Edit tour

Windows Analysis Report
Q3pEXxmWAD.exe

Overview

General Information

Sample name:	Q3pEXxmWAD.exe renamed because original name is a hash value
Original sample name:	f468ae483026819d6977e2a5e34ea52a.exe
Analysis ID:	1479908
MD5:	f468ae483026819d6977e2a5e34ea52a
SHA1:	bdcd08269c84863eace14dc54d64c6f0af41f332
SHA256:	578778fa4d79588a14d0830d4e52dc55aead1ca8bf99c9672cbdaf6c7b58eb5c
Tags:	64exetrojan
Infos:

Detection

Xmrig

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Stop multiple services

Yara detected Xmrig cryptocurrency miner

AI detected suspicious sample

Contains functionality to infect the boot sector

Detected Stratum mining protocol

Drops PE files to the startup folder

Found direct / indirect Syscall (likely to bypass EDR)

Found hidden mapped module (file has been removed from disk)

Found pyInstaller with non standard icon

Found strings related to Crypto-Mining

Maps a DLL or memory area into another process

Modifies power options to not sleep / hibernate

Modifies the context of a thread in another process (thread injection)

Sample is not signed and drops a device driver

Stops critical windows services

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses powercfg.exe to modify the power settings

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to communicate with device drivers

Contains functionality to enumerate running services

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Creates driver files

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found dropped PE file which has not been started or loaded

Found evasive API chain checking for process token information

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

PE file contains executable resources (Code or Archives)

PE file contains more sections than normal

PE file contains sections with non-standard names

PE file does not import any functions

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Startup Folder File Write

Stores files to the Windows start menu directory

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

Q3pEXxmWAD.exe (PID: 5004 cmdline: "C:\Users\user\Desktop\Q3pEXxmWAD.exe" MD5: F468AE483026819D6977E2A5E34EA52A)

Q3pEXxmWAD.exe (PID: 3144 cmdline: "C:\Users\user\Desktop\Q3pEXxmWAD.exe" MD5: F468AE483026819D6977E2A5E34EA52A)

cmd.exe (PID: 2804 cmdline: C:\Windows\system32\cmd.exe /c C:\Users\user\AppData\Local\Temp\_MEI50042\Blsvr.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7044 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Blsvr.exe (PID: 1352 cmdline: C:\Users\user\AppData\Local\Temp\_MEI50042\Blsvr.exe MD5: 4781C53D9BB1CB237B653C687028203D)

conhost.exe (PID: 5664 cmdline: C:\Windows\System32\conhost.exe MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 940 cmdline: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7096 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 6504 cmdline: sc stop UsoSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

sc.exe (PID: 6388 cmdline: sc stop WaaSMedicSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

sc.exe (PID: 4292 cmdline: sc stop wuauserv MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

sc.exe (PID: 6772 cmdline: sc stop bits MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

sc.exe (PID: 760 cmdline: sc stop dosvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

cmd.exe (PID: 3580 cmdline: C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5672 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powercfg.exe (PID: 1988 cmdline: powercfg /x -hibernate-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)

powercfg.exe (PID: 3680 cmdline: powercfg /x -hibernate-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)

powercfg.exe (PID: 6164 cmdline: powercfg /x -standby-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)

powercfg.exe (PID: 6204 cmdline: powercfg /x -standby-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)

Q3pEXxmWAD.exe (PID: 6388 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe" MD5: F468AE483026819D6977E2A5E34EA52A)

Q3pEXxmWAD.exe (PID: 2716 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe" MD5: F468AE483026819D6977E2A5E34EA52A)

cmd.exe (PID: 7148 cmdline: C:\Windows\system32\cmd.exe /c C:\Users\user\AppData\Local\Temp\_MEI63882\Blsvr.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 2612 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Blsvr.exe (PID: 6004 cmdline: C:\Users\user\AppData\Local\Temp\_MEI63882\Blsvr.exe MD5: 4781C53D9BB1CB237B653C687028203D)

cmd.exe (PID: 2124 cmdline: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 2804 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 1864 cmdline: sc stop UsoSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

sc.exe (PID: 1968 cmdline: sc stop WaaSMedicSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

sc.exe (PID: 1628 cmdline: sc stop wuauserv MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

sc.exe (PID: 2820 cmdline: sc stop bits MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

sc.exe (PID: 2072 cmdline: sc stop dosvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

cmd.exe (PID: 6160 cmdline: C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 4676 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powercfg.exe (PID: 5392 cmdline: powercfg /x -hibernate-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)

powercfg.exe (PID: 4092 cmdline: powercfg /x -hibernate-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)

powercfg.exe (PID: 2884 cmdline: powercfg /x -standby-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)

powercfg.exe (PID: 2860 cmdline: powercfg /x -standby-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)

svchost.exe (PID: 1548 cmdline: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
xmrig	According to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called "bundling".In most cases, "bundling" is used to infiltrate several potentially unwanted programs (PUAs) at once. So, there is a high probability that XMRIG Virus came with a number of adware-type applications that deliver intrusive ads and gather sensitive information.	No Attribution	https://gridinsoft.com/xmrig https://www.crowdstrike.com/blog/new-kiss-a-dog-cryptojacking-campaign-targets-docker-and-kubernetes/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xmrig

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\uyfkrbdwixpr.tmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
C:\Users\user\AppData\Local\Temp\uyfkrbdwixpr.tmp	MacOS_Cryptominer_Xmrig_241780a1	unknown	unknown	0x4cb268:$a1: mining.set_target 0x4c6a48:$a2: XMRIG_HOSTNAME 0x4c8540:$a3: Usage: xmrig [OPTIONS] 0x4c6a20:$a4: XMRIG_VERSION
C:\Users\user\AppData\Local\Temp\uyfkrbdwixpr.tmp	MAL_XMR_Miner_May19_1	Detects Monero Crypto Coin Miner	Florian Roth	0x4d1241:$x2: * COMMANDS 'h' hashrate, 'p' pause, 'r' resume
C:\Users\user\AppData\Local\Temp\uyfkrbdwixpr.tmp	MALWARE_Win_CoinMiner02	Detects coinmining malware	ditekSHen	0x4d17a0:$s1: %s/%s (Windows NT %lu.%lu 0x4d1fc8:$s3: \\.\WinRing0_ 0x4ca4c8:$s4: pool_wallet 0x4c62d0:$s5: cryptonight 0x4c62e0:$s5: cryptonight 0x4c62f0:$s5: cryptonight 0x4c6300:$s5: cryptonight 0x4c6318:$s5: cryptonight 0x4c6328:$s5: cryptonight 0x4c6338:$s5: cryptonight 0x4c6350:$s5: cryptonight 0x4c6360:$s5: cryptonight 0x4c6378:$s5: cryptonight 0x4c6390:$s5: cryptonight 0x4c63a0:$s5: cryptonight 0x4c63b0:$s5: cryptonight 0x4c63c0:$s5: cryptonight 0x4c63d8:$s5: cryptonight 0x4c63f0:$s5: cryptonight 0x4c6400:$s5: cryptonight 0x4c6410:$s5: cryptonight

Memory Dumps

Source	Rule	Description	Author	Strings
00000011.00000002.3255036623.000001F6A91A6000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000011.00000002.3255036623.000001F6A91C1000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000005.00000002.2072346669.00007FF758A7B000.00000004.00000001.01000000.00000016.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000005.00000002.2072346669.00007FF758A7B000.00000004.00000001.01000000.00000016.sdmp	MacOS_Cryptominer_Xmrig_241780a1	unknown	unknown	0x4ceb68:$a1: mining.set_target 0x4ca348:$a2: XMRIG_HOSTNAME 0x4cbe40:$a3: Usage: xmrig [OPTIONS] 0x4ca320:$a4: XMRIG_VERSION
00000019.00000002.2223523433.00007FF66787B000.00000004.00000001.01000000.0000002C.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000019.00000002.2223523433.00007FF66787B000.00000004.00000001.01000000.0000002C.sdmp	MacOS_Cryptominer_Xmrig_241780a1	unknown	unknown	0x4ceb68:$a1: mining.set_target 0x4ca348:$a2: XMRIG_HOSTNAME 0x4cbe40:$a3: Usage: xmrig [OPTIONS] 0x4ca320:$a4: XMRIG_VERSION
Process Memory Space: Blsvr.exe PID: 1352	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
Process Memory Space: Blsvr.exe PID: 1352	MacOS_Cryptominer_Xmrig_241780a1	unknown	unknown	0x8ca58:$a1: mining.set_target 0x89613:$a2: XMRIG_HOSTNAME 0x8a1cf:$a3: Usage: xmrig [OPTIONS] 0x895f4:$a4: XMRIG_VERSION
Process Memory Space: conhost.exe PID: 5664	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
Click to see the 4 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
25.2.Blsvr.exe.7ff667860000.0.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
25.2.Blsvr.exe.7ff667860000.0.unpack	MacOS_Cryptominer_Xmrig_241780a1	unknown	unknown	0x4e8968:$a1: mining.set_target 0x4e4148:$a2: XMRIG_HOSTNAME 0x4e5c40:$a3: Usage: xmrig [OPTIONS] 0x4e4120:$a4: XMRIG_VERSION
25.2.Blsvr.exe.7ff667860000.0.unpack	MAL_XMR_Miner_May19_1	Detects Monero Crypto Coin Miner	Florian Roth	0x4ee941:$x2: * COMMANDS 'h' hashrate, 'p' pause, 'r' resume
25.2.Blsvr.exe.7ff667860000.0.unpack	MALWARE_Win_CoinMiner02	Detects coinmining malware	ditekSHen	0x4eeea0:$s1: %s/%s (Windows NT %lu.%lu 0x4ef6c8:$s3: \\.\WinRing0_ 0x4e7bc8:$s4: pool_wallet 0x4e39d0:$s5: cryptonight 0x4e39e0:$s5: cryptonight 0x4e39f0:$s5: cryptonight 0x4e3a00:$s5: cryptonight 0x4e3a18:$s5: cryptonight 0x4e3a28:$s5: cryptonight 0x4e3a38:$s5: cryptonight 0x4e3a50:$s5: cryptonight 0x4e3a60:$s5: cryptonight 0x4e3a78:$s5: cryptonight 0x4e3a90:$s5: cryptonight 0x4e3aa0:$s5: cryptonight 0x4e3ab0:$s5: cryptonight 0x4e3ac0:$s5: cryptonight 0x4e3ad8:$s5: cryptonight 0x4e3af0:$s5: cryptonight 0x4e3b00:$s5: cryptonight 0x4e3b10:$s5: cryptonight
25.2.Blsvr.exe.7ff66787e900.1.raw.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
25.2.Blsvr.exe.7ff66787e900.1.raw.unpack	MacOS_Cryptominer_Xmrig_241780a1	unknown	unknown	0x4cb268:$a1: mining.set_target 0x4c6a48:$a2: XMRIG_HOSTNAME 0x4c8540:$a3: Usage: xmrig [OPTIONS] 0x4c6a20:$a4: XMRIG_VERSION
25.2.Blsvr.exe.7ff66787e900.1.raw.unpack	MAL_XMR_Miner_May19_1	Detects Monero Crypto Coin Miner	Florian Roth	0x4d1241:$x2: * COMMANDS 'h' hashrate, 'p' pause, 'r' resume
25.2.Blsvr.exe.7ff66787e900.1.raw.unpack	MALWARE_Win_CoinMiner02	Detects coinmining malware	ditekSHen	0x4d17a0:$s1: %s/%s (Windows NT %lu.%lu 0x4d1fc8:$s3: \\.\WinRing0_ 0x4ca4c8:$s4: pool_wallet 0x4c62d0:$s5: cryptonight 0x4c62e0:$s5: cryptonight 0x4c62f0:$s5: cryptonight 0x4c6300:$s5: cryptonight 0x4c6318:$s5: cryptonight 0x4c6328:$s5: cryptonight 0x4c6338:$s5: cryptonight 0x4c6350:$s5: cryptonight 0x4c6360:$s5: cryptonight 0x4c6378:$s5: cryptonight 0x4c6390:$s5: cryptonight 0x4c63a0:$s5: cryptonight 0x4c63b0:$s5: cryptonight 0x4c63c0:$s5: cryptonight 0x4c63d8:$s5: cryptonight 0x4c63f0:$s5: cryptonight 0x4c6400:$s5: cryptonight 0x4c6410:$s5: cryptonight
25.2.Blsvr.exe.7ff66787e900.1.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
25.2.Blsvr.exe.7ff66787e900.1.unpack	MacOS_Cryptominer_Xmrig_241780a1	unknown	unknown	0x4ca268:$a1: mining.set_target 0x4c5a48:$a2: XMRIG_HOSTNAME 0x4c7540:$a3: Usage: xmrig [OPTIONS] 0x4c5a20:$a4: XMRIG_VERSION
25.2.Blsvr.exe.7ff66787e900.1.unpack	MAL_XMR_Miner_May19_1	Detects Monero Crypto Coin Miner	Florian Roth	0x4d0241:$x2: * COMMANDS 'h' hashrate, 'p' pause, 'r' resume
25.2.Blsvr.exe.7ff66787e900.1.unpack	MALWARE_Win_CoinMiner02	Detects coinmining malware	ditekSHen	0x4d07a0:$s1: %s/%s (Windows NT %lu.%lu 0x4d0fc8:$s3: \\.\WinRing0_ 0x4c94c8:$s4: pool_wallet 0x4c52d0:$s5: cryptonight 0x4c52e0:$s5: cryptonight 0x4c52f0:$s5: cryptonight 0x4c5300:$s5: cryptonight 0x4c5318:$s5: cryptonight 0x4c5328:$s5: cryptonight 0x4c5338:$s5: cryptonight 0x4c5350:$s5: cryptonight 0x4c5360:$s5: cryptonight 0x4c5378:$s5: cryptonight 0x4c5390:$s5: cryptonight 0x4c53a0:$s5: cryptonight 0x4c53b0:$s5: cryptonight 0x4c53c0:$s5: cryptonight 0x4c53d8:$s5: cryptonight 0x4c53f0:$s5: cryptonight 0x4c5400:$s5: cryptonight 0x4c5410:$s5: cryptonight
5.2.Blsvr.exe.7ff758a7e900.1.raw.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
5.2.Blsvr.exe.7ff758a7e900.1.raw.unpack	MacOS_Cryptominer_Xmrig_241780a1	unknown	unknown	0x4cb268:$a1: mining.set_target 0x4c6a48:$a2: XMRIG_HOSTNAME 0x4c8540:$a3: Usage: xmrig [OPTIONS] 0x4c6a20:$a4: XMRIG_VERSION
5.2.Blsvr.exe.7ff758a7e900.1.raw.unpack	MAL_XMR_Miner_May19_1	Detects Monero Crypto Coin Miner	Florian Roth	0x4d1241:$x2: * COMMANDS 'h' hashrate, 'p' pause, 'r' resume
5.2.Blsvr.exe.7ff758a7e900.1.raw.unpack	MALWARE_Win_CoinMiner02	Detects coinmining malware	ditekSHen	0x4d17a0:$s1: %s/%s (Windows NT %lu.%lu 0x4d1fc8:$s3: \\.\WinRing0_ 0x4ca4c8:$s4: pool_wallet 0x4c62d0:$s5: cryptonight 0x4c62e0:$s5: cryptonight 0x4c62f0:$s5: cryptonight 0x4c6300:$s5: cryptonight 0x4c6318:$s5: cryptonight 0x4c6328:$s5: cryptonight 0x4c6338:$s5: cryptonight 0x4c6350:$s5: cryptonight 0x4c6360:$s5: cryptonight 0x4c6378:$s5: cryptonight 0x4c6390:$s5: cryptonight 0x4c63a0:$s5: cryptonight 0x4c63b0:$s5: cryptonight 0x4c63c0:$s5: cryptonight 0x4c63d8:$s5: cryptonight 0x4c63f0:$s5: cryptonight 0x4c6400:$s5: cryptonight 0x4c6410:$s5: cryptonight
5.2.Blsvr.exe.7ff758a7e900.1.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
5.2.Blsvr.exe.7ff758a7e900.1.unpack	MacOS_Cryptominer_Xmrig_241780a1	unknown	unknown	0x4ca268:$a1: mining.set_target 0x4c5a48:$a2: XMRIG_HOSTNAME 0x4c7540:$a3: Usage: xmrig [OPTIONS] 0x4c5a20:$a4: XMRIG_VERSION
5.2.Blsvr.exe.7ff758a7e900.1.unpack	MAL_XMR_Miner_May19_1	Detects Monero Crypto Coin Miner	Florian Roth	0x4d0241:$x2: * COMMANDS 'h' hashrate, 'p' pause, 'r' resume
5.2.Blsvr.exe.7ff758a7e900.1.unpack	MALWARE_Win_CoinMiner02	Detects coinmining malware	ditekSHen	0x4d07a0:$s1: %s/%s (Windows NT %lu.%lu 0x4d0fc8:$s3: \\.\WinRing0_ 0x4c94c8:$s4: pool_wallet 0x4c52d0:$s5: cryptonight 0x4c52e0:$s5: cryptonight 0x4c52f0:$s5: cryptonight 0x4c5300:$s5: cryptonight 0x4c5318:$s5: cryptonight 0x4c5328:$s5: cryptonight 0x4c5338:$s5: cryptonight 0x4c5350:$s5: cryptonight 0x4c5360:$s5: cryptonight 0x4c5378:$s5: cryptonight 0x4c5390:$s5: cryptonight 0x4c53a0:$s5: cryptonight 0x4c53b0:$s5: cryptonight 0x4c53c0:$s5: cryptonight 0x4c53d8:$s5: cryptonight 0x4c53f0:$s5: cryptonight 0x4c5400:$s5: cryptonight 0x4c5410:$s5: cryptonight
5.2.Blsvr.exe.7ff758a60000.0.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
5.2.Blsvr.exe.7ff758a60000.0.unpack	MacOS_Cryptominer_Xmrig_241780a1	unknown	unknown	0x4e8968:$a1: mining.set_target 0x4e4148:$a2: XMRIG_HOSTNAME 0x4e5c40:$a3: Usage: xmrig [OPTIONS] 0x4e4120:$a4: XMRIG_VERSION
5.2.Blsvr.exe.7ff758a60000.0.unpack	MAL_XMR_Miner_May19_1	Detects Monero Crypto Coin Miner	Florian Roth	0x4ee941:$x2: * COMMANDS 'h' hashrate, 'p' pause, 'r' resume
5.2.Blsvr.exe.7ff758a60000.0.unpack	MALWARE_Win_CoinMiner02	Detects coinmining malware	ditekSHen	0x4eeea0:$s1: %s/%s (Windows NT %lu.%lu 0x4ef6c8:$s3: \\.\WinRing0_ 0x4e7bc8:$s4: pool_wallet 0x4e39d0:$s5: cryptonight 0x4e39e0:$s5: cryptonight 0x4e39f0:$s5: cryptonight 0x4e3a00:$s5: cryptonight 0x4e3a18:$s5: cryptonight 0x4e3a28:$s5: cryptonight 0x4e3a38:$s5: cryptonight 0x4e3a50:$s5: cryptonight 0x4e3a60:$s5: cryptonight 0x4e3a78:$s5: cryptonight 0x4e3a90:$s5: cryptonight 0x4e3aa0:$s5: cryptonight 0x4e3ab0:$s5: cryptonight 0x4e3ac0:$s5: cryptonight 0x4e3ad8:$s5: cryptonight 0x4e3af0:$s5: cryptonight 0x4e3b00:$s5: cryptonight 0x4e3b10:$s5: cryptonight
Click to see the 19 entries

