE(00000000), ref: 6CAA59E3
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000001.00000002.2912952501.000000006CA9B000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CA90000, based on PE: true
                                                                                                 • Associated: 00000001.00000002.2912936616.000000006CA90000.00000002.00000001.01000000.00000007.sdmp
                                                                                                 • Associated: 00000001.00000002.2912952501.000000006CA91000.00000020.00000001.01000000.00000007.sdmp
                                                                                                 • Associated: 00000001.00000002.2912952501.000000006CA98000.00000020.00000001.01000000.00000007.sdmp
                                                                                                 • Associated: 00000001.00000002.2912952501.000000006CB16000.00000020.00000001.01000000.00000007.sdmp
                                                                                                 • Associated: 00000001.00000002.2913054141.000000006CB18000.00000002.00000001.01000000.00000007.sdmp
                                                                                                 • Associated: 00000001.00000002.2913098126.000000006CB32000.00000004.00000001.01000000.00000007.sdmp
                                                                                                 • Associated: 00000001.00000002.2913148724.000000006CB35000.00000002.00000001.01000000.00000007.sdmp
                                                                                                 • Associated: 00000001.00000002.2913148724.000000006CB39000.00000002.00000001.01000000.00000007.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_1_2_6ca90000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: Find$CloseFileFirst
                                                                                                • String ID:
                                                                                                • API String ID: 2295610775-0
                                                                                                • Opcode ID: 9fc9980784a13df1ddcec16ec627993460e959e3a898d2dfcd3e7719095ae9c0
                                                                                                • Instruction ID: 1638dc2747eb8d83be564cc4056b8ce02b196d81e0d6ac750b96effdbba9453f
                                                                                                • Opcode Fuzzy Hash: 9fc9980784a13df1ddcec16ec627993460e959e3a898d2dfcd3e7719095ae9c0
                                                                                                • Instruction Fuzzy Hash: 5F01F9717006086BDB10DEE9CD89D9FB7FCEBC5329F000155E918D7240D634A98E8768
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Control-flow Graph

                                                                                                • Executed
                                                                                                • Not Executed
                                                                                                control_flow_graph 396 a1b54b-a1b5c0 call a3f710 * 2 401 a1b5c2-a1b5cc GetLastError 396->401 402 a1b5f8-a1b5fe 396->402 403 a1b5d9 401->403 404 a1b5ce-a1b5d7 401->404 405 a1b600 402->405 406 a1b602-a1b614 SetFilePointerEx 402->406 407 a1b5e0-a1b5ed call a138f5 403->407 408 a1b5db 403->408 404->403 405->406 409 a1b616-a1b620 GetLastError 406->409 410 a1b648-a1b662 ReadFile 406->410 426 a1b5f2-a1b5f3 407->426 408->407 414 a1b622-a1b62b 409->414 415 a1b62d 409->415 411 a1b664-a1b66e GetLastError 410->411 412 a1b699-a1b6a0 410->412 416 a1b670-a1b679 411->416 417 a1b67b 411->417 419 a1bc97-a1bcab call a138f5 412->419 420 a1b6a6-a1b6af 412->420 414->415 421 a1b634-a1b646 call a138f5 415->421 422 a1b62f 415->422 416->417 424 a1b682-a1b694 call a138f5 417->424 425 a1b67d 417->425 438 a1bcb0 419->438 420->419 428 a1b6b5-a1b6c5 SetFilePointerEx 420->428 421->426 422->421 424->426 425->424 431 a1bcb1-a1bcb7 call a50657 426->431 433 a1b6c7-a1b6d1 GetLastError 428->433 434 a1b6fc-a1b714 ReadFile 428->434 449 a1bcb8-a1bcc8 call a3de30 431->449 440 a1b6d3-a1b6dc 433->440 441 a1b6de 433->441 435 a1b716-a1b720 GetLastError 434->435 436 a1b74b-a1b752 434->436 446 a1b722-a1b72b 435->446 447 a1b72d 435->447 442 a1b758-a1b762 436->442 443 a1bc7c-a1bc95 call a138f5 436->443 438->431 440->441 444 a1b6e0 441->444 445 a1b6e5-a1b6f2 call a138f5 441->445 442->443 450 a1b768-a1b78b SetFilePointerEx 442->450 443->438 444->445 445->434 446->447 453 a1b734-a1b741 call a138f5 447->453 454 a1b72f 447->454 456 a1b7c2-a1b7da ReadFile 450->456 457 a1b78d-a1b797 GetLastError 450->457 453->436 454->453 464 a1b811-a1b829 ReadFile 456->464 465 a1b7dc-a1b7e6 GetLastError 456->465 462 a1b7a4 457->462 463 a1b799-a1b7a2 457->463 469 a1b7a6 462->469 470 a1b7ab-a1b7b8 call a138f5 462->470 463->462 467 a1b860-a1b87b SetFilePointerEx 464->467 468 a1b82b-a1b835 GetLastError 464->468 471 a1b7f3 465->471 472 
a1b7e8-a1b7f1 465->472 476 a1b8b5-a1b8d4 ReadFile 467->476 477 a1b87d-a1b887 GetLastError 467->477 473 a1b842 468->473 474 a1b837-a1b840 468->474 469->470 470->456 478 a1b7f5 471->478 479 a1b7fa-a1b807 call a138f5 471->479 472->471 483 a1b844 473->483 484 a1b849-a1b856 call a138f5 473->484 474->473 481 a1b8da-a1b8dc 476->481 482 a1bc3d-a1bc47 GetLastError 476->482 486 a1b894 477->486 487 a1b889-a1b892 477->487 478->479 479->464 491 a1b8dd-a1b8e4 481->491 493 a1bc54 482->493 494 a1bc49-a1bc52 482->494 483->484 484->467 488 a1b896 486->488 489 a1b89b-a1b8ab call a138f5 486->489 487->486 488->489 489->476 496 a1bc18-a1bc35 call a138f5 491->496 497 a1b8ea-a1b8f6 491->497 499 a1bc56 493->499 500 a1bc5b-a1bc71 call a138f5 493->500 494->493 512 a1bc3a-a1bc3b 496->512 504 a1b901-a1b90a 497->504 505 a1b8f8-a1b8ff 497->505 499->500 511 a1bc72-a1bc7a call a50657 500->511 509 a1b910-a1b936 ReadFile 504->509 510 a1bbdb-a1bbf2 call a138f5 504->510 505->504 508 a1b944-a1b94b 505->508 514 a1b974-a1b98b call a13a1a 508->514 515 a1b94d-a1b96f call a138f5 508->515 509->482 513 a1b93c-a1b942 509->513 522 a1bbf7-a1bbfd call a50657 510->522 511->449 512->511 513->491 526 a1b98d-a1b9aa call a138f5 514->526 527 a1b9af-a1b9c4 SetFilePointerEx 514->527 515->512 532 a1bc03-a1bc04 522->532 526->431 530 a1ba04-a1ba29 ReadFile 527->530 531 a1b9c6-a1b9d0 GetLastError 527->531 533 a1ba60-a1ba6c 530->533 534 a1ba2b-a1ba35 GetLastError 530->534 536 a1b9d2-a1b9db 531->536 537 a1b9dd 531->537 538 a1bc05-a1bc07 532->538 541 a1ba8f-a1ba93 533->541 542 a1ba6e-a1ba8a call a138f5 533->542 539 a1ba42 534->539 540 a1ba37-a1ba40 534->540 536->537 543 a1b9e4-a1b9f4 call a138f5 537->543 544 a1b9df 537->544 538->449 545 a1bc0d-a1bc13 call a13adf 538->545 546 a1ba44 539->546 547 a1ba49-a1ba5e call a138f5 539->547 540->539 550 a1ba95-a1bac9 call a138f5 call a50657 541->550 551 a1bace-a1bae1 call a54e3d 541->551 542->522 562 a1b9f9-a1b9ff call a50657 543->562 544->543 545->449 546->547 547->562 550->538 565 
a1bae3-a1bae8 551->565 566 a1baed-a1baf7 551->566 562->532 565->562 569 a1bb01-a1bb09 566->569 570 a1baf9-a1baff 566->570 572 a1bb15-a1bb18 569->572 573 a1bb0b-a1bb13 569->573 571 a1bb1a-a1bb7a call a13a1a 570->571 576 a1bb7c-a1bb98 call a138f5 571->576 577 a1bb9e-a1bbbf call a3ec10 call a1b2c8 571->577 572->571 573->571 576->577 577->538 584 a1bbc1-a1bbd1 call a138f5 577->584 584->510
                                                                                                APIs
                                                                                                • GetLastError.KERNEL32(?,?,?,00000000,76EEC3F0,00000000), ref: 00A1B5C2
                                                                                                • SetFilePointerEx.KERNELBASE(000000FF,00000000,00000000,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 00A1B610
                                                                                                • GetLastError.KERNEL32(?,?,?,00000000,76EEC3F0,00000000), ref: 00A1B616
                                                                                                • ReadFile.KERNELBASE(00000000,00A144EB,00000040,?,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 00A1B65E
                                                                                                • GetLastError.KERNEL32(?,?,?,00000000,76EEC3F0,00000000), ref: 00A1B664
                                                                                                • SetFilePointerEx.KERNELBASE(00000000,00000000,?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 00A1B6C1
                                                                                                • GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 00A1B6C7
                                                                                                • ReadFile.KERNELBASE(00000000,?,00000018,00000040,00000000,?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 00A1B710
                                                                                                • GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 00A1B716
                                                                                                • SetFilePointerEx.KERNELBASE(00000000,-00000098,00000000,00000000,00000000,?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 00A1B787
                                                                                                • GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 00A1B78D
                                                                                                • ReadFile.KERNEL32(00000000,?,00000004,00000018,00000000,?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 00A1B7D6
                                                                                                • GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 00A1B7DC
                                                                                                • ReadFile.KERNEL32(00000000,?,00000004,00000018,00000000,?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 00A1B825
                                                                                                • GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 00A1B82B
                                                                                                • SetFilePointerEx.KERNELBASE(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 00A1B877
                                                                                                • GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 00A1B87D
                                                                                                  • Part of subcall function 00A13A1A: GetProcessHeap.KERNEL32(?,?,?,00A123A7,?,00000001,75C0B390,8000FFFF,?,?,00A50687,?,?,00000000,00000000,8000FFFF), ref: 00A13A2B
                                                                                                  • Part of subcall function 00A13A1A: RtlAllocateHeap.NTDLL(00000000,?,00A123A7,?,00000001,75C0B390,8000FFFF,?,?,00A50687,?,?,00000000,00000000,8000FFFF), ref: 00A13A32
                                                                                                • ReadFile.KERNEL32(00000000,?,00000028,00000018,00000000,?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 00A1B8D0
                                                                                                • ReadFile.KERNEL32(00000000,?,00000028,00000028,00000000,?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 00A1B932
                                                                                                • SetFilePointerEx.KERNELBASE(00000000,?,00000000,00000000,00000000,00000034,00000001,?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 00A1B9BC
                                                                                                • GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 00A1B9C6
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000001.00000002.2911409382.0000000000A11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A10000, based on PE: true
                                                                                                 • Associated: 00000001.00000002.2911303634.0000000000A10000.00000002.00000001.01000000.00000005.sdmp
                                                                                                 • Associated: 00000001.00000002.2911475855.0000000000A5B000.00000002.00000001.01000000.00000005.sdmp
                                                                                                 • Associated: 00000001.00000002.2911525795.0000000000A7B000.00000004.00000001.01000000.00000005.sdmp
                                                                                                 • Associated: 00000001.00000002.2911556284.0000000000A7E000.00000002.00000001.01000000.00000005.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_1_2_a10000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: File$ErrorLast$Read$Pointer$Heap$AllocateProcess
                                                                                                • String ID: ($.wix$4$Failed to allocate buffer for section info.$Failed to allocate memory for container sizes.$Failed to find Burn section.$Failed to find valid DOS image header in buffer.$Failed to find valid NT image header in buffer.$Failed to get total size of bundle.$Failed to open handle to engine process path.$Failed to read DOS header.$Failed to read NT header.$Failed to read complete image section header, index: %u$Failed to read complete section info.$Failed to read image section header, index: %u$Failed to read section info, data to short: %u$Failed to read section info, unsupported version: %08x$Failed to read section info.$Failed to read signature offset.$Failed to read signature size.$Failed to seek past optional headers.$Failed to seek to NT header.$Failed to seek to section info.$Failed to seek to start of file.$PE$PE Header from file didn't match PE Header in memory.$burn$c:\agent\_work\138\s\src\burn\engine\section.cpp
                                                                                                • API String ID: 3411815225-3112695413
                                                                                                • Opcode ID: 89ed6d79d5afd4dca64f581255c343991971b770ff1a12431528a4b0df6eeece
                                                                                                • Instruction ID: 7ded6a4a362d513f081842ee698ede80dcf06bda9a8ad235908af283a1206da5
                                                                                                • Opcode Fuzzy Hash: 89ed6d79d5afd4dca64f581255c343991971b770ff1a12431528a4b0df6eeece
                                                                                                • Instruction Fuzzy Hash: 3812C176950235FBDB209B558D46FEA7A78BF04B51F0141A5FD09AF280EB709D848BF0
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Control-flow Graph

                                                                                                • Executed
                                                                                                APIs
                                                                                                • CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,Billboard,000000FF,?,?,?,?,?,00000080,?), ref: 6CAAEC5F
                                                                                                • CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,Button,000000FF), ref: 6CAAEC7E
                                                                                                • CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,6CB1CFDC,00000001), ref: 6CAAEC99
                                                                                                • CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,Checkbox,000000FF), ref: 6CAAECB4
                                                                                                • CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,6CB1D04C,00000002), ref: 6CAAECCF
                                                                                                • CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,Editbox,000000FF), ref: 6CAAECEA
                                                                                                • CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,6CB1D068,00000002), ref: 6CAAED05
                                                                                                • CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,Hyperlink,000000FF), ref: 6CAAED20
                                                                                                • CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,6CB1D088,00000001), ref: 6CAAED3B
                                                                                                • CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,Hypertext,000000FF), ref: 6CAAED56
                                                                                                • SysFreeString.OLEAUT32(00000000), ref: 6CAAEFD4
                                                                                                • SysFreeString.OLEAUT32(00000000), ref: 6CAAF028
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000001.00000002.2912952501.000000006CA9B000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CA90000, based on PE: true
                                                                                                • Associated: 00000001.00000002.2912936616.000000006CA90000.00000002.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2912952501.000000006CA91000.00000020.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2912952501.000000006CA98000.00000020.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2912952501.000000006CB16000.00000020.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2913054141.000000006CB18000.00000002.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2913098126.000000006CB32000.00000004.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2913148724.000000006CB35000.00000002.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2913148724.000000006CB39000.00000002.00000001.01000000.00000007.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_1_2_6ca90000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: String$Compare$Free
                                                                                                • String ID: Billboard$Button$Checkbox$Combobox$Editbox$Hyperlink$Hypertext$Image$ListView$Listview$Progressbar$Richedit$Static$Tab$Text$TreeView$Treeview$c:\agent\_work\138\s\src\libs\dutil\thmutil.cpp
                                                                                                • API String ID: 318886736-3856504317
                                                                                                • Opcode ID: b708a84ba890e1d38b23c449a9c15323bb71f1dea2044286c81a05c20200b7a7
                                                                                                • Instruction ID: 0238a960cc79ce10f7aa031471e58380e9d60bee532b049f1545a6163b01595d
                                                                                                • Opcode Fuzzy Hash: b708a84ba890e1d38b23c449a9c15323bb71f1dea2044286c81a05c20200b7a7
                                                                                                • Instruction Fuzzy Hash: 13E1C935A8C256BADF129AE48C42F6D7671EF05734F300724F634BBAE0C671A592DB90
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • SysFreeString.OLEAUT32(?), ref: 6CAAE61B
                                                                                                • SysFreeString.OLEAUT32(?), ref: 6CAAE941
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000001.00000002.2912952501.000000006CA9B000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CA90000, based on PE: true
                                                                                                • Associated: 00000001.00000002.2912936616.000000006CA90000.00000002.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2912952501.000000006CA91000.00000020.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2912952501.000000006CA98000.00000020.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2912952501.000000006CB16000.00000020.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2913054141.000000006CB18000.00000002.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2913098126.000000006CB32000.00000004.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2913148724.000000006CB35000.00000002.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2913148724.000000006CB39000.00000002.00000001.01000000.00000007.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_1_2_6ca90000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: FreeString
                                                                                                • String ID: AlwaysShowSelect$Center$DisablePrefix$EnableDragDrop$FileSystemAutoComplete$FontId$FullRowSelect$HasButtons$HasLines$Height$HexExtendedStyle$HexStyle$HideWhenDisabled$HoverFontId$ImageList$ImageListGroupHeader$ImageListSmall$ImageListState$Interval$LinesAtRoot$Loop$Name$SelectedFontId$SourceX$SourceY$StringId$TabStop$Visible$Width$c:\agent\_work\138\s\src\libs\dutil\thmutil.cpp$sid
                                                                                                • API String ID: 3341692771-1950865521
                                                                                                • Opcode ID: 7d300a059cf46298db64bca9322d27b836d5a42e14383ad6cffea2517922e985
                                                                                                • Instruction ID: b5e59cf5357f368577c1ac8bb338a603986dbfd6c4b6bf99da0819067c7257e2
                                                                                                • Opcode Fuzzy Hash: 7d300a059cf46298db64bca9322d27b836d5a42e14383ad6cffea2517922e985
                                                                                                • Instruction Fuzzy Hash: D1129336C01675AACB11AEE4C984FFE77AC9B09728F050665ED10BBE00D324DDDA87E0
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • GetWindowLongW.USER32(?,000000EB), ref: 6CAA276F
                                                                                                • SetWindowLongW.USER32(?,000000EB), ref: 6CAA27B1
                                                                                                • SetWindowLongW.USER32(?,000000EB,00000000), ref: 6CAA27DF
                                                                                                • PostQuitMessage.USER32(00000000), ref: 6CAA2971
                                                                                                • SendMessageW.USER32 ref: 6CAA2AB2
                                                                                                • GetSysColorBrush.USER32(00000005), ref: 6CAA2B8E
                                                                                                • SetTextColor.GDI32(?,?), ref: 6CAA2B9B
                                                                                                • SetBkColor.GDI32(?,?), ref: 6CAA2BA3
                                                                                                • PostMessageW.USER32(?,00008068,00000000,?), ref: 6CAA2BD9
                                                                                                • ShowWindow.USER32(?,00000005), ref: 6CAA2BF0
                                                                                                Strings
                                                                                                • Failed to load theme controls., xrefs: 6CAA2807
                                                                                                • Failed to set taskbar button progress to: %d%%., xrefs: 6CAA2D64
                                                                                                • Failed to start applying packages., xrefs: 6CAA2D87
                                                                                                • Are you sure you want to cancel?, xrefs: 6CAA2905, 6CAA2918
                                                                                                • Failed to start detecting chain., xrefs: 6CAA2CB2, 6CAA2CB7
                                                                                                • Running detect BA function, xrefs: 6CAA2C2F
                                                                                                • Failed to open log file target: %ls, xrefs: 6CAA2A37
                                                                                                • notepad.exe, xrefs: 6CAA2A26
                                                                                                • The requested operation is successful. Changes will not be effective until the system is rebooted., xrefs: 6CAA2E2E, 6CAA2E40
                                                                                                • open, xrefs: 6CAA2A1E
                                                                                                • Failed to get log file variable '%ls'., xrefs: 6CAA2A0B
                                                                                                • Failed calling detect BA function., xrefs: 6CAA2C4F
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000001.00000002.2912952501.000000006CA9B000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CA90000, based on PE: true
                                                                                                • Associated: 00000001.00000002.2912936616.000000006CA90000.00000002.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2912952501.000000006CA91000.00000020.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2912952501.000000006CA98000.00000020.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2912952501.000000006CB16000.00000020.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2913054141.000000006CB18000.00000002.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2913098126.000000006CB32000.00000004.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2913148724.000000006CB35000.00000002.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2913148724.000000006CB39000.00000002.00000001.01000000.00000007.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_1_2_6ca90000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: Window$ColorLongMessage$Post$BrushQuitSendShowText
                                                                                                • String ID: Are you sure you want to cancel?$Failed calling detect BA function.$Failed to get log file variable '%ls'.$Failed to load theme controls.$Failed to open log file target: %ls$Failed to set taskbar button progress to: %d%%.$Failed to start applying packages.$Failed to start detecting chain.$Running detect BA function$The requested operation is successful. Changes will not be effective until the system is rebooted.$notepad.exe$open
                                                                                                • API String ID: 2528939093-341550051
                                                                                                • Opcode ID: 3c3b9eba596e84d11d9751cf8d25bad3f44323a61aa75e5a089fbca31e00d5ef
                                                                                                • Instruction ID: e38048d32ca0b23a8a98f38bd3ffa23ed1f166cccee292646ffdf7aa5ab96ee1
                                                                                                • Opcode Fuzzy Hash: 3c3b9eba596e84d11d9751cf8d25bad3f44323a61aa75e5a089fbca31e00d5ef
                                                                                                • Instruction Fuzzy Hash: 3322F2313006049FDB24CEA9CC49F9A77E5EF45314F104A29FA5EDBA90D771E8A5CB60
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Control-flow Graph
                                                                                                APIs
                                                                                                • GetClientRect.USER32(?,?), ref: 6CAB0F8A
                                                                                                • CompareStringW.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 6CAB1179
                                                                                                • CreateWindowExW.USER32(?,Static,?,4000000D,?,00000010,?,?,?,?,00000000,00000000), ref: 6CAB11F8
                                                                                                • SHAutoComplete.SHLWAPI(00000000,00000010), ref: 6CAB121D
                                                                                                • SendMessageW.USER32(00000000,00001036,00000000,?), ref: 6CAB124E
                                                                                                • SendMessageW.USER32(?,00001061,00000000,0000000F), ref: 6CAB12C0
                                                                                                • SendMessageW.USER32(00000004,00001003,00000003,00000000), ref: 6CAB1309
                                                                                                • SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 6CAB133A
                                                                                                • SendMessageW.USER32(?,00000445,00000000,04010000), ref: 6CAB134E
                                                                                                • GetClassLongA.USER32(?,000000F6), ref: 6CAB1381
                                                                                                • SetClassLongA.USER32(?,000000F6,00000000), ref: 6CAB138E
                                                                                                • SendMessageW.USER32(?,0000133E,00000000,00000003), ref: 6CAB13CD
                                                                                                • SendMessageW.USER32(?,00000030,?,00000000), ref: 6CAB13F6
                                                                                                • GetLastError.KERNEL32 ref: 6CAB143A
                                                                                                • GetLastError.KERNEL32 ref: 6CAB1460
                                                                                                • GetLastError.KERNEL32 ref: 6CAB1486
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000001.00000002.2912952501.000000006CA9B000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CA90000, based on PE: true
                                                                                                • Associated: 00000001.00000002.2912936616.000000006CA90000.00000002.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2912952501.000000006CA91000.00000020.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2912952501.000000006CA98000.00000020.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2912952501.000000006CB16000.00000020.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2913054141.000000006CB18000.00000002.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2913098126.000000006CB32000.00000004.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2913148724.000000006CB35000.00000002.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2913148724.000000006CB39000.00000002.00000001.01000000.00000007.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_1_2_6ca90000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: MessageSend$ErrorLast$ClassLong$AutoClientCompareCompleteCreateRectStringWindow
                                                                                                • String ID: +$Button$ComboBox$Edit$RichEdit20W$Riched20.dll$Static$SysLink$SysListView32$SysTabControl32$SysTreeView32$ThemeHyperLink$ThemeStaticOwnerDraw$c:\agent\_work\138\s\src\libs\dutil\thmutil.cpp$msctls_progress32
                                                                                                • API String ID: 3933361081-2825640338
                                                                                                • Opcode ID: bbcf5e88b3d94aa052b2bf8285316a00b99372f70f6d666062cbdb4be4e03d89
                                                                                                • Instruction ID: d360d97fe9636d073c49939baac0b9d4b16278fc09bbb4f49c9d5a5ecd829808
                                                                                                • Opcode Fuzzy Hash: bbcf5e88b3d94aa052b2bf8285316a00b99372f70f6d666062cbdb4be4e03d89
                                                                                                • Instruction Fuzzy Hash: 25F182B1901215DFDB10CF98C884BAEBBB9FF45314F25416AEA15BBA95D731C8C1CB90
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Control-flow Graph
1788->1806 1810 a1592b-a1592f 1789->1810 1811 a15ada-a15af9 call a138f5 1789->1811 1795 a15b17-a15b19 1790->1795 1796 a15b1b-a15b1e 1790->1796 1792 a15b56-a15b5f 1791->1792 1793 a15b7a-a15b95 call a4f91f 1791->1793 1798 a15b61-a15b70 call a4f90f 1792->1798 1799 a15b74-a15b78 1792->1799 1815 a15b97-a15b99 1793->1815 1816 a15c0b-a15c0f 1793->1816 1802 a15b24-a15b29 1795->1802 1796->1802 1823 a15ba1 1798->1823 1824 a15b72 1798->1824 1799->1792 1799->1793 1808 a15b33-a15b48 call a138f5 1802->1808 1809 a15b2b-a15b30 1802->1809 1805->1787 1806->1810 1808->1746 1809->1808 1817 a15931-a15938 1810->1817 1818 a15957-a1595b 1810->1818 1811->1787 1815->1816 1826 a15b9b 1815->1826 1827 a15c15-a15c2e call a18426 1816->1827 1828 a15ca7-a15cac 1816->1828 1817->1818 1829 a1593a-a15955 call a18488 1817->1829 1820 a15979-a15983 1818->1820 1821 a1595d-a15973 call a1802a 1818->1821 1832 a15995-a1599c call a173de 1820->1832 1833 a15985-a15993 call a122c9 1820->1833 1821->1820 1851 a15aa6-a15ab7 call a50657 1821->1851 1837 a15ba3-a15ba5 1823->1837 1838 a15ba7-a15baa 1823->1838 1824->1799 1834 a15bd9-a15bdc 1826->1834 1835 a15b9d-a15b9f 1826->1835 1856 a15c30-a15c35 1827->1856 1857 a15c3a-a15c51 call a4f91f 1827->1857 1828->1784 1839 a15cae-a15cb1 1828->1839 1850 a159c4-a159c6 1829->1850 1855 a159a1-a159ac 1832->1855 1864 a159bc-a159be 1833->1864 1842 a15be2-a15be7 1834->1842 1835->1842 1846 a15bb0-a15bb5 1837->1846 1838->1846 1839->1784 1852 a15bf1-a15c06 call a138f5 1842->1852 1853 a15be9-a15bee 1842->1853 1848 a15bb7-a15bbc 1846->1848 1849 a15bbf-a15bd4 call a138f5 1846->1849 1848->1849 1849->1746 1858 a15ad0 1850->1858 1859 a159cc-a159ea call a18467 1850->1859 1851->1784 1852->1746 1853->1852 1865 a159c1 1855->1865 1866 a159ae-a159b7 call a1241e 1855->1866 1856->1746 1874 a15c53 1857->1874 1875 a15c87-a15c9b call a18488 1857->1875 1858->1811 1876 a159f0-a15a07 call a18445 1859->1876 1877 a15ac6 1859->1877 1864->1865 1865->1850 1866->1864 1878 a15c63 1874->1878 1879 a15c55-a15c61 
1874->1879 1875->1828 1887 a15c9d-a15ca2 1875->1887 1876->1774 1888 a15abc 1876->1888 1877->1858 1882 a15c65-a15c6a 1878->1882 1883 a15c6d-a15c82 call a138f5 1878->1883 1879->1878 1882->1883 1883->1746 1887->1746 1888->1877
                                                                                                APIs
                                                                                                • EnterCriticalSection.KERNEL32(00000100,00000100,00000100,00000000,00000100,00000000,?,00A1A97A,00000100,000002C0,000002C0,00000100), ref: 00A15807
                                                                                                • lstrlenW.KERNEL32(000002C0,?,00A1A97A,00000100,000002C0,000002C0,00000100), ref: 00A15811
                                                                                                • _wcschr.LIBVCRUNTIME ref: 00A15A16
                                                                                                • LeaveCriticalSection.KERNEL32(00000100,00000000,000002C0,000002C0,00000000,000002C0,00000001,?,00A1A97A,00000100,000002C0,000002C0,00000100), ref: 00A15CB9
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000001.00000002.2911409382.0000000000A11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A10000, based on PE: true
                                                                                                • Associated: 00000001.00000002.2911303634.0000000000A10000.00000002.00000001.01000000.00000005.sdmp
                                                                                                • Associated: 00000001.00000002.2911475855.0000000000A5B000.00000002.00000001.01000000.00000005.sdmp
                                                                                                • Associated: 00000001.00000002.2911525795.0000000000A7B000.00000004.00000001.01000000.00000005.sdmp
                                                                                                • Associated: 00000001.00000002.2911556284.0000000000A7E000.00000002.00000001.01000000.00000005.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_1_2_a10000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: CriticalSection$EnterLeave_wcschrlstrlen
                                                                                                • String ID: *****$Failed to allocate buffer for format string.$Failed to allocate record.$Failed to allocate string.$Failed to allocate variable array.$Failed to append placeholder.$Failed to append string.$Failed to copy string.$Failed to determine variable visibility: '%ls'.$Failed to format placeholder string.$Failed to format record.$Failed to get formatted length.$Failed to get variable name.$Failed to reallocate variable array.$Failed to set record format string.$Failed to set record string.$Failed to set variable value.$[%d]$c:\agent\_work\138\s\src\burn\engine\variable.cpp
                                                                                                • API String ID: 1026845265-2015882285
                                                                                                • Opcode ID: 36bc53d44d3fa11fc2502f9f3e1e8ebbf6fb11b8124f901b99cf9f0a6bd4c79c
                                                                                                • Instruction ID: b2c3d764b61d1a9b228155c1e8ce89341313096016f2082d3a826496411dd564
                                                                                                • Opcode Fuzzy Hash: 36bc53d44d3fa11fc2502f9f3e1e8ebbf6fb11b8124f901b99cf9f0a6bd4c79c
                                                                                                • Instruction Fuzzy Hash: 5BF1A272D00629FFDB109FB48945AEF7AB9FF84B51F158129FD05AB140E7749A808BE0
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Control-flow Graph

                                                                                                • Executed
                                                                                                • Not Executed
                                                                                                control_flow_graph 1890 a1520d-a152bb call a3f710 * 2 GetModuleHandleW call a50912 call a50ac6 call a11206 1901 a152d1-a152e2 call a14361 1890->1901 1902 a152bd 1890->1902 1907 a152e4-a152e9 1901->1907 1908 a152eb-a15307 call a1568e CoInitializeEx 1901->1908 1904 a152c2-a152cc call a50657 1902->1904 1911 a1554c-a15553 1904->1911 1907->1904 1918 a15310-a1531c call a500c9 1908->1918 1919 a15309-a1530e 1908->1919 1912 a15560-a15562 1911->1912 1913 a15555-a1555b call a1278d 1911->1913 1916 a15572-a15590 call a1d8c8 call a2a8bc call a2ab06 1912->1916 1917 a15564-a1556b 1912->1917 1913->1912 1940 a15592-a1559a 1916->1940 1941 a155be-a155d1 call a1501c 1916->1941 1917->1916 1920 a1556d call a24264 1917->1920 1927 a15330-a1533f call a512d3 1918->1927 1928 a1531e 1918->1928 1919->1904 1920->1916 1935 a15341-a15346 1927->1935 1936 a15348-a15357 call a52f7b 1927->1936 1930 a15323-a1532b call a50657 1928->1930 1930->1911 1935->1930 1946 a15360-a1536f call a539da 1936->1946 1947 a15359-a1535e 1936->1947 1940->1941 1944 a1559c-a1559f 1940->1944 1951 a155d3 call a53ea2 1941->1951 1952 a155d8-a155df 1941->1952 1944->1941 1945 a155a1-a155bc call a243c4 call a15678 1944->1945 1945->1941 1959 a15371-a15376 1946->1959 1960 a15378-a15397 GetVersionExW 1946->1960 1947->1930 1951->1952 1956 a155e1 call a53381 1952->1956 1957 a155e6-a155ed 1952->1957 1956->1957 1962 a155f4-a155fb 1957->1962 1963 a155ef call a5191f 1957->1963 1959->1930 1967 a153d1-a15416 call a134ef call a15678 1960->1967 1968 a15399-a153a3 GetLastError 1960->1968 1964 a15602-a15604 1962->1964 1965 a155fd call a501d8 1962->1965 1963->1962 1972 a15606 CoUninitialize 1964->1972 1973 a1560c-a15613 1964->1973 1965->1964 1992 a15429-a15439 call a27523 1967->1992 1993 a15418-a15423 call a1278d 1967->1993 1974 a153b0 1968->1974 1975 a153a5-a153ae 1968->1975 1972->1973 1977 a15615-a15617 1973->1977 1978 a1564e-a15657 call a50535 
1973->1978 1979 a153b2 1974->1979 1980 a153b7-a153cc call a138f5 1974->1980 1975->1974 1984 a15619-a1561b 1977->1984 1985 a1561d-a15623 1977->1985 1990 a15659 call a14674 1978->1990 1991 a1565e-a15675 call a50c18 call a3de30 1978->1991 1979->1980 1980->1930 1989 a15625-a1563e call a23df9 call a15678 1984->1989 1985->1989 1989->1978 2011 a15640-a1564d call a15678 1989->2011 1990->1991 2005 a15445-a1544e 1992->2005 2006 a1543b 1992->2006 1993->1992 2008 a15454-a15457 2005->2008 2009 a15516-a1552c call a14db5 2005->2009 2006->2005 2012 a1545d-a15460 2008->2012 2013 a154ee-a15501 call a14b65 2008->2013 2025 a15538-a1554a 2009->2025 2026 a1552e 2009->2026 2011->1978 2017 a15462-a15465 2012->2017 2018 a154c6-a154e2 call a14971 2012->2018 2024 a15506-a1550a 2013->2024 2022 a15467-a1546a 2017->2022 2023 a1549e-a154ba call a14b08 2017->2023 2018->2025 2032 a154e4 2018->2032 2028 a1547b-a1548e call a14d04 2022->2028 2029 a1546c-a15471 2022->2029 2023->2025 2036 a154bc 2023->2036 2024->2025 2030 a1550c 2024->2030 2025->1911 2026->2025 2028->2025 2037 a15494 2028->2037 2029->2028 2030->2009 2032->2013 2036->2018 2037->2023
                                                                                                APIs
                                                                                                • GetModuleHandleW.KERNEL32(00000000,?,?,?,?,?,?), ref: 00A1528F
                                                                                                  • Part of subcall function 00A50912: InitializeCriticalSection.KERNEL32(00A7C6EC,?,00A1529B,00000000,?,?,?,?,?,?), ref: 00A50929
                                                                                                  • Part of subcall function 00A11206: CommandLineToArgvW.SHELL32(00000000,00000000,00000000,00000000,00000000,00000000,ignored ,00000000,?,00000000,?,?,?,00A152B7,00000000,?), ref: 00A11244
                                                                                                  • Part of subcall function 00A11206: GetLastError.KERNEL32(?,?,?,00A152B7,00000000,?,?,00000003,00000000,00000000,?,?,?,?,?,?), ref: 00A1124E
                                                                                                • CoInitializeEx.OLE32(00000000,00000000,?,?,00000000,?,?,00000003,00000000,00000000,?,?,?,?,?,?), ref: 00A152FD
                                                                                                  • Part of subcall function 00A512D3: GetProcAddress.KERNEL32(RegDeleteKeyExW,AdvApi32.dll), ref: 00A512F4
                                                                                                • GetVersionExW.KERNEL32(?,?,?,?,?,?,?), ref: 00A1538F
                                                                                                • GetLastError.KERNEL32(?,?,?,?,?,?), ref: 00A15399
                                                                                                • CoUninitialize.OLE32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00A15606
                                                                                                Strings
                                                                                                • 3.14.0.5722, xrefs: 00A153FC
                                                                                                • Failed to initialize Cryputil., xrefs: 00A1531E
                                                                                                • Failed to parse command line., xrefs: 00A152BD
                                                                                                • Failed to run per-machine mode., xrefs: 00A154E4
                                                                                                • Invalid run mode., xrefs: 00A15471
                                                                                                • Failed to run RunOnce mode., xrefs: 00A15494
                                                                                                • Failed to initialize Wiutil., xrefs: 00A15359
                                                                                                • Failed to initialize engine state., xrefs: 00A152E4
                                                                                                • c:\agent\_work\138\s\src\burn\engine\engine.cpp, xrefs: 00A153BD
                                                                                                • Failed to initialize COM., xrefs: 00A15309
                                                                                                • Failed to initialize core., xrefs: 00A1543B
                                                                                                • Failed to initialize Regutil., xrefs: 00A15341
                                                                                                • Failed to get OS info., xrefs: 00A153C7
                                                                                                • Failed to run untrusted mode., xrefs: 00A1552E
                                                                                                • Failed to initialize XML util., xrefs: 00A15371
                                                                                                • Failed to run embedded mode., xrefs: 00A154BC
                                                                                                • Failed to run per-user mode., xrefs: 00A1550C
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000001.00000002.2911409382.0000000000A11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A10000, based on PE: true
                                                                                                • Associated: 00000001.00000002.2911303634.0000000000A10000.00000002.00000001.01000000.00000005.sdmp
                                                                                                • Associated: 00000001.00000002.2911475855.0000000000A5B000.00000002.00000001.01000000.00000005.sdmp
                                                                                                • Associated: 00000001.00000002.2911525795.0000000000A7B000.00000004.00000001.01000000.00000005.sdmp
                                                                                                • Associated: 00000001.00000002.2911556284.0000000000A7E000.00000002.00000001.01000000.00000005.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_1_2_a10000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: ErrorInitializeLast$AddressArgvCommandCriticalHandleLineModuleProcSectionUninitializeVersion
                                                                                                • String ID: 3.14.0.5722$Failed to get OS info.$Failed to initialize COM.$Failed to initialize Cryputil.$Failed to initialize Regutil.$Failed to initialize Wiutil.$Failed to initialize XML util.$Failed to initialize core.$Failed to initialize engine state.$Failed to parse command line.$Failed to run RunOnce mode.$Failed to run embedded mode.$Failed to run per-machine mode.$Failed to run per-user mode.$Failed to run untrusted mode.$Invalid run mode.$c:\agent\_work\138\s\src\burn\engine\engine.cpp
                                                                                                • API String ID: 3262001429-872186229
                                                                                                • Opcode ID: df62a84b866262cda10131fdea5605daa43ee6955393987726afa1b76985fccd
                                                                                                • Instruction ID: 972b9cc8ffb3f469885ce82314d56e5f2e2cc213c8810986a069707bf189cb0f
                                                                                                • Opcode Fuzzy Hash: df62a84b866262cda10131fdea5605daa43ee6955393987726afa1b76985fccd
                                                                                                • Instruction Fuzzy Hash: 42B1B272D51A28EBDB21AB74CD46BED76B9BF84352F0401A5F908B7241DB708EC48E91
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Control-flow Graph

                                                                                                • Executed
                                                                                                • Not Executed
                                                                                                control_flow_graph 2038 6ca92d9c-6caa1f65 CoInitialize 2040 6caa1f7a-6caa1f8f call 6ca912b2 2038->2040 2041 6caa1f67-6caa1f75 call 6ca93981 2038->2041 2047 6caa1f91-6caa1f9f call 6ca93981 2040->2047 2048 6caa1fa4-6caa1faf call 6ca92351 2040->2048 2046 6caa2129-6caa2137 IsWindow 2041->2046 2050 6caa2159-6caa2160 2046->2050 2051 6caa2139-6caa214f DestroyWindow 2046->2051 2047->2046 2059 6caa1fb1-6caa1fbf call 6ca93981 2048->2059 2060 6caa1fc4-6caa1fe4 CoCreateInstance 2048->2060 2054 6caa2179-6caa2185 2050->2054 2055 6caa2162-6caa216f UnregisterClassW 2050->2055 2051->2050 2057 6caa218e-6caa2196 2054->2057 2058 6caa2187-6caa218c 2054->2058 2055->2054 2062 6caa2199-6caa21ab 2057->2062 2058->2062 2059->2046 2063 6caa2030-6caa203b call 6ca92b2b 2060->2063 2064 6caa1fe6-6caa1fe8 2060->2064 2073 6caa21bd-6caa21c6 call 6ca93706 2062->2073 2074 6caa21ad-6caa21b3 call 6ca91276 2062->2074 2078 6caa203d-6caa204b call 6ca93981 2063->2078 2079 6caa2050-6caa2061 call 6ca92838 2063->2079 2066 6caa1fea-6caa1fef 2064->2066 2067 6caa1ff1-6caa2004 RegisterWindowMessageW 2064->2067 2070 6caa2027-6caa202d call 6ca93981 2066->2070 2067->2063 2071 6caa2006-6caa200e GetLastError 2067->2071 2070->2063 2075 6caa2018-6caa2024 2071->2075 2076 6caa2010-6caa2013 2071->2076 2091 6caa21c8 CoUninitialize 2073->2091 2092 6caa21ce-6caa21d6 2073->2092 2074->2073 2075->2070 2076->2075 2078->2046 2089 6caa2063-6caa2073 call 6ca9464c 2079->2089 2090 6caa2075-6caa2077 call 6ca9464c 2079->2090 2097 6caa208f-6caa20af PostMessageW KiUserCallbackDispatcher 2089->2097 2096 6caa207c-6caa208e 2090->2096 2091->2092 2096->2097 2098 6caa20f0-6caa20fb 2097->2098 2099 6caa20b1-6caa20b4 2097->2099 2100 6caa2119-6caa2122 call 6ca934db 2098->2100 2101 6caa20fd-6caa20ff 2098->2101 2102 6caa2101-6caa2117 call 6ca93981 2099->2102 2103 6caa20b6-6caa20ca call 6ca92950 2099->2103 2100->2046 2112 6caa2124 2100->2112 2101->2046 
2102->2046 2110 6caa20cc-6caa20da TranslateMessage DispatchMessageW 2103->2110 2111 6caa20e0-6caa20ee KiUserCallbackDispatcher 2103->2111 2110->2111 2111->2098 2111->2099 2112->2046
                                                                                                APIs
                                                                                                • CoInitialize.OLE32(00000000), ref: 6CAA1F55
                                                                                                • IsWindow.USER32(?), ref: 6CAA212F
                                                                                                • DestroyWindow.USER32(?), ref: 6CAA213F
                                                                                                • UnregisterClassW.USER32(PythonBA,00000000), ref: 6CAA2169
                                                                                                • CoUninitialize.OLE32(?), ref: 6CAA21C8
                                                                                                Strings
                                                                                                • Unexpected return value from message pump., xrefs: 6CAA2106
                                                                                                • Failed to create main window., xrefs: 6CAA203D
                                                                                                • Failed to create ITaskbarList3. Continuing., xrefs: 6CAA1FEA
                                                                                                • Failed to initialize theme manager., xrefs: 6CAA1F91
                                                                                                • Failed to initialize COM., xrefs: 6CAA1F67
                                                                                                • Failed to get TaskbarButtonCreated message. Continuing., xrefs: 6CAA201F
                                                                                                • TaskbarButtonCreated, xrefs: 6CAA1FF1
                                                                                                • Failed to initialize data in bootstrapper application., xrefs: 6CAA1FB1
                                                                                                • PythonBA, xrefs: 6CAA2164
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000001.00000002.2912952501.000000006CA91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CA90000, based on PE: true
                                                                                                • Associated: 00000001.00000002.2912936616.000000006CA90000.00000002.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2912952501.000000006CA98000.00000020.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2912952501.000000006CA9B000.00000020.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2912952501.000000006CB16000.00000020.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2913054141.000000006CB18000.00000002.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2913098126.000000006CB32000.00000004.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2913148724.000000006CB35000.00000002.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2913148724.000000006CB39000.00000002.00000001.01000000.00000007.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_1_2_6ca90000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: Window$ClassDestroyInitializeUninitializeUnregister
                                                                                                • String ID: Failed to create ITaskbarList3. Continuing.$Failed to create main window.$Failed to get TaskbarButtonCreated message. Continuing.$Failed to initialize COM.$Failed to initialize data in bootstrapper application.$Failed to initialize theme manager.$PythonBA$TaskbarButtonCreated$Unexpected return value from message pump.
                                                                                                • API String ID: 2669477862-2185323171
                                                                                                • Opcode ID: f9a5cdda122a031c0f1f4c7347fc91cb26a33f6f9b698268c2c011674a9312b5
                                                                                                • Instruction ID: f36c91014e12e97a4e2b8bd137b7c99d4d34e5dfdfa011806d7f5c20eb145aeb
                                                                                                • Opcode Fuzzy Hash: f9a5cdda122a031c0f1f4c7347fc91cb26a33f6f9b698268c2c011674a9312b5
                                                                                                • Instruction Fuzzy Hash: 29613870644301ABDB118FE2CC49BAE76F5AF45308F140629FA4DE7A80EB74E8DD8721
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                Control-flow Graph

                                                                                                • Executed
                                                                                                • Not Executed
                                                                                                control_flow_graph 2113 a27523-a27568 call a3f710 call a176d4 2118 a27574-a27585 call a1c4bb 2113->2118 2119 a2756a-a2756f 2113->2119 2125 a27591-a275a2 call a1c322 2118->2125 2126 a27587-a2758c 2118->2126 2120 a2780d-a27814 call a50657 2119->2120 2127 a27815-a2781a 2120->2127 2135 a275a4-a275a9 2125->2135 2136 a275ae-a275c3 call a1c57a 2125->2136 2126->2120 2129 a27822-a27826 2127->2129 2130 a2781c-a2781d call a1278d 2127->2130 2133 a27830-a27835 2129->2133 2134 a27828-a2782b call a1278d 2129->2134 2130->2129 2138 a27837-a27838 call a1278d 2133->2138 2139 a2783d-a2784a call a1c271 2133->2139 2134->2133 2135->2120 2145 a275c5-a275ca 2136->2145 2146 a275cf-a275df call a3be03 2136->2146 2138->2139 2147 a27854-a27858 2139->2147 2148 a2784c-a2784f call a1278d 2139->2148 2145->2120 2154 a275e1-a275e6 2146->2154 2155 a275eb-a2765e call a25c9e 2146->2155 2152 a27862-a27866 2147->2152 2153 a2785a-a2785d call a1278d 2147->2153 2148->2147 2157 a27870-a27876 2152->2157 2158 a27868-a2786b call a13adf 2152->2158 2153->2152 2154->2120 2162 a27660-a27665 2155->2162 2163 a2766a-a2766f 2155->2163 2158->2157 2162->2120 2164 a27671 2163->2164 2165 a27676-a276ad call a15678 GetCurrentProcess call a50c8f call a18363 2163->2165 2164->2165 2172 a276c7-a276de call a18363 2165->2172 2173 a276af 2165->2173 2179 a276e0-a276e5 2172->2179 2180 a276e7-a276ec 2172->2180 2174 a276b4-a276c2 call a50657 2173->2174 2174->2127 2179->2174 2181 a27748-a2774d 2180->2181 2182 a276ee-a27700 call a18309 2180->2182 2183 a2774f-a27761 call a18309 2181->2183 2184 a2776d-a27776 2181->2184 2192 a27702-a27707 2182->2192 2193 a2770c-a2771c call a1355e 2182->2193 2183->2184 2196 a27763-a27768 2183->2196 2187 a27782-a27796 call a2a4fa 2184->2187 2188 a27778-a2777b 2184->2188 2200 a27798-a2779d 2187->2200 2201 a2779f 2187->2201 2188->2187 2191 a2777d-a27780 2188->2191 2191->2187 2197 a277a5-a277a8 2191->2197 2192->2120 
2204 a27728-a2773c call a18309 2193->2204 2205 a2771e-a27723 2193->2205 2196->2120 2202 a277aa-a277ad 2197->2202 2203 a277af-a277c5 call a1d63d 2197->2203 2200->2120 2201->2197 2202->2127 2202->2203 2210 a277c7-a277cc 2203->2210 2211 a277ce-a277dd call a1cc73 2203->2211 2204->2181 2212 a2773e-a27743 2204->2212 2205->2120 2210->2120 2214 a277e2-a277e6 2211->2214 2212->2120 2215 a277e8-a277ed 2214->2215 2216 a277ef-a27806 call a1c996 2214->2216 2215->2120 2216->2127 2219 a27808 2216->2219 2219->2120
                                                                                                Strings
                                                                                                • Failed to open attached UX container., xrefs: 00A27587
                                                                                                • Failed to get unique temporary folder for bootstrapper application., xrefs: 00A277C7
                                                                                                • Failed to load manifest., xrefs: 00A275E1
                                                                                                • Failed to set source process folder variable., xrefs: 00A2773E
                                                                                                • Failed to parse command line., xrefs: 00A27660
                                                                                                • Failed to set original source variable., xrefs: 00A27763
                                                                                                • Failed to initialize variables., xrefs: 00A2756A
                                                                                                • Failed to set source process path variable., xrefs: 00A27702
                                                                                                • Failed to get manifest stream from container., xrefs: 00A275C5
                                                                                                • Failed to open manifest stream., xrefs: 00A275A4
                                                                                                • WixBundleUILevel, xrefs: 00A276CF, 00A276E0
                                                                                                • WixBundleElevated, xrefs: 00A2769E, 00A276AF
                                                                                                • Failed to load catalog files., xrefs: 00A27808
                                                                                                • WixBundleSourceProcessFolder, xrefs: 00A2772D
                                                                                                • Failed to overwrite the %ls built-in variable., xrefs: 00A276B4
                                                                                                • Failed to get source process folder from path., xrefs: 00A2771E
                                                                                                • Failed to initialize internal cache functionality., xrefs: 00A27798
                                                                                                • WixBundleSourceProcessPath, xrefs: 00A276F1
                                                                                                • Failed to extract bootstrapper application payloads., xrefs: 00A277E8
                                                                                                • WixBundleOriginalSource, xrefs: 00A27752
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000001.00000002.2911409382.0000000000A11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A10000, based on PE: true
• Associated: 00000001.00000002.2911303634.0000000000A10000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.2911475855.0000000000A5B000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.2911525795.0000000000A7B000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.2911556284.0000000000A7E000.00000002.00000001.01000000.00000005.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_1_2_a10000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: CriticalInitializeSection
                                                                                                • String ID: Failed to extract bootstrapper application payloads.$Failed to get manifest stream from container.$Failed to get source process folder from path.$Failed to get unique temporary folder for bootstrapper application.$Failed to initialize internal cache functionality.$Failed to initialize variables.$Failed to load catalog files.$Failed to load manifest.$Failed to open attached UX container.$Failed to open manifest stream.$Failed to overwrite the %ls built-in variable.$Failed to parse command line.$Failed to set original source variable.$Failed to set source process folder variable.$Failed to set source process path variable.$WixBundleElevated$WixBundleOriginalSource$WixBundleSourceProcessFolder$WixBundleSourceProcessPath$WixBundleUILevel
                                                                                                • API String ID: 32694325-1564579409
                                                                                                • Opcode ID: c720a60c13a5b1a9219041de13a62fdc31c3a5957568bee08b419662f08c6802
                                                                                                • Instruction ID: b1bf0e15dd8276697fd621a3c30abb2c92b5c3b334d2fe83246d35aaf3b47a4f
                                                                                                • Opcode Fuzzy Hash: c720a60c13a5b1a9219041de13a62fdc31c3a5957568bee08b419662f08c6802
                                                                                                • Instruction Fuzzy Hash: 85A17172E44626BBDB129BA8DD85EEEB6BCBB04710F100636F515E6140E771EA84C7E0
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

Control-flow Graph

Control-flow graph of the function at 00A176D4 (report nodes 2325-2334). It calls InitializeCriticalSection at 00A176F4, then enters a loop in which the block 00A17FD2-00A17FF6 calls 00A15699 and the block 00A17FF8-00A17FFF jumps back to it; a failure of 00A15699 leaves the loop for 00A18003, which calls 00A50657, and both paths converge on the exit block 00A18017-00A18027 that calls 00A3DE30. The string table of this function (Failed to add built-in variable: %ls. together with InstallerName, InstallerVersion, LogonUser, Date and the WixBundle* names) identifies the loop as the registration of Burn's built-in variables, which is why the caller at 00A27523 reports "Failed to initialize variables." when this function fails.
                                                                                                APIs
                                                                                                • InitializeCriticalSection.KERNEL32(00A27564,00A15435,00000000,00A154BD), ref: 00A176F4
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000001.00000002.2911409382.0000000000A11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A10000, based on PE: true
• Associated: 00000001.00000002.2911303634.0000000000A10000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.2911475855.0000000000A5B000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.2911525795.0000000000A7B000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.2911556284.0000000000A7E000.00000002.00000001.01000000.00000005.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_1_2_a10000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: CriticalInitializeSection
                                                                                                • String ID: #$$$'$0$Date$Failed to add built-in variable: %ls.$InstallerName$InstallerVersion$LogonUser$WixBundleAction$WixBundleActiveParent$WixBundleElevated$WixBundleExecutePackageAction$WixBundleExecutePackageCacheFolder$WixBundleForcedRestartPackage$WixBundleInstalled$WixBundleProviderKey$WixBundleSourceProcessFolder$WixBundleSourceProcessPath$WixBundleTag$WixBundleUILevel$WixBundleVersion
                                                                                                • API String ID: 32694325-3635313340
                                                                                                • Opcode ID: 77bdc4bd61d71be5201a615cb38dbdcf4cb7e110bd159f06c4e6c4781dafa76e
                                                                                                • Instruction ID: 96835b636b759356cb92ef81b1bdaa54a5430858465ead720011142850ca5c17
                                                                                                • Opcode Fuzzy Hash: 77bdc4bd61d71be5201a615cb38dbdcf4cb7e110bd159f06c4e6c4781dafa76e
                                                                                                • Instruction Fuzzy Hash: 444235B0C117699FDB658F5AC9887C9FAB4BB48315F9081EED60CAA214D7B10B88CF45
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

Control-flow Graph

Control-flow graph of the function at 6CAA09B0 in the module mapped at 6CA90000 (report nodes 2337-2425). After the setup calls (6CA945F2, 6CA91208, 6CA92EF0, 6CA9141F, 6CA94115) the function enters a loop at 6CAA0AE0 that fetches the next node (6CA91DF7) and reads two attributes (6CA93C38, 6CA918D4). For each value it calls CompareStringW twice (6CAA0B43 and 6CAA0B6E) and, when neither comparison matches, StrToIntExW (6CAA0B9B); the iteration ends with SysFreeString (6CAA0BF1) and the back-edge at 6CAA0C27-6CAA0C2B. Failures in the loop go through 6CA93981 (blocks 6CAA0C80, 6CAA0C90, 6CAA0CA0) to the common exit at 6CAA0C44. Together with the strings /Options/Option, Name, Value, yes and [WixBundleOriginalSourceFolder]unattend.xml, this is the bootstrapper application reading an unattend.xml file located next to the installer: "yes" and one further literal are special-cased by the two CompareStringW calls, numeric text is converted by StrToIntExW, and anything else is kept as a string.
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000001.00000002.2912952501.000000006CA9B000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CA90000, based on PE: true
• Associated: 00000001.00000002.2912936616.000000006CA90000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.2912952501.000000006CA91000.00000020.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.2912952501.000000006CA98000.00000020.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.2912952501.000000006CB16000.00000020.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.2913054141.000000006CB18000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.2913098126.000000006CB32000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.2913148724.000000006CB35000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.2913148724.000000006CB39000.00000002.00000001.01000000.00000007.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_1_2_6ca90000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: /Options/Option$Did not find %ls$Failed to calculate path to unattend.xml$Failed to get @Name.$Failed to get @Value.$Failed to get next node.$Failed to get option node count.$Failed to read %ls$Failed to select option nodes.$Finished reading from %ls$Name$Reading settings from %ls$Value$[WixBundleOriginalSourceFolder]unattend.xml$yes
                                                                                                • API String ID: 0-690715931
                                                                                                • Opcode ID: 4ecbe4376f0f2201b978c0d635eeb3bc0f3bb619ecfff3732a9989edb4eb3e5a
                                                                                                • Instruction ID: 257eddd43da513bb3e3ccdab3a2a0f10fd5044740c3ec30dae545f9a7891cde9
                                                                                                • Opcode Fuzzy Hash: 4ecbe4376f0f2201b978c0d635eeb3bc0f3bb619ecfff3732a9989edb4eb3e5a
                                                                                                • Instruction Fuzzy Hash: 6491F235904249BFDB00CFE4CD45FEEB7B9AF45318F240058F916A7A80DB32DA8A8B10
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%
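The function above reads its settings from [WixBundleOriginalSourceFolder]unattend.xml, that is, from the folder the installer was launched from, so whoever can write to that folder can pre-set install options without any UI. The following is an added reconstruction of the value handling visible in the report (the /Options/Option node set, the Name and Value attributes, a CompareStringW against "yes", a StrToIntExW fallback); it is example code written for this page, not code from python-3.11.4-amd64.exe or from the CPython Tools/msi sources. The sample file is constructed. Two assumptions are labelled in the code: the literal used by the second CompareStringW is not listed in the report's strings and is therefore not modelled, and StrToIntExW is treated as called with STIF_DEFAULT because its flags are not shown.

```python
"""Reconstructed reader for the installer's unattend.xml (constructed example)."""
import xml.etree.ElementTree as ET
from typing import Dict, Optional, Union

Value = Union[int, str]

# Constructed sample, shaped like the file the bootstrapper looks for next to
# the installer ([WixBundleOriginalSourceFolder]unattend.xml).  "true" is a
# deliberate trap: only "yes" is special-cased, so "true" stays a string.
SAMPLE_UNATTEND = """<Options>
  <Option Name="InstallAllUsers" Value="yes" />
  <Option Name="Include_test" Value="0" />
  <Option Name="TargetDir" Value="C:\\Tools\\Python311" />
  <Option Name="PrependPath" Value="true" />
</Options>"""


def str_to_int_ex(text: str) -> Optional[int]:
    """Approximation of StrToIntExW with STIF_DEFAULT (assumption: the flags
    are not visible in the report): skip leading whitespace, optional sign,
    then at least one ASCII digit; parsing stops at the first non-digit and
    the rest is ignored, as the shlwapi routine does.  None where the API
    would return FALSE."""
    s = text.lstrip()
    sign = 1
    if s[:1] in ("+", "-"):
        sign = -1 if s[0] == "-" else 1
        s = s[1:]
    digits = ""
    for ch in s:
        if "0" <= ch <= "9":
            digits += ch
        else:
            break
    if not digits:
        return None
    return sign * int(digits, 10)


def read_options(xml_text: str) -> Dict[str, Value]:
    """Select /Options/Option, read @Name and @Value and coerce each value the
    way the recovered function does: "yes" -> 1, numeric text -> int,
    anything else is kept as a string.  The second CompareStringW literal is
    not recoverable from the report and is intentionally not modelled."""
    root = ET.fromstring(xml_text)
    if root.tag != "Options":
        raise ValueError("root element is not <Options>")   # "Failed to select option nodes."
    options: Dict[str, Value] = {}
    for node in root.findall("Option"):                    # "/Options/Option"
        name = node.get("Name")
        value = node.get("Value")
        if name is None:
            raise ValueError("Option without Name")        # "Failed to get @Name."
        if value is None:
            raise ValueError(f"Option {name} without Value")  # "Failed to get @Value."
        if value == "yes":                                 # CompareStringW(..., L"yes")
            options[name] = 1
            continue
        number = str_to_int_ex(value)                      # StrToIntExW fallback
        options[name] = number if number is not None else value
    return options


if __name__ == "__main__":
    for key, val in read_options(SAMPLE_UNATTEND).items():
        print(f"{key} = {val!r}")
```

Running the block on the constructed sample shows the coercion rules a deployment engineer needs to know: InstallAllUsers becomes 1, Include_test becomes 0, TargetDir stays a string, and PrependPath="true" is not recognised as a boolean and is stored as the string "true". Because the parser accepts whatever lies beside the installer, the unattend.xml of a shared or untrusted download folder should be treated as installer input and reviewed like a command line.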

Control-flow Graph

Control-flow graph of the function at 00A282A6 (report nodes 2429-2479). Unless the path has already been computed (the edge from the entry block straight to 00A28468), it calls GetCurrentProcess and the token-query helper 00A50C8F (whose OpenProcessToken call uses access mask 0x8, TOKEN_QUERY), then branches at 00A28308: one path calls GetWindowsDirectoryW (00A28322), terminates the result with a backslash (00A134A9) and appends Temp\ (00A137C6); the other calls GetTempPathW (00A283A9). Both paths join at UuidCreate (00A283F2) and StringFromGUID2 (00A28406); the two strings are combined with the %ls%ls\ format at 00A28444 and copied out through 00A122C9 at 00A28468. Each GetLastError site feeds the error formatter 00A138F5 together with the cache.cpp source path, and every failure leaves through 00A50657 at 00A2847C. This is Burn's working-folder computation from the cache.cpp named in the strings: the token check decides whether the working folder is created under the Windows directory's Temp folder or under the caller's temp path, and a fresh GUID names the folder.
                                                                                                APIs
                                                                                                • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00A15501), ref: 00A282FC
                                                                                                  • Part of subcall function 00A50C8F: OpenProcessToken.ADVAPI32(?,00000008,?,00A15435,00000000,?,?,?,?,?,?,?,00A27696,00000000), ref: 00A50CAD
                                                                                                  • Part of subcall function 00A50C8F: GetLastError.KERNEL32(?,?,?,?,?,?,?,00A27696,00000000), ref: 00A50CB7
                                                                                                  • Part of subcall function 00A50C8F: FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,?,?,00A27696,00000000), ref: 00A50D41
                                                                                                • GetWindowsDirectoryW.KERNEL32(?,00000104,00000000), ref: 00A28322
                                                                                                • GetLastError.KERNEL32 ref: 00A2832C
                                                                                                • GetTempPathW.KERNEL32(00000104,?,00000000), ref: 00A283A9
                                                                                                • GetLastError.KERNEL32 ref: 00A283B3
                                                                                                • UuidCreate.RPCRT4(?), ref: 00A283F2
                                                                                                Strings
                                                                                                • Failed to get temp path for working folder., xrefs: 00A283E1
                                                                                                • c:\agent\_work\138\s\src\burn\engine\cache.cpp, xrefs: 00A28350, 00A283D7, 00A28428
                                                                                                • Failed to concat Temp directory on windows path for working folder., xrefs: 00A28399
                                                                                                • Failed to ensure windows path for working folder ended in backslash., xrefs: 00A28377
                                                                                                • Failed to convert working folder guid into string., xrefs: 00A28432
                                                                                                • Failed to append bundle id on to temp path for working folder., xrefs: 00A2845C
                                                                                                • Failed to create working folder guid., xrefs: 00A283FF
                                                                                                • Temp\, xrefs: 00A28381
                                                                                                • %ls%ls\, xrefs: 00A28444
                                                                                                • Failed to get windows path for working folder., xrefs: 00A2835A
                                                                                                • Failed to copy working folder path., xrefs: 00A28477
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000001.00000002.2911409382.0000000000A11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A10000, based on PE: true
• Associated: 00000001.00000002.2911303634.0000000000A10000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.2911475855.0000000000A5B000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.2911525795.0000000000A7B000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.2911556284.0000000000A7E000.00000002.00000001.01000000.00000005.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_1_2_a10000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: ErrorLast$Process$ChangeCloseCreateCurrentDirectoryFindNotificationOpenPathTempTokenUuidWindows
                                                                                                • String ID: %ls%ls\$Failed to append bundle id on to temp path for working folder.$Failed to concat Temp directory on windows path for working folder.$Failed to convert working folder guid into string.$Failed to copy working folder path.$Failed to create working folder guid.$Failed to ensure windows path for working folder ended in backslash.$Failed to get temp path for working folder.$Failed to get windows path for working folder.$Temp\$c:\agent\_work\138\s\src\burn\engine\cache.cpp
                                                                                                • API String ID: 2898636500-3402008805
                                                                                                • Opcode ID: f76514fac730cb59065c368b4b20171adfe985e34d705999289eddf05a7dce6f
                                                                                                • Instruction ID: 8ea2e3d5d2c83c59a5d46cdd43a4c64c35ccf5f566f552ff3329ca1827026369
                                                                                                • Opcode Fuzzy Hash: f76514fac730cb59065c368b4b20171adfe985e34d705999289eddf05a7dce6f
                                                                                                • Instruction Fuzzy Hash: 5541E572A56335B7DB20E6F8AC4AFAF76787B04B11F004572BA05FB180EA789D4546A0
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%
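The working-folder routine above is the piece of this report most worth a second look during triage, because the engine later extracts and loads its bootstrapper application from a unique temporary folder (the strings at 00A277C7 and 00A277E8 in the function at 00A27523). An elevated engine that built that folder under a per-user %TEMP% would be loading code from a directory a lower-privileged user can pre-populate. The block below is an added example written for this page, not Burn's cache.cpp: it mirrors the path construction recovered from the API sequence (GetWindowsDirectoryW plus Temp\ on one branch, GetTempPathW on the other, UuidCreate, StringFromGUID2, the %ls%ls\ format) and adds the check a responder wants when reading a file-system timeline of an elevated install. Assumptions, labelled in the code: which branch corresponds to the elevated process is taken from WiX Burn's published behaviour, not from this report; the regular expression and the classify helper are constructed for this example.

```python
"""Burn working-folder derivation and a timeline check (constructed example)."""
import re
import uuid
from typing import Optional


def string_from_guid2(guid_text: str) -> str:
    """StringFromGUID2 output shape: braces around upper-case hyphenated hex."""
    return "{" + guid_text.upper() + "}"


def working_folder(elevated: bool, windows_dir: str, temp_path: str,
                   guid_text: Optional[str] = None) -> str:
    """Mirror of the branch at 00A28308 and the "%ls%ls\\" format at 00A28444.

    Assumption (from WiX Burn's documented behaviour, not from the report):
    elevated  -> GetWindowsDirectoryW, backslash-terminate, append "Temp\\"
    otherwise -> GetTempPathW (which already ends in a backslash)
    then UuidCreate + StringFromGUID2 and a trailing backslash.
    """
    if elevated:
        base = windows_dir if windows_dir.endswith("\\") else windows_dir + "\\"
        base += "Temp\\"
    else:
        base = temp_path if temp_path.endswith("\\") else temp_path + "\\"
    return "%s%s\\" % (base, string_from_guid2(guid_text or str(uuid.uuid4())))


# Constructed hunting pattern for file-system timelines or file-create events:
# <base>\Temp\{GUID}\<anything>.  The GUID comes from StringFromGUID2.
BURN_WORKING_FOLDER_RE = re.compile(
    r"^(?P<base>.+?\\Temp\\)\{(?P<guid>[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\}\\"
)


def is_under_windows_temp(path: str, windows_dir: str = "C:\\Windows") -> bool:
    """The check worth running on an elevated run: the working folder must sit
    under <Windows>\\Temp, not under a user-writable per-user %TEMP%."""
    prefix = windows_dir.rstrip("\\") + "\\Temp\\"
    return path.lower().startswith(prefix.lower())


def classify(path: str, windows_dir: str = "C:\\Windows") -> Optional[str]:
    """'elevated', 'per-user' or None for a path taken from a log line."""
    if not BURN_WORKING_FOLDER_RE.match(path):
        return None
    return "elevated" if is_under_windows_temp(path, windows_dir) else "per-user"


if __name__ == "__main__":
    # Constructed inputs: a Windows directory, a per-user temp path, a fixed GUID.
    guid = "12345678-1234-1234-1234-123456789abc"
    for elevated in (True, False):
        folder = working_folder(elevated, "C:\\Windows",
                                "C:\\Users\\bob\\AppData\\Local\\Temp\\", guid)
        print(f"elevated={elevated}: {folder} -> {classify(folder)}")
```

When reviewing the dropped-file list of a run like this one, feed each path to classify(): an install that ran elevated should only ever produce "elevated" hits; a "per-user" hit for an elevated process is the condition to investigate, and a path that does not match the pattern at all was not written by the engine's working-folder code.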

                                                                                                APIs
                                                                                                • GetModuleHandleW.KERNEL32(?), ref: 6CA9BB8E
                                                                                                • LoadIconW.USER32(00000000,00000001), ref: 6CA9BB9B
                                                                                                • GetSysColor.USER32(00000011), ref: 6CA9BBE4
                                                                                                • GetSysColor.USER32(00000005), ref: 6CA9BBF5
                                                                                                • GetSysColorBrush.USER32(00000005), ref: 6CA9BBF9
                                                                                                • LoadCursorW.USER32(00000000,00007F00), ref: 6CA9BC1B
                                                                                                • RegisterClassW.USER32(00000000), ref: 6CA9BC39
                                                                                                • GetLastError.KERNEL32 ref: 6CA9BC44
                                                                                                • IsWindow.USER32 ref: 6CA9BCAA
                                                                                                • GetCursorPos.USER32(?), ref: 6CA9BCBE
                                                                                                • MonitorFromPoint.USER32(?,?,00000002), ref: 6CA9BCD0
                                                                                                • GetMonitorInfoW.USER32(00000000,?), ref: 6CA9BCE6
                                                                                                • CreateWindowExW.USER32(00000000,6CB19AD4,?,?,80000000,80000000,?,?,00000000,00000000,?), ref: 6CA9BD43
                                                                                                • GetLastError.KERNEL32 ref: 6CA9BD53
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000001.00000002.2912952501.000000006CA9B000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CA90000, based on PE: true
• Associated: 00000001.00000002.2912936616.000000006CA90000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.2912952501.000000006CA91000.00000020.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.2912952501.000000006CA98000.00000020.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.2912952501.000000006CB16000.00000020.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.2913054141.000000006CB18000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.2913098126.000000006CB32000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.2913148724.000000006CB35000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.2913148724.000000006CB39000.00000002.00000001.01000000.00000007.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_1_2_6ca90000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: Color$CursorErrorLastLoadMonitorWindow$BrushClassCreateFromHandleIconInfoModulePointRegister
                                                                                                • String ID: ($D:\a\1\s\Tools\msi\bundle\bootstrap\PythonBootstrapperApplication.cpp$PythonBA
                                                                                                • API String ID: 2242584887-1007707779
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • InitializeCriticalSection.KERNEL32(00000000,?,00000000,00000000,?,?,00A152DE,?,?,00000000,?,?), ref: 00A1438D
                                                                                                • InitializeCriticalSection.KERNEL32(000000D0,?,?,00A152DE,?,?,00000000,?,?), ref: 00A14396
                                                                                                • lstrlenW.KERNEL32(burn.filehandle.attached,000004B8,000004A0,?,?,00A152DE,?,?,00000000,?,?), ref: 00A143DC
                                                                                                • lstrlenW.KERNEL32(burn.filehandle.attached,burn.filehandle.attached,00000000,?,?,00A152DE,?,?,00000000,?,?), ref: 00A143E6
                                                                                                • CompareStringW.KERNEL32(0000007F,00000001,?,00000000,?,?,00A152DE,?,?,00000000,?,?), ref: 00A143FA
                                                                                                • lstrlenW.KERNEL32(burn.filehandle.attached,?,?,00A152DE,?,?,00000000,?,?), ref: 00A1440A
                                                                                                • lstrlenW.KERNEL32(burn.filehandle.self,?,?,00A152DE,?,?,00000000,?,?), ref: 00A1445A
                                                                                                • lstrlenW.KERNEL32(burn.filehandle.self,burn.filehandle.self,00000000,?,?,00A152DE,?,?,00000000,?,?), ref: 00A14464
                                                                                                • CompareStringW.KERNEL32(0000007F,00000001,?,00000000,?,?,00A152DE,?,?,00000000,?,?), ref: 00A14478
                                                                                                • lstrlenW.KERNEL32(burn.filehandle.self,?,?,00A152DE,?,?,00000000,?,?), ref: 00A14488
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000001.00000002.2911409382.0000000000A11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A10000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_1_2_a10000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: lstrlen$CompareCriticalInitializeSectionString
                                                                                                • String ID: Failed to initialize engine section.$Failed to parse file handle: '%ls'$Missing required parameter for switch: %ls$burn.filehandle.attached$burn.filehandle.self$c:\agent\_work\138\s\src\burn\engine\engine.cpp
                                                                                                • API String ID: 3039292287-4238739692
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • LoadCursorA.USER32(00000000,00007F89), ref: 6CAB0D18
                                                                                                • GetClassInfoW.USER32(00000000,Button,?), ref: 6CAB0D33
                                                                                                • GetLastError.KERNEL32 ref: 6CAB0D39
                                                                                                • RegisterClassW.USER32(?), ref: 6CAB0D85
                                                                                                • GetLastError.KERNEL32 ref: 6CAB0D8C
                                                                                                • GetClassInfoW.USER32(00000000,Static,?), ref: 6CAB0DC6
                                                                                                • GetLastError.KERNEL32 ref: 6CAB0DCC
                                                                                                • RegisterClassW.USER32(?), ref: 6CAB0E0D
                                                                                                • GetLastError.KERNEL32 ref: 6CAB0E14
                                                                                                • GdiplusStartup.GDIPLUS(6CB33350,6CB322A8,6CB33348), ref: 6CAB0E62
                                                                                                • InitCommonControlsEx.COMCTL32(?,00000000,6CB33350,6CB322A8,6CB33348), ref: 6CAB0E90
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000001.00000002.2912952501.000000006CA9B000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CA90000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_1_2_6ca90000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: ClassErrorLast$InfoRegister$CommonControlsCursorGdiplusInitLoadStartup
                                                                                                • String ID: Button$Static$ThemeHyperLink$ThemeStaticOwnerDraw$c:\agent\_work\138\s\src\libs\dutil\thmutil.cpp
                                                                                                • API String ID: 914145761-1728460299
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • VerSetConditionMask.KERNEL32(00000000,00000000,00000080,00000001), ref: 6CAA249E
                                                                                                • VerifyVersionInfoW.KERNEL32(0000011C,00000080,00000000), ref: 6CAA24B2
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000001.00000002.2912952501.000000006CA9B000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CA90000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_1_2_6ca90000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: ConditionInfoMaskVerifyVersion
                                                                                                • String ID: #(loc.FailureOldOS)$Detected Windows 7$Detected Windows 8$Detected Windows Server 2003 or earlier$Detected Windows Server 2008$Detected Windows Server 2008 R2$Detected Windows Vista$Detected Windows XP or earlier$Target OS is Windows 10 or later$Target OS is Windows 8.1$Target OS is Windows Server 2012 or later$Windows 8.1 or later is required to continue installation$Windows Server 2012 or later is required to continue installation
                                                                                                • API String ID: 3739615805-3865552857
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,08000080,00000000,?,00000000,00000000,?,00A1C533,00A1547D,?,?,00A154BD), ref: 00A1C38A
                                                                                                • GetLastError.KERNEL32(?,00A1C533,00A1547D,?,?,00A154BD,00A154BD,00000000,?,00000000), ref: 00A1C39B
                                                                                                • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002,?,00000000,00000000,?,00A1C533,00A1547D,?,?,00A154BD,00A154BD,00000000,?), ref: 00A1C3EA
                                                                                                • GetCurrentProcess.KERNEL32(000000FF,00000000,?,00A1C533,00A1547D,?,?,00A154BD,00A154BD,00000000,?,00000000), ref: 00A1C3F0
                                                                                                • DuplicateHandle.KERNELBASE(00000000,?,00A1C533,00A1547D,?,?,00A154BD,00A154BD,00000000,?,00000000), ref: 00A1C3F3
                                                                                                • GetLastError.KERNEL32(?,00A1C533,00A1547D,?,?,00A154BD,00A154BD,00000000,?,00000000), ref: 00A1C3FD
                                                                                                • SetFilePointerEx.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00A1C533,00A1547D,?,?,00A154BD,00A154BD,00000000,?,00000000), ref: 00A1C44F
                                                                                                • GetLastError.KERNEL32(?,00A1C533,00A1547D,?,?,00A154BD,00A154BD,00000000,?,00000000), ref: 00A1C459
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000001.00000002.2911409382.0000000000A11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A10000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_1_2_a10000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: ErrorLast$CurrentFileProcess$CreateDuplicateHandlePointer
                                                                                                • String ID: Failed to duplicate handle to container: %ls$Failed to move file pointer to container offset.$Failed to open container.$Failed to open file: %ls$c:\agent\_work\138\s\src\burn\engine\container.cpp$crypt32.dll$feclient.dll
                                                                                                • API String ID: 2619879409-2236165814
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • GetModuleHandleA.KERNEL32(kernel32.dll), ref: 6CAB251D
                                                                                                • GetLastError.KERNEL32(?,00000000,00000000), ref: 6CAB2529
                                                                                                • GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 6CAB2569
                                                                                                • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 6CAB2575
                                                                                                • GetProcAddress.KERNEL32(00000000,Wow64EnableWow64FsRedirection), ref: 6CAB2580
                                                                                                • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 6CAB258A
                                                                                                • CoCreateInstance.OLE32(6CB33378,00000000,00000001,6CB1C094,?), ref: 6CAB25C5
                                                                                                • ExitProcess.KERNEL32 ref: 6CAB2674
                                                                                                Strings
                                                                                                • Wow64RevertWow64FsRedirection, xrefs: 6CAB2582
                                                                                                • kernel32.dll, xrefs: 6CAB250D
                                                                                                • IsWow64Process, xrefs: 6CAB2563
                                                                                                • Wow64DisableWow64FsRedirection, xrefs: 6CAB256F
                                                                                                • c:\agent\_work\138\s\src\libs\dutil\xmlutil.cpp, xrefs: 6CAB254D
                                                                                                • Wow64EnableWow64FsRedirection, xrefs: 6CAB2577
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000001.00000002.2912952501.000000006CA9B000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CA90000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_1_2_6ca90000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: AddressProc$CreateErrorExitHandleInstanceLastModuleProcess
                                                                                                • String ID: IsWow64Process$Wow64DisableWow64FsRedirection$Wow64EnableWow64FsRedirection$Wow64RevertWow64FsRedirection$c:\agent\_work\138\s\src\libs\dutil\xmlutil.cpp$kernel32.dll
                                                                                                • API String ID: 2124981135-566418578
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • GetModuleHandleA.KERNEL32(kernel32.dll,00000000,00000000,00A53A7E,00000000,?,00000000), ref: 00A534EA
                                                                                                • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00A3BE27,?,00A1547D,?,00000000,?), ref: 00A534F6
                                                                                                • GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 00A53536
                                                                                                • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00A53542
                                                                                                • GetProcAddress.KERNEL32(00000000,Wow64EnableWow64FsRedirection), ref: 00A5354D
                                                                                                • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00A53557
                                                                                                • CoCreateInstance.OLE32(00A7C7A0,00000000,00000001,00A5B878,?,?,?,?,?,?,?,?,?,?,?,00A3BE27), ref: 00A53592
                                                                                                • ExitProcess.KERNEL32 ref: 00A53641
                                                                                                Strings
                                                                                                • Wow64DisableWow64FsRedirection, xrefs: 00A5353C
                                                                                                • Wow64RevertWow64FsRedirection, xrefs: 00A5354F
                                                                                                • c:\agent\_work\138\s\src\libs\dutil\xmlutil.cpp, xrefs: 00A5351A
                                                                                                • Wow64EnableWow64FsRedirection, xrefs: 00A53544
                                                                                                • IsWow64Process, xrefs: 00A53530
                                                                                                • kernel32.dll, xrefs: 00A534DA
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000001.00000002.2911409382.0000000000A11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A10000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_1_2_a10000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: AddressProc$CreateErrorExitHandleInstanceLastModuleProcess
                                                                                                • String ID: IsWow64Process$Wow64DisableWow64FsRedirection$Wow64EnableWow64FsRedirection$Wow64RevertWow64FsRedirection$c:\agent\_work\138\s\src\libs\dutil\xmlutil.cpp$kernel32.dll
                                                                                                • API String ID: 2124981135-566418578
                                                                                                • Opcode ID: 6392704f3c4f862378f0d883822e5f65709be3f664c9cf1df17c9a5cc45a87c9
                                                                                                • Instruction ID: 5048d1d6c01ac7080c3f46ece8224191aa77822f01250d0d9cdc4285e9f63888
                                                                                                • Opcode Fuzzy Hash: 6392704f3c4f862378f0d883822e5f65709be3f664c9cf1df17c9a5cc45a87c9
                                                                                                • Instruction Fuzzy Hash: ED418232A01315BFCF25DBA8C854B6E77A4BF84793F118569ED05EB240EB71DE058AA0
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,wininet.dll,?,00000000,00000000,00000000,?,?,00A1C49F,?,00000000,?,00A1C533), ref: 00A3162E
                                                                                                • GetLastError.KERNEL32(?,00A1C49F,?,00000000,?,00A1C533,00A1547D,?,?,00A154BD,00A154BD,00000000,?,00000000), ref: 00A31637
                                                                                                Strings
                                                                                                • Failed to create operation complete event., xrefs: 00A316AB
                                                                                                • wininet.dll, xrefs: 00A3160D
                                                                                                • Failed to create extraction thread., xrefs: 00A316F7
                                                                                                • Failed to wait for operation complete., xrefs: 00A3170A
                                                                                                • Failed to copy file name., xrefs: 00A31619
                                                                                                • c:\agent\_work\138\s\src\burn\engine\cabextract.cpp, xrefs: 00A3165B, 00A316A1, 00A316ED
                                                                                                • Failed to create begin operation event., xrefs: 00A31665
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000001.00000002.2911409382.0000000000A11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A10000, based on PE: true
                                                                                                • Associated: 00000001.00000002.2911303634.0000000000A10000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                • Associated: 00000001.00000002.2911475855.0000000000A5B000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                • Associated: 00000001.00000002.2911525795.0000000000A7B000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                • Associated: 00000001.00000002.2911556284.0000000000A7E000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_1_2_a10000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: CreateErrorEventLast
                                                                                                • String ID: Failed to copy file name.$Failed to create begin operation event.$Failed to create extraction thread.$Failed to create operation complete event.$Failed to wait for operation complete.$c:\agent\_work\138\s\src\burn\engine\cabextract.cpp$wininet.dll
                                                                                                • API String ID: 545576003-9491624
                                                                                                • Opcode ID: 1a2f0c116b27f1465c7f729a1f71d5d4e8cfdc191c290dad4db25ad1e687c90a
                                                                                                • Instruction ID: 1d1becb393c6970a1256d32271017a3bce0c3fdb82ec5678b759c9bd01ca9e24
                                                                                                • Opcode Fuzzy Hash: 1a2f0c116b27f1465c7f729a1f71d5d4e8cfdc191c290dad4db25ad1e687c90a
                                                                                                • Instruction Fuzzy Hash: D72106B3A41736B7E22157E49D47F6BAA6CBF00BA1F054622FD04BB580EB64DC014AF1
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • GetProcAddress.KERNELBASE(SystemFunction040,AdvApi32.dll), ref: 00A500F1
                                                                                                • GetProcAddress.KERNEL32(SystemFunction041), ref: 00A50103
                                                                                                • GetProcAddress.KERNEL32(CryptProtectMemory,Crypt32.dll), ref: 00A50146
                                                                                                • GetLastError.KERNEL32(?,?,?,?,?,?), ref: 00A5015A
                                                                                                • GetProcAddress.KERNEL32(CryptUnprotectMemory), ref: 00A50192
                                                                                                • GetLastError.KERNEL32(?,?,?,?,?,?), ref: 00A501A6
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000001.00000002.2911409382.0000000000A11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A10000, based on PE: true
                                                                                                • Associated: 00000001.00000002.2911303634.0000000000A10000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                • Associated: 00000001.00000002.2911475855.0000000000A5B000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                • Associated: 00000001.00000002.2911525795.0000000000A7B000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                • Associated: 00000001.00000002.2911556284.0000000000A7E000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_1_2_a10000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: AddressProc$ErrorLast
                                                                                                • String ID: AdvApi32.dll$Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory$SystemFunction040$SystemFunction041$c:\agent\_work\138\s\src\libs\dutil\cryputil.cpp
                                                                                                • API String ID: 4214558900-403682633
                                                                                                • Opcode ID: 06e0d712535c04a236ee2be6d881e6543284f985aa1b8279294b59300552f6aa
                                                                                                • Instruction ID: 4f72ad8a299b9121e7b55ba1aa30b274e3fe12cc2dff12157dfa718a05cc8d84
                                                                                                • Opcode Fuzzy Hash: 06e0d712535c04a236ee2be6d881e6543284f985aa1b8279294b59300552f6aa
                                                                                                • Instruction Fuzzy Hash: C921AD37981F31B7C731DB94AD45F267960B7107A2F02E629EC09B61B0D3709C8987D1
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • GetUpdateRect.USER32(?,00000000,00000000), ref: 6CAB03EB
                                                                                                • BeginPaint.USER32(?,?), ref: 6CAB0400
                                                                                                • EndPaint.USER32(?,?,?,?), ref: 6CAB0415
                                                                                                • GetClientRect.USER32(?,?), ref: 6CAB0434
                                                                                                • MoveWindow.USER32(?,?,?,?,?,00000001), ref: 6CAB0493
                                                                                                • SendMessageW.USER32(?,0000101E,?,?), ref: 6CAB04E2
                                                                                                • GetDlgItem.USER32(?,?), ref: 6CAB0563
                                                                                                • GetKeyState.USER32(00000010), ref: 6CAB05F5
                                                                                                • GetNextDlgTabItem.USER32(?,?,00000000), ref: 6CAB060A
                                                                                                • SetFocus.USER32(00000000), ref: 6CAB0611
                                                                                                • DefWindowProcW.USER32(?,?,?,?), ref: 6CAB06FA
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000001.00000002.2912952501.000000006CA9B000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CA90000, based on PE: true
                                                                                                • Associated: 00000001.00000002.2912936616.000000006CA90000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                • Associated: 00000001.00000002.2912952501.000000006CA91000.00000020.00000001.01000000.00000007.sdmpDownload File
                                                                                                • Associated: 00000001.00000002.2912952501.000000006CA98000.00000020.00000001.01000000.00000007.sdmpDownload File
                                                                                                • Associated: 00000001.00000002.2912952501.000000006CB16000.00000020.00000001.01000000.00000007.sdmpDownload File
                                                                                                • Associated: 00000001.00000002.2913054141.000000006CB18000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                • Associated: 00000001.00000002.2913098126.000000006CB32000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                • Associated: 00000001.00000002.2913148724.000000006CB35000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                • Associated: 00000001.00000002.2913148724.000000006CB39000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_1_2_6ca90000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: ItemPaintRectWindow$BeginClientFocusMessageMoveNextProcSendStateUpdate
                                                                                                • String ID: open
                                                                                                • API String ID: 3202820204-2758837156
                                                                                                • Opcode ID: 7afe4b11ba60fbda6478e8b3c6c14cbbbfd10da1075a7532c4e52e3ceaff4122
                                                                                                • Instruction ID: cec0509a01ca078acc065c5b5184ec66bd193a10c1b5fc7e839a48dba4bc7b43
                                                                                                • Opcode Fuzzy Hash: 7afe4b11ba60fbda6478e8b3c6c14cbbbfd10da1075a7532c4e52e3ceaff4122
                                                                                                • Instruction Fuzzy Hash: 72A1D3B1A01245AFDB248E64CE84AEEB7BDEF89304F144599E615B3910C770E9C5CFA0
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • CompareStringA.KERNELBASE(00000000,00000000,<the>.cab,?,?), ref: 00A307B5
                                                                                                • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,?), ref: 00A307CD
                                                                                                • GetCurrentProcess.KERNEL32(?,00000000,?,?), ref: 00A307D2
                                                                                                • DuplicateHandle.KERNELBASE(00000000,?,?), ref: 00A307D5
                                                                                                • GetLastError.KERNEL32(?,?), ref: 00A307DF
                                                                                                • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,08000080,00000000,?,?), ref: 00A3084E
                                                                                                • GetLastError.KERNEL32(?,?), ref: 00A3085B
                                                                                                Strings
                                                                                                • Failed to duplicate handle to cab container., xrefs: 00A3080D
                                                                                                • Failed to open cabinet file: %hs, xrefs: 00A3088C
                                                                                                • <the>.cab, xrefs: 00A307AE
                                                                                                • c:\agent\_work\138\s\src\burn\engine\cabextract.cpp, xrefs: 00A30803, 00A3087F
                                                                                                • Failed to add virtual file pointer for cab container., xrefs: 00A30834
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000001.00000002.2911409382.0000000000A11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A10000, based on PE: true
                                                                                                • Associated: 00000001.00000002.2911303634.0000000000A10000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                • Associated: 00000001.00000002.2911475855.0000000000A5B000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                • Associated: 00000001.00000002.2911525795.0000000000A7B000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                • Associated: 00000001.00000002.2911556284.0000000000A7E000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_1_2_a10000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: CurrentErrorLastProcess$CompareCreateDuplicateFileHandleString
                                                                                                • String ID: <the>.cab$Failed to add virtual file pointer for cab container.$Failed to duplicate handle to cab container.$Failed to open cabinet file: %hs$c:\agent\_work\138\s\src\burn\engine\cabextract.cpp
                                                                                                • API String ID: 3030546534-4070612573
                                                                                                • Opcode ID: caff0565a4cf3e0e760c8be76ba6031e05103cee897cdd508fd098a25369eacd
                                                                                                • Instruction ID: 58ae66433306e1d2d383383c1b076339dbba5fc33d362f272402442acbf5b01c
                                                                                                • Opcode Fuzzy Hash: caff0565a4cf3e0e760c8be76ba6031e05103cee897cdd508fd098a25369eacd
                                                                                                • Instruction Fuzzy Hash: 5731DF76951635FBDB219B989D19E9F7E68FF14BA2F014221FD08BB290D7609D008AF0
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                  • Part of subcall function 00A23B19: RegCloseKey.ADVAPI32(00000000,SOFTWARE\Policies\Microsoft\Windows\Installer,00020019,00000000,?,?,?,?,00A24029,feclient.dll,?,00000000,?,?,?,00A14B92), ref: 00A23BBA
                                                                                                • Sleep.KERNEL32(000007D0,00000001,feclient.dll,?,00000000,?,?,?,00A14B92,?,?,00A5B478,?,00000001,00000000,00000000), ref: 00A240C0
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000001.00000002.2911409382.0000000000A11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A10000, based on PE: true
                                                                                                • Associated: 00000001.00000002.2911303634.0000000000A10000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                • Associated: 00000001.00000002.2911475855.0000000000A5B000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                • Associated: 00000001.00000002.2911525795.0000000000A7B000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                • Associated: 00000001.00000002.2911556284.0000000000A7E000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_1_2_a10000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: CloseSleep
                                                                                                • String ID: Failed to copy full log path to prefix.$Failed to copy log extension to extension.$Failed to copy log path to prefix.$Failed to get current directory.$Failed to get non-session specific TEMP folder.$Failed to open log: %ls$Setup$clbcatq.dll$crypt32.dll$feclient.dll$log$msasn1.dll
                                                                                                • API String ID: 2834455192-2673269691
                                                                                                • Opcode ID: 4cb58b14d3e3f5d34f0050449e39e6265f92c08bf82a8e9fc33887f28aee8d94
                                                                                                • Instruction ID: bbbf16dc052a5f3290623c2b2ebf0cf57fede169967e4bcb071474e56462ad64
                                                                                                • Opcode Fuzzy Hash: 4cb58b14d3e3f5d34f0050449e39e6265f92c08bf82a8e9fc33887f28aee8d94
                                                                                                • Instruction Fuzzy Hash: FE61A171A04635EADF159B6CE942BBA76B9FF18340B048635FD01DB140E774EDA08791
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • GetModuleHandleA.KERNEL32(Kernel32.dll,GetThreadPreferredUILanguages), ref: 6CAA7FA3
                                                                                                • GetProcAddress.KERNEL32(00000000), ref: 6CAA7FAA
                                                                                                • GetLastError.KERNEL32 ref: 6CAA802E
                                                                                                • GetLastError.KERNEL32 ref: 6CAA808C
                                                                                                • GetUserDefaultUILanguage.KERNEL32(?,00000000,?,?,?,00000002), ref: 6CAA814F
                                                                                                • GetUserDefaultLangID.KERNEL32 ref: 6CAA8157
                                                                                                • GetSystemDefaultUILanguage.KERNEL32(?,00000000,?,?,?), ref: 6CAA820B
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000001.00000002.2912952501.000000006CA9B000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CA90000, based on PE: true
                                                                                                • Associated: 00000001.00000002.2912936616.000000006CA90000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                • Associated: 00000001.00000002.2912952501.000000006CA91000.00000020.00000001.01000000.00000007.sdmpDownload File
                                                                                                • Associated: 00000001.00000002.2912952501.000000006CA98000.00000020.00000001.01000000.00000007.sdmpDownload File
                                                                                                • Associated: 00000001.00000002.2912952501.000000006CB16000.00000020.00000001.01000000.00000007.sdmpDownload File
                                                                                                • Associated: 00000001.00000002.2913054141.000000006CB18000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                • Associated: 00000001.00000002.2913098126.000000006CB32000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                • Associated: 00000001.00000002.2913148724.000000006CB35000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                • Associated: 00000001.00000002.2913148724.000000006CB39000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_1_2_6ca90000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: Default$ErrorLanguageLastUser$AddressHandleLangModuleProcSystem
                                                                                                • String ID: %u\%ls$GetThreadPreferredUILanguages$Kernel32.dll$c:\agent\_work\138\s\src\libs\dutil\locutil.cpp
                                                                                                • API String ID: 1135603519-642233935
                                                                                                • Opcode ID: 5113dd059ef73680d41e061a89dd76f650120db87f242263226cfb955dcb3805
                                                                                                • Instruction ID: 802684aa40b67888d6cc666f8e6edf65c9ae58a40f0bf80eea687d1c8a4796d8
                                                                                                • Opcode Fuzzy Hash: 5113dd059ef73680d41e061a89dd76f650120db87f242263226cfb955dcb3805
                                                                                                • Instruction Fuzzy Hash: E7A18172C12A69BBDB119AD0CD45BFF7AB8AF00715F044166ED20F7A40E734CE8997A4
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,74DF2F60,?,?), ref: 00A313BE
                                                                                                • GetLastError.KERNEL32 ref: 00A313D1
                                                                                                • GetExitCodeThread.KERNELBASE(00A5B478,00000000), ref: 00A31413
                                                                                                • GetLastError.KERNEL32 ref: 00A31421
                                                                                                • ResetEvent.KERNEL32(00A5B450), ref: 00A3145C
                                                                                                • GetLastError.KERNEL32 ref: 00A31466
                                                                                                Strings
                                                                                                • Failed to get extraction thread exit code., xrefs: 00A31452
                                                                                                • Failed to reset operation complete event., xrefs: 00A31497
                                                                                                • Failed to wait for operation complete event., xrefs: 00A31402
                                                                                                • c:\agent\_work\138\s\src\burn\engine\cabextract.cpp, xrefs: 00A313F8, 00A31448, 00A3148D
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000001.00000002.2911409382.0000000000A11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A10000, based on PE: true
                                                                                                • Associated: 00000001.00000002.2911303634.0000000000A10000.00000002.00000001.01000000.00000005.sdmp
                                                                                                • Associated: 00000001.00000002.2911475855.0000000000A5B000.00000002.00000001.01000000.00000005.sdmp
                                                                                                • Associated: 00000001.00000002.2911525795.0000000000A7B000.00000004.00000001.01000000.00000005.sdmp
                                                                                                • Associated: 00000001.00000002.2911556284.0000000000A7E000.00000002.00000001.01000000.00000005.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_1_2_a10000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: ErrorLast$CodeEventExitMultipleObjectsResetThreadWait
                                                                                                • String ID: Failed to get extraction thread exit code.$Failed to reset operation complete event.$Failed to wait for operation complete event.$c:\agent\_work\138\s\src\burn\engine\cabextract.cpp
                                                                                                • API String ID: 2979751695-2767648441
                                                                                                • Opcode ID: 3596e51e8ce4c91488c681d9961fd009b9a7607792e2e484347dde91c6f53c96
                                                                                                • Instruction ID: 917130ecfdc668af60f1025a0fb4676328b3a627eec2c30053fe97363df31b1b
                                                                                                • Opcode Fuzzy Hash: 3596e51e8ce4c91488c681d9961fd009b9a7607792e2e484347dde91c6f53c96
                                                                                                • Instruction Fuzzy Hash: C3318FB1A00316FBEB00DFA49D05BBE77F8BB04712F108119F405EA1A0EB71DA409B61
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • GetFileVersionInfoSizeW.VERSION(?,?), ref: 6CAA6F11
                                                                                                • GetLastError.KERNEL32(?,?), ref: 6CAA6F25
                                                                                                • GlobalAlloc.KERNEL32(00000000,00000000,?,?), ref: 6CAA6F52
                                                                                                • GetFileVersionInfoW.VERSION(?,?,?,00000000), ref: 6CAA6F75
                                                                                                • GetLastError.KERNEL32(?,?,?,00000000), ref: 6CAA6F7E
                                                                                                • VerQueryValueW.VERSION(00000000,6CB1B8D0,?,?,?,?,?,00000000), ref: 6CAA6FB3
                                                                                                • GetLastError.KERNEL32(00000000,6CB1B8D0,?,?,?,?,?,00000000), ref: 6CAA6FBC
                                                                                                • GlobalFree.KERNEL32(00000000), ref: 6CAA6FED
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000001.00000002.2912952501.000000006CA9B000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CA90000, based on PE: true
                                                                                                • Associated: 00000001.00000002.2912936616.000000006CA90000.00000002.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2912952501.000000006CA91000.00000020.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2912952501.000000006CA98000.00000020.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2912952501.000000006CB16000.00000020.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2913054141.000000006CB18000.00000002.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2913098126.000000006CB32000.00000004.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2913148724.000000006CB35000.00000002.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2913148724.000000006CB39000.00000002.00000001.01000000.00000007.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_1_2_6ca90000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: ErrorLast$FileGlobalInfoVersion$AllocFreeQuerySizeValue
                                                                                                • String ID: c:\agent\_work\138\s\src\libs\dutil\fileutil.cpp
                                                                                                • API String ID: 2342464106-3168567549
                                                                                                • Opcode ID: fba39edd39aa5388ca6e3718d6899ffc3e5ab18c082d7af3a770077f6ebc35bd
                                                                                                • Instruction ID: 4b44bbf6054b788ff9d47602bb73fd809b253232df3b768016007571e9ce2efa
                                                                                                • Opcode Fuzzy Hash: fba39edd39aa5388ca6e3718d6899ffc3e5ab18c082d7af3a770077f6ebc35bd
                                                                                                • Instruction Fuzzy Hash: CC31E477954225ABC7118ADDCC00ECFFAB8AF49764F054266ED18E7B40E731D8428AE0
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • InvalidateRect.USER32(?,00000000,00000001,?,?,00000000), ref: 6CAA1B12
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000001.00000002.2912952501.000000006CA9B000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CA90000, based on PE: true
                                                                                                • Associated: 00000001.00000002.2912936616.000000006CA90000.00000002.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2912952501.000000006CA91000.00000020.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2912952501.000000006CA98000.00000020.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2912952501.000000006CB16000.00000020.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2913054141.000000006CB18000.00000002.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2913098126.000000006CB32000.00000004.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2913148724.000000006CB35000.00000002.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2913148724.000000006CB39000.00000002.00000001.01000000.00000007.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_1_2_6ca90000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: InvalidateRect
                                                                                                • String ID: #(loc.Include_launcherHelp)$#(loc.Include_launcherRemove)$#(loc.Include_launcherUpgrade)$0x%08x - %ls$DetectedLauncher$DetectedOldLauncher$InstallLauncherAllUsers
                                                                                                • API String ID: 634782764-3320291752
                                                                                                • Opcode ID: acc88b2b1576c88c141066c63325f55da158251e1127d3860ae2c8ff5d6b34f3
                                                                                                • Instruction ID: 7fa6999abda49c875bc460a19878e7ef2c62da75e89b7ad1799fcd99d72965f8
                                                                                                • Opcode Fuzzy Hash: acc88b2b1576c88c141066c63325f55da158251e1127d3860ae2c8ff5d6b34f3
                                                                                                • Instruction Fuzzy Hash: 79A1B275A00704FAEB108FA0CE46FEA77F9AF44308F004529E759ABA50D771E9C9CB55
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • CompareStringW.KERNEL32(00000000,00000000,00000000,000000FF,disable,000000FF,00000000,?), ref: 6CAA11A3
                                                                                                • CompareStringW.KERNEL32(00000000,00000000,00000000,000000FF,hide,000000FF), ref: 6CAA11D4
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000001.00000002.2912952501.000000006CA9B000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CA90000, based on PE: true
                                                                                                • Associated: 00000001.00000002.2912936616.000000006CA90000.00000002.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2912952501.000000006CA91000.00000020.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2912952501.000000006CA98000.00000020.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2912952501.000000006CB16000.00000020.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2913054141.000000006CB18000.00000002.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2913098126.000000006CB32000.00000004.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2913148724.000000006CB35000.00000002.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2913148724.000000006CB39000.00000002.00000001.01000000.00000007.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_1_2_6ca90000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: CompareString
                                                                                                • String ID: #(loc.%lsNote)$%lsState$Disable control %ls$Hide control %ls$disable$hide
                                                                                                • API String ID: 1825529933-2350438598
                                                                                                • Opcode ID: 1892e067cc28ed903ae6438d2106857c519389d5ea31ece5f69b603685ce4bdb
                                                                                                • Instruction ID: daf0eb70da2c9cbb32992bd322136c037d814498d285b9f74f48b26af206dba5
                                                                                                • Opcode Fuzzy Hash: 1892e067cc28ed903ae6438d2106857c519389d5ea31ece5f69b603685ce4bdb
                                                                                                • Instruction Fuzzy Hash: F7819070A01209FAEB108BA5CD41BBEB7F8EF05318F144569FA24E7A90E771E9C9D710
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • InitializeCriticalSection.KERNEL32(?), ref: 6CA9B318
                                                                                                • GetFileVersionInfoSizeW.VERSION ref: 6CA9B439
                                                                                                • GetFileVersionInfoW.VERSION(ucrtbase.dll,00000000,?,00000000), ref: 6CA9B462
                                                                                                • VerQueryValueW.VERSION(?,6CB1B8D0,?,?,ucrtbase.dll,00000000,?,00000000), ref: 6CA9B48A
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000001.00000002.2912952501.000000006CA9B000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CA90000, based on PE: true
                                                                                                • Associated: 00000001.00000002.2912936616.000000006CA90000.00000002.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2912952501.000000006CA91000.00000020.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2912952501.000000006CA98000.00000020.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2912952501.000000006CB16000.00000020.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2913054141.000000006CB18000.00000002.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2913098126.000000006CB32000.00000004.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2913148724.000000006CB35000.00000002.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2913148724.000000006CB39000.00000002.00000001.01000000.00000007.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_1_2_6ca90000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: FileInfoVersion$CriticalInitializeQuerySectionSizeValue
                                                                                                • String ID: CRTInstalled$WixBundleForcedRestartPackage$WixBundleInstalled$ucrtbase.dll
                                                                                                • API String ID: 681917485-1387255620
                                                                                                • Opcode ID: 62b6338a274d0e6e3556c37bcd792f406d09d37f8c986947dba4c3eb5f1bfa8d
                                                                                                • Instruction ID: a3b068a3fae314c2df2da37b3cbcc2e46cc16b74f403a438b774e0c241285fde
                                                                                                • Opcode Fuzzy Hash: 62b6338a274d0e6e3556c37bcd792f406d09d37f8c986947dba4c3eb5f1bfa8d
                                                                                                • Instruction Fuzzy Hash: F5A16DB0510B45CFE720CF25C955B9BBBF4FF45308F104A1DE5AA9BA90D7B5A088CB90
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • PostMessageW.USER32(?,00008068,00000000,?), ref: 6CA9E78B
                                                                                                • PostMessageW.USER32(?,00008066,00000000,?), ref: 6CA9E7BA
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000001.00000002.2912952501.000000006CA9B000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CA90000, based on PE: true
                                                                                                • Associated: 00000001.00000002.2912936616.000000006CA90000.00000002.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2912952501.000000006CA91000.00000020.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2912952501.000000006CA98000.00000020.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2912952501.000000006CB16000.00000020.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2913054141.000000006CB18000.00000002.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2913098126.000000006CB32000.00000004.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2913148724.000000006CB35000.00000002.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2913148724.000000006CB39000.00000002.00000001.01000000.00000007.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_1_2_6ca90000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: MessagePost
                                                                                                • String ID: %ls$AssociateFiles$Bundle condition evaluated to false: %ls$Failed to evaluate condition.$Include_launcher$Running detect complete BA function
                                                                                                • API String ID: 410705778-64571480
                                                                                                • Opcode ID: e376296feff2dbe3756e8088632e93a8c89e28d17168ab0a352f743dee32d01c
                                                                                                • Instruction ID: a4f865a40c6214de0bcc8142efee989422ec4ea91d87eac2635010148c0d6d6d
                                                                                                • Opcode Fuzzy Hash: e376296feff2dbe3756e8088632e93a8c89e28d17168ab0a352f743dee32d01c
                                                                                                • Instruction Fuzzy Hash: 2F51C531610704ABD7209F65CC82FCA77E5BF45308F144829E66A9BA92DB71F8D8CB91
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • SysFreeString.OLEAUT32(?), ref: 6CAAF6D8
                                                                                                • GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,FF000000,00000000,ImageResource,?,?,00000000,Image,?), ref: 6CAAF747
                                                                                                • SysFreeString.OLEAUT32(00000000), ref: 6CAAF799
                                                                                                Strings
                                                                                                • ImageFile, xrefs: 6CAAF6EC
                                                                                                • ImageResource, xrefs: 6CAAF690
                                                                                                • c:\agent\_work\138\s\src\libs\dutil\thmutil.cpp, xrefs: 6CAAF769
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000001.00000002.2912952501.000000006CA9B000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CA90000, based on PE: true
                                                                                                • Associated: 00000001.00000002.2912936616.000000006CA90000.00000002.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2912952501.000000006CA91000.00000020.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2912952501.000000006CA98000.00000020.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2912952501.000000006CB16000.00000020.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2913054141.000000006CB18000.00000002.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2913098126.000000006CB32000.00000004.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2913148724.000000006CB35000.00000002.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2913148724.000000006CB39000.00000002.00000001.01000000.00000007.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_1_2_6ca90000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: FreeString$BitmapCreateFromGdip
                                                                                                • String ID: ImageFile$ImageResource$c:\agent\_work\138\s\src\libs\dutil\thmutil.cpp
                                                                                                • API String ID: 199785505-2790893307
                                                                                                • Opcode ID: b98a6eb7ac11a58a3e3eb77fcb5770c1aa313ada06ee904dbbf8e409087ce850
                                                                                                • Instruction ID: c13af80b53f0dbcee688c46c50e5de73cb9dba92b3aaba21d008b7438bd92e51
                                                                                                • Opcode Fuzzy Hash: b98a6eb7ac11a58a3e3eb77fcb5770c1aa313ada06ee904dbbf8e409087ce850
                                                                                                • Instruction Fuzzy Hash: D8318D36D01519BBCF129FD5CD01ADEBBB9EF40318F244169E814B7A20D7319A95EB90
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

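Every function block above has the same fixed layout (APIs, Strings, Memory Dump Source, Joe Sandbox IDA Plugin, Similarity, Uniqueness), and the build paths left in the binary (src\burn\engine\cabextract.cpp, src\libs\dutil\fileutil.cpp, src\libs\dutil\thmutil.cpp) together with the WixBundle* variable names identify the code as the WiX Burn bootstrapper engine that the official Python installer is built with, not code specific to this sample. The Python below is an added example, not part of the Joe Sandbox report and not Joe Sandbox code: it parses blocks in this layout into records, recovers the embedded source path from the Strings or the String ID, converts each call site's ref address to an image-relative offset using the block's Offset (so call sites can be compared across runs with different load addresses), and splits the .sdmp dump names. The sample input is constructed from two of the blocks above; the roles assigned to the dump-name fields (process index, dump pass, region id, region base, page protection) are an assumption the report does not document.

```python
"""Parse the Joe Sandbox IDA-plugin function blocks above into records for bulk
triage: which image a function lives in, which WiX/Burn source file it came
from, and the image-relative offsets of its API call sites.  Added example, not
Joe Sandbox code.  The roles given to the .sdmp name fields are an assumption."""
import re
from collections import defaultdict

# Constructed sample: two blocks copied from the report, trimmed to a few lines each.
SAMPLE = """\
APIs
• WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,74DF2F60,?,?), ref: 00A313BE
• GetLastError.KERNEL32 ref: 00A313D1
• GetExitCodeThread.KERNELBASE(00A5B478,00000000), ref: 00A31413
Strings
• Failed to get extraction thread exit code., xrefs: 00A31452
• c:\\agent\\_work\\138\\s\\src\\burn\\engine\\cabextract.cpp, xrefs: 00A313F8, 00A31448, 00A3148D
Memory Dump Source
• Source File: 00000001.00000002.2911409382.0000000000A11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A10000, based on PE: true
• Associated: 00000001.00000002.2911525795.0000000000A7B000.00000004.00000001.01000000.00000005.sdmpDownload File
Similarity
• API ID: ErrorLast$CodeEventExitMultipleObjectsResetThreadWait
• Opcode ID: 3596e51e8ce4c91488c681d9961fd009b9a7607792e2e484347dde91c6f53c96
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetFileVersionInfoSizeW.VERSION(?,?), ref: 6CAA6F11
• VerQueryValueW.VERSION(00000000,6CB1B8D0,?,?,?,?,?,00000000), ref: 6CAA6FB3
Strings
Memory Dump Source
• Source File: 00000001.00000002.2912952501.000000006CA9B000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CA90000, based on PE: true
Similarity
• String ID: c:\\agent\\_work\\138\\s\\src\\libs\\dutil\\fileutil.cpp
• Opcode ID: fba39edd39aa5388ca6e3718d6899ffc3e5ab18c082d7af3a770077f6ebc35bd
Uniqueness
Uniqueness Score: -1.00%
"""

API_RE = re.compile(r"^• (?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>.*)\),)? ref: (?P<ref>[0-9A-F]+)$")
STRING_RE = re.compile(r"^• (?P<text>.*), xrefs: (?P<xrefs>[0-9A-F, ]+)$")
SOURCE_RE = re.compile(r"^• Source File: (?P<dump>\S+), Offset: (?P<offset>[0-9A-F]+), based on PE: (?P<pe>true|false)$")
SRC_PATH_RE = re.compile(r"[A-Za-z]:\\[^$,\n]+?\.(?:cpp|c|h)")  # build path the compiler left in the binary
SECTIONS = ("Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity", "Uniqueness")
# Win32 PAGE_* values; in the report the 0x20 regions hold code, 0x02/0x04 headers and data.
PAGE_PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}

def parse_dump_name(name):
    """Split '<proc>.<pass>.<id>.<base>.<protect>.<...>.sdmp' (field roles assumed).
    Splitting on '.sdmp' also drops the 'Download File' link text that HTML
    extraction glues onto the name in the report."""
    f = name.split(".sdmp", 1)[0].split(".")
    prot = int(f[4], 16)
    return {"process": int(f[0]), "pass": int(f[1]), "region_id": f[2], "base": int(f[3], 16),
            "protection": PAGE_PROTECT.get(prot, hex(prot)), "rest": f[5:]}

def parse_blocks(text):
    """One record per function; a block starts at its 'APIs' header."""
    blocks, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = {"apis": [], "strings": [], "dump": None, "associated": [], "offset": None, "ids": {}}
            blocks.append(cur)
            section = "APIs"
        elif not line or cur is None:
            continue
        elif line in SECTIONS:
            section = line
        elif line.startswith("Uniqueness Score:"):
            cur["uniqueness"] = line.split(":", 1)[1].strip()
        elif section == "APIs" and (m := API_RE.match(line)):
            cur["apis"].append({"name": m["name"], "module": m["module"], "args": m["args"], "ref": int(m["ref"], 16)})
        elif section == "Strings" and (m := STRING_RE.match(line)):
            cur["strings"].append({"text": m["text"], "xrefs": [int(x, 16) for x in m["xrefs"].split(",")]})
        elif section == "Memory Dump Source" and (m := SOURCE_RE.match(line)):
            cur["dump"], cur["offset"] = parse_dump_name(m["dump"]), int(m["offset"], 16)
        elif section == "Memory Dump Source" and line.startswith("• Associated: "):
            cur["associated"].append(parse_dump_name(line[len("• Associated: "):]))
        elif section in ("Similarity", "Joe Sandbox IDA Plugin"):
            key, _, value = line[2:].partition(": ")  # drop the bullet
            cur["ids"][key] = value
    return blocks

def source_file(block):
    """Source path the compiler embedded, found in Strings or in the String ID."""
    for text in [s["text"] for s in block["strings"]] + [block["ids"].get("String ID", "")]:
        if m := SRC_PATH_RE.search(text):
            return m.group(0)
    return None

def summarize(blocks):
    """Group functions by (image base, source file) with their APIs and call-site RVAs."""
    out = defaultdict(list)
    for b in blocks:
        out[(f"{b['offset']:08X}", source_file(b) or "<no source path>")].append({
            "opcode_id": b["ids"].get("Opcode ID"),
            "apis": [a["name"] for a in b["apis"]],
            "call_sites": [f"{a['ref'] - b['offset']:X}" for a in b["apis"]]})  # RVA = VA - image base
    return dict(out)
```

Run over a whole report, summarize() gives one row per (module, source file), which is the quickest way to see that the functions listed here belong to two images (the 00A10000 bootstrapper and the 6CA90000 DLL) and to a handful of WiX source files, and the call-site RVAs let the same function be matched against a second run or a different Python release regardless of where the loader mapped the image.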
                                                                                                APIs
                                                                                                • EnterCriticalSection.KERNEL32(00000000,00000000,00000000,?,?,?,00A159A1,00000100,00000100,00000000,?,00000001,00000000,00000100), ref: 00A173F0
                                                                                                • LeaveCriticalSection.KERNEL32(00000000,00000000,00000100,00000000,?,?,?,00A159A1,00000100,00000100,00000000,?,00000001,00000000,00000100), ref: 00A174CF
                                                                                                Strings
                                                                                                • *****, xrefs: 00A1748B, 00A17498
                                                                                                • Failed to get unformatted string., xrefs: 00A17460
                                                                                                • Failed to format value '%ls' of variable: %ls, xrefs: 00A17499
                                                                                                • Failed to get variable: %ls, xrefs: 00A17431
                                                                                                • Failed to get value as string for variable: %ls, xrefs: 00A174BE
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000001.00000002.2911409382.0000000000A11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A10000, based on PE: true
                                                                                                • Associated: 00000001.00000002.2911303634.0000000000A10000.00000002.00000001.01000000.00000005.sdmp
                                                                                                • Associated: 00000001.00000002.2911475855.0000000000A5B000.00000002.00000001.01000000.00000005.sdmp
                                                                                                • Associated: 00000001.00000002.2911525795.0000000000A7B000.00000004.00000001.01000000.00000005.sdmp
                                                                                                • Associated: 00000001.00000002.2911556284.0000000000A7E000.00000002.00000001.01000000.00000005.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_1_2_a10000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: CriticalSection$EnterLeave
                                                                                                • String ID: *****$Failed to format value '%ls' of variable: %ls$Failed to get unformatted string.$Failed to get value as string for variable: %ls$Failed to get variable: %ls
                                                                                                • API String ID: 3168844106-2873099529
                                                                                                • Opcode ID: e96137b06ead50e2abcc2e65e0d4e1f5ae36a45ba696587d1df797a4840ff0ec
                                                                                                • Instruction ID: 3d82496e2f7c4b3a077ad2308dd2fb5ca1caa146d64868d09e748bc5bce463c4
                                                                                                • Opcode Fuzzy Hash: e96137b06ead50e2abcc2e65e0d4e1f5ae36a45ba696587d1df797a4840ff0ec
                                                                                                • Instruction Fuzzy Hash: B731BC3690862AFBCF219B90CD05FDE7E35FF14326F105124F908A6590D771AAE48BD5
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • RegQueryValueExW.KERNELBASE(00000000,000002C0,00000000,000002C0,00000000,00000000,000002C0,BundleUpgradeCode,00000410,000002C0,00000000,00000000,00000000,00000100,00000000), ref: 00A516EF
                                                                                                • RegQueryValueExW.KERNELBASE(?,00000000,00000000,?,?,?,?,?,?,00A270CF,00000100,000000B0,00000088,00000410,000002C0), ref: 00A51726
                                                                                                • lstrlenW.KERNEL32(?,?,?,00000000,?,-00000001,00000004,00000000), ref: 00A51818
                                                                                                Strings
                                                                                                • BundleUpgradeCode, xrefs: 00A516CE
                                                                                                • c:\agent\_work\138\s\src\libs\dutil\regutil.cpp, xrefs: 00A51769
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000001.00000002.2911409382.0000000000A11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A10000, based on PE: true
                                                                                                • Associated: 00000001.00000002.2911303634.0000000000A10000.00000002.00000001.01000000.00000005.sdmp
                                                                                                • Associated: 00000001.00000002.2911475855.0000000000A5B000.00000002.00000001.01000000.00000005.sdmp
                                                                                                • Associated: 00000001.00000002.2911525795.0000000000A7B000.00000004.00000001.01000000.00000005.sdmp
                                                                                                • Associated: 00000001.00000002.2911556284.0000000000A7E000.00000002.00000001.01000000.00000005.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_1_2_a10000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: QueryValue$lstrlen
                                                                                                • String ID: BundleUpgradeCode$c:\agent\_work\138\s\src\libs\dutil\regutil.cpp
                                                                                                • API String ID: 3790715954-4149154654
                                                                                                • Opcode ID: f8147bf9021c01439a54897fd26c99371ab673f66e93acf36580e6ef51e8f850
                                                                                                • Instruction ID: 32a7e1e447f9e1545acb80c931c6f18d54d52097c26c460deb66f6929bb35448
                                                                                                • Opcode Fuzzy Hash: f8147bf9021c01439a54897fd26c99371ab673f66e93acf36580e6ef51e8f850
                                                                                                • Instruction Fuzzy Hash: 48417C35E0021AABCB258F99D885FBE77B9FF44712B154169FC05AB210D6309D05CFA0
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • SysFreeString.OLEAUT32(00000000), ref: 6CAAFC61
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000001.00000002.2912952501.000000006CA9B000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CA90000, based on PE: true
                                                                                                • Associated: 00000001.00000002.2912936616.000000006CA90000.00000002.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2912952501.000000006CA91000.00000020.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2912952501.000000006CA98000.00000020.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2912952501.000000006CB16000.00000020.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2913054141.000000006CB18000.00000002.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2913098126.000000006CB32000.00000004.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2913148724.000000006CB35000.00000002.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2913148724.000000006CB39000.00000002.00000001.01000000.00000007.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_1_2_6ca90000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: FreeString
                                                                                                • String ID: Name$Page$c:\agent\_work\138\s\src\libs\dutil\thmutil.cpp
                                                                                                • API String ID: 3341692771-1197800903
                                                                                                • Opcode ID: 286b22cada213bbc8234f8d77b4121dd930bb317045b94487e75a84a0219ee55
                                                                                                • Instruction ID: 5e15bc559060fb248738302a643e9c247de6a539c7841e4834d9dee46366c695
                                                                                                • Opcode Fuzzy Hash: 286b22cada213bbc8234f8d77b4121dd930bb317045b94487e75a84a0219ee55
                                                                                                • Instruction Fuzzy Hash: 2041AA71901229BFDB05CFA5CC40AAEB7B8AF04349F1401A9E911E7620D731DA89DB90
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • CreateDirectoryW.KERNELBASE(?,840F01E8,00000000,00000000,?,00A2A0C3,00000000,00000000,?,00000000,00A15435,00000000,?,?,00A1D652,?), ref: 00A141A8
                                                                                                • GetLastError.KERNEL32(?,00A2A0C3,00000000,00000000,?,00000000,00A15435,00000000,?,?,00A1D652,?,00000000,00000000), ref: 00A141B6
                                                                                                • CreateDirectoryW.KERNEL32(?,840F01E8,00A15501,?,00A2A0C3,00000000,00000000,?,00000000,00A15435,00000000,?,?,00A1D652,?,00000000), ref: 00A14226
                                                                                                • GetLastError.KERNEL32(?,00A2A0C3,00000000,00000000,?,00000000,00A15435,00000000,?,?,00A1D652,?,00000000,00000000), ref: 00A14230
                                                                                                Strings
                                                                                                • c:\agent\_work\138\s\src\libs\dutil\dirutil.cpp, xrefs: 00A14260
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000001.00000002.2911409382.0000000000A11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A10000, based on PE: true
                                                                                                • Associated: 00000001.00000002.2911303634.0000000000A10000.00000002.00000001.01000000.00000005.sdmp
                                                                                                • Associated: 00000001.00000002.2911475855.0000000000A5B000.00000002.00000001.01000000.00000005.sdmp
                                                                                                • Associated: 00000001.00000002.2911525795.0000000000A7B000.00000004.00000001.01000000.00000005.sdmp
                                                                                                • Associated: 00000001.00000002.2911556284.0000000000A7E000.00000002.00000001.01000000.00000005.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_1_2_a10000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: CreateDirectoryErrorLast
                                                                                                • String ID: c:\agent\_work\138\s\src\libs\dutil\dirutil.cpp
                                                                                                • API String ID: 1375471231-215211224
                                                                                                • Opcode ID: 88cd3748eb69d3e56ae145552897fe5b8b8268689291ba2b18d4fdd7c7152771
                                                                                                • Instruction ID: 1046d02849cf451a4911ab34ac0801250be0072091babbccdf9b3d31c9aa2a1d
                                                                                                • Opcode Fuzzy Hash: 88cd3748eb69d3e56ae145552897fe5b8b8268689291ba2b18d4fdd7c7152771
                                                                                                • Instruction Fuzzy Hash: 0221D436644331A7EB215BAD8C44BFBB664FFADBA2F114221FD04AB150D6708CC292E0
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                Strings
                                                                                                • c:\agent\_work\138\s\src\libs\dutil\xmlutil.cpp, xrefs: 6CAB2F44
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000001.00000002.2912952501.000000006CA9B000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CA90000, based on PE: true
                                                                                                • Associated: 00000001.00000002.2912936616.000000006CA90000.00000002.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2912952501.000000006CA91000.00000020.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2912952501.000000006CA98000.00000020.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2912952501.000000006CB16000.00000020.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2913054141.000000006CB18000.00000002.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2913098126.000000006CB32000.00000004.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2913148724.000000006CB35000.00000002.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2913148724.000000006CB39000.00000002.00000001.01000000.00000007.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_1_2_6ca90000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: Variant$AllocClearInitString
                                                                                                • String ID: c:\agent\_work\138\s\src\libs\dutil\xmlutil.cpp
                                                                                                • API String ID: 2213243845-3319182157
                                                                                                • Opcode ID: 5d487ba8dc9298b82f8617c02616b3cc6775a9474c8ff1129bc181f5e7d0932e
                                                                                                • Instruction ID: ac2084340eec8f7652b35cf4d15ded5b9a538f173b50a595059a4db6243c06c6
                                                                                                • Opcode Fuzzy Hash: 5d487ba8dc9298b82f8617c02616b3cc6775a9474c8ff1129bc181f5e7d0932e
                                                                                                • Instruction Fuzzy Hash: A441B175901629ABCB109FA5C888E9FBBBCAF05714F0542A5FC16FB600DB35D940CBA0
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • RegEnumKeyExW.KERNELBASE(00000000,000002C0,00000410,00000002,00000000,00000000,00000000,00000000,00000410,00000002,00000100,00000000,00000000,?,?,00A38C68), ref: 00A51376
                                                                                                • RegQueryInfoKeyW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00A38C68,00000000), ref: 00A51394
                                                                                                • RegEnumKeyExW.KERNELBASE(00000000,000002C0,00000410,00000002,00000000,00000000,00000000,00000000,00000410,00000003,?,?,00A38C68,00000000,00000000,00000000), ref: 00A513EA
                                                                                                Strings
                                                                                                • c:\agent\_work\138\s\src\libs\dutil\regutil.cpp, xrefs: 00A513BA
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000001.00000002.2911409382.0000000000A11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A10000, based on PE: true
                                                                                                • Associated: 00000001.00000002.2911303634.0000000000A10000.00000002.00000001.01000000.00000005.sdmp
                                                                                                • Associated: 00000001.00000002.2911475855.0000000000A5B000.00000002.00000001.01000000.00000005.sdmp
                                                                                                • Associated: 00000001.00000002.2911525795.0000000000A7B000.00000004.00000001.01000000.00000005.sdmp
                                                                                                • Associated: 00000001.00000002.2911556284.0000000000A7E000.00000002.00000001.01000000.00000005.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_1_2_a10000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: Enum$InfoQuery
                                                                                                • String ID: c:\agent\_work\138\s\src\libs\dutil\regutil.cpp
                                                                                                • API String ID: 73471667-3069916640
                                                                                                • Opcode ID: 52be0a62a47d29fb14fd49020a39faa69d0f87285aef7b31a4e0c1712f3b3f78
                                                                                                • Instruction ID: 93cb2d2b9cff28f734c367cd6f138bc595674ec91c18464da3a70c4dff813595
                                                                                                • Opcode Fuzzy Hash: 52be0a62a47d29fb14fd49020a39faa69d0f87285aef7b31a4e0c1712f3b3f78
                                                                                                • Instruction Fuzzy Hash: 82317EBA901529FBEB218B98CD94FBFB67CFF047A1F114065BD01AB110E7358E549AA0
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • FormatMessageW.KERNEL32(00000900,?,?,00000000,00000000,00000000,?,00000000,?,?,00A5090E,?,?,?,?,00000001), ref: 00A5025B
                                                                                                • GetLastError.KERNEL32(?,00A5090E,?,?,?,?,00000001,?,00A1568C,?,?,00000000,?,?,00A1540D,00000002), ref: 00A50267
                                                                                                • LocalFree.KERNEL32(00000000,?,?,00000000,?,?,00A5090E,?,?,?,?,00000001,?,00A1568C,?,?), ref: 00A502D0
                                                                                                Strings
                                                                                                • c:\agent\_work\138\s\src\libs\dutil\logutil.cpp, xrefs: 00A50286
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000001.00000002.2911409382.0000000000A11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A10000, based on PE: true
                                                                                                • Associated: 00000001.00000002.2911303634.0000000000A10000.00000002.00000001.01000000.00000005.sdmp
                                                                                                • Associated: 00000001.00000002.2911475855.0000000000A5B000.00000002.00000001.01000000.00000005.sdmp
                                                                                                • Associated: 00000001.00000002.2911525795.0000000000A7B000.00000004.00000001.01000000.00000005.sdmp
                                                                                                • Associated: 00000001.00000002.2911556284.0000000000A7E000.00000002.00000001.01000000.00000005.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_1_2_a10000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: ErrorFormatFreeLastLocalMessage
                                                                                                • String ID: c:\agent\_work\138\s\src\libs\dutil\logutil.cpp
                                                                                                • API String ID: 1365068426-1566132964
                                                                                                • Opcode ID: c80499656f7fa3ed155c59300bae4549c362d8c35c31c389f0c61717ed599ff9
                                                                                                • Instruction ID: ca332e226622d7ecb4f618b3261373a34db16f1ad292a49532806c89b3917965
                                                                                                • Opcode Fuzzy Hash: c80499656f7fa3ed155c59300bae4549c362d8c35c31c389f0c61717ed599ff9
                                                                                                • Instruction Fuzzy Hash: FA118F32600225EBDF219F95CD09EEE7A69FF54752F014019FE05AA160D7308E55D6A0
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • SetFilePointerEx.KERNELBASE(?,?,?,00000000,00000000,?,?,?,00000000,?,00A308DA,?,?,?), ref: 00A312ED
                                                                                                • GetLastError.KERNEL32(?,00A308DA,?,?,?), ref: 00A312F7
                                                                                                Strings
                                                                                                • c:\agent\_work\138\s\src\burn\engine\cabextract.cpp, xrefs: 00A3131B
                                                                                                • Failed to move to virtual file pointer., xrefs: 00A31325
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000001.00000002.2911409382.0000000000A11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A10000, based on PE: true
                                                                                                • Associated: 00000001.00000002.2911303634.0000000000A10000.00000002.00000001.01000000.00000005.sdmp
                                                                                                • Associated: 00000001.00000002.2911475855.0000000000A5B000.00000002.00000001.01000000.00000005.sdmp
                                                                                                • Associated: 00000001.00000002.2911525795.0000000000A7B000.00000004.00000001.01000000.00000005.sdmp
                                                                                                • Associated: 00000001.00000002.2911556284.0000000000A7E000.00000002.00000001.01000000.00000005.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_1_2_a10000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: ErrorFileLastPointer
                                                                                                • String ID: Failed to move to virtual file pointer.$c:\agent\_work\138\s\src\burn\engine\cabextract.cpp
                                                                                                • API String ID: 2976181284-2495663704
                                                                                                • Opcode ID: dec673db96bd9aa631e5b65075883ab4872bd966acace561a703ff3c0212e8a5
                                                                                                • Instruction ID: 5c3218a6aca581e6dee121ef461267a3c781be853bad3f0617d1b9d83bb0d831
                                                                                                • Opcode Fuzzy Hash: dec673db96bd9aa631e5b65075883ab4872bd966acace561a703ff3c0212e8a5
                                                                                                • Instruction Fuzzy Hash: FE01A237501636B7D7215B969C05D9FFF28FF407B2B018526FD28AA550EB21DC208AE4
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • SetEvent.KERNEL32(00A5B468,00000000,?,00A315CD,?,00000000,?,00A1C33B,?,00A1547D,?,00A2759E,?,?,00A1547D,?), ref: 00A30682
                                                                                                • GetLastError.KERNEL32(?,00A315CD,?,00000000,?,00A1C33B,?,00A1547D,?,00A2759E,?,?,00A1547D,?,00A154BD,00000001), ref: 00A3068C
                                                                                                Strings
                                                                                                • Failed to set begin operation event., xrefs: 00A306BA
                                                                                                • c:\agent\_work\138\s\src\burn\engine\cabextract.cpp, xrefs: 00A306B0
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000001.00000002.2911409382.0000000000A11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A10000, based on PE: true
                                                                                                • Associated: 00000001.00000002.2911303634.0000000000A10000.00000002.00000001.01000000.00000005.sdmp
                                                                                                • Associated: 00000001.00000002.2911475855.0000000000A5B000.00000002.00000001.01000000.00000005.sdmp
                                                                                                • Associated: 00000001.00000002.2911525795.0000000000A7B000.00000004.00000001.01000000.00000005.sdmp
                                                                                                • Associated: 00000001.00000002.2911556284.0000000000A7E000.00000002.00000001.01000000.00000005.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_1_2_a10000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: ErrorEventLast
                                                                                                • String ID: Failed to set begin operation event.$c:\agent\_work\138\s\src\burn\engine\cabextract.cpp
                                                                                                • API String ID: 3848097054-2744104430
                                                                                                • Opcode ID: 10033824f43801bf1bac6eb5a28c857d769bfb77ec0a7aff38d3afd27ff70136
                                                                                                • Instruction ID: ca197067d66d8a6a8a48c7fb347261026ce5c4b1cc30f5e13299a48fc5ba0cb3
                                                                                                • Opcode Fuzzy Hash: 10033824f43801bf1bac6eb5a28c857d769bfb77ec0a7aff38d3afd27ff70136
                                                                                                • Instruction Fuzzy Hash: 3FF0EC73A5173177432077946D1BE9F7658AF40BA2F014125FD04FB540EB919C1046F5
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • GetDlgItem.USER32(?,?), ref: 6CAB1F8E
                                                                                                • SetWindowTextW.USER32(00000000,?), ref: 6CAB1F9C
                                                                                                • GetLastError.KERNEL32 ref: 6CAB1FA6
                                                                                                Strings
                                                                                                • c:\agent\_work\138\s\src\libs\dutil\thmutil.cpp, xrefs: 6CAB1FCA
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000001.00000002.2912952501.000000006CA9B000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CA90000, based on PE: true
                                                                                                • Associated: 00000001.00000002.2912936616.000000006CA90000.00000002.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2912952501.000000006CA91000.00000020.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2912952501.000000006CA98000.00000020.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2912952501.000000006CB16000.00000020.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2913054141.000000006CB18000.00000002.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2913098126.000000006CB32000.00000004.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2913148724.000000006CB35000.00000002.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2913148724.000000006CB39000.00000002.00000001.01000000.00000007.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_1_2_6ca90000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: ErrorItemLastTextWindow
                                                                                                • String ID: c:\agent\_work\138\s\src\libs\dutil\thmutil.cpp
                                                                                                • API String ID: 1272195076-1050607245
                                                                                                • Opcode ID: fd7c363a1fc32edaf438c5013c50fa5764757b9076358c6f77aef1d185a1e782
                                                                                                • Instruction ID: a3458f04d4a308cd1df0e7108b2b9d6d938ed427d85e9e1d19f19861e0a5c5ef
                                                                                                • Opcode Fuzzy Hash: fd7c363a1fc32edaf438c5013c50fa5764757b9076358c6f77aef1d185a1e782
                                                                                                • Instruction Fuzzy Hash: C7F0E233B012316BCB204AA58C08A9FBBACAF00AA0B020411BE08FBA00D331DC50C6E4
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • GdipAlloc.GDIPLUS(00000010), ref: 6CAB6124
                                                                                                • GdipCreateBitmapFromFile.GDIPLUS(?,00000000,00000010), ref: 6CAB6140
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000001.00000002.2912952501.000000006CA9B000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CA90000, based on PE: true
                                                                                                • Associated: 00000001.00000002.2912936616.000000006CA90000.00000002.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2912952501.000000006CA91000.00000020.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2912952501.000000006CA98000.00000020.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2912952501.000000006CB16000.00000020.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2913054141.000000006CB18000.00000002.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2913098126.000000006CB32000.00000004.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2913148724.000000006CB35000.00000002.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2913148724.000000006CB39000.00000002.00000001.01000000.00000007.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_1_2_6ca90000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: Gdip$AllocBitmapCreateFileFrom
                                                                                                • String ID: c:\agent\_work\138\s\src\libs\dutil\gdiputil.cpp
                                                                                                • API String ID: 2762118622-3969076719
                                                                                                • Opcode ID: 694da9379099024543be0a21e76ee7ab481716fe0b5d78501bee6caa1d453265
                                                                                                • Instruction ID: 12eb2016cf03fc7b0ee6dcbb0cdf89d8ef71a8b44e9246b5855d94202a1e475f
                                                                                                • Opcode Fuzzy Hash: 694da9379099024543be0a21e76ee7ab481716fe0b5d78501bee6caa1d453265
                                                                                                • Instruction Fuzzy Hash: 66110136145A55ABC7218E59AC01F8B7BEC9B81B24F008519FA8CABF80C772D48587A0
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • lstrlenW.KERNEL32(burn.clean.room,?,?,?,?,00A11104,?,?,00000000), ref: 00A151BA
                                                                                                • CompareStringW.KERNELBASE(0000007F,00000001,?,0000000F,burn.clean.room,0000000F,?,?,?,?,00A11104,?,?,00000000), ref: 00A151EA
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000001.00000002.2911409382.0000000000A11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A10000, based on PE: true
                                                                                                • Associated: 00000001.00000002.2911303634.0000000000A10000.00000002.00000001.01000000.00000005.sdmp
                                                                                                • Associated: 00000001.00000002.2911475855.0000000000A5B000.00000002.00000001.01000000.00000005.sdmp
                                                                                                • Associated: 00000001.00000002.2911525795.0000000000A7B000.00000004.00000001.01000000.00000005.sdmp
                                                                                                • Associated: 00000001.00000002.2911556284.0000000000A7E000.00000002.00000001.01000000.00000005.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_1_2_a10000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: CompareStringlstrlen
                                                                                                • String ID: burn.clean.room
                                                                                                • API String ID: 1433953587-3055529264
                                                                                                • Opcode ID: 760e6cadd1086197719a4ee1c7ba11c858327920295ed099dda3a758b8092934
                                                                                                • Instruction ID: 203b34434c8e2a93e84149598c7eb8a74bbee19c63f7abeaa25721e154d84b84
                                                                                                • Opcode Fuzzy Hash: 760e6cadd1086197719a4ee1c7ba11c858327920295ed099dda3a758b8092934
                                                                                                • Instruction Fuzzy Hash: E00186B6911624AA83208BA9EC89EF7B7ECFB997917504216ED19C3214D3709CC1C6B4
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • CreateThread.KERNELBASE(00000000,00000000,Function_00002D9C,?,00000000,?), ref: 6CAA08EF
                                                                                                • GetLastError.KERNEL32 ref: 6CAA08FF
                                                                                                Strings
                                                                                                • D:\a\1\s\Tools\msi\bundle\bootstrap\PythonBootstrapperApplication.cpp, xrefs: 6CAA0924
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000001.00000002.2912952501.000000006CA9B000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CA90000, based on PE: true
                                                                                                • Associated: 00000001.00000002.2912936616.000000006CA90000.00000002.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2912952501.000000006CA91000.00000020.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2912952501.000000006CA98000.00000020.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2912952501.000000006CB16000.00000020.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2913054141.000000006CB18000.00000002.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2913098126.000000006CB32000.00000004.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2913148724.000000006CB35000.00000002.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2913148724.000000006CB39000.00000002.00000001.01000000.00000007.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_1_2_6ca90000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: CreateErrorLastThread
                                                                                                • String ID: D:\a\1\s\Tools\msi\bundle\bootstrap\PythonBootstrapperApplication.cpp
                                                                                                • API String ID: 1689873465-1680496649
                                                                                                • Opcode ID: 0ab8739b9187cf7c7d73ed47a0594fe11ce06010b77cd15c8deebf7054f55868
                                                                                                • Instruction ID: fbd1cde299c14f677714299fb0d51d1c82cd03a3603735b311931f8a26b38e2c
                                                                                                • Opcode Fuzzy Hash: 0ab8739b9187cf7c7d73ed47a0594fe11ce06010b77cd15c8deebf7054f55868
                                                                                                • Instruction Fuzzy Hash: 8BF0F633A5122967EB2085D94C05B9BB7E8DB05760F010117FD08FB680E6609C0486E8
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • EnableWindow.USER32(?,00000000), ref: 6CAB20AC
                                                                                                • ShowWindow.USER32(?,00000000), ref: 6CAB20D2
                                                                                                • SetFocus.USER32(00000000), ref: 6CAB2123
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000001.00000002.2912952501.000000006CA9B000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CA90000, based on PE: true
                                                                                                • Associated: 00000001.00000002.2912936616.000000006CA90000.00000002.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2912952501.000000006CA91000.00000020.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2912952501.000000006CA98000.00000020.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2912952501.000000006CB16000.00000020.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2913054141.000000006CB18000.00000002.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2913098126.000000006CB32000.00000004.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2913148724.000000006CB35000.00000002.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2913148724.000000006CB39000.00000002.00000001.01000000.00000007.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_1_2_6ca90000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: Window$EnableFocusShow
                                                                                                • String ID:
                                                                                                • API String ID: 3640841677-0
                                                                                                • Opcode ID: 30e0050a8646590d59e1bc9dbe5cc81fa820a07969116bd737a753f2a68aeddf
                                                                                                • Instruction ID: d5eb5e4eb1e7433db44e60ca18a74d0982b2e420796e1a4ec4c18c51fad863af
                                                                                                • Opcode Fuzzy Hash: 30e0050a8646590d59e1bc9dbe5cc81fa820a07969116bd737a753f2a68aeddf
                                                                                                • Instruction Fuzzy Hash: AC31DFB1500259EFD7008F59C848BAAB7B8FF45308F28822AEE1567950C775ECD5CB90
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • GetProcessHeap.KERNEL32(00000000,?), ref: 6CAB3BD6
                                                                                                • RtlFreeHeap.NTDLL(00000000), ref: 6CAB3BDD
                                                                                                • GetLastError.KERNEL32 ref: 6CAB3BE7
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000001.00000002.2912952501.000000006CA9B000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CA90000, based on PE: true
                                                                                                • Associated: 00000001.00000002.2912936616.000000006CA90000.00000002.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2912952501.000000006CA91000.00000020.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2912952501.000000006CA98000.00000020.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2912952501.000000006CB16000.00000020.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2913054141.000000006CB18000.00000002.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2913098126.000000006CB32000.00000004.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2913148724.000000006CB35000.00000002.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2913148724.000000006CB39000.00000002.00000001.01000000.00000007.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_1_2_6ca90000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: Heap$ErrorFreeLastProcess
                                                                                                • String ID:
                                                                                                • API String ID: 406640338-0
                                                                                                • Opcode ID: 7fd48688cbf0aba77a878bdfb16ca1bf186c7f31a486c57a29653cbd7d6b37d3
                                                                                                • Instruction ID: 1f19468c1aa8e399aff4ae01be1fae93faed29e500492cfdb62f64b768ace821
                                                                                                • Opcode Fuzzy Hash: 7fd48688cbf0aba77a878bdfb16ca1bf186c7f31a486c57a29653cbd7d6b37d3
                                                                                                • Instruction Fuzzy Hash: 4CD01273B4163557862116E6480854FBE7CEF06AA5B054121FD48EB600DA36C84497E8
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,00A7BB7C,00000000,?,00A55BF9,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 00A5144A
                                                                                                Strings
                                                                                                • c:\agent\_work\138\s\src\libs\dutil\regutil.cpp, xrefs: 00A51487
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000001.00000002.2911409382.0000000000A11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A10000, based on PE: true
                                                                                                • Associated: 00000001.00000002.2911303634.0000000000A10000.00000002.00000001.01000000.00000005.sdmp
                                                                                                • Associated: 00000001.00000002.2911475855.0000000000A5B000.00000002.00000001.01000000.00000005.sdmp
                                                                                                • Associated: 00000001.00000002.2911525795.0000000000A7B000.00000004.00000001.01000000.00000005.sdmp
                                                                                                • Associated: 00000001.00000002.2911556284.0000000000A7E000.00000002.00000001.01000000.00000005.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_1_2_a10000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: Open
                                                                                                • String ID: c:\agent\_work\138\s\src\libs\dutil\regutil.cpp
                                                                                                • API String ID: 71445658-3069916640
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • GetLastError.KERNEL32(4BD7BA2A,?,?,6CB16A97,000000FF), ref: 6CA9BA39
                                                                                                Strings
                                                                                                • D:\a\1\s\Tools\msi\bundle\bootstrap\PythonBootstrapperApplication.cpp, xrefs: 6CA9BA5E, 6CA9BADC
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000001.00000002.2912952501.000000006CA9B000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CA90000, based on PE: true
                                                                                                • Associated: 00000001.00000002.2912936616.000000006CA90000.00000002.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2912952501.000000006CA91000.00000020.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2912952501.000000006CA98000.00000020.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2912952501.000000006CB16000.00000020.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2913054141.000000006CB18000.00000002.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2913098126.000000006CB32000.00000004.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2913148724.000000006CB35000.00000002.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2913148724.000000006CB39000.00000002.00000001.01000000.00000007.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_1_2_6ca90000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: ErrorLast
                                                                                                • String ID: D:\a\1\s\Tools\msi\bundle\bootstrap\PythonBootstrapperApplication.cpp
                                                                                                • API String ID: 1452528299-1680496649
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000001.00000002.2912952501.000000006CA9B000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CA90000, based on PE: true
                                                                                                • Associated: 00000001.00000002.2912936616.000000006CA90000.00000002.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2912952501.000000006CA91000.00000020.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2912952501.000000006CA98000.00000020.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2912952501.000000006CB16000.00000020.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2913054141.000000006CB18000.00000002.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2913098126.000000006CB32000.00000004.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2913148724.000000006CB35000.00000002.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2913148724.000000006CB39000.00000002.00000001.01000000.00000007.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_1_2_6ca90000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: Gdip$DisposeFreeImage
                                                                                                • String ID:
                                                                                                • API String ID: 1950503971-0
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • GetProcessHeap.KERNEL32(?,?,?), ref: 6CAB3CF0
                                                                                                • RtlReAllocateHeap.NTDLL(00000000), ref: 6CAB3CF7
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000001.00000002.2912952501.000000006CA9B000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CA90000, based on PE: true
                                                                                                • Associated: 00000001.00000002.2912936616.000000006CA90000.00000002.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2912952501.000000006CA91000.00000020.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2912952501.000000006CA98000.00000020.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2912952501.000000006CB16000.00000020.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2913054141.000000006CB18000.00000002.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2913098126.000000006CB32000.00000004.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2913148724.000000006CB35000.00000002.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2913148724.000000006CB39000.00000002.00000001.01000000.00000007.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_1_2_6ca90000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: Heap$AllocateProcess
                                                                                                • String ID:
                                                                                                • API String ID: 1357844191-0
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                  • Part of subcall function 00A59213: lstrlenW.KERNEL32(00000100,?,?,?,00A595B3,000002C0,00000100,00000100,00000100,?,?,?,00A37BE4,?,?,000001BC), ref: 00A59238
                                                                                                • RegCloseKey.ADVAPI32(000002C0,000002C0,00000100,00000100,00000100,?,?,?,00A37BE4,?,?,000001BC,00000000,00000000,00000000,00000100), ref: 00A59650
                                                                                                  • Part of subcall function 00A51436: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,00A7BB7C,00000000,?,00A55BF9,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 00A5144A
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000001.00000002.2911409382.0000000000A11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A10000, based on PE: true
                                                                                                • Associated: 00000001.00000002.2911303634.0000000000A10000.00000002.00000001.01000000.00000005.sdmp
                                                                                                • Associated: 00000001.00000002.2911475855.0000000000A5B000.00000002.00000001.01000000.00000005.sdmp
                                                                                                • Associated: 00000001.00000002.2911525795.0000000000A7B000.00000004.00000001.01000000.00000005.sdmp
                                                                                                • Associated: 00000001.00000002.2911556284.0000000000A7E000.00000002.00000001.01000000.00000005.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_1_2_a10000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: CloseOpenlstrlen
                                                                                                • String ID:
                                                                                                • API String ID: 514153755-0
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                  • Part of subcall function 00A475B4: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00A45D2F,00000001,00000364,00000006,000000FF), ref: 00A475F5
                                                                                                • _free.LIBCMT ref: 00A48623
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000001.00000002.2911409382.0000000000A11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A10000, based on PE: true
                                                                                                • Associated: 00000001.00000002.2911303634.0000000000A10000.00000002.00000001.01000000.00000005.sdmp
                                                                                                • Associated: 00000001.00000002.2911475855.0000000000A5B000.00000002.00000001.01000000.00000005.sdmp
                                                                                                • Associated: 00000001.00000002.2911525795.0000000000A7B000.00000004.00000001.01000000.00000005.sdmp
                                                                                                • Associated: 00000001.00000002.2911556284.0000000000A7E000.00000002.00000001.01000000.00000005.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_1_2_a10000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: AllocateHeap_free
                                                                                                • String ID:
                                                                                                • API String ID: 614378929-0
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00A45D2F,00000001,00000364,00000006,000000FF), ref: 00A475F5
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000001.00000002.2911409382.0000000000A11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A10000, based on PE: true
                                                                                                • Associated: 00000001.00000002.2911303634.0000000000A10000.00000002.00000001.01000000.00000005.sdmp
                                                                                                • Associated: 00000001.00000002.2911475855.0000000000A5B000.00000002.00000001.01000000.00000005.sdmp
                                                                                                • Associated: 00000001.00000002.2911525795.0000000000A7B000.00000004.00000001.01000000.00000005.sdmp
                                                                                                • Associated: 00000001.00000002.2911556284.0000000000A7E000.00000002.00000001.01000000.00000005.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_1_2_a10000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: AllocateHeap
                                                                                                • String ID:
                                                                                                • API String ID: 1279760036-0
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,?), ref: 00A541BE
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000001.00000002.2911409382.0000000000A11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A10000, based on PE: true
                                                                                                • Associated: 00000001.00000002.2911303634.0000000000A10000.00000002.00000001.01000000.00000005.sdmp
                                                                                                • Associated: 00000001.00000002.2911475855.0000000000A5B000.00000002.00000001.01000000.00000005.sdmp
                                                                                                • Associated: 00000001.00000002.2911525795.0000000000A7B000.00000004.00000001.01000000.00000005.sdmp
                                                                                                • Associated: 00000001.00000002.2911556284.0000000000A7E000.00000002.00000001.01000000.00000005.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_1_2_a10000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: FolderPath
                                                                                                • String ID:
                                                                                                • API String ID: 1514166925-0
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • SHGetFolderPathW.SHELL32(00000000,00000000,00000000,00000000,00000000,00000000,00000104,00000000,?,00A28BB5,0000001C,80070490,00000000,00000000,80070490), ref: 00A135F3
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000001.00000002.2911409382.0000000000A11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A10000, based on PE: true
                                                                                                • Associated: 00000001.00000002.2911303634.0000000000A10000.00000002.00000001.01000000.00000005.sdmp
                                                                                                • Associated: 00000001.00000002.2911475855.0000000000A5B000.00000002.00000001.01000000.00000005.sdmp
                                                                                                • Associated: 00000001.00000002.2911525795.0000000000A7B000.00000004.00000001.01000000.00000005.sdmp
                                                                                                • Associated: 00000001.00000002.2911556284.0000000000A7E000.00000002.00000001.01000000.00000005.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_1_2_a10000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: FolderPath
                                                                                                • String ID:
                                                                                                • API String ID: 1514166925-0
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • GetFileAttributesW.KERNELBASE(00000000,00000000,?,00A2A41F,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,80070490), ref: 00A1427C
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000001.00000002.2911409382.0000000000A11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A10000, based on PE: true
                                                                                                • Associated: 00000001.00000002.2911303634.0000000000A10000.00000002.00000001.01000000.00000005.sdmp
                                                                                                • Associated: 00000001.00000002.2911475855.0000000000A5B000.00000002.00000001.01000000.00000005.sdmp
                                                                                                • Associated: 00000001.00000002.2911525795.0000000000A7B000.00000004.00000001.01000000.00000005.sdmp
                                                                                                • Associated: 00000001.00000002.2911556284.0000000000A7E000.00000002.00000001.01000000.00000005.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_1_2_a10000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: AttributesFile
                                                                                                • String ID:
                                                                                                • API String ID: 3188754299-0
                                                                                                • Opcode ID: e2d8f1700881a37c3d2a68b124c308b0eeddcfd6d57362f3da74d52ec570cd62
                                                                                                • Instruction ID: 1d6f2ea690a656ea527e85b26ce3f9f61fbb5bb2b5204fd69ff358459f5ff757
                                                                                                • Opcode Fuzzy Hash: e2d8f1700881a37c3d2a68b124c308b0eeddcfd6d57362f3da74d52ec570cd62
                                                                                                • Instruction Fuzzy Hash: 0BD02E32201234979B288FFDC8048EABF0AEF4A7B27408225FC24CB1A0C3308C92C3C0
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • PostMessageW.USER32(?,00008068,00000000,?), ref: 6CAA1768
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000001.00000002.2912952501.000000006CA9B000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CA90000, based on PE: true
                                                                                                • Associated: 00000001.00000002.2912936616.000000006CA90000.00000002.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2912952501.000000006CA91000.00000020.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2912952501.000000006CA98000.00000020.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2912952501.000000006CB16000.00000020.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2913054141.000000006CB18000.00000002.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2913098126.000000006CB32000.00000004.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2913148724.000000006CB35000.00000002.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2913148724.000000006CB39000.00000002.00000001.01000000.00000007.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_1_2_6ca90000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: MessagePost
                                                                                                • String ID:
                                                                                                • API String ID: 410705778-0
                                                                                                • Opcode ID: 4624a009ed7d596ed824253b2d33925c19b6445a09d6b7e924363015c21e0c13
                                                                                                • Instruction ID: 859525b082b987d3b73f8f9fa1020494e05d49ba64c61e7e08db13dad32071b3
                                                                                                • Opcode Fuzzy Hash: 4624a009ed7d596ed824253b2d33925c19b6445a09d6b7e924363015c21e0c13
                                                                                                • Instruction Fuzzy Hash: F0E04F30300245EBD70CCA40D454BA9F765BB00701F14C27DE60E5AA81DB70A8D9CB94
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • DefWindowProcA.USER32(?,00000128,?,?), ref: 6CAB01FC
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000001.00000002.2912952501.000000006CA9B000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CA90000, based on PE: true
                                                                                                • Associated: 00000001.00000002.2912936616.000000006CA90000.00000002.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2912952501.000000006CA91000.00000020.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2912952501.000000006CA98000.00000020.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2912952501.000000006CB16000.00000020.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2913054141.000000006CB18000.00000002.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2913098126.000000006CB32000.00000004.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2913148724.000000006CB35000.00000002.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2913148724.000000006CB39000.00000002.00000001.01000000.00000007.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_1_2_6ca90000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: ProcWindow
                                                                                                • String ID:
                                                                                                • API String ID: 181713994-0
                                                                                                • Opcode ID: 94cc0de45745a970caa4c5dbb7a04c52649b74c87785bc0509dda3a0a3da54ff
                                                                                                • Instruction ID: 7f99b2bff1f6acb3cdd5c75a13e516c8cd0db9e05d6eb011a4eed02dbb45c1aa
                                                                                                • Opcode Fuzzy Hash: 94cc0de45745a970caa4c5dbb7a04c52649b74c87785bc0509dda3a0a3da54ff
                                                                                                • Instruction Fuzzy Hash: C0D0C93214420DEFDF114E98EC049FA3BBAFB08351F04C426F91946451CB36A8B0EF61
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • IsDialogMessageW.USER32(?,?), ref: 6CAB0C76
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000001.00000002.2912952501.000000006CA9B000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CA90000, based on PE: true
                                                                                                • Associated: 00000001.00000002.2912936616.000000006CA90000.00000002.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2912952501.000000006CA91000.00000020.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2912952501.000000006CA98000.00000020.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2912952501.000000006CB16000.00000020.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2913054141.000000006CB18000.00000002.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2913098126.000000006CB32000.00000004.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2913148724.000000006CB35000.00000002.00000001.01000000.00000007.sdmp
                                                                                                • Associated: 00000001.00000002.2913148724.000000006CB39000.00000002.00000001.01000000.00000007.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_1_2_6ca90000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: DialogMessage
                                                                                                • String ID:
                                                                                                • API String ID: 547518314-0
                                                                                                • Opcode ID: d11704e8562ce52333d51d4f53027cc5c37c8d818d7f9f9c907f30c3a803b6db
                                                                                                • Instruction ID: 7695490cbf22e6c49fd46c4238313fa75c851a8bace7a5d1efc74eba412706d3
                                                                                                • Opcode Fuzzy Hash: d11704e8562ce52333d51d4f53027cc5c37c8d818d7f9f9c907f30c3a803b6db
                                                                                                • Instruction Fuzzy Hash: 3AC01232204289DB9B848EA8CE04D2A3BBEAB06600B440025F809D2421D731E8A0EB94
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%

                                                                                                APIs
                                                                                                • lstrlenW.KERNEL32(00000000,00000000,00000000,?,?,00A122DC,?,00000000,?,00000000,?,00A139E0,00000000,?,00000104), ref: 00A114DC
                                                                                                  • Part of subcall function 00A13C9A: GetProcessHeap.KERNEL32(00000000,?,?,00A12300,?,75C0B390,8000FFFF,?,?,00A50687,?,?,00000000,00000000,8000FFFF), ref: 00A13CA2
                                                                                                  • Part of subcall function 00A13C9A: HeapSize.KERNEL32(00000000,?,00A12300,?,75C0B390,8000FFFF,?,?,00A50687,?,?,00000000,00000000,8000FFFF), ref: 00A13CA9
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000001.00000002.2911409382.0000000000A11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A10000, based on PE: true
                                                                                                • Associated: 00000001.00000002.2911303634.0000000000A10000.00000002.00000001.01000000.00000005.sdmp
                                                                                                • Associated: 00000001.00000002.2911475855.0000000000A5B000.00000002.00000001.01000000.00000005.sdmp
                                                                                                • Associated: 00000001.00000002.2911525795.0000000000A7B000.00000004.00000001.01000000.00000005.sdmp
                                                                                                • Associated: 00000001.00000002.2911556284.0000000000A7E000.00000002.00000001.01000000.00000005.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_1_2_a10000_python-3.jbxd
                                                                                                Similarity
                                                                                                • API ID: Heap$ProcessSizelstrlen
                                                                                                • String ID:
                                                                                                • API String ID: 3492610842-0
                                                                                                • Opcode ID: 942dffcbf35efbd8236c5758e88baba0008972d7677835af0fdce81202081395
                                                                                                • Instruction ID: 317d9ac4fe5332d4dfef607075ad770574654fb3dbb495d9919d5f47eb03e387
                                                                                                • Opcode Fuzzy Hash: 942dffcbf35efbd8236c5758e88baba0008972d7677835af0fdce81202081395
                                                                                                • Instruction Fuzzy Hash: 7A01D436100228BBCF215E65DC84FCA7BAAEF41BB0F118111FF15AB191C770AD8196A1
                                                                                                Uniqueness

                                                                                                Uniqueness Score: -1.00%
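The records above are Joe Sandbox's per-function output: each block lists the Windows API calls a disassembled function makes (with the stack arguments captured at call time and the return address after `ref:`), the memory dump the function was recovered from, and similarity hashes. The Python script below is an added example, not part of the report or of Joe Sandbox's own tooling. It parses four of the records copied from this page, resolves each `ref:` to an RVA relative to the module `Offset`, checks that the reference lands at or past the executable region the dump names, and decodes the argument values that stand out in these records (the 0x80070490 and 0x8000FFFF HRESULTs, the WM_APP-range message passed to PostMessageW, and WM_UPDATEUISTATE passed to DefWindowProcA). The meaning of the `.sdmp` file-name fields (region base, page protection, memory type) is an assumption inferred from the samples on this page; the values it reads match the Windows PAGE_* and MEM_IMAGE constants. The decoding tables are deliberately small and cover only the values seen here.

```python
"""Parse per-function 'APIs' / 'Memory Dump Source' records from a Joe Sandbox
report and sanity-check the addresses and arguments they carry (added example)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Windows constants (winnt.h, winuser.h, winerror.h).
PAGE_PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x20: "PAGE_EXECUTE_READ"}
MEM_TYPE = {0x1000000: "MEM_IMAGE"}
HRESULTS = {0x80070490: "HRESULT_FROM_WIN32(ERROR_NOT_FOUND)", 0x8000FFFF: "E_UNEXPECTED"}
WINDOW_MSGS = {0x0128: "WM_UPDATEUISTATE"}
WM_APP = 0x8000  # WM_APP .. 0xBFFF is the private application message range
MSG_APIS = {"PostMessageW", "SendMessageW", "DefWindowProcA", "DefWindowProcW"}

# Constructed sample: four records copied from the report, trimmed to the lines used here.
SAMPLE = """\
APIs
• GetFileAttributesW.KERNELBASE(00000000,00000000,?,00A2A41F,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,80070490), ref: 00A1427C
Memory Dump Source
• Source File: 00000001.00000002.2911409382.0000000000A11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A10000, based on PE: true
APIs
• PostMessageW.USER32(?,00008068,00000000,?), ref: 6CAA1768
Memory Dump Source
• Source File: 00000001.00000002.2912952501.000000006CA9B000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CA90000, based on PE: true
APIs
• DefWindowProcA.USER32(?,00000128,?,?), ref: 6CAB01FC
Memory Dump Source
• Source File: 00000001.00000002.2912952501.000000006CA9B000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CA90000, based on PE: true
APIs
• lstrlenW.KERNEL32(00000000,00000000,00000000,?,?,00A122DC,?,00000000,?,00000000,?,00A139E0,00000000,?,00000104), ref: 00A114DC
  • Part of subcall function 00A13C9A: GetProcessHeap.KERNEL32(00000000,?,?,00A12300,?,75C0B390,8000FFFF,?,?,00A50687,?,?,00000000,00000000,8000FFFF), ref: 00A13CA2
  • Part of subcall function 00A13C9A: HeapSize.KERNEL32(00000000,?,00A12300,?,75C0B390,8000FFFF,?,?,00A50687,?,?,00000000,00000000,8000FFFF), ref: 00A13CA9
Memory Dump Source
• Source File: 00000001.00000002.2911409382.0000000000A11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A10000, based on PE: true
"""

API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-F]+)$", re.I)
SRC_RE = re.compile(
    r"^•\s*Source File:\s*(?P<file>\S+\.sdmp),\s*Offset:\s*(?P<off>[0-9A-F]+),"
    r"\s*based on PE:\s*(?P<pe>\w+)$", re.I)


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: int                      # return address recorded by the sandbox
    subcall_of: Optional[int]     # function that contains this call, if it is a subcall


@dataclass
class Record:
    calls: List[ApiCall] = field(default_factory=list)
    dump_file: str = ""
    module_base: int = 0
    based_on_pe: bool = False


def parse(text: str) -> List[Record]:
    """Split the report text into records, one per 'APIs' header."""
    records: List[Record] = []
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            records.append(Record())
            continue
        if not records:
            continue
        m = API_RE.match(line)
        if m:
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            records[-1].calls.append(ApiCall(m["api"], m["mod"], args, int(m["ref"], 16),
                                             int(m["sub"], 16) if m["sub"] else None))
            continue
        m = SRC_RE.match(line)
        if m:
            records[-1].dump_file = m["file"]
            records[-1].module_base = int(m["off"], 16)
            records[-1].based_on_pe = m["pe"].lower() == "true"
    return records


def region_info(dump_file: str) -> dict:
    # Assumed field layout of the .sdmp name, inferred from the samples:
    # <pid>.<stage>.<id>.<region base>.<protect>.<?>.<mem type>.<module idx>
    f = dump_file[: -len(".sdmp")].split(".")
    protect = int(f[4], 16)
    return {"region_base": int(f[3], 16),
            "protect": PAGE_PROTECT.get(protect, hex(protect)),
            "executable": bool(protect & 0xF0),  # PAGE_EXECUTE* are 0x10..0x80
            "mem_type": MEM_TYPE.get(int(f[6], 16), f[6])}


def rva(rec: Record, call: ApiCall) -> int:
    return call.ref - rec.module_base


def describe_args(call: ApiCall) -> List[str]:
    """Flag arguments that are recognisable HRESULTs or window messages."""
    notes = []
    for i, a in enumerate(call.args):
        if a == "?":
            continue
        v = int(a, 16)
        if v in HRESULTS:
            notes.append(f"arg{i}=0x{v:08X} {HRESULTS[v]}")
        elif v >= 0x80000000:  # above the 32-bit user-mode range: a status code, not a pointer
            notes.append(f"arg{i}=0x{v:08X} looks like a failure code")
        if call.api in MSG_APIS and i == 1:
            if v in WINDOW_MSGS:
                notes.append(f"msg=0x{v:04X} {WINDOW_MSGS[v]}")
            elif WM_APP <= v <= 0xBFFF:
                notes.append(f"msg=0x{v:04X} WM_APP+0x{v - WM_APP:X}")
    return notes


def check_record(rec: Record) -> List[str]:
    """Return inconsistencies between the call references and the dump they cite."""
    if not rec.dump_file:
        return ["record has no Memory Dump Source"]
    info = region_info(rec.dump_file)
    problems = [] if info["executable"] else [f"code attributed to {info['protect']} region"]
    for c in rec.calls:
        if c.ref < rec.module_base:
            problems.append(f"{c.api} ref 0x{c.ref:08X} is below module base")
        elif c.ref < info["region_base"]:
            problems.append(f"{c.api} ref 0x{c.ref:08X} precedes the dumped region")
    return problems


if __name__ == "__main__":
    for rec in parse(SAMPLE):
        print(rec.dump_file, region_info(rec.dump_file), check_record(rec) or "ok")
        for c in rec.calls:
            print(f"  {c.api}.{c.module} ref=0x{c.ref:08X} rva=0x{rva(rec, c):X}",
                  describe_args(c))
```

Run it on a larger slice of the report by replacing `SAMPLE` with the pasted text; records whose `ref:` falls before the dumped region, or whose dump is not an executable page, are the ones worth re-examining in the disassembly before trusting the attribution.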