Sigma Signatures

Operating System Destruction

Sigma detected: Stop multiple services

Source: Process started

Author: Joe Security: Data: Command: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc, CommandLine: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc, ProcessId: 940, ProcessName: cmd.exe

System Summary

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Users\user\Desktop\Q3pEXxmWAD.exe, ProcessId: 3144, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager, CommandLine: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager, ProcessId: 1548, ProcessName: svchost.exe

Snort Signatures

⊘No Snort rule has matched

Suricata Signatures

ET MALWARE CoinMiner Domain in DNS Lookup (pool .supportxmr .com) - Source IP: 192.168.2.5 - Destination IP: 1.1.1.1

Timestamp:	2024-07-24T10:58:06.272680+0200
SID:	2047928
Source Port:	55678
Destination Port:	53
Protocol:	UDP
Classtype:	Crypto Currency Mining Activity Detected

ETPRO COINMINER XMR CoinMiner Usage - Source IP: 192.168.2.5 - Destination IP: 141.94.96.195

Timestamp:	2024-07-24T10:57:57.586154+0200
SID:	2826930
Source Port:	49705
Destination Port:	3333
Protocol:	TCP
Classtype:	Crypto Currency Mining Activity Detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for domain / URL

Source: pool.supportxmr.com

Virustotal: Detection: 8%

Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\_MEI50042\Blsvr.exe	ReversingLabs: Detection: 79%
Source: C:\Users\user\AppData\Local\Temp\_MEI63882\Blsvr.exe	ReversingLabs: Detection: 79%

Multi AV Scanner detection for submitted file

Source: Q3pEXxmWAD.exe	ReversingLabs: Detection: 36%
Source: Q3pEXxmWAD.exe	Virustotal: Detection: 44%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 98.7% probability

Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92D8A60 CRYPTO_zalloc,CRYPTO_free,	2_2_00007FF8A92D8A60
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92D2608 CRYPTO_malloc,ERR_new,ERR_set_debug,memcpy,memcpy,memcmp,memcmp,memcmp,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_clear_free,	2_2_00007FF8A92D2608
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92D13A2 memcpy,CRYPTO_THREAD_read_lock,OPENSSL_LH_retrieve,CRYPTO_THREAD_unlock,CRYPTO_THREAD_unlock,	2_2_00007FF8A92D13A2
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92D1A0F ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_CIPHER_CTX_get0_cipher,EVP_CIPHER_get_flags,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_MD_CTX_get0_md,EVP_MD_get_size,CRYPTO_memcmp,ERR_set_mark,ERR_clear_last_mark,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,CRYPTO_zalloc,ERR_new,ERR_set_debug,ERR_pop_to_mark,ERR_clear_last_mark,ERR_new,ERR_set_debug,EVP_MD_CTX_get0_md,CRYPTO_memcmp,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_new,strncmp,strncmp,strncmp,strncmp,strncmp,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,	2_2_00007FF8A92D1A0F
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92D1CC1 EVP_MD_get_size,ERR_new,ERR_set_debug,RAND_bytes_ex,ERR_new,ERR_set_debug,_time64,CRYPTO_free,CRYPTO_memdup,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,	2_2_00007FF8A92D1CC1
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92D218F ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_PKEY_get1_encoded_public_key,CRYPTO_free,ERR_new,ERR_new,ERR_set_debug,EVP_PKEY_free,CRYPTO_free,ERR_new,ERR_set_debug,	2_2_00007FF8A92D218F
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92E4960 OPENSSL_sk_num,X509_STORE_CTX_new_ex,ERR_new,ERR_set_debug,ERR_set_error,OPENSSL_sk_value,X509_STORE_CTX_init,ERR_new,ERR_set_debug,ERR_set_error,X509_STORE_CTX_free,X509_STORE_CTX_set_flags,CRYPTO_THREAD_run_once,X509_STORE_CTX_set_ex_data,OPENSSL_sk_num,X509_STORE_CTX_set0_dane,X509_STORE_CTX_set_default,X509_VERIFY_PARAM_set1,X509_STORE_CTX_set_verify_cb,X509_verify_cert,X509_STORE_CTX_get_error,OPENSSL_sk_pop_free,X509_STORE_CTX_get0_chain,X509_STORE_CTX_get1_chain,ERR_new,ERR_set_debug,ERR_set_error,X509_VERIFY_PARAM_move_peername,X509_STORE_CTX_free,	2_2_00007FF8A92E4960
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92D1401 CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,CRYPTO_free,	2_2_00007FF8A92D1401
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92D1F2D ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,CRYPTO_strdup,	2_2_00007FF8A92D1F2D
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A93289B0 CRYPTO_free,CRYPTO_strndup,	2_2_00007FF8A93289B0
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A9318C60 CRYPTO_free,	2_2_00007FF8A9318C60
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92D4C00 CRYPTO_zalloc,ERR_new,ERR_set_debug,ERR_set_error,	2_2_00007FF8A92D4C00
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A931EC10 CRYPTO_free,	2_2_00007FF8A931EC10
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A9312C30 SRP_Calc_u_ex,BN_num_bits,CRYPTO_malloc,ERR_new,ERR_set_debug,BN_bn2bin,BN_clear_free,BN_clear_free,	2_2_00007FF8A9312C30
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92FEC90 CRYPTO_THREAD_write_lock,OPENSSL_LH_retrieve,OPENSSL_LH_delete,CRYPTO_THREAD_unlock,	2_2_00007FF8A92FEC90
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92D1154 CRYPTO_free,ERR_new,ERR_set_debug,	2_2_00007FF8A92D1154
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92D17DF ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_realloc,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_realloc,ERR_new,ERR_set_debug,ERR_set_error,	2_2_00007FF8A92D17DF
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92D1CA8 CRYPTO_strdup,CRYPTO_free,	2_2_00007FF8A92D1CA8
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92D2383 CRYPTO_free,CRYPTO_memdup,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,	2_2_00007FF8A92D2383
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92D2432 CRYPTO_zalloc,CRYPTO_zalloc,OBJ_nid2sn,EVP_get_digestbyname,CRYPTO_free,CRYPTO_free,ERR_new,ERR_set_debug,ERR_set_error,	2_2_00007FF8A92D2432
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A934AB20 ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_strndup,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_memdup,OPENSSL_cleanse,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,	2_2_00007FF8A934AB20
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92D4B40 CRYPTO_zalloc,ERR_new,ERR_set_debug,ERR_set_error,	2_2_00007FF8A92D4B40
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92EABB0 CRYPTO_free,CRYPTO_free,OPENSSL_sk_pop_free,CRYPTO_free,	2_2_00007FF8A92EABB0
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A9342BC0 CRYPTO_memcmp,	2_2_00007FF8A9342BC0
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92D1492 ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,CRYPTO_free,	2_2_00007FF8A92D1492
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92D1212 EVP_PKEY_free,EVP_PKEY_free,CRYPTO_free,OPENSSL_sk_pop_free,CRYPTO_free,CRYPTO_clear_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,memset,	2_2_00007FF8A92D1212
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92D26C6 ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,CRYPTO_strdup,	2_2_00007FF8A92D26C6
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A931EBB0 CRYPTO_free,	2_2_00007FF8A931EBB0
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A9334BB0 BN_num_bits,BN_bn2bin,CRYPTO_free,CRYPTO_strdup,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,	2_2_00007FF8A9334BB0
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A9318E50 CRYPTO_malloc,CRYPTO_free,CRYPTO_malloc,ERR_new,ERR_set_debug,	2_2_00007FF8A9318E50
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92D22E8 CRYPTO_malloc,CONF_parse_list,CRYPTO_memdup,CRYPTO_free,CRYPTO_free,	2_2_00007FF8A92D22E8
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92EEE43 CRYPTO_free,	2_2_00007FF8A92EEE43
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92D1370 ERR_new,ERR_set_debug,CRYPTO_THREAD_read_lock,CRYPTO_THREAD_unlock,ERR_new,ERR_set_debug,CRYPTO_THREAD_unlock,CRYPTO_THREAD_unlock,memset,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,	2_2_00007FF8A92D1370
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A934AED0 ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_malloc,ERR_new,ERR_set_debug,EVP_PKEY_CTX_new_from_pkey,ERR_new,ERR_set_debug,EVP_PKEY_decrypt_init,EVP_PKEY_CTX_set_rsa_padding,OSSL_PARAM_construct_uint,OSSL_PARAM_construct_end,EVP_PKEY_CTX_set_params,EVP_PKEY_decrypt,OPENSSL_cleanse,ERR_new,ERR_new,ERR_new,ERR_set_debug,CRYPTO_free,EVP_PKEY_CTX_free,	2_2_00007FF8A934AED0
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92D258B ERR_new,ERR_set_debug,CRYPTO_free,BIO_clear_flags,BIO_set_flags,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,memcpy,OPENSSL_cleanse,	2_2_00007FF8A92D258B
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92D1A05 ERR_new,ERR_set_debug,ERR_set_error,ASN1_item_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,memcpy,memcpy,_time64,X509_free,memcpy,CRYPTO_free,ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_free,ASN1_item_free,	2_2_00007FF8A92D1A05
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A9330D60 ERR_new,ERR_set_debug,CRYPTO_clear_free,	2_2_00007FF8A9330D60
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A9318D10 OPENSSL_cleanse,CRYPTO_free,	2_2_00007FF8A9318D10
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92E4D50 CRYPTO_get_ex_new_index,	2_2_00007FF8A92E4D50
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92D14CE CRYPTO_free,CRYPTO_free,CRYPTO_memdup,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,	2_2_00007FF8A92D14CE
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92E4DB0 i2d_X509_NAME,i2d_X509_NAME,memcmp,CRYPTO_free,CRYPTO_free,	2_2_00007FF8A92E4DB0
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92D17E9 ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_new,memcmp,ERR_new,CRYPTO_memdup,ERR_new,ERR_new,ERR_set_debug,	2_2_00007FF8A92D17E9
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92D1771 CRYPTO_free,	2_2_00007FF8A92D1771
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A9336D90 CRYPTO_free,ERR_new,ERR_set_debug,CRYPTO_free,	2_2_00007FF8A9336D90
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92D1186 EVP_MD_CTX_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,	2_2_00007FF8A92D1186
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92ED040 CRYPTO_free,CRYPTO_free,CRYPTO_free_ex_data,OPENSSL_LH_free,X509_STORE_free,CTLOG_STORE_free,OPENSSL_sk_free,OPENSSL_sk_free,OPENSSL_sk_free,OPENSSL_sk_pop_free,OPENSSL_sk_pop_free,OPENSSL_sk_pop_free,OPENSSL_sk_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_secure_free,EVP_MD_get0_provider,EVP_MD_free,EVP_MD_get0_provider,EVP_MD_free,EVP_CIPHER_get0_provider,EVP_CIPHER_free,EVP_MD_get0_provider,EVP_MD_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_THREAD_lock_free,CRYPTO_free,CRYPTO_free,	2_2_00007FF8A92ED040
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A93190C0 CRYPTO_malloc,ERR_new,ERR_set_debug,	2_2_00007FF8A93190C0
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92D1A32 CRYPTO_free,CRYPTO_memdup,ERR_new,ERR_set_debug,	2_2_00007FF8A92D1A32
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92D1181 _time64,OPENSSL_LH_retrieve,OPENSSL_LH_delete,CRYPTO_THREAD_unlock,	2_2_00007FF8A92D1181
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A9342F40 CRYPTO_free,CRYPTO_memdup,	2_2_00007FF8A9342F40
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92D1460 CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_set_error,BIO_snprintf,	2_2_00007FF8A92D1460
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92D1811 CRYPTO_free,CRYPTO_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,	2_2_00007FF8A92D1811
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92D2379 CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_set_error,memcpy,CRYPTO_free,CRYPTO_free,	2_2_00007FF8A92D2379
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92D17F8 EVP_MD_CTX_new,EVP_PKEY_new_raw_private_key_ex,EVP_DigestSignInit_ex,EVP_DigestSign,EVP_MD_CTX_free,EVP_PKEY_free,CRYPTO_memcmp,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,_time64,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_MD_CTX_free,EVP_PKEY_free,ERR_new,ERR_set_debug,EVP_MD_CTX_free,EVP_PKEY_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,	2_2_00007FF8A92D17F8
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92D4FE0 CRYPTO_free,	2_2_00007FF8A92D4FE0
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92D6233 CRYPTO_zalloc,ERR_new,ERR_set_debug,ERR_set_error,BIO_set_init,BIO_set_data,BIO_clear_flags,	2_2_00007FF8A92D6233
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92D138E CRYPTO_zalloc,ERR_new,ERR_set_debug,ERR_set_error,	2_2_00007FF8A92D138E
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92D23FB CRYPTO_free,CRYPTO_memdup,	2_2_00007FF8A92D23FB
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92F6290 ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,EVP_MD_get_size,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_zalloc,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_malloc,CRYPTO_free,EVP_PKEY_free,CRYPTO_free,ERR_new,ERR_set_debug,ERR_set_error,memcpy,OPENSSL_sk_num,OPENSSL_sk_value,OPENSSL_sk_insert,CRYPTO_free,EVP_PKEY_free,CRYPTO_free,ERR_new,ERR_set_debug,ERR_set_error,EVP_PKEY_free,CRYPTO_free,EVP_PKEY_free,CRYPTO_free,ERR_new,ERR_set_debug,ERR_set_error,d2i_X509,X509_get0_pubkey,CRYPTO_free,EVP_PKEY_free,CRYPTO_free,ERR_new,ERR_set_debug,ERR_set_error,X509_free,OPENSSL_sk_new_null,OPENSSL_sk_push,ERR_new,ERR_set_debug,ERR_set_error,X509_free,CRYPTO_free,EVP_PKEY_free,CRYPTO_free,CRYPTO_free,EVP_PKEY_free,CRYPTO_free,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,	2_2_00007FF8A92F6290
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92E62F0 CRYPTO_THREAD_run_once,	2_2_00007FF8A92E62F0
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92D1366 CRYPTO_malloc,EVP_PKEY_set_type,EVP_PKEY_CTX_new_from_pkey,EVP_PKEY_CTX_free,ERR_pop_to_mark,CRYPTO_free,EVP_PKEY_free,	2_2_00007FF8A92D1366
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92D4130 CRYPTO_free,	2_2_00007FF8A92D4130
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92D150A OPENSSL_sk_num,OPENSSL_sk_num,OPENSSL_sk_new_reserve,ERR_new,ERR_set_debug,ERR_set_error,OPENSSL_sk_value,X509_VERIFY_PARAM_get_depth,CRYPTO_dup_ex_data,X509_VERIFY_PARAM_inherit,OPENSSL_sk_dup,OPENSSL_sk_dup,	2_2_00007FF8A92D150A
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A931E160 CRYPTO_free,	2_2_00007FF8A931E160
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92D2694 CRYPTO_THREAD_write_lock,CRYPTO_THREAD_unlock,	2_2_00007FF8A92D2694
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92D1C58 CRYPTO_free,CRYPTO_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,	2_2_00007FF8A92D1C58
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92D13D9 OPENSSL_sk_new_null,ERR_new,ERR_set_debug,X509_new_ex,d2i_X509,CRYPTO_free,OPENSSL_sk_push,CRYPTO_free,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_new,ERR_set_debug,X509_free,OPENSSL_sk_pop_free,	2_2_00007FF8A92D13D9
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A931E1D0 CRYPTO_free,CRYPTO_strdup,ERR_new,ERR_set_debug,CRYPTO_free,ERR_new,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,	2_2_00007FF8A931E1D0
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A9336180 EVP_CIPHER_CTX_free,CRYPTO_free,ERR_new,ERR_set_debug,CRYPTO_free,	2_2_00007FF8A9336180
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A9346190 CRYPTO_memcmp,	2_2_00007FF8A9346190
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92D1CF3 CRYPTO_malloc,memset,memcpy,memcpy,CRYPTO_clear_free,CRYPTO_clear_free,CRYPTO_clear_free,CRYPTO_clear_free,OPENSSL_cleanse,	2_2_00007FF8A92D1CF3
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92D15E1 CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_set_error,memcpy,CRYPTO_free,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,memcpy,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,	2_2_00007FF8A92D15E1
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A9348450 ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,memcmp,ERR_new,ERR_new,OPENSSL_sk_num,OPENSSL_sk_value,OPENSSL_sk_num,ERR_new,ERR_set_debug,OPENSSL_sk_free,OPENSSL_sk_free,CRYPTO_free,CRYPTO_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,memcpy,OPENSSL_sk_num,OPENSSL_sk_value,OPENSSL_sk_num,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_memcmp,ERR_new,ERR_set_debug,ERR_new,OPENSSL_sk_free,OPENSSL_sk_dup,OPENSSL_sk_free,OPENSSL_sk_dup,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,OPENSSL_sk_num,OPENSSL_sk_value,OPENSSL_sk_num,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,OPENSSL_sk_num,OPENSSL_sk_value,OPENSSL_sk_free,ERR_new,OPENSSL_sk_free,OPENSSL_sk_free,CRYPTO_free,CRYPTO_free,	2_2_00007FF8A9348450
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92D1627 EVP_MD_CTX_new,ERR_new,ERR_set_debug,ERR_new,EVP_MD_get0_name,EVP_DigestSignInit_ex,ERR_new,ERR_set_debug,EVP_PKEY_CTX_set_rsa_padding,EVP_PKEY_CTX_set_rsa_pss_saltlen,ERR_new,EVP_DigestSignUpdate,EVP_DigestSignFinal,CRYPTO_malloc,EVP_DigestSignFinal,ERR_new,ERR_new,EVP_DigestSign,ERR_new,CRYPTO_malloc,EVP_DigestSign,BUF_reverse,ERR_new,CRYPTO_free,EVP_MD_CTX_free,ERR_new,ERR_new,ERR_new,ERR_set_debug,CRYPTO_free,EVP_MD_CTX_free,	2_2_00007FF8A92D1627
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92D6460 BIO_get_data,BIO_get_shutdown,BIO_get_init,BIO_clear_flags,BIO_set_init,CRYPTO_free,	2_2_00007FF8A92D6460
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92D18B6 CRYPTO_zalloc,ERR_new,ERR_set_debug,ERR_set_error,	2_2_00007FF8A92D18B6
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92DE4A0 CRYPTO_free,CRYPTO_strdup,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,	2_2_00007FF8A92DE4A0
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92FE4F0 CRYPTO_THREAD_write_lock,CRYPTO_THREAD_unlock,	2_2_00007FF8A92FE4F0
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92D4330 CRYPTO_zalloc,ERR_new,ERR_set_debug,ERR_set_error,	2_2_00007FF8A92D4330
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92D1F41 CRYPTO_malloc,ERR_new,ERR_set_debug,	2_2_00007FF8A92D1F41
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A933C370 EVP_CIPHER_CTX_free,EVP_MD_CTX_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,EVP_CIPHER_CTX_free,EVP_MD_CTX_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,memcpy,EVP_CIPHER_CTX_free,EVP_MD_CTX_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,	2_2_00007FF8A933C370
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92F2360 memcpy,CRYPTO_THREAD_read_lock,OPENSSL_LH_retrieve,CRYPTO_THREAD_unlock,	2_2_00007FF8A92F2360
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92D19DD BN_copy,BN_free,BN_dup,BN_copy,BN_free,BN_dup,BN_copy,BN_free,BN_dup,BN_copy,BN_free,CRYPTO_free,CRYPTO_strdup,	2_2_00007FF8A92D19DD
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A9328330 CRYPTO_memcmp,	2_2_00007FF8A9328330
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92EC3A0 CRYPTO_free,CRYPTO_memdup,	2_2_00007FF8A92EC3A0
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92D1F5A CRYPTO_THREAD_write_lock,CRYPTO_THREAD_unlock,	2_2_00007FF8A92D1F5A
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A93343A0 ERR_new,ERR_set_debug,memset,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_memdup,CRYPTO_strdup,CRYPTO_free,CRYPTO_free,ERR_new,ERR_new,ERR_set_debug,OPENSSL_cleanse,OPENSSL_cleanse,CRYPTO_clear_free,CRYPTO_clear_free,	2_2_00007FF8A93343A0
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A934A3A0 EVP_PKEY_CTX_new_from_pkey,ERR_new,ERR_set_debug,EVP_PKEY_decrypt_init,ERR_new,ERR_set_debug,X509_get0_pubkey,ERR_clear_error,ASN1_item_d2i,ASN1_TYPE_get,ERR_new,ERR_set_debug,EVP_PKEY_decrypt,ERR_new,EVP_PKEY_CTX_ctrl,ERR_new,ERR_new,ERR_set_debug,EVP_PKEY_CTX_free,ASN1_item_free,	2_2_00007FF8A934A3A0
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92D1217 CRYPTO_zalloc,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,	2_2_00007FF8A92D1217
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92D103C CRYPTO_malloc,COMP_expand_block,	2_2_00007FF8A92D103C
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A93046B0 CRYPTO_realloc,memcpy,ERR_new,ERR_set_debug,ERR_set_error,	2_2_00007FF8A93046B0
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92F26C0 ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_zalloc,CRYPTO_THREAD_lock_new,CRYPTO_free,ERR_new,ERR_set_debug,ERR_set_error,OPENSSL_sk_dup,X509_VERIFY_PARAM_new,X509_VERIFY_PARAM_inherit,CRYPTO_memdup,CRYPTO_memdup,CRYPTO_malloc,memcpy,CRYPTO_new_ex_data,	2_2_00007FF8A92F26C0
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A931E6B0 CRYPTO_free,	2_2_00007FF8A931E6B0
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92D2036 CRYPTO_free,	2_2_00007FF8A92D2036
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92D24FA CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,	2_2_00007FF8A92D24FA
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92D16A4 CRYPTO_free,CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,	2_2_00007FF8A92D16A4
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92D1EE7 CRYPTO_free,CRYPTO_strndup,CRYPTO_free,OPENSSL_cleanse,_time64,memcpy,EVP_MD_get0_name,EVP_MD_is_a,ERR_new,ERR_set_debug,OPENSSL_cleanse,ERR_new,OPENSSL_cleanse,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_new,ERR_new,EVP_MD_get_size,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_new,ERR_set_debug,	2_2_00007FF8A92D1EE7
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92D1488 CRYPTO_zalloc,ERR_new,ERR_set_debug,ERR_set_error,	2_2_00007FF8A92D1488
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92D1D98 EVP_CIPHER_CTX_free,EVP_CIPHER_CTX_free,EVP_CIPHER_CTX_free,CRYPTO_zalloc,EVP_MAC_CTX_free,EVP_MAC_free,CRYPTO_free,EVP_CIPHER_CTX_free,EVP_MAC_fetch,EVP_MAC_CTX_new,EVP_MAC_free,EVP_CIPHER_CTX_new,EVP_CIPHER_fetch,OSSL_PARAM_construct_utf8_string,OSSL_PARAM_construct_end,EVP_MAC_init,EVP_DecryptInit_ex,EVP_CIPHER_free,EVP_CIPHER_free,EVP_CIPHER_free,EVP_MAC_CTX_get_mac_size,EVP_CIPHER_CTX_get_iv_length,EVP_MAC_final,CRYPTO_memcmp,CRYPTO_malloc,CRYPTO_free,CRYPTO_free,memcpy,ERR_clear_error,CRYPTO_free,EVP_CIPHER_CTX_free,EVP_MAC_CTX_free,CRYPTO_free,	2_2_00007FF8A92D1D98
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92DE592 ERR_set_debug,CRYPTO_free,CRYPTO_strdup,ERR_new,	2_2_00007FF8A92DE592
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92D2059 CRYPTO_free,CRYPTO_malloc,ERR_new,RAND_bytes_ex,ERR_new,ERR_new,ERR_new,ERR_new,ERR_set_debug,	2_2_00007FF8A92D2059
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92D1AC3 CRYPTO_THREAD_read_lock,CRYPTO_THREAD_unlock,	2_2_00007FF8A92D1AC3
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A931E870 CRYPTO_free,	2_2_00007FF8A931E870
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92D1B54 memcmp,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,memcmp,EVP_CIPHER_CTX_free,CRYPTO_free,ERR_new,ERR_set_debug,CRYPTO_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,memcmp,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,memcmp,memcpy,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_new,ERR_set_debug,CRYPTO_free,	2_2_00007FF8A92D1B54
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A931E8D0 CRYPTO_free,	2_2_00007FF8A931E8D0
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92F0880 X509_VERIFY_PARAM_free,CRYPTO_free_ex_data,BIO_pop,BIO_free,BIO_free_all,BIO_free_all,BUF_MEM_free,OPENSSL_sk_free,OPENSSL_sk_free,OPENSSL_sk_free,OPENSSL_sk_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,OPENSSL_sk_pop_free,OPENSSL_sk_pop_free,SCT_LIST_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,EVP_MD_CTX_free,OPENSSL_sk_pop_free,OPENSSL_sk_pop_free,OPENSSL_sk_pop_free,ASYNC_WAIT_CTX_free,CRYPTO_free,OPENSSL_sk_free,CRYPTO_THREAD_lock_free,CRYPTO_free,	2_2_00007FF8A92F0880
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A9314880 CRYPTO_malloc,memset,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,ERR_new,ERR_set_debug,	2_2_00007FF8A9314880
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92D23EC EVP_MD_get_size,EVP_CIPHER_get_iv_length,EVP_CIPHER_get_key_length,CRYPTO_clear_free,CRYPTO_malloc,ERR_new,ERR_set_debug,	2_2_00007FF8A92D23EC
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A9312890 ERR_new,ERR_set_debug,BN_num_bits,CRYPTO_malloc,ERR_new,ERR_set_debug,BN_bn2bin,ERR_new,ERR_set_debug,BN_clear_free,BN_clear_free,CRYPTO_clear_free,ERR_new,ERR_set_debug,BN_clear_free,BN_clear_free,BN_clear_free,	2_2_00007FF8A9312890
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92EE72A CRYPTO_THREAD_write_lock,	2_2_00007FF8A92EE72A
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92EE72C CRYPTO_THREAD_write_lock,	2_2_00007FF8A92EE72C
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92D1893 ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_strdup,ERR_new,ERR_set_debug,	2_2_00007FF8A92D1893
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92D26F8 BIO_s_file,BIO_new,ERR_new,ERR_set_debug,BIO_ctrl,ERR_new,ERR_set_debug,strncmp,ERR_new,ERR_set_debug,strncmp,CRYPTO_realloc,memcpy,CRYPTO_free,CRYPTO_free,CRYPTO_free,PEM_read_bio,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,BIO_free,	2_2_00007FF8A92D26F8
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92D1AB4 CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_memdup,CRYPTO_free,ERR_new,ERR_set_debug,CRYPTO_free,ERR_new,ERR_set_debug,ERR_new,CRYPTO_free,CRYPTO_memdup,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_new,ERR_set_debug,	2_2_00007FF8A92D1AB4
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A9328700 CRYPTO_free,CRYPTO_memdup,	2_2_00007FF8A9328700
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92D198D CRYPTO_THREAD_write_lock,CRYPTO_THREAD_unlock,	2_2_00007FF8A92D198D
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A931E731 CRYPTO_free,CRYPTO_free,	2_2_00007FF8A931E731
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92E27B0 CRYPTO_THREAD_run_once,	2_2_00007FF8A92E27B0
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92D24DC CRYPTO_free,CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_set_error,memcpy,	2_2_00007FF8A92D24DC
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92D223E ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_clear_free,	2_2_00007FF8A92D223E
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A9334780 ERR_new,ERR_set_debug,X509_get0_pubkey,ERR_new,ERR_set_debug,CRYPTO_malloc,ERR_new,ERR_set_debug,RAND_bytes_ex,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_PKEY_CTX_new_from_pkey,EVP_PKEY_encrypt_init,EVP_PKEY_encrypt,EVP_PKEY_encrypt,EVP_PKEY_CTX_free,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_clear_free,EVP_PKEY_CTX_free,	2_2_00007FF8A9334780
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92D193D CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_set_error,	2_2_00007FF8A92D193D
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92E1AA0 CRYPTO_free,CRYPTO_strndup,	2_2_00007FF8A92E1AA0
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A9333A90 ERR_new,ERR_set_debug,X509_get0_pubkey,EVP_PKEY_CTX_new_from_pkey,ERR_new,ERR_set_debug,CRYPTO_malloc,EVP_PKEY_encrypt_init,RAND_bytes_ex,EVP_MD_CTX_new,EVP_DigestInit,EVP_DigestUpdate,EVP_DigestUpdate,EVP_DigestFinal_ex,EVP_MD_CTX_free,EVP_PKEY_CTX_ctrl,EVP_PKEY_encrypt,EVP_PKEY_CTX_free,ERR_new,ERR_set_debug,EVP_PKEY_CTX_free,CRYPTO_clear_free,EVP_MD_CTX_free,	2_2_00007FF8A9333A90
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92D12D0 CRYPTO_THREAD_run_once,	2_2_00007FF8A92D12D0
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A9321950 ERR_new,ERR_set_debug,EVP_PKEY_get1_encoded_public_key,CRYPTO_free,ERR_new,ERR_set_debug,EVP_PKEY_free,CRYPTO_free,	2_2_00007FF8A9321950
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A931D960 RAND_bytes_ex,CRYPTO_malloc,memset,	2_2_00007FF8A931D960
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A933D9E0 CRYPTO_malloc,ERR_new,ERR_set_debug,memcpy,	2_2_00007FF8A933D9E0
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92D1023 ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_free,	2_2_00007FF8A92D1023
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92D11C2 CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_set_error,memcpy,CRYPTO_free,CRYPTO_free,	2_2_00007FF8A92D11C2
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A93199A0 ERR_new,ERR_set_debug,EVP_MD_CTX_get0_md,EVP_MD_get_size,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_memcmp,ERR_set_mark,ERR_pop_to_mark,ERR_new,ERR_set_debug,ERR_clear_last_mark,EVP_MD_CTX_get0_md,CRYPTO_memcmp,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_free,	2_2_00007FF8A93199A0
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92D1087 ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_THREAD_run_once,CRYPTO_THREAD_run_once,CRYPTO_THREAD_run_once,	2_2_00007FF8A92D1087
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A9313C30 CRYPTO_free,CRYPTO_free,OPENSSL_cleanse,CRYPTO_free,CRYPTO_free,OPENSSL_cleanse,CRYPTO_free,CRYPTO_free,	2_2_00007FF8A9313C30
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92E7CB0 CRYPTO_zalloc,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,	2_2_00007FF8A92E7CB0
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A932FCC0 CRYPTO_free,CRYPTO_memdup,	2_2_00007FF8A932FCC0
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92D2536 CRYPTO_free,CRYPTO_memdup,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,	2_2_00007FF8A92D2536
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A9303B10 CRYPTO_malloc,CRYPTO_realloc,ERR_new,ERR_set_debug,ERR_set_error,memset,OSSL_PARAM_locate_const,CRYPTO_strdup,ERR_new,ERR_set_debug,OSSL_PARAM_locate_const,CRYPTO_strdup,ERR_new,OSSL_PARAM_locate_const,OSSL_PARAM_locate_const,CRYPTO_strdup,ERR_new,OSSL_PARAM_locate_const,OSSL_PARAM_get_uint,OSSL_PARAM_locate_const,OSSL_PARAM_get_uint,ERR_new,OSSL_PARAM_locate_const,OSSL_PARAM_locate_const,OSSL_PARAM_get_int,OSSL_PARAM_locate_const,OSSL_PARAM_get_int,OSSL_PARAM_locate_const,OSSL_PARAM_get_int,ERR_set_mark,EVP_KEYMGMT_free,ERR_pop_to_mark,ERR_new,ERR_new,ERR_new,ERR_new,ERR_new,ERR_new,ERR_new,ERR_new,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,CRYPTO_free,CRYPTO_free,	2_2_00007FF8A9303B10
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92DFB00 EVP_PKEY_CTX_new_from_pkey,EVP_PKEY_derive_set_peer,EVP_PKEY_is_a,CRYPTO_malloc,ERR_new,ERR_set_debug,EVP_PKEY_derive,ERR_new,ERR_new,ERR_set_debug,CRYPTO_clear_free,EVP_PKEY_CTX_free,ERR_new,ERR_set_debug,	2_2_00007FF8A92DFB00
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A931FB00 CRYPTO_zalloc,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,	2_2_00007FF8A931FB00
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92D19E7 CRYPTO_free,	2_2_00007FF8A92D19E7
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92D5E4A BIO_get_data,BIO_get_init,BIO_clear_flags,BIO_set_init,CRYPTO_free,CRYPTO_zalloc,ERR_new,ERR_set_debug,ERR_set_error,BIO_set_init,BIO_clear_flags,BIO_get_data,BIO_set_shutdown,BIO_push,BIO_set_next,BIO_up_ref,BIO_set_init,	2_2_00007FF8A92D5E4A
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92D3EE0 CRYPTO_free,	2_2_00007FF8A92D3EE0
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A9339E90 ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_free,CRYPTO_strndup,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,	2_2_00007FF8A9339E90
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92D176C CRYPTO_malloc,CRYPTO_THREAD_lock_new,CRYPTO_free,ERR_new,ERR_set_debug,ERR_set_error,X509_up_ref,X509_chain_up_ref,CRYPTO_strdup,CRYPTO_strdup,CRYPTO_dup_ex_data,CRYPTO_strdup,CRYPTO_memdup,CRYPTO_memdup,CRYPTO_strdup,CRYPTO_memdup,	2_2_00007FF8A92D176C
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92E9D50 CRYPTO_free,CRYPTO_strdup,	2_2_00007FF8A92E9D50
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92DFDB0 ERR_new,ERR_set_debug,EVP_PKEY_CTX_new_from_pkey,CRYPTO_malloc,CRYPTO_malloc,EVP_PKEY_encapsulate,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_clear_free,CRYPTO_free,EVP_PKEY_CTX_free,	2_2_00007FF8A92DFDB0
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A9327DE0 CRYPTO_memdup,CRYPTO_memdup,CRYPTO_memdup,CRYPTO_free,CRYPTO_free,CRYPTO_free,	2_2_00007FF8A9327DE0
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92D108C ERR_new,ERR_set_debug,CRYPTO_free,	2_2_00007FF8A92D108C
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92D25EF CRYPTO_malloc,ERR_new,ERR_set_debug,memcpy,ERR_new,ERR_set_debug,	2_2_00007FF8A92D25EF
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92D157D CRYPTO_free,CRYPTO_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,	2_2_00007FF8A92D157D
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92D11E0 EVP_PKEY_free,X509_free,EVP_PKEY_free,OPENSSL_sk_pop_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,X509_STORE_free,X509_STORE_free,CRYPTO_free,CRYPTO_THREAD_lock_free,CRYPTO_free,	2_2_00007FF8A92D11E0
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92F5DE0 CRYPTO_zalloc,CRYPTO_zalloc,OBJ_nid2sn,EVP_get_digestbyname,CRYPTO_free,CRYPTO_free,ERR_new,ERR_set_debug,ERR_set_error,	2_2_00007FF8A92F5DE0
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92FDDC0 CRYPTO_zalloc,ERR_new,ERR_set_debug,ERR_set_error,_time64,CRYPTO_THREAD_lock_new,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_new_ex_data,CRYPTO_THREAD_lock_free,CRYPTO_free,	2_2_00007FF8A92FDDC0
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92D107D CRYPTO_free,	2_2_00007FF8A92D107D
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92E60B0 COMP_zlib,OPENSSL_sk_new,COMP_get_type,CRYPTO_malloc,COMP_get_name,OPENSSL_sk_push,OPENSSL_sk_sort,	2_2_00007FF8A92E60B0
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92D2734 CRYPTO_free,CRYPTO_strdup,	2_2_00007FF8A92D2734
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92F6080 ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_realloc,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_realloc,ERR_new,ERR_set_debug,ERR_set_error,	2_2_00007FF8A92F6080
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92E40F0 CRYPTO_zalloc,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_THREAD_lock_new,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,	2_2_00007FF8A92E40F0
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A93280B0 CRYPTO_free,CRYPTO_free,	2_2_00007FF8A93280B0
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92D1B31 CRYPTO_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,	2_2_00007FF8A92D1B31
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A932FF50 CRYPTO_free,CRYPTO_strndup,	2_2_00007FF8A932FF50
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92D1ACD ERR_new,ERR_set_debug,CRYPTO_zalloc,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,memcpy,memcpy,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_new,memcpy,ERR_new,memcpy,CRYPTO_free,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_new,ERR_new,ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_free,	2_2_00007FF8A92D1ACD
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92E7F00 CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,CRYPTO_malloc,CRYPTO_free,ERR_new,ERR_set_debug,ERR_set_error,strncmp,CRYPTO_free,CRYPTO_free,OPENSSL_sk_new_null,CRYPTO_free,OPENSSL_sk_num,OPENSSL_sk_value,OPENSSL_sk_push,OPENSSL_sk_delete,OPENSSL_sk_num,OPENSSL_sk_push,CRYPTO_free,OPENSSL_sk_free,CRYPTO_free,OPENSSL_sk_free,	2_2_00007FF8A92E7F00
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92D25A4 CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,	2_2_00007FF8A92D25A4
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A9333F10 EVP_MD_CTX_new,EVP_DigestInit,EVP_DigestUpdate,EVP_DigestUpdate,EVP_DigestFinal_ex,EVP_MD_CTX_free,CRYPTO_malloc,EVP_PKEY_CTX_ctrl,EVP_PKEY_encrypt,EVP_PKEY_CTX_free,ERR_new,ERR_set_debug,EVP_PKEY_CTX_free,CRYPTO_clear_free,ERR_new,ERR_set_debug,	2_2_00007FF8A9333F10
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92D1B18 ERR_new,ERR_set_debug,memset,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,OPENSSL_cleanse,CRYPTO_free,CRYPTO_memdup,ERR_new,ERR_new,ERR_set_debug,OPENSSL_cleanse,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_memcmp,ERR_new,ERR_new,	2_2_00007FF8A92D1B18
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92D1D8E CRYPTO_free,CRYPTO_memdup,	2_2_00007FF8A92D1D8E
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92F5F90 CRYPTO_free,CRYPTO_free,	2_2_00007FF8A92F5F90
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92D144C EVP_MD_CTX_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_MD_CTX_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_memcmp,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,memcpy,memcpy,	2_2_00007FF8A92D144C
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92E5FD0 OPENSSL_sk_new,COMP_get_type,CRYPTO_malloc,OPENSSL_sk_push,OPENSSL_sk_sort,	2_2_00007FF8A92E5FD0
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92D2400 CRYPTO_memdup,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,CRYPTO_free,	2_2_00007FF8A92D2400
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A9313270 CRYPTO_free,CRYPTO_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,	2_2_00007FF8A9313270
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92F9274 CRYPTO_free,EVP_PKEY_free,CRYPTO_free,	2_2_00007FF8A92F9274
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92D1F91 CRYPTO_free,CRYPTO_malloc,ERR_new,ERR_set_debug,	2_2_00007FF8A92D1F91
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92D2121 ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_free,CRYPTO_memdup,ERR_new,ERR_set_debug,	2_2_00007FF8A92D2121
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92D2478 CRYPTO_memcmp,ERR_new,ERR_set_debug,memchr,ERR_new,CRYPTO_free,CRYPTO_free,CRYPTO_strndup,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,	2_2_00007FF8A92D2478
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A93052D8 EVP_MAC_CTX_free,CRYPTO_free,	2_2_00007FF8A93052D8
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92D1113 EVP_PKEY_free,ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_MD_CTX_new,ERR_new,ERR_set_debug,EVP_DigestVerifyInit_ex,ERR_new,ERR_set_debug,ERR_new,CRYPTO_free,ERR_new,ERR_set_debug,EVP_MD_CTX_free,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_MD_CTX_free,	2_2_00007FF8A92D1113
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A9343160 CRYPTO_free,CRYPTO_strndup,	2_2_00007FF8A9343160
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92EF100 ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,ERR_new,ERR_set_debug,ERR_set_error,BUF_MEM_free,EVP_MD_CTX_free,X509_free,X509_VERIFY_PARAM_move_peername,CRYPTO_free,	2_2_00007FF8A92EF100
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A933B100 CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,CRYPTO_zalloc,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,	2_2_00007FF8A933B100
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92D20EF CRYPTO_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,	2_2_00007FF8A92D20EF
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92FF1F0 CRYPTO_zalloc,ERR_new,ERR_set_debug,ERR_set_error,_time64,CRYPTO_THREAD_lock_new,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,ERR_new,ERR_set_debug,CRYPTO_new_ex_data,CRYPTO_THREAD_lock_free,ERR_new,ERR_set_debug,CRYPTO_free_ex_data,OPENSSL_cleanse,OPENSSL_cleanse,X509_free,OPENSSL_sk_pop_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_THREAD_lock_free,CRYPTO_clear_free,memcpy,	2_2_00007FF8A92FF1F0
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92D214E EVP_CIPHER_get_mode,EVP_CIPHER_get_mode,EVP_CIPHER_get_iv_length,EVP_CIPHER_get_key_length,CRYPTO_malloc,ERR_new,ERR_set_debug,	2_2_00007FF8A92D214E
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A9309440 CRYPTO_free,CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_set_error,	2_2_00007FF8A9309440
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A934545B CRYPTO_free,CRYPTO_memdup,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,	2_2_00007FF8A934545B
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92D195B CRYPTO_zalloc,EVP_MAC_free,EVP_MAC_CTX_free,CRYPTO_free,	2_2_00007FF8A92D195B
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A93214C0 CRYPTO_memcmp,	2_2_00007FF8A93214C0
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92D105F ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_free,EVP_PKEY_free,CRYPTO_free,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,CRYPTO_clear_free,CRYPTO_clear_free,	2_2_00007FF8A92D105F
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92D13DE EVP_MD_CTX_new,ERR_new,ERR_set_debug,EVP_PKEY_free,CRYPTO_free,EVP_MD_CTX_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_PKEY_get_security_bits,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_PKEY_free,EVP_PKEY_get_bn_param,EVP_PKEY_get_bn_param,ERR_new,ERR_set_debug,EVP_PKEY_free,CRYPTO_free,EVP_MD_CTX_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_PKEY_get1_encoded_public_key,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_PKEY_free,CRYPTO_free,EVP_MD_CTX_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,BN_num_bits,BN_num_bits,memset,BN_num_bits,BN_bn2bin,CRYPTO_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_MD_get0_name,EVP_DigestSignInit_ex,ERR_new,ERR_set_debug,EVP_PKEY_CTX_set_rsa_padding,EVP_PKEY_CTX_set_rsa_pss_saltlen,ERR_new,ERR_set_debug,EVP_DigestSign,CRYPTO_free,EVP_PKEY_free,CRYPTO_free,EVP_MD_CTX_free,BN_free,BN_free,BN_free,BN_free,CRYPTO_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,	2_2_00007FF8A92D13DE
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92D1A41 CRYPTO_free,CRYPTO_memdup,ERR_new,ERR_set_debug,memcmp,ERR_new,ERR_set_debug,CRYPTO_memdup,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,	2_2_00007FF8A92D1A41
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92D1E6F ERR_new,ERR_set_debug,CRYPTO_clear_free,	2_2_00007FF8A92D1E6F
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A933B4A0 EVP_CIPHER_CTX_free,EVP_MD_CTX_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,	2_2_00007FF8A933B4A0
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92D11AE EVP_MAC_CTX_free,CRYPTO_free,	2_2_00007FF8A92D11AE
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A9327310 CRYPTO_realloc,	2_2_00007FF8A9327310
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A9343330 CRYPTO_malloc,ERR_new,ERR_set_debug,EVP_CIPHER_CTX_new,ERR_new,ERR_new,ERR_new,ERR_set_debug,EVP_CIPHER_fetch,EVP_CIPHER_get_iv_length,RAND_bytes_ex,EVP_CIPHER_free,EVP_EncryptUpdate,EVP_EncryptFinal,ERR_new,ERR_new,ERR_new,ERR_set_debug,EVP_CIPHER_CTX_get_iv_length,ERR_new,ERR_new,CRYPTO_free,EVP_CIPHER_CTX_free,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,CRYPTO_free,EVP_CIPHER_CTX_free,	2_2_00007FF8A9343330
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92D1A23 BN_dup,BN_dup,BN_dup,BN_dup,BN_dup,BN_dup,BN_dup,BN_dup,CRYPTO_strdup,CRYPTO_strdup,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,CRYPTO_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,	2_2_00007FF8A92D1A23
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92FD3A0 CRYPTO_THREAD_write_lock,OPENSSL_sk_new_null,OPENSSL_LH_delete,OPENSSL_sk_push,OPENSSL_LH_set_down_load,CRYPTO_THREAD_unlock,OPENSSL_sk_pop_free,	2_2_00007FF8A92FD3A0
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92DD390 CRYPTO_free,OPENSSL_sk_pop_free,CRYPTO_free,CRYPTO_clear_free,CRYPTO_free,CRYPTO_free,EVP_PKEY_free,EVP_PKEY_free,CRYPTO_free,CRYPTO_free,memset,CRYPTO_free,	2_2_00007FF8A92DD390
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92D21F8 ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_malloc,ERR_new,ERR_set_debug,memcpy,ERR_new,ERR_set_debug,	2_2_00007FF8A92D21F8
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A934B380 BN_bin2bn,ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_strdup,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,	2_2_00007FF8A934B380
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A9331390 CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,	2_2_00007FF8A9331390
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92D21B7 CRYPTO_free,	2_2_00007FF8A92D21B7
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92DF620 CRYPTO_free,CRYPTO_memdup,	2_2_00007FF8A92DF620
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92D1267 X509_free,EVP_PKEY_free,OPENSSL_sk_pop_free,CRYPTO_free,	2_2_00007FF8A92D1267
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92D1398 OSSL_PROVIDER_do_all,CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_set_error,memcpy,	2_2_00007FF8A92D1398
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92D1654 EVP_MD_CTX_new,ERR_new,ERR_set_debug,X509_get0_pubkey,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_PKEY_get_id,EVP_PKEY_get_id,EVP_PKEY_get_id,EVP_MD_get0_name,EVP_DigestVerifyInit_ex,ERR_new,ERR_set_debug,CRYPTO_malloc,ERR_new,ERR_set_debug,BUF_reverse,EVP_PKEY_CTX_set_rsa_padding,EVP_PKEY_CTX_set_rsa_pss_saltlen,ERR_new,EVP_MD_CTX_ctrl,ERR_new,ERR_set_debug,ERR_new,EVP_DigestVerify,ERR_new,ERR_new,ERR_new,ERR_set_debug,BIO_free,EVP_MD_CTX_free,CRYPTO_free,	2_2_00007FF8A92D1654
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92D1B90 CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,	2_2_00007FF8A92D1B90
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92D1677 CRYPTO_THREAD_write_lock,OPENSSL_LH_retrieve,OPENSSL_LH_delete,CRYPTO_THREAD_unlock,	2_2_00007FF8A92D1677
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A9327540 CRYPTO_malloc,CRYPTO_malloc,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,	2_2_00007FF8A9327540
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92D1D02 CRYPTO_zalloc,CRYPTO_zalloc,	2_2_00007FF8A92D1D02
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A93335D0 ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_PKEY_get1_encoded_public_key,ERR_new,ERR_set_debug,EVP_PKEY_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_free,EVP_PKEY_free,	2_2_00007FF8A93335D0
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92D2388 CRYPTO_free,	2_2_00007FF8A92D2388
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92D1992 ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_zalloc,CRYPTO_THREAD_lock_new,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,CRYPTO_strdup,OPENSSL_LH_new,X509_STORE_new,CTLOG_STORE_new_ex,OPENSSL_sk_num,X509_VERIFY_PARAM_new,OPENSSL_sk_new_null,OPENSSL_sk_new_null,CRYPTO_new_ex_data,CRYPTO_secure_zalloc,RAND_bytes_ex,RAND_priv_bytes_ex,RAND_priv_bytes_ex,RAND_priv_bytes_ex,ERR_new,ERR_set_debug,	2_2_00007FF8A92D1992
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92D1483 CRYPTO_free,CRYPTO_strndup,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,	2_2_00007FF8A92D1483
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92D1846 OPENSSL_sk_new_null,ERR_new,ERR_set_debug,X509_new_ex,d2i_X509,CRYPTO_free,CRYPTO_memcmp,ERR_new,ERR_set_debug,OPENSSL_sk_push,OPENSSL_sk_num,ERR_new,ERR_set_debug,CRYPTO_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,X509_free,OPENSSL_sk_pop_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,OPENSSL_sk_value,X509_get0_pubkey,ERR_new,ERR_set_debug,X509_free,OPENSSL_sk_shift,OPENSSL_sk_pop_free,ERR_new,ERR_set_debug,	2_2_00007FF8A92D1846
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92D1997 ERR_new,ERR_set_debug,EVP_PKEY_CTX_new_from_pkey,CRYPTO_malloc,ERR_new,ERR_set_debug,EVP_PKEY_decapsulate,ERR_new,ERR_new,ERR_set_debug,CRYPTO_clear_free,EVP_PKEY_CTX_free,	2_2_00007FF8A92D1997
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92DD8AF CRYPTO_free,	2_2_00007FF8A92DD8AF
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92D1555 ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_PKEY_get1_encoded_public_key,ERR_new,ERR_set_debug,EVP_PKEY_free,CRYPTO_free,ERR_new,ERR_set_debug,EVP_PKEY_free,CRYPTO_free,ERR_new,ERR_set_debug,CRYPTO_free,ERR_new,ERR_set_debug,CRYPTO_free,ERR_new,ERR_set_debug,	2_2_00007FF8A92D1555
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A93158F0 CRYPTO_free,	2_2_00007FF8A93158F0
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92D231F ERR_new,ERR_set_debug,_time64,CRYPTO_free,CRYPTO_malloc,ERR_new,ERR_new,EVP_MD_fetch,ERR_new,ERR_new,ERR_set_debug,EVP_MD_free,EVP_MD_get_size,ERR_new,ERR_set_debug,CRYPTO_free,ERR_new,ERR_set_debug,EVP_MD_free,CRYPTO_free,	2_2_00007FF8A92D231F
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A9333880 ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_PKEY_get1_encoded_public_key,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_free,EVP_PKEY_free,	2_2_00007FF8A9333880
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92D1EE2 CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_set_error,OPENSSL_sk_find,CRYPTO_free,ERR_new,ERR_set_debug,OPENSSL_sk_push,CRYPTO_free,ERR_new,ERR_new,ERR_set_debug,ERR_set_error,	2_2_00007FF8A92D1EE2
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A933B8B0 EVP_CIPHER_CTX_free,EVP_MD_CTX_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,	2_2_00007FF8A933B8B0
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92FD730 CRYPTO_free_ex_data,OPENSSL_cleanse,OPENSSL_cleanse,X509_free,OPENSSL_sk_pop_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_THREAD_lock_free,CRYPTO_clear_free,	2_2_00007FF8A92FD730
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92DD710 CRYPTO_free,CRYPTO_strdup,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,	2_2_00007FF8A92DD710
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92D2130 memcpy,CRYPTO_THREAD_read_lock,OPENSSL_LH_retrieve,CRYPTO_THREAD_unlock,CRYPTO_THREAD_unlock,memcmp,ERR_new,ERR_set_debug,_time64,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,	2_2_00007FF8A92D2130
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92D1122 CRYPTO_zalloc,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,EVP_PKEY_up_ref,X509_up_ref,EVP_PKEY_up_ref,X509_chain_up_ref,CRYPTO_malloc,memcpy,CRYPTO_malloc,memcpy,ERR_new,ERR_set_debug,ERR_set_error,EVP_PKEY_free,X509_free,EVP_PKEY_free,OPENSSL_sk_pop_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,X509_STORE_free,X509_STORE_free,CRYPTO_free,CRYPTO_THREAD_lock_free,CRYPTO_free,ERR_new,CRYPTO_malloc,memcpy,CRYPTO_memdup,X509_STORE_up_ref,X509_STORE_up_ref,CRYPTO_strdup,	2_2_00007FF8A92D1122
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A9321730 CRYPTO_free,CRYPTO_memdup,	2_2_00007FF8A9321730
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92D20FE CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,CRYPTO_free,CRYPTO_free,	2_2_00007FF8A92D20FE
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A9331786 CRYPTO_free,ERR_new,ERR_set_debug,CRYPTO_free,	2_2_00007FF8A9331786
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92DB7C0 CRYPTO_clear_free,	2_2_00007FF8A92DB7C0
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8B8B24EC4 ASN1_STRING_type,ASN1_STRING_length,ASN1_STRING_get0_data,_Py_BuildValue_SizeT,ASN1_STRING_to_UTF8,_Py_Dealloc,_Py_BuildValue_SizeT,CRYPTO_free,	2_2_00007FF8B8B24EC4
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8B8B24C40 i2d_X509,PyBytes_FromStringAndSize,CRYPTO_free,	2_2_00007FF8B8B24C40
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8B8CE61B8 CRYPTO_memcmp,	2_2_00007FF8B8CE61B8
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8B8CE18E0 _Py_NoneStruct,_PyArg_UnpackKeywords,PyObject_GetBuffer,PyBuffer_IsContiguous,PyObject_GetBuffer,PyBuffer_IsContiguous,PyLong_AsUnsignedLong,PyLong_AsUnsignedLong,PyLong_AsUnsignedLong,EVP_PBE_scrypt,PyBytes_FromStringAndSize,PyEval_SaveThread,EVP_PBE_scrypt,PyEval_RestoreThread,PyExc_ValueError,PyErr_SetString,PyBuffer_Release,PyBuffer_Release,PyLong_AsLong,PyErr_Occurred,PyLong_AsLong,PyErr_Occurred,PyExc_ValueError,PyExc_ValueError,PyErr_Format,_PyArg_BadArgument,_PyArg_BadArgument,_PyArg_BadArgument,PyExc_TypeError,PyErr_Occurred,PyExc_TypeError,PyErr_Occurred,PyExc_TypeError,PyErr_Occurred,PyExc_TypeError,_PyArg_BadArgument,_PyArg_BadArgument,PyExc_OverflowError,PyExc_OverflowError,_Py_Dealloc,PyExc_ValueError,	2_2_00007FF8B8CE18E0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7CDE8D0 CRYPTO_free,	21_2_00007FF8A7CDE8D0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C91B54 memcmp,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,memcmp,EVP_CIPHER_CTX_free,CRYPTO_free,ERR_new,ERR_set_debug,CRYPTO_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,memcmp,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,memcmp,memcpy,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_new,ERR_set_debug,CRYPTO_free,	21_2_00007FF8A7C91B54
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C923EC EVP_MD_get_size,EVP_CIPHER_get_iv_length,EVP_CIPHER_get_key_length,CRYPTO_clear_free,CRYPTO_malloc,ERR_new,ERR_set_debug,	21_2_00007FF8A7C923EC
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7CD2890 ERR_new,ERR_set_debug,BN_num_bits,CRYPTO_malloc,ERR_new,ERR_set_debug,BN_bn2bin,ERR_new,ERR_set_debug,BN_clear_free,BN_clear_free,CRYPTO_clear_free,ERR_new,ERR_set_debug,BN_clear_free,BN_clear_free,BN_clear_free,	21_2_00007FF8A7CD2890
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7CB0880 X509_VERIFY_PARAM_free,CRYPTO_free_ex_data,BIO_pop,BIO_free,BIO_free_all,BIO_free_all,BUF_MEM_free,OPENSSL_sk_free,OPENSSL_sk_free,OPENSSL_sk_free,OPENSSL_sk_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,OPENSSL_sk_pop_free,OPENSSL_sk_pop_free,SCT_LIST_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,EVP_MD_CTX_free,OPENSSL_sk_pop_free,OPENSSL_sk_pop_free,OPENSSL_sk_pop_free,ASYNC_WAIT_CTX_free,CRYPTO_free,OPENSSL_sk_free,CRYPTO_THREAD_lock_free,CRYPTO_free,	21_2_00007FF8A7CB0880
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7CD4880 CRYPTO_malloc,memset,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,ERR_new,ERR_set_debug,	21_2_00007FF8A7CD4880
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7CDE870 CRYPTO_free,	21_2_00007FF8A7CDE870
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C9223E ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_clear_free,	21_2_00007FF8A7C9223E
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7CF4780 ERR_new,ERR_set_debug,X509_get0_pubkey,ERR_new,ERR_set_debug,CRYPTO_malloc,ERR_new,ERR_set_debug,RAND_bytes_ex,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_PKEY_CTX_new_from_pkey,EVP_PKEY_encrypt_init,EVP_PKEY_encrypt,EVP_PKEY_encrypt,EVP_PKEY_CTX_free,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_clear_free,EVP_PKEY_CTX_free,	21_2_00007FF8A7CF4780
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7CA27B0 CRYPTO_THREAD_run_once,	21_2_00007FF8A7CA27B0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C924DC CRYPTO_free,CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_set_error,memcpy,	21_2_00007FF8A7C924DC
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C9198D CRYPTO_THREAD_write_lock,CRYPTO_THREAD_unlock,	21_2_00007FF8A7C9198D
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C926F8 BIO_s_file,BIO_new,ERR_new,ERR_set_debug,BIO_ctrl,ERR_new,ERR_set_debug,strncmp,ERR_new,ERR_set_debug,strncmp,CRYPTO_realloc,memcpy,CRYPTO_free,CRYPTO_free,CRYPTO_free,PEM_read_bio,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,BIO_free,	21_2_00007FF8A7C926F8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C91893 ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_strdup,ERR_new,ERR_set_debug,	21_2_00007FF8A7C91893
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C91AB4 CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_memdup,CRYPTO_free,ERR_new,ERR_set_debug,CRYPTO_free,ERR_new,ERR_set_debug,ERR_new,CRYPTO_free,CRYPTO_memdup,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_new,ERR_set_debug,	21_2_00007FF8A7C91AB4
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7CE8700 CRYPTO_free,CRYPTO_memdup,	21_2_00007FF8A7CE8700
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7CAE72A CRYPTO_THREAD_write_lock,	21_2_00007FF8A7CAE72A
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7CDE731 CRYPTO_free,CRYPTO_free,	21_2_00007FF8A7CDE731
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7CAE72C CRYPTO_THREAD_write_lock,	21_2_00007FF8A7CAE72C
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7CB26C0 ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_zalloc,CRYPTO_THREAD_lock_new,CRYPTO_free,ERR_new,ERR_set_debug,ERR_set_error,OPENSSL_sk_dup,X509_VERIFY_PARAM_new,X509_VERIFY_PARAM_inherit,CRYPTO_memdup,CRYPTO_memdup,CRYPTO_malloc,memcpy,CRYPTO_new_ex_data,	21_2_00007FF8A7CB26C0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7CC46B0 CRYPTO_realloc,memcpy,ERR_new,ERR_set_debug,ERR_set_error,	21_2_00007FF8A7CC46B0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7CDE6B0 CRYPTO_free,	21_2_00007FF8A7CDE6B0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C91217 CRYPTO_zalloc,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,	21_2_00007FF8A7C91217
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C9103C CRYPTO_malloc,COMP_expand_block,	21_2_00007FF8A7C9103C
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C91D98 EVP_CIPHER_CTX_free,EVP_CIPHER_CTX_free,EVP_CIPHER_CTX_free,CRYPTO_zalloc,EVP_MAC_CTX_free,EVP_MAC_free,CRYPTO_free,EVP_CIPHER_CTX_free,EVP_MAC_fetch,EVP_MAC_CTX_new,EVP_MAC_free,EVP_CIPHER_CTX_new,EVP_CIPHER_fetch,OSSL_PARAM_construct_utf8_string,OSSL_PARAM_construct_end,EVP_MAC_init,EVP_DecryptInit_ex,EVP_CIPHER_free,EVP_CIPHER_free,EVP_CIPHER_free,EVP_MAC_CTX_get_mac_size,EVP_CIPHER_CTX_get_iv_length,EVP_MAC_final,CRYPTO_memcmp,CRYPTO_malloc,CRYPTO_free,CRYPTO_free,memcpy,ERR_clear_error,CRYPTO_free,EVP_CIPHER_CTX_free,EVP_MAC_CTX_free,CRYPTO_free,	21_2_00007FF8A7C91D98
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C91EE7 CRYPTO_free,CRYPTO_strndup,CRYPTO_free,OPENSSL_cleanse,_time64,memcpy,EVP_MD_get0_name,EVP_MD_is_a,ERR_new,ERR_set_debug,OPENSSL_cleanse,ERR_new,OPENSSL_cleanse,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_new,ERR_new,EVP_MD_get_size,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_new,ERR_set_debug,	21_2_00007FF8A7C91EE7
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C91AC3 CRYPTO_THREAD_read_lock,CRYPTO_THREAD_unlock,	21_2_00007FF8A7C91AC3
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C92059 CRYPTO_free,CRYPTO_malloc,ERR_new,RAND_bytes_ex,ERR_new,ERR_new,ERR_new,ERR_new,ERR_set_debug,	21_2_00007FF8A7C92059
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C9E592 ERR_set_debug,CRYPTO_free,CRYPTO_strdup,ERR_new,	21_2_00007FF8A7C9E592
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C91488 CRYPTO_zalloc,ERR_new,ERR_set_debug,ERR_set_error,	21_2_00007FF8A7C91488
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C92036 CRYPTO_free,	21_2_00007FF8A7C92036
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C924FA CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,	21_2_00007FF8A7C924FA
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C916A4 CRYPTO_free,CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,	21_2_00007FF8A7C916A4
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7CBE4F0 CRYPTO_THREAD_write_lock,CRYPTO_THREAD_unlock,	21_2_00007FF8A7CBE4F0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C918B6 CRYPTO_zalloc,ERR_new,ERR_set_debug,ERR_set_error,	21_2_00007FF8A7C918B6
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C9E4A0 CRYPTO_free,CRYPTO_strdup,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,	21_2_00007FF8A7C9E4A0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C91627 EVP_MD_CTX_new,ERR_new,ERR_set_debug,ERR_new,EVP_MD_get0_name,EVP_DigestSignInit_ex,ERR_new,ERR_set_debug,EVP_PKEY_CTX_set_rsa_padding,EVP_PKEY_CTX_set_rsa_pss_saltlen,ERR_new,EVP_DigestSignUpdate,EVP_DigestSignFinal,CRYPTO_malloc,EVP_DigestSignFinal,ERR_new,ERR_new,EVP_DigestSign,ERR_new,CRYPTO_malloc,EVP_DigestSign,BUF_reverse,ERR_new,CRYPTO_free,EVP_MD_CTX_free,ERR_new,ERR_new,ERR_new,ERR_set_debug,CRYPTO_free,EVP_MD_CTX_free,	21_2_00007FF8A7C91627
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C96460 BIO_get_data,BIO_get_shutdown,BIO_get_init,BIO_clear_flags,BIO_set_init,CRYPTO_free,	21_2_00007FF8A7C96460
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7D08450 ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,memcmp,ERR_new,ERR_new,OPENSSL_sk_num,OPENSSL_sk_value,OPENSSL_sk_num,ERR_new,ERR_set_debug,OPENSSL_sk_free,OPENSSL_sk_free,CRYPTO_free,CRYPTO_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,memcpy,OPENSSL_sk_num,OPENSSL_sk_value,OPENSSL_sk_num,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_memcmp,ERR_new,ERR_set_debug,ERR_new,OPENSSL_sk_free,OPENSSL_sk_dup,OPENSSL_sk_free,OPENSSL_sk_dup,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,OPENSSL_sk_num,OPENSSL_sk_value,OPENSSL_sk_num,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,OPENSSL_sk_num,OPENSSL_sk_value,OPENSSL_sk_free,ERR_new,OPENSSL_sk_free,OPENSSL_sk_free,CRYPTO_free,CRYPTO_free,	21_2_00007FF8A7D08450
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C915E1 CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_set_error,memcpy,CRYPTO_free,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,memcpy,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,	21_2_00007FF8A7C915E1
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7D0A3A0 EVP_PKEY_CTX_new_from_pkey,ERR_new,ERR_set_debug,EVP_PKEY_decrypt_init,ERR_new,ERR_set_debug,X509_get0_pubkey,ERR_clear_error,ASN1_item_d2i,ASN1_TYPE_get,ERR_new,ERR_set_debug,EVP_PKEY_decrypt,ERR_new,EVP_PKEY_CTX_ctrl,ERR_new,ERR_new,ERR_set_debug,EVP_PKEY_CTX_free,ASN1_item_free,	21_2_00007FF8A7D0A3A0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C91F5A CRYPTO_THREAD_write_lock,CRYPTO_THREAD_unlock,	21_2_00007FF8A7C91F5A
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7CAC3A0 CRYPTO_free,CRYPTO_memdup,	21_2_00007FF8A7CAC3A0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7CF43A0 ERR_new,ERR_set_debug,memset,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_memdup,CRYPTO_strdup,CRYPTO_free,CRYPTO_free,ERR_new,ERR_new,ERR_set_debug,OPENSSL_cleanse,OPENSSL_cleanse,CRYPTO_clear_free,CRYPTO_clear_free,	21_2_00007FF8A7CF43A0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C91F41 CRYPTO_malloc,ERR_new,ERR_set_debug,	21_2_00007FF8A7C91F41
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7CFC370 EVP_CIPHER_CTX_free,EVP_MD_CTX_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,EVP_CIPHER_CTX_free,EVP_MD_CTX_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,memcpy,EVP_CIPHER_CTX_free,EVP_MD_CTX_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,	21_2_00007FF8A7CFC370
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7CB2360 memcpy,CRYPTO_THREAD_read_lock,OPENSSL_LH_retrieve,CRYPTO_THREAD_unlock,	21_2_00007FF8A7CB2360
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C94330 CRYPTO_zalloc,ERR_new,ERR_set_debug,ERR_set_error,	21_2_00007FF8A7C94330
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C919DD BN_copy,BN_free,BN_dup,BN_copy,BN_free,BN_dup,BN_copy,BN_free,BN_dup,BN_copy,BN_free,CRYPTO_free,CRYPTO_strdup,	21_2_00007FF8A7C919DD
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7CE8330 CRYPTO_memcmp,	21_2_00007FF8A7CE8330
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C91366 CRYPTO_malloc,EVP_PKEY_set_type,EVP_PKEY_CTX_new_from_pkey,EVP_PKEY_CTX_free,ERR_pop_to_mark,CRYPTO_free,EVP_PKEY_free,	21_2_00007FF8A7C91366
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7CA62F0 CRYPTO_THREAD_run_once,	21_2_00007FF8A7CA62F0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7CB6290 ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,EVP_MD_get_size,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_zalloc,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_malloc,CRYPTO_free,EVP_PKEY_free,CRYPTO_free,ERR_new,ERR_set_debug,ERR_set_error,memcpy,OPENSSL_sk_num,OPENSSL_sk_value,OPENSSL_sk_insert,CRYPTO_free,EVP_PKEY_free,CRYPTO_free,ERR_new,ERR_set_debug,ERR_set_error,EVP_PKEY_free,CRYPTO_free,EVP_PKEY_free,CRYPTO_free,ERR_new,ERR_set_debug,ERR_set_error,d2i_X509,X509_get0_pubkey,CRYPTO_free,EVP_PKEY_free,CRYPTO_free,ERR_new,ERR_set_debug,ERR_set_error,X509_free,OPENSSL_sk_new_null,OPENSSL_sk_push,ERR_new,ERR_set_debug,ERR_set_error,X509_free,CRYPTO_free,EVP_PKEY_free,CRYPTO_free,CRYPTO_free,EVP_PKEY_free,CRYPTO_free,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,	21_2_00007FF8A7CB6290
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C923FB CRYPTO_free,CRYPTO_memdup,	21_2_00007FF8A7C923FB
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C9138E CRYPTO_zalloc,ERR_new,ERR_set_debug,ERR_set_error,	21_2_00007FF8A7C9138E
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C96233 CRYPTO_zalloc,ERR_new,ERR_set_debug,ERR_set_error,BIO_set_init,BIO_set_data,BIO_clear_flags,	21_2_00007FF8A7C96233
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7CDE1D0 CRYPTO_free,CRYPTO_strdup,ERR_new,ERR_set_debug,CRYPTO_free,ERR_new,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,	21_2_00007FF8A7CDE1D0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C91CF3 CRYPTO_malloc,memset,memcpy,memcpy,CRYPTO_clear_free,CRYPTO_clear_free,CRYPTO_clear_free,CRYPTO_clear_free,OPENSSL_cleanse,	21_2_00007FF8A7C91CF3
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7D06190 CRYPTO_memcmp,	21_2_00007FF8A7D06190
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7CF6180 EVP_CIPHER_CTX_free,CRYPTO_free,ERR_new,ERR_set_debug,CRYPTO_free,	21_2_00007FF8A7CF6180
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7CDE160 CRYPTO_free,	21_2_00007FF8A7CDE160
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C9150A OPENSSL_sk_num,OPENSSL_sk_num,OPENSSL_sk_new_reserve,ERR_new,ERR_set_debug,ERR_set_error,OPENSSL_sk_value,X509_VERIFY_PARAM_get_depth,CRYPTO_dup_ex_data,X509_VERIFY_PARAM_inherit,OPENSSL_sk_dup,OPENSSL_sk_dup,	21_2_00007FF8A7C9150A
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C913D9 OPENSSL_sk_new_null,ERR_new,ERR_set_debug,X509_new_ex,d2i_X509,CRYPTO_free,OPENSSL_sk_push,CRYPTO_free,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_new,ERR_set_debug,X509_free,OPENSSL_sk_pop_free,	21_2_00007FF8A7C913D9
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C92694 CRYPTO_THREAD_write_lock,CRYPTO_THREAD_unlock,	21_2_00007FF8A7C92694
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C91C58 CRYPTO_free,CRYPTO_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,	21_2_00007FF8A7C91C58
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C94130 CRYPTO_free,	21_2_00007FF8A7C94130
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C91181 _time64,OPENSSL_LH_retrieve,OPENSSL_LH_delete,CRYPTO_THREAD_unlock,	21_2_00007FF8A7C91181
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7CD90C0 CRYPTO_malloc,ERR_new,ERR_set_debug,	21_2_00007FF8A7CD90C0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C91A32 CRYPTO_free,CRYPTO_memdup,ERR_new,ERR_set_debug,	21_2_00007FF8A7C91A32
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7CAD040 CRYPTO_free,CRYPTO_free,CRYPTO_free_ex_data,OPENSSL_LH_free,X509_STORE_free,CTLOG_STORE_free,OPENSSL_sk_free,OPENSSL_sk_free,OPENSSL_sk_free,OPENSSL_sk_pop_free,OPENSSL_sk_pop_free,OPENSSL_sk_pop_free,OPENSSL_sk_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_secure_free,EVP_MD_get0_provider,EVP_MD_free,EVP_MD_get0_provider,EVP_MD_free,EVP_CIPHER_get0_provider,EVP_CIPHER_free,EVP_MD_get0_provider,EVP_MD_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_THREAD_lock_free,CRYPTO_free,CRYPTO_free,	21_2_00007FF8A7CAD040
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C91186 EVP_MD_CTX_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,	21_2_00007FF8A7C91186
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C92379 CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_set_error,memcpy,CRYPTO_free,CRYPTO_free,	21_2_00007FF8A7C92379
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C91811 CRYPTO_free,CRYPTO_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,	21_2_00007FF8A7C91811
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C94FE0 CRYPTO_free,	21_2_00007FF8A7C94FE0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C917F8 EVP_MD_CTX_new,EVP_PKEY_new_raw_private_key_ex,EVP_DigestSignInit_ex,EVP_DigestSign,EVP_MD_CTX_free,EVP_PKEY_free,CRYPTO_memcmp,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,_time64,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_MD_CTX_free,EVP_PKEY_free,ERR_new,ERR_set_debug,EVP_MD_CTX_free,EVP_PKEY_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,	21_2_00007FF8A7C917F8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C91460 CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_set_error,BIO_snprintf,	21_2_00007FF8A7C91460
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7D02F40 CRYPTO_free,CRYPTO_memdup,	21_2_00007FF8A7D02F40
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C91A05 ERR_new,ERR_set_debug,ERR_set_error,ASN1_item_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,memcpy,memcpy,_time64,X509_free,memcpy,CRYPTO_free,ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_free,ASN1_item_free,	21_2_00007FF8A7C91A05
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C9258B ERR_new,ERR_set_debug,CRYPTO_free,BIO_clear_flags,BIO_set_flags,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,memcpy,OPENSSL_cleanse,	21_2_00007FF8A7C9258B
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7D0AED0 ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_malloc,ERR_new,ERR_set_debug,EVP_PKEY_CTX_new_from_pkey,ERR_new,ERR_set_debug,EVP_PKEY_decrypt_init,EVP_PKEY_CTX_set_rsa_padding,OSSL_PARAM_construct_uint,OSSL_PARAM_construct_end,EVP_PKEY_CTX_set_params,EVP_PKEY_decrypt,OPENSSL_cleanse,ERR_new,ERR_new,ERR_new,ERR_set_debug,CRYPTO_free,EVP_PKEY_CTX_free,	21_2_00007FF8A7D0AED0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C91370 ERR_new,ERR_set_debug,CRYPTO_THREAD_read_lock,CRYPTO_THREAD_unlock,ERR_new,ERR_set_debug,CRYPTO_THREAD_unlock,CRYPTO_THREAD_unlock,memset,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,	21_2_00007FF8A7C91370
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7CD8E50 CRYPTO_malloc,CRYPTO_free,CRYPTO_malloc,ERR_new,ERR_set_debug,	21_2_00007FF8A7CD8E50
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7CAEE43 CRYPTO_free,	21_2_00007FF8A7CAEE43
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C922E8 CRYPTO_malloc,CONF_parse_list,CRYPTO_memdup,CRYPTO_free,CRYPTO_free,	21_2_00007FF8A7C922E8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C917E9 ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_new,memcmp,ERR_new,CRYPTO_memdup,ERR_new,ERR_new,ERR_set_debug,	21_2_00007FF8A7C917E9
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C91771 CRYPTO_free,	21_2_00007FF8A7C91771
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7CF6D90 CRYPTO_free,ERR_new,ERR_set_debug,CRYPTO_free,	21_2_00007FF8A7CF6D90
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7CA4DB0 i2d_X509_NAME,i2d_X509_NAME,memcmp,CRYPTO_free,CRYPTO_free,	21_2_00007FF8A7CA4DB0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7CA4D50 CRYPTO_get_ex_new_index,	21_2_00007FF8A7CA4D50
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7CF0D60 ERR_new,ERR_set_debug,CRYPTO_clear_free,	21_2_00007FF8A7CF0D60
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7CD8D10 OPENSSL_cleanse,CRYPTO_free,	21_2_00007FF8A7CD8D10
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C914CE CRYPTO_free,CRYPTO_free,CRYPTO_memdup,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,	21_2_00007FF8A7C914CE
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C917DF ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_realloc,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_realloc,ERR_new,ERR_set_debug,ERR_set_error,	21_2_00007FF8A7C917DF
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C91CA8 CRYPTO_strdup,CRYPTO_free,	21_2_00007FF8A7C91CA8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7CBEC90 CRYPTO_THREAD_write_lock,OPENSSL_LH_retrieve,OPENSSL_LH_delete,CRYPTO_THREAD_unlock,	21_2_00007FF8A7CBEC90
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C91154 CRYPTO_free,ERR_new,ERR_set_debug,	21_2_00007FF8A7C91154
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7CD8C60 CRYPTO_free,	21_2_00007FF8A7CD8C60
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7CDEC10 CRYPTO_free,	21_2_00007FF8A7CDEC10
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C94C00 CRYPTO_zalloc,ERR_new,ERR_set_debug,ERR_set_error,	21_2_00007FF8A7C94C00
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7CD2C30 SRP_Calc_u_ex,BN_num_bits,CRYPTO_malloc,ERR_new,ERR_set_debug,BN_bn2bin,BN_clear_free,BN_clear_free,	21_2_00007FF8A7CD2C30
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C91492 ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,CRYPTO_free,	21_2_00007FF8A7C91492
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C926C6 ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,CRYPTO_strdup,	21_2_00007FF8A7C926C6
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7D02BC0 CRYPTO_memcmp,	21_2_00007FF8A7D02BC0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C91212 EVP_PKEY_free,EVP_PKEY_free,CRYPTO_free,OPENSSL_sk_pop_free,CRYPTO_free,CRYPTO_clear_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,memset,	21_2_00007FF8A7C91212
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7CAABB0 CRYPTO_free,CRYPTO_free,OPENSSL_sk_pop_free,CRYPTO_free,	21_2_00007FF8A7CAABB0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7CDEBB0 CRYPTO_free,	21_2_00007FF8A7CDEBB0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7CF4BB0 BN_num_bits,BN_bn2bin,CRYPTO_free,CRYPTO_strdup,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,	21_2_00007FF8A7CF4BB0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C94B40 CRYPTO_zalloc,ERR_new,ERR_set_debug,ERR_set_error,	21_2_00007FF8A7C94B40
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C92383 CRYPTO_free,CRYPTO_memdup,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,	21_2_00007FF8A7C92383
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7D0AB20 ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_strndup,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_memdup,OPENSSL_cleanse,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,	21_2_00007FF8A7D0AB20
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C92432 CRYPTO_zalloc,CRYPTO_zalloc,OBJ_nid2sn,EVP_get_digestbyname,CRYPTO_free,CRYPTO_free,ERR_new,ERR_set_debug,ERR_set_error,	21_2_00007FF8A7C92432
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C913A2 memcpy,CRYPTO_THREAD_read_lock,OPENSSL_LH_retrieve,CRYPTO_THREAD_unlock,CRYPTO_THREAD_unlock,	21_2_00007FF8A7C913A2
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C91A0F ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_CIPHER_CTX_get0_cipher,EVP_CIPHER_get_flags,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_MD_CTX_get0_md,EVP_MD_get_size,CRYPTO_memcmp,ERR_set_mark,ERR_clear_last_mark,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,CRYPTO_zalloc,ERR_new,ERR_set_debug,ERR_pop_to_mark,ERR_clear_last_mark,ERR_new,ERR_set_debug,EVP_MD_CTX_get0_md,CRYPTO_memcmp,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_new,strncmp,strncmp,strncmp,strncmp,strncmp,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,	21_2_00007FF8A7C91A0F
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C92608 CRYPTO_malloc,ERR_new,ERR_set_debug,memcpy,memcpy,memcmp,memcmp,memcmp,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_clear_free,	21_2_00007FF8A7C92608
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C98A60 CRYPTO_zalloc,CRYPTO_free,	21_2_00007FF8A7C98A60
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C91F2D ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,CRYPTO_strdup,	21_2_00007FF8A7C91F2D
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7CE89B0 CRYPTO_free,CRYPTO_strndup,	21_2_00007FF8A7CE89B0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C9218F ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_PKEY_get1_encoded_public_key,CRYPTO_free,ERR_new,ERR_new,ERR_set_debug,EVP_PKEY_free,CRYPTO_free,ERR_new,ERR_set_debug,	21_2_00007FF8A7C9218F
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7CA4960 OPENSSL_sk_num,X509_STORE_CTX_new_ex,ERR_new,ERR_set_debug,ERR_set_error,OPENSSL_sk_value,X509_STORE_CTX_init,ERR_new,ERR_set_debug,ERR_set_error,X509_STORE_CTX_free,X509_STORE_CTX_set_flags,CRYPTO_THREAD_run_once,X509_STORE_CTX_set_ex_data,OPENSSL_sk_num,X509_STORE_CTX_set0_dane,X509_STORE_CTX_set_default,X509_VERIFY_PARAM_set1,X509_STORE_CTX_set_verify_cb,X509_verify_cert,X509_STORE_CTX_get_error,OPENSSL_sk_pop_free,X509_STORE_CTX_get0_chain,X509_STORE_CTX_get1_chain,ERR_new,ERR_set_debug,ERR_set_error,X509_VERIFY_PARAM_move_peername,X509_STORE_CTX_free,	21_2_00007FF8A7CA4960
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C91CC1 EVP_MD_get_size,ERR_new,ERR_set_debug,RAND_bytes_ex,ERR_new,ERR_set_debug,_time64,CRYPTO_free,CRYPTO_memdup,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,	21_2_00007FF8A7C91CC1
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C91401 CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,CRYPTO_free,	21_2_00007FF8A7C91401
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C91555 ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_PKEY_get1_encoded_public_key,ERR_new,ERR_set_debug,EVP_PKEY_free,CRYPTO_free,ERR_new,ERR_set_debug,EVP_PKEY_free,CRYPTO_free,ERR_new,ERR_set_debug,CRYPTO_free,ERR_new,ERR_set_debug,CRYPTO_free,ERR_new,ERR_set_debug,	21_2_00007FF8A7C91555
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C91EE2 CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_set_error,OPENSSL_sk_find,CRYPTO_free,ERR_new,ERR_set_debug,OPENSSL_sk_push,CRYPTO_free,ERR_new,ERR_new,ERR_set_debug,ERR_set_error,	21_2_00007FF8A7C91EE2
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7CD58F0 CRYPTO_free,	21_2_00007FF8A7CD58F0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C9231F ERR_new,ERR_set_debug,_time64,CRYPTO_free,CRYPTO_malloc,ERR_new,ERR_new,EVP_MD_fetch,ERR_new,ERR_new,ERR_set_debug,EVP_MD_free,EVP_MD_get_size,ERR_new,ERR_set_debug,CRYPTO_free,ERR_new,ERR_set_debug,EVP_MD_free,CRYPTO_free,	21_2_00007FF8A7C9231F
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7CF3880 ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_PKEY_get1_encoded_public_key,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_free,EVP_PKEY_free,	21_2_00007FF8A7CF3880
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C91997 ERR_new,ERR_set_debug,EVP_PKEY_CTX_new_from_pkey,CRYPTO_malloc,ERR_new,ERR_set_debug,EVP_PKEY_decapsulate,ERR_new,ERR_new,ERR_set_debug,CRYPTO_clear_free,EVP_PKEY_CTX_free,	21_2_00007FF8A7C91997
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7CFB8B0 EVP_CIPHER_CTX_free,EVP_MD_CTX_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,	21_2_00007FF8A7CFB8B0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C9D8AF CRYPTO_free,	21_2_00007FF8A7C9D8AF
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C91846 OPENSSL_sk_new_null,ERR_new,ERR_set_debug,X509_new_ex,d2i_X509,CRYPTO_free,CRYPTO_memcmp,ERR_new,ERR_set_debug,OPENSSL_sk_push,OPENSSL_sk_num,ERR_new,ERR_set_debug,CRYPTO_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,X509_free,OPENSSL_sk_pop_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,OPENSSL_sk_value,X509_get0_pubkey,ERR_new,ERR_set_debug,X509_free,OPENSSL_sk_shift,OPENSSL_sk_pop_free,ERR_new,ERR_set_debug,	21_2_00007FF8A7C91846
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C91483 CRYPTO_free,CRYPTO_strndup,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,	21_2_00007FF8A7C91483
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C91992 ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_zalloc,CRYPTO_THREAD_lock_new,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,CRYPTO_strdup,OPENSSL_LH_new,X509_STORE_new,CTLOG_STORE_new_ex,OPENSSL_sk_num,X509_VERIFY_PARAM_new,OPENSSL_sk_new_null,OPENSSL_sk_new_null,CRYPTO_new_ex_data,CRYPTO_secure_zalloc,RAND_bytes_ex,RAND_priv_bytes_ex,RAND_priv_bytes_ex,RAND_priv_bytes_ex,ERR_new,ERR_set_debug,	21_2_00007FF8A7C91992
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C9B7C0 CRYPTO_clear_free,	21_2_00007FF8A7C9B7C0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C920FE CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,CRYPTO_free,CRYPTO_free,	21_2_00007FF8A7C920FE
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7CF1786 CRYPTO_free,ERR_new,ERR_set_debug,CRYPTO_free,	21_2_00007FF8A7CF1786
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C92130 memcpy,CRYPTO_THREAD_read_lock,OPENSSL_LH_retrieve,CRYPTO_THREAD_unlock,CRYPTO_THREAD_unlock,memcmp,ERR_new,ERR_set_debug,_time64,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,	21_2_00007FF8A7C92130
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C91122 CRYPTO_zalloc,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,EVP_PKEY_up_ref,X509_up_ref,EVP_PKEY_up_ref,X509_chain_up_ref,CRYPTO_malloc,memcpy,CRYPTO_malloc,memcpy,ERR_new,ERR_set_debug,ERR_set_error,EVP_PKEY_free,X509_free,EVP_PKEY_free,OPENSSL_sk_pop_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,X509_STORE_free,X509_STORE_free,CRYPTO_free,CRYPTO_THREAD_lock_free,CRYPTO_free,ERR_new,CRYPTO_malloc,memcpy,CRYPTO_memdup,X509_STORE_up_ref,X509_STORE_up_ref,CRYPTO_strdup,	21_2_00007FF8A7C91122
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C9D710 CRYPTO_free,CRYPTO_strdup,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,	21_2_00007FF8A7C9D710
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7CBD730 CRYPTO_free_ex_data,OPENSSL_cleanse,OPENSSL_cleanse,X509_free,OPENSSL_sk_pop_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_THREAD_lock_free,CRYPTO_clear_free,	21_2_00007FF8A7CBD730
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7CE1730 CRYPTO_free,CRYPTO_memdup,	21_2_00007FF8A7CE1730
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C91267 X509_free,EVP_PKEY_free,OPENSSL_sk_pop_free,CRYPTO_free,	21_2_00007FF8A7C91267
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C91398 OSSL_PROVIDER_do_all,CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_set_error,memcpy,	21_2_00007FF8A7C91398
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C91654 EVP_MD_CTX_new,ERR_new,ERR_set_debug,X509_get0_pubkey,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_PKEY_get_id,EVP_PKEY_get_id,EVP_PKEY_get_id,EVP_MD_get0_name,EVP_DigestVerifyInit_ex,ERR_new,ERR_set_debug,CRYPTO_malloc,ERR_new,ERR_set_debug,BUF_reverse,EVP_PKEY_CTX_set_rsa_padding,EVP_PKEY_CTX_set_rsa_pss_saltlen,ERR_new,EVP_MD_CTX_ctrl,ERR_new,ERR_set_debug,ERR_new,EVP_DigestVerify,ERR_new,ERR_new,ERR_new,ERR_set_debug,BIO_free,EVP_MD_CTX_free,CRYPTO_free,	21_2_00007FF8A7C91654
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C9F620 CRYPTO_free,CRYPTO_memdup,	21_2_00007FF8A7C9F620
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7CF35D0 ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_PKEY_get1_encoded_public_key,ERR_new,ERR_set_debug,EVP_PKEY_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_free,EVP_PKEY_free,	21_2_00007FF8A7CF35D0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C92388 CRYPTO_free,	21_2_00007FF8A7C92388
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C91D02 CRYPTO_zalloc,CRYPTO_zalloc,	21_2_00007FF8A7C91D02
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7CE7540 CRYPTO_malloc,CRYPTO_malloc,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,	21_2_00007FF8A7CE7540
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C91B90 CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,	21_2_00007FF8A7C91B90
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C91677 CRYPTO_THREAD_write_lock,OPENSSL_LH_retrieve,OPENSSL_LH_delete,CRYPTO_THREAD_unlock,	21_2_00007FF8A7C91677
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C913DE EVP_MD_CTX_new,ERR_new,ERR_set_debug,EVP_PKEY_free,CRYPTO_free,EVP_MD_CTX_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_PKEY_get_security_bits,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_PKEY_free,EVP_PKEY_get_bn_param,EVP_PKEY_get_bn_param,ERR_new,ERR_set_debug,EVP_PKEY_free,CRYPTO_free,EVP_MD_CTX_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_PKEY_get1_encoded_public_key,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_PKEY_free,CRYPTO_free,EVP_MD_CTX_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,BN_num_bits,BN_num_bits,memset,BN_num_bits,BN_bn2bin,CRYPTO_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_MD_get0_name,EVP_DigestSignInit_ex,ERR_new,ERR_set_debug,EVP_PKEY_CTX_set_rsa_padding,EVP_PKEY_CTX_set_rsa_pss_saltlen,ERR_new,ERR_set_debug,EVP_DigestSign,CRYPTO_free,EVP_PKEY_free,CRYPTO_free,EVP_MD_CTX_free,BN_free,BN_free,BN_free,BN_free,CRYPTO_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,	21_2_00007FF8A7C913DE
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7CE14C0 CRYPTO_memcmp,	21_2_00007FF8A7CE14C0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C9105F ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_free,EVP_PKEY_free,CRYPTO_free,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,CRYPTO_clear_free,CRYPTO_clear_free,	21_2_00007FF8A7C9105F
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C91A41 CRYPTO_free,CRYPTO_memdup,ERR_new,ERR_set_debug,memcmp,ERR_new,ERR_set_debug,CRYPTO_memdup,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,	21_2_00007FF8A7C91A41
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C9195B CRYPTO_zalloc,EVP_MAC_free,EVP_MAC_CTX_free,CRYPTO_free,	21_2_00007FF8A7C9195B
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C91E6F ERR_new,ERR_set_debug,CRYPTO_clear_free,	21_2_00007FF8A7C91E6F
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7CFB4A0 EVP_CIPHER_CTX_free,EVP_MD_CTX_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,	21_2_00007FF8A7CFB4A0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7CC9440 CRYPTO_free,CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_set_error,	21_2_00007FF8A7CC9440
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7D0545B CRYPTO_free,CRYPTO_memdup,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,	21_2_00007FF8A7D0545B
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C921B7 CRYPTO_free,	21_2_00007FF8A7C921B7
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C91A23 BN_dup,BN_dup,BN_dup,BN_dup,BN_dup,BN_dup,BN_dup,BN_dup,CRYPTO_strdup,CRYPTO_strdup,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,CRYPTO_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,	21_2_00007FF8A7C91A23
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C921F8 ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_malloc,ERR_new,ERR_set_debug,memcpy,ERR_new,ERR_set_debug,	21_2_00007FF8A7C921F8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C9D390 CRYPTO_free,OPENSSL_sk_pop_free,CRYPTO_free,CRYPTO_clear_free,CRYPTO_free,CRYPTO_free,EVP_PKEY_free,EVP_PKEY_free,CRYPTO_free,CRYPTO_free,memset,CRYPTO_free,	21_2_00007FF8A7C9D390
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7CF1390 CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,	21_2_00007FF8A7CF1390
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7D0B380 BN_bin2bn,ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_strdup,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,	21_2_00007FF8A7D0B380
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7CBD3A0 CRYPTO_THREAD_write_lock,OPENSSL_sk_new_null,OPENSSL_LH_delete,OPENSSL_sk_push,OPENSSL_LH_set_down_load,CRYPTO_THREAD_unlock,OPENSSL_sk_pop_free,	21_2_00007FF8A7CBD3A0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7CE7310 CRYPTO_realloc,	21_2_00007FF8A7CE7310
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7D03330 CRYPTO_malloc,ERR_new,ERR_set_debug,EVP_CIPHER_CTX_new,ERR_new,ERR_new,ERR_new,ERR_set_debug,EVP_CIPHER_fetch,EVP_CIPHER_get_iv_length,RAND_bytes_ex,EVP_CIPHER_free,EVP_EncryptUpdate,EVP_EncryptFinal,ERR_new,ERR_new,ERR_new,ERR_set_debug,EVP_CIPHER_CTX_get_iv_length,ERR_new,ERR_new,CRYPTO_free,EVP_CIPHER_CTX_free,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,CRYPTO_free,EVP_CIPHER_CTX_free,	21_2_00007FF8A7D03330
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C911AE EVP_MAC_CTX_free,CRYPTO_free,	21_2_00007FF8A7C911AE
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7CC52D8 EVP_MAC_CTX_free,CRYPTO_free,	21_2_00007FF8A7CC52D8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7CD3270 CRYPTO_free,CRYPTO_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,	21_2_00007FF8A7CD3270
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7CB9274 CRYPTO_free,EVP_PKEY_free,CRYPTO_free,	21_2_00007FF8A7CB9274
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C92121 ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_free,CRYPTO_memdup,ERR_new,ERR_set_debug,	21_2_00007FF8A7C92121
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C92478 CRYPTO_memcmp,ERR_new,ERR_set_debug,memchr,ERR_new,CRYPTO_free,CRYPTO_free,CRYPTO_strndup,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,	21_2_00007FF8A7C92478
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C91F91 CRYPTO_free,CRYPTO_malloc,ERR_new,ERR_set_debug,	21_2_00007FF8A7C91F91
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C9214E EVP_CIPHER_get_mode,EVP_CIPHER_get_mode,EVP_CIPHER_get_iv_length,EVP_CIPHER_get_key_length,CRYPTO_malloc,ERR_new,ERR_set_debug,	21_2_00007FF8A7C9214E
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7CBF1F0 CRYPTO_zalloc,ERR_new,ERR_set_debug,ERR_set_error,_time64,CRYPTO_THREAD_lock_new,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,ERR_new,ERR_set_debug,CRYPTO_new_ex_data,CRYPTO_THREAD_lock_free,ERR_new,ERR_set_debug,CRYPTO_free_ex_data,OPENSSL_cleanse,OPENSSL_cleanse,X509_free,OPENSSL_sk_pop_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_THREAD_lock_free,CRYPTO_clear_free,memcpy,	21_2_00007FF8A7CBF1F0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C91113 EVP_PKEY_free,ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_MD_CTX_new,ERR_new,ERR_set_debug,EVP_DigestVerifyInit_ex,ERR_new,ERR_set_debug,ERR_new,CRYPTO_free,ERR_new,ERR_set_debug,EVP_MD_CTX_free,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_MD_CTX_free,	21_2_00007FF8A7C91113
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7D03160 CRYPTO_free,CRYPTO_strndup,	21_2_00007FF8A7D03160
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C920EF CRYPTO_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,	21_2_00007FF8A7C920EF
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7CAF100 ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,ERR_new,ERR_set_debug,ERR_set_error,BUF_MEM_free,EVP_MD_CTX_free,X509_free,X509_VERIFY_PARAM_move_peername,CRYPTO_free,	21_2_00007FF8A7CAF100
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7CFB100 CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,CRYPTO_zalloc,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,	21_2_00007FF8A7CFB100
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7CA40F0 CRYPTO_zalloc,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_THREAD_lock_new,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,	21_2_00007FF8A7CA40F0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C92734 CRYPTO_free,CRYPTO_strdup,	21_2_00007FF8A7C92734
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7CB6080 ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_realloc,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_realloc,ERR_new,ERR_set_debug,ERR_set_error,	21_2_00007FF8A7CB6080
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7CA60B0 COMP_zlib,OPENSSL_sk_new,COMP_get_type,CRYPTO_malloc,COMP_get_name,OPENSSL_sk_push,OPENSSL_sk_sort,	21_2_00007FF8A7CA60B0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7CE80B0 CRYPTO_free,CRYPTO_free,	21_2_00007FF8A7CE80B0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C9107D CRYPTO_free,	21_2_00007FF8A7C9107D
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7CA5FD0 OPENSSL_sk_new,COMP_get_type,CRYPTO_malloc,OPENSSL_sk_push,OPENSSL_sk_sort,	21_2_00007FF8A7CA5FD0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C92400 CRYPTO_memdup,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,CRYPTO_free,	21_2_00007FF8A7C92400
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7CB5F90 CRYPTO_free,CRYPTO_free,	21_2_00007FF8A7CB5F90
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C9144C EVP_MD_CTX_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_MD_CTX_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_memcmp,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,memcpy,memcpy,	21_2_00007FF8A7C9144C
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C91D8E CRYPTO_free,CRYPTO_memdup,	21_2_00007FF8A7C91D8E
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C91B31 CRYPTO_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,	21_2_00007FF8A7C91B31
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7CEFF50 CRYPTO_free,CRYPTO_strndup,	21_2_00007FF8A7CEFF50
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C91ACD ERR_new,ERR_set_debug,CRYPTO_zalloc,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,memcpy,memcpy,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_new,memcpy,ERR_new,memcpy,CRYPTO_free,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_new,ERR_new,ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_free,	21_2_00007FF8A7C91ACD
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C925A4 CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,	21_2_00007FF8A7C925A4
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7CF3F10 EVP_MD_CTX_new,EVP_DigestInit,EVP_DigestUpdate,EVP_DigestUpdate,EVP_DigestFinal_ex,EVP_MD_CTX_free,CRYPTO_malloc,EVP_PKEY_CTX_ctrl,EVP_PKEY_encrypt,EVP_PKEY_CTX_free,ERR_new,ERR_set_debug,EVP_PKEY_CTX_free,CRYPTO_clear_free,ERR_new,ERR_set_debug,	21_2_00007FF8A7CF3F10
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7CA7F00 CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,CRYPTO_malloc,CRYPTO_free,ERR_new,ERR_set_debug,ERR_set_error,strncmp,CRYPTO_free,CRYPTO_free,OPENSSL_sk_new_null,CRYPTO_free,OPENSSL_sk_num,OPENSSL_sk_value,OPENSSL_sk_push,OPENSSL_sk_delete,OPENSSL_sk_num,OPENSSL_sk_push,CRYPTO_free,OPENSSL_sk_free,CRYPTO_free,OPENSSL_sk_free,	21_2_00007FF8A7CA7F00
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C91B18 ERR_new,ERR_set_debug,memset,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,OPENSSL_cleanse,CRYPTO_free,CRYPTO_memdup,ERR_new,ERR_new,ERR_set_debug,OPENSSL_cleanse,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_memcmp,ERR_new,ERR_new,	21_2_00007FF8A7C91B18
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C93EE0 CRYPTO_free,	21_2_00007FF8A7C93EE0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7CF9E90 ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_free,CRYPTO_strndup,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,	21_2_00007FF8A7CF9E90
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C95E4A BIO_get_data,BIO_get_init,BIO_clear_flags,BIO_set_init,CRYPTO_free,CRYPTO_zalloc,ERR_new,ERR_set_debug,ERR_set_error,BIO_set_init,BIO_clear_flags,BIO_get_data,BIO_set_shutdown,BIO_push,BIO_set_next,BIO_up_ref,BIO_set_init,	21_2_00007FF8A7C95E4A
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C919E7 CRYPTO_free,	21_2_00007FF8A7C919E7
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7CBDDC0 CRYPTO_zalloc,ERR_new,ERR_set_debug,ERR_set_error,_time64,CRYPTO_THREAD_lock_new,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_new_ex_data,CRYPTO_THREAD_lock_free,CRYPTO_free,	21_2_00007FF8A7CBDDC0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C9157D CRYPTO_free,CRYPTO_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,	21_2_00007FF8A7C9157D
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C911E0 EVP_PKEY_free,X509_free,EVP_PKEY_free,OPENSSL_sk_pop_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,X509_STORE_free,X509_STORE_free,CRYPTO_free,CRYPTO_THREAD_lock_free,CRYPTO_free,	21_2_00007FF8A7C911E0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7CB5DE0 CRYPTO_zalloc,CRYPTO_zalloc,OBJ_nid2sn,EVP_get_digestbyname,CRYPTO_free,CRYPTO_free,ERR_new,ERR_set_debug,ERR_set_error,	21_2_00007FF8A7CB5DE0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C9108C ERR_new,ERR_set_debug,CRYPTO_free,	21_2_00007FF8A7C9108C
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7CE7DE0 CRYPTO_memdup,CRYPTO_memdup,CRYPTO_memdup,CRYPTO_free,CRYPTO_free,CRYPTO_free,	21_2_00007FF8A7CE7DE0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C925EF CRYPTO_malloc,ERR_new,ERR_set_debug,memcpy,ERR_new,ERR_set_debug,	21_2_00007FF8A7C925EF
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C9FDB0 ERR_new,ERR_set_debug,EVP_PKEY_CTX_new_from_pkey,CRYPTO_malloc,CRYPTO_malloc,EVP_PKEY_encapsulate,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_clear_free,CRYPTO_free,EVP_PKEY_CTX_free,	21_2_00007FF8A7C9FDB0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7CA9D50 CRYPTO_free,CRYPTO_strdup,	21_2_00007FF8A7CA9D50
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C9176C CRYPTO_malloc,CRYPTO_THREAD_lock_new,CRYPTO_free,ERR_new,ERR_set_debug,ERR_set_error,X509_up_ref,X509_chain_up_ref,CRYPTO_strdup,CRYPTO_strdup,CRYPTO_dup_ex_data,CRYPTO_strdup,CRYPTO_memdup,CRYPTO_memdup,CRYPTO_strdup,CRYPTO_memdup,	21_2_00007FF8A7C9176C
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7CEFCC0 CRYPTO_free,CRYPTO_memdup,	21_2_00007FF8A7CEFCC0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C92536 CRYPTO_free,CRYPTO_memdup,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,	21_2_00007FF8A7C92536
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7CA7CB0 CRYPTO_zalloc,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,	21_2_00007FF8A7CA7CB0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C91087 ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_THREAD_run_once,CRYPTO_THREAD_run_once,CRYPTO_THREAD_run_once,	21_2_00007FF8A7C91087
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7CD3C30 CRYPTO_free,CRYPTO_free,OPENSSL_cleanse,CRYPTO_free,CRYPTO_free,OPENSSL_cleanse,CRYPTO_free,CRYPTO_free,	21_2_00007FF8A7CD3C30
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7CC3B10 CRYPTO_malloc,CRYPTO_realloc,ERR_new,ERR_set_debug,ERR_set_error,memset,OSSL_PARAM_locate_const,CRYPTO_strdup,ERR_new,ERR_set_debug,OSSL_PARAM_locate_const,CRYPTO_strdup,ERR_new,OSSL_PARAM_locate_const,OSSL_PARAM_locate_const,CRYPTO_strdup,ERR_new,OSSL_PARAM_locate_const,OSSL_PARAM_get_uint,OSSL_PARAM_locate_const,OSSL_PARAM_get_uint,ERR_new,OSSL_PARAM_locate_const,OSSL_PARAM_locate_const,OSSL_PARAM_get_int,OSSL_PARAM_locate_const,OSSL_PARAM_get_int,OSSL_PARAM_locate_const,OSSL_PARAM_get_int,ERR_set_mark,EVP_KEYMGMT_free,ERR_pop_to_mark,ERR_new,ERR_new,ERR_new,ERR_new,ERR_new,ERR_new,ERR_new,ERR_new,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,CRYPTO_free,CRYPTO_free,	21_2_00007FF8A7CC3B10
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C9FB00 EVP_PKEY_CTX_new_from_pkey,EVP_PKEY_derive_set_peer,EVP_PKEY_is_a,CRYPTO_malloc,ERR_new,ERR_set_debug,EVP_PKEY_derive,ERR_new,ERR_new,ERR_set_debug,CRYPTO_clear_free,EVP_PKEY_CTX_free,ERR_new,ERR_set_debug,	21_2_00007FF8A7C9FB00
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7CDFB00 CRYPTO_zalloc,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,	21_2_00007FF8A7CDFB00
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C912D0 CRYPTO_THREAD_run_once,	21_2_00007FF8A7C912D0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7CF3A90 ERR_new,ERR_set_debug,X509_get0_pubkey,EVP_PKEY_CTX_new_from_pkey,ERR_new,ERR_set_debug,CRYPTO_malloc,EVP_PKEY_encrypt_init,RAND_bytes_ex,EVP_MD_CTX_new,EVP_DigestInit,EVP_DigestUpdate,EVP_DigestUpdate,EVP_DigestFinal_ex,EVP_MD_CTX_free,EVP_PKEY_CTX_ctrl,EVP_PKEY_encrypt,EVP_PKEY_CTX_free,ERR_new,ERR_set_debug,EVP_PKEY_CTX_free,CRYPTO_clear_free,EVP_MD_CTX_free,	21_2_00007FF8A7CF3A90
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7CA1AA0 CRYPTO_free,CRYPTO_strndup,	21_2_00007FF8A7CA1AA0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C9193D CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_set_error,	21_2_00007FF8A7C9193D
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7CFD9E0 CRYPTO_malloc,ERR_new,ERR_set_debug,memcpy,	21_2_00007FF8A7CFD9E0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C91023 ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_free,	21_2_00007FF8A7C91023
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C911C2 CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_set_error,memcpy,CRYPTO_free,CRYPTO_free,	21_2_00007FF8A7C911C2
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7CD99A0 ERR_new,ERR_set_debug,EVP_MD_CTX_get0_md,EVP_MD_get_size,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_memcmp,ERR_set_mark,ERR_pop_to_mark,ERR_new,ERR_set_debug,ERR_clear_last_mark,EVP_MD_CTX_get0_md,CRYPTO_memcmp,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_free,	21_2_00007FF8A7CD99A0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7CE1950 ERR_new,ERR_set_debug,EVP_PKEY_get1_encoded_public_key,CRYPTO_free,ERR_new,ERR_set_debug,EVP_PKEY_free,CRYPTO_free,	21_2_00007FF8A7CE1950
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7CDD960 RAND_bytes_ex,CRYPTO_malloc,memset,	21_2_00007FF8A7CDD960
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8B61A4C40 i2d_X509,PyBytes_FromStringAndSize,CRYPTO_free,	21_2_00007FF8B61A4C40
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8B61A4EC4 ASN1_STRING_type,ASN1_STRING_length,ASN1_STRING_get0_data,_Py_BuildValue_SizeT,ASN1_STRING_to_UTF8,_Py_Dealloc,_Py_BuildValue_SizeT,CRYPTO_free,	21_2_00007FF8B61A4EC4
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8B61D18E0 _Py_NoneStruct,_PyArg_UnpackKeywords,PyObject_GetBuffer,PyBuffer_IsContiguous,PyObject_GetBuffer,PyBuffer_IsContiguous,PyLong_AsUnsignedLong,PyLong_AsUnsignedLong,PyLong_AsUnsignedLong,EVP_PBE_scrypt,PyBytes_FromStringAndSize,PyEval_SaveThread,EVP_PBE_scrypt,PyEval_RestoreThread,PyExc_ValueError,PyErr_SetString,PyBuffer_Release,PyBuffer_Release,PyLong_AsLong,PyErr_Occurred,PyLong_AsLong,PyErr_Occurred,PyExc_ValueError,PyExc_ValueError,PyErr_Format,_PyArg_BadArgument,_PyArg_BadArgument,_PyArg_BadArgument,PyExc_TypeError,PyErr_Occurred,PyExc_TypeError,PyErr_Occurred,PyExc_TypeError,PyErr_Occurred,PyExc_TypeError,_PyArg_BadArgument,_PyArg_BadArgument,PyExc_OverflowError,PyExc_OverflowError,_Py_Dealloc,PyExc_ValueError,	21_2_00007FF8B61D18E0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8B61D61B8 CRYPTO_memcmp,	21_2_00007FF8B61D61B8

Bitcoin Miner

Yara detected Xmrig cryptocurrency miner

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 25.2.Blsvr.exe.7ff667860000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.Blsvr.exe.7ff66787e900.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.Blsvr.exe.7ff66787e900.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.Blsvr.exe.7ff758a7e900.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.Blsvr.exe.7ff758a7e900.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.Blsvr.exe.7ff758a60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000011.00000002.3255036623.000001F6A91A6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.3255036623.000001F6A91C1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2072346669.00007FF758A7B000.00000004.00000001.01000000.00000016.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.2223523433.00007FF66787B000.00000004.00000001.01000000.0000002C.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Blsvr.exe PID: 1352, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: conhost.exe PID: 5664, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\uyfkrbdwixpr.tmp, type: DROPPED

Detected Stratum mining protocol

Source: global traffic

TCP traffic: 192.168.2.5:49705 -> 141.94.96.195:3333 payload: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"44jrwaaoknn1r4rnu5deknqqugdcprxhva5savcaqj1fkzjavwepgvpknogdnrxhub9ba2jepmcxdfbpia8iofxk39pv8bk","pass":"koksal","agent":"xmrig/6.19.0 (windows nt 10.0; win64; x64) libuv/1.38.0 msvc/2019","rigid":"","algo":["rx/0","cn/2","cn/r","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","cn/zls","cn/double","cn/ccx","cn-lite/1","cn-heavy/0","cn-heavy/tube","cn-heavy/xhv","cn-pico","cn-pico/tlo","cn/upx2","cn/gpu","cn/1","rx/wow","rx/arq","rx/graft","rx/sfx","rx/keva","argon2/chukwa","argon2/chukwav2","argon2/ninja","ghostrider"]}}.

Found strings related to Crypto-Mining

Source: Blsvr.exe, 00000005.00000002.2072346669.00007FF758A7B000.00000004.00000001.01000000.00000016.sdmp	String found in binary or memory: losestratum+tcp://
Source: Blsvr.exe, 00000005.00000002.2072346669.00007FF758A7B000.00000004.00000001.01000000.00000016.sdmp	String found in binary or memory: cryptonight/0
Source: Blsvr.exe, 00000005.00000002.2072346669.00007FF758A7B000.00000004.00000001.01000000.00000016.sdmp	String found in binary or memory: losestratum+tcp://
Source: Blsvr.exe, 00000005.00000002.2072346669.00007FF758A7B000.00000004.00000001.01000000.00000016.sdmp	String found in binary or memory: -o, --url=URL URL of mining server
Source: Blsvr.exe, 00000005.00000002.2072346669.00007FF758A7B000.00000004.00000001.01000000.00000016.sdmp	String found in binary or memory: Usage: xmrig [OPTIONS]
Source: Blsvr.exe, 00000005.00000002.2072346669.00007FF758A7B000.00000004.00000001.01000000.00000016.sdmp	String found in binary or memory: Usage: xmrig [OPTIONS]

Source: Q3pEXxmWAD.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:	Binary string: D:\a\1\b\bin\amd64\select.pdb source: Q3pEXxmWAD.exe, 00000000.00000003.2019779670.0000011C08C33000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3270612498.00007FF8B9843000.00000002.00000001.01000000.0000000A.sdmp, Q3pEXxmWAD.exe, 00000014.00000003.2179334176.0000014F8DC72000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\unicodedata.pdb source: Q3pEXxmWAD.exe, 00000000.00000003.2020000570.0000011C08C33000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3266268765.00007FF8B7EF0000.00000002.00000001.01000000.00000010.sdmp, Q3pEXxmWAD.exe, 00000014.00000003.2179620332.0000014F8DC72000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_ctypes.pdb source: Q3pEXxmWAD.exe, 00000002.00000002.3270997706.00007FF8B9F70000.00000002.00000001.01000000.00000007.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_hashlib.pdb source: Q3pEXxmWAD.exe, 00000000.00000003.2011704965.0000011C08C2F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3268531245.00007FF8B8CE7000.00000002.00000001.01000000.0000000E.sdmp, Q3pEXxmWAD.exe, 00000014.00000003.2162439227.0000014F8DC70000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\libssl-3.pdbEE source: Q3pEXxmWAD.exe, 00000002.00000002.3265735287.00007FF8A9355000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PICOpenSSL 3.0.11 19 Sep 20233.0.11built on: Wed Sep 27 22:33:28 2023 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-3"MODULESDIR: "C:\Program Files\OpenSSL\lib\ossl-modules"CPUINFO: N/Anot availableget_and_lock..\s\crypto\ex_data.cossl_crypto_get_ex_new_index_exossl_crypto_new_ex_data_exCRYPTO_dup_ex_dataCRYPTO_set_ex_dataOPENSSL_WIN32_UTF8..\s\crypto\getenv.ccompiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC;CPUINFO: OPENSSL_ia32cap=0x%llx:0x%llxOPENSSL_ia32cap env:%sos-specificC:\Program Files\Common Files\SSLC:\Program Files\OpenSSL\lib\ossl-modules.dllCPUINFO: ..\s\crypto\init.cOPENSSL_init_cryptoOPENSSL_atexit..\s\crypto\initthread.c..\s\crypto\mem_sec.cassertion failed: (bit & 1) == 0assertion failed: list >= 0 && list < sh.freelist_sizeassertion failed: ((ptr - sh.arena) & ((sh.arena_size >> list) - 1)) == 0assertion failed: bit > 0 && bit < sh.bittable_sizeassertion failed: TESTBIT(table, bit)assertion failed: !TESTBIT(table, bit)assertion failed: WITHIN_FREELIST(list)assertion failed: WITHIN_ARENA(ptr)assertion failed: temp->next == NULL \|\| WITHIN_ARENA(temp->next)assertion failed: (char *)temp->next->p_next == listassertion failed: WITHIN_FREELIST(temp2->p_next) \|\| WITHIN_ARENA(temp2->p_next)assertion failed: size > 0assertion failed: (size & (size - 1)) == 0assertion failed: (minsize & (minsize - 1)) == 0assertion failed: sh.freelist != NULLassertion failed: sh.bittable != NULLassertion failed: sh.bitmalloc != NULLassertion failed: !sh_testbit(temp, slist, sh.bitmalloc)assertion failed: temp != sh.freelist[slist]assertion failed: sh.freelist[slist] == tempassertion failed: temp-(sh.arena_size >> slist) == sh_find_my_buddy(temp, slist)assertion failed: sh_testbit(chunk, list, sh.bittable)assertion failed: WITHIN_ARENA(chunk)assertion failed: sh_testbit(ptr, list, sh.bittable)assertion failed: ptr == sh_find_my_buddy(buddy, list)assertion failed: ptr != NULLassertion failed: !sh_testbit(ptr, list, sh.bitmalloc)assertion failed: sh.freelist[list] == ptr/0123456789ABCDEFCRYPTO_memdup..\s\crypto\o_str.chexstr2buf_sepossl_hexstr2buf_sepbuf2hexstr_sepossl_buf2hexstr_sep..\s\crypto\packet.cwpacket_intern_init_lenWPACKET_start_sub_packet_len__..\s\crypto\param_build.cparam_pushparam_push_numOSSL_PARAM_BLD_push_BN_padNegative big numbers are unsupported for OSSL_PARAMOSSL_PARAM_BLD_push_utf8_stringOSSL_PARAM_BLD_push_utf8_ptrOSSL_PARAM_BLD_push_octet_stringOSSL_PARAM_BLD_push_octet_ptrOSSL_PARAM_BLD_to_param..\s\crypto\params.c source: Q3pEXxmWAD.exe, 00000002.00000002.3261455020.00007FF8A8802000.00000002.00000001.01000000.0000000F.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdbNN source: Q3pEXxmWAD.exe, 00000000.00000003.2011882505.0000011C08C2F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3268916976.00007FF8B8F8C000.00000002.00000001.01000000.0000000C.sdmp, Q3pEXxmWAD.exe, 00000014.00000003.2162572053.0000014F8DC70000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC source: Q3pEXxmWAD.exe, 00000002.00000002.3261455020.00007FF8A8802000.00000002.00000001.01000000.0000000F.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_queue.pdb source: Q3pEXxmWAD.exe, 00000000.00000003.2012028458.0000011C08C2F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3268214204.00007FF8B8CD3000.00000002.00000001.01000000.00000011.sdmp, Q3pEXxmWAD.exe, 00000014.00000003.2162702885.0000014F8DC70000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb source: Blsvr.exe, 00000005.00000002.2072346669.00007FF758A7B000.00000004.00000001.01000000.00000016.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: Q3pEXxmWAD.exe, 00000000.00000003.2011882505.0000011C08C2F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3268916976.00007FF8B8F8C000.00000002.00000001.01000000.0000000C.sdmp, Q3pEXxmWAD.exe, 00000014.00000003.2162572053.0000014F8DC70000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: Q3pEXxmWAD.exe, 00000000.00000003.2011057798.0000011C08C2F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3269818741.00007FF8B908D000.00000002.00000001.01000000.0000000B.sdmp, Q3pEXxmWAD.exe, 00000014.00000003.2161613992.0000014F8DC70000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: Q3pEXxmWAD.exe, 00000000.00000003.2010863131.0000011C08C2F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3271565433.00007FF8BA253000.00000002.00000001.01000000.00000005.sdmp, Q3pEXxmWAD.exe, 00000014.00000003.2161410649.0000014F8DC70000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: Q3pEXxmWAD.exe, 00000000.00000003.2010863131.0000011C08C2F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3271565433.00007FF8BA253000.00000002.00000001.01000000.00000005.sdmp, Q3pEXxmWAD.exe, 00000014.00000003.2161410649.0000014F8DC70000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_socket.pdb source: Q3pEXxmWAD.exe, 00000000.00000003.2012157129.0000011C08C2F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3270164094.00007FF8B93C8000.00000002.00000001.01000000.00000009.sdmp, Q3pEXxmWAD.exe, 00000014.00000003.2162790530.0000014F8DC70000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\python3.pdb source: Q3pEXxmWAD.exe, 00000000.00000003.2017725547.0000011C08C33000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255187711.000002110AE10000.00000002.00000001.01000000.00000006.sdmp, Q3pEXxmWAD.exe, 00000014.00000003.2171482969.0000014F8DC72000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\libssl-3.pdb source: Q3pEXxmWAD.exe, 00000002.00000002.3265735287.00007FF8A9355000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\python311.pdb source: Q3pEXxmWAD.exe, 00000002.00000002.3262655733.00007FF8A8CDF000.00000002.00000001.01000000.00000004.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_ssl.pdb source: Q3pEXxmWAD.exe, 00000002.00000002.3267454200.00007FF8B8B2D000.00000002.00000001.01000000.00000012.sdmp

Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 0_2_00007FF615A285A0 FindFirstFileExW,FindClose,	0_2_00007FF615A285A0
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 0_2_00007FF615A279B0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	0_2_00007FF615A279B0
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 0_2_00007FF615A40B84 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_00007FF615A40B84
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF615A285A0 FindFirstFileExW,FindClose,	2_2_00007FF615A285A0
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF615A279B0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	2_2_00007FF615A279B0
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF615A40B84 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	2_2_00007FF615A40B84
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 20_2_00007FF66D4385A0 FindFirstFileExW,FindClose,	20_2_00007FF66D4385A0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 20_2_00007FF66D4379B0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	20_2_00007FF66D4379B0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 20_2_00007FF66D450B84 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	20_2_00007FF66D450B84
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF66D4385A0 FindFirstFileExW,FindClose,	21_2_00007FF66D4385A0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF66D4379B0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	21_2_00007FF66D4379B0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF66D450B84 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	21_2_00007FF66D450B84

Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe

Code function: 2_2_00007FF8B9062E70 memset,PyList_New,SetErrorMode,PyArg_ParseTuple,PyObject_IsTrue,PyEval_SaveThread,GetLogicalDriveStringsA,PyEval_RestoreThread,PyErr_SetFromWindowsErr,SetErrorMode,PyEval_SaveThread,GetDriveTypeA,PyEval_RestoreThread,GetVolumeInformationA,strcat_s,SetLastError,strcat_s,strcat_s,strcat_s,FindFirstVolumeMountPointA,strcpy_s,strcat_s,Py_BuildValue,PyList_Append,_Py_Dealloc,FindNextVolumeMountPointA,FindVolumeMountPointClose,strcat_s,strcat_s,Py_BuildValue,PyList_Append,_Py_Dealloc,strchr,SetErrorMode,FindVolumeMountPointClose,SetErrorMode,_Py_Dealloc,_Py_Dealloc,

2_2_00007FF8B9062E70

Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	File opened: D:\sources\replacementmanifests\hwvid-migration-2	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	File opened: D:\sources\replacementmanifests\microsoft-client-license-platform-service-migration	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	File opened: D:\sources\migration\wtr	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	File opened: D:\sources\replacementmanifests	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	File opened: D:\sources\migration	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	File opened: D:\sources\replacementmanifests\microsoft-activedirectory-webservices	Jump to behavior

Source: global traffic

TCP traffic: 192.168.2.5:49705 -> 141.94.96.195:3333

Source: Joe Sandbox View

IP Address: 141.94.96.195 141.94.96.195

Source: Joe Sandbox View

ASN Name: DFNVereinzurFoerderungeinesDeutschenForschungsnetzese DFNVereinzurFoerderungeinesDeutschenForschungsnetzese

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe

Code function: 2_2_00007FF8B93C5B08 memset,recvfrom,

2_2_00007FF8B93C5B08

Source: global traffic

DNS traffic detected: DNS query: pool.supportxmr.com

Source: Q3pEXxmWAD.exe, 00000002.00000002.3258134310.000002110BBD0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://.../back.jpeg
Source: Q3pEXxmWAD.exe, 00000000.00000003.2018413031.0000011C08C33000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000014.00000003.2176734040.0000014F8DC72000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digi
Source: Q3pEXxmWAD.exe, 00000000.00000003.2011882505.0000011C08C2F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000014.00000003.2162572053.0000014F8DC70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.co
Source: Q3pEXxmWAD.exe, 00000000.00000003.2011704965.0000011C08C2F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2011057798.0000011C08C2F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2014285116.0000011C08C40000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2020000570.0000011C08C3F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2015648892.0000011C08C33000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2011460255.0000011C08C2F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2020000570.0000011C08C33000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2016023054.0000011C08C40000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2011241403.0000011C08C2F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2019779670.0000011C08C33000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2011882505.0000011C08C2F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2014285116.0000011C08C33000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2018413031.0000011C08C33000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000002.3253770420.0000011C08C40000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2015456056.0000011C08C33000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2012314473.0000011C08C2F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2012157129.0000011C08C2F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2017725547.0000011C08C33000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2012028458.0000011C08C2F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000014.00000003.2179334176.0000014F8DC72000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000014.00000003.2164541880.0000014F8DC7E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: Q3pEXxmWAD.exe, 00000000.00000003.2011704965.0000011C08C2F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2011057798.0000011C08C2F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2014285116.0000011C08C40000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2015648892.0000011C08C33000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2011460255.0000011C08C2F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2020000570.0000011C08C33000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2011241403.0000011C08C2F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2019779670.0000011C08C33000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2011882505.0000011C08C2F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2014285116.0000011C08C33000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2018413031.0000011C08C33000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2015456056.0000011C08C33000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2012314473.0000011C08C2F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2012157129.0000011C08C2F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2017725547.0000011C08C33000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2012028458.0000011C08C2F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000014.00000003.2179334176.0000014F8DC72000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000014.00000003.2164541880.0000014F8DC7E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000014.00000003.2162439227.0000014F8DC70000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000014.00000003.2166260023.0000014F8DC72000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000014.00000003.2171482969.0000014F8DC72000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: Q3pEXxmWAD.exe, 00000000.00000003.2011704965.0000011C08C2F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2011057798.0000011C08C2F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2015648892.0000011C08C33000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2011460255.0000011C08C2F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2020000570.0000011C08C33000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2011241403.0000011C08C2F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2019779670.0000011C08C33000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2011882505.0000011C08C2F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2014285116.0000011C08C33000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2018413031.0000011C08C33000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2015456056.0000011C08C33000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2012314473.0000011C08C2F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2012157129.0000011C08C2F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2017725547.0000011C08C33000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2012028458.0000011C08C2F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000014.00000003.2179334176.0000014F8DC72000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000014.00000003.2162439227.0000014F8DC70000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000014.00000003.2166260023.0000014F8DC72000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000014.00000003.2171482969.0000014F8DC72000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000014.00000003.2164541880.0000014F8DC78000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000014.00000003.2176734040.0000014F8DC72000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: Q3pEXxmWAD.exe, 00000000.00000003.2011704965.0000011C08C2F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2011057798.0000011C08C2F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2020000570.0000011C08C3F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2015648892.0000011C08C33000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2011460255.0000011C08C2F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2020000570.0000011C08C33000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2016023054.0000011C08C40000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2011241403.0000011C08C2F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2019779670.0000011C08C33000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2011882505.0000011C08C2F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2014285116.0000011C08C33000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2018413031.0000011C08C33000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000002.3253770420.0000011C08C40000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2015456056.0000011C08C33000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2012314473.0000011C08C2F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2012157129.0000011C08C2F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2017725547.0000011C08C33000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2012028458.0000011C08C2F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000014.00000003.2179334176.0000014F8DC72000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000014.00000003.2162439227.0000014F8DC70000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000014.00000003.2179620332.0000014F8DC7E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: Blsvr.exe, 00000005.00000002.2072346669.00007FF758A7B000.00000004.00000001.01000000.00000016.sdmp	String found in binary or memory: http://crl.globalsign.net/ObjectSign.crl0
Source: Blsvr.exe, 00000005.00000002.2072346669.00007FF758A7B000.00000004.00000001.01000000.00000016.sdmp	String found in binary or memory: http://crl.globalsign.net/Root.crl0
Source: Blsvr.exe, 00000005.00000002.2072346669.00007FF758A7B000.00000004.00000001.01000000.00000016.sdmp	String found in binary or memory: http://crl.globalsign.net/RootSignPartners.crl0
Source: Blsvr.exe, 00000005.00000002.2072346669.00007FF758A7B000.00000004.00000001.01000000.00000016.sdmp	String found in binary or memory: http://crl.globalsign.net/primobject.crl0
Source: Q3pEXxmWAD.exe, 00000000.00000003.2011704965.0000011C08C2F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2011057798.0000011C08C2F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2014285116.0000011C08C40000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2020000570.0000011C08C3F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2015648892.0000011C08C33000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2011460255.0000011C08C2F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2020000570.0000011C08C33000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2016023054.0000011C08C40000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2011241403.0000011C08C2F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2019779670.0000011C08C33000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2011882505.0000011C08C2F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2014285116.0000011C08C33000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2018413031.0000011C08C33000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000002.3253770420.0000011C08C40000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2015456056.0000011C08C33000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2012314473.0000011C08C2F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2012157129.0000011C08C2F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2017725547.0000011C08C33000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2012028458.0000011C08C2F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000014.00000003.2179334176.0000014F8DC72000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000014.00000003.2164541880.0000014F8DC7E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: Q3pEXxmWAD.exe, 00000000.00000003.2011704965.0000011C08C2F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2011057798.0000011C08C2F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2014285116.0000011C08C40000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2015648892.0000011C08C33000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2011460255.0000011C08C2F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2020000570.0000011C08C33000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2011241403.0000011C08C2F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2019779670.0000011C08C33000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2011882505.0000011C08C2F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2014285116.0000011C08C33000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2018413031.0000011C08C33000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2015456056.0000011C08C33000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2012314473.0000011C08C2F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2012157129.0000011C08C2F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2017725547.0000011C08C33000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2012028458.0000011C08C2F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000014.00000003.2179334176.0000014F8DC72000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000014.00000003.2164541880.0000014F8DC7E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000014.00000003.2162439227.0000014F8DC70000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000014.00000003.2166260023.0000014F8DC72000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000014.00000003.2171482969.0000014F8DC72000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: Q3pEXxmWAD.exe, 00000000.00000003.2011704965.0000011C08C2F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2011057798.0000011C08C2F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2015648892.0000011C08C33000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2011460255.0000011C08C2F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2020000570.0000011C08C33000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2011241403.0000011C08C2F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2019779670.0000011C08C33000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2011882505.0000011C08C2F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2014285116.0000011C08C33000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2018413031.0000011C08C33000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2015456056.0000011C08C33000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2012314473.0000011C08C2F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2012157129.0000011C08C2F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2017725547.0000011C08C33000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2012028458.0000011C08C2F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000014.00000003.2179334176.0000014F8DC72000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000014.00000003.2162439227.0000014F8DC70000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000014.00000003.2166260023.0000014F8DC72000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000014.00000003.2171482969.0000014F8DC72000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000014.00000003.2164541880.0000014F8DC78000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000014.00000003.2176734040.0000014F8DC72000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: Q3pEXxmWAD.exe, 00000014.00000003.2179620332.0000014F8DC72000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl
Source: Q3pEXxmWAD.exe, 00000014.00000003.2162572053.0000014F8DC70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: Q3pEXxmWAD.exe, 00000000.00000003.2011704965.0000011C08C2F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2011057798.0000011C08C2F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2014285116.0000011C08C40000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2015648892.0000011C08C33000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2011460255.0000011C08C2F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2020000570.0000011C08C33000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2011241403.0000011C08C2F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2019779670.0000011C08C33000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2011882505.0000011C08C2F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2014285116.0000011C08C33000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2018413031.0000011C08C33000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2015456056.0000011C08C33000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2012314473.0000011C08C2F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2012157129.0000011C08C2F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2017725547.0000011C08C33000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2012028458.0000011C08C2F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000014.00000003.2179334176.0000014F8DC72000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000014.00000003.2164541880.0000014F8DC7E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000014.00000003.2162439227.0000014F8DC70000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000014.00000003.2166260023.0000014F8DC72000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000014.00000003.2171482969.0000014F8DC72000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: Q3pEXxmWAD.exe, 00000002.00000002.3258134310.000002110BBD0000.00000004.00001000.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046801194.000002110B6A6000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046398537.000002110B7EB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047467606.000002110B6BB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://curl.haxx.se/rfc/cookie_spec.html
Source: Q3pEXxmWAD.exe, 00000002.00000002.3255214542.000002110AE40000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://goo.gl/zeJZl.
Source: Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2045494816.000002110B5D6000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046437795.000002110B778000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046801194.000002110B5D6000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2054533904.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2044723333.000002110B778000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2053122954.000002110B758000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B758000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://google.com/
Source: Q3pEXxmWAD.exe, 00000002.00000003.2044723333.000002110B758000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046437795.000002110B758000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2053122954.000002110B758000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B758000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://google.com/mail/
Source: Q3pEXxmWAD.exe, 00000002.00000003.2045494816.000002110B65E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046801194.000002110B65E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046437795.000002110B6FA000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B6FA000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2053122954.000002110B65E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2054691134.000002110B6FA000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2044723333.000002110B6FA000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B65E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535
Source: Q3pEXxmWAD.exe, 00000002.00000002.3255643308.000002110B140000.00000004.00001000.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3254796752.000002110AB10000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://mail.python.org/pipermail/python-dev/2012-June/120787.html.
Source: Q3pEXxmWAD.exe, 00000000.00000003.2011704965.0000011C08C2F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2011057798.0000011C08C2F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2014285116.0000011C08C40000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2015648892.0000011C08C33000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2011460255.0000011C08C2F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2020000570.0000011C08C33000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2011241403.0000011C08C2F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2019779670.0000011C08C33000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2011882505.0000011C08C2F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2014285116.0000011C08C33000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2018413031.0000011C08C33000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2015456056.0000011C08C33000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2012314473.0000011C08C2F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2012157129.0000011C08C2F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2017725547.0000011C08C33000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2012028458.0000011C08C2F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000014.00000003.2179334176.0000014F8DC72000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000014.00000003.2164541880.0000014F8DC7E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000014.00000003.2162439227.0000014F8DC70000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000014.00000003.2166260023.0000014F8DC72000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000014.00000003.2171482969.0000014F8DC72000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: Q3pEXxmWAD.exe, 00000000.00000003.2011704965.0000011C08C2F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2011057798.0000011C08C2F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2020000570.0000011C08C3F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2015648892.0000011C08C33000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2011460255.0000011C08C2F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2020000570.0000011C08C33000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2016023054.0000011C08C40000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2011241403.0000011C08C2F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2019779670.0000011C08C33000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2011882505.0000011C08C2F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2014285116.0000011C08C33000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2018413031.0000011C08C33000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000002.3253770420.0000011C08C40000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2015456056.0000011C08C33000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2012314473.0000011C08C2F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2012157129.0000011C08C2F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2017725547.0000011C08C33000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2012028458.0000011C08C2F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000014.00000003.2179334176.0000014F8DC72000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000014.00000003.2162439227.0000014F8DC70000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000014.00000003.2179620332.0000014F8DC7E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: Q3pEXxmWAD.exe, 00000000.00000003.2011704965.0000011C08C2F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2011057798.0000011C08C2F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2014285116.0000011C08C40000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2020000570.0000011C08C3F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2015648892.0000011C08C33000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2011460255.0000011C08C2F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2020000570.0000011C08C33000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2016023054.0000011C08C40000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2011241403.0000011C08C2F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2019779670.0000011C08C33000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2011882505.0000011C08C2F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2014285116.0000011C08C33000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2018413031.0000011C08C33000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000002.3253770420.0000011C08C40000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2015456056.0000011C08C33000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2012314473.0000011C08C2F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2012157129.0000011C08C2F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2017725547.0000011C08C33000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2012028458.0000011C08C2F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000014.00000003.2179334176.0000014F8DC72000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000014.00000003.2164541880.0000014F8DC7E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: Q3pEXxmWAD.exe, 00000000.00000003.2011704965.0000011C08C2F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2011057798.0000011C08C2F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2015648892.0000011C08C33000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2011460255.0000011C08C2F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2020000570.0000011C08C33000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2011241403.0000011C08C2F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2019779670.0000011C08C33000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2011882505.0000011C08C2F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2014285116.0000011C08C33000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2018413031.0000011C08C33000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2015456056.0000011C08C33000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2012314473.0000011C08C2F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2012157129.0000011C08C2F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2017725547.0000011C08C33000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2012028458.0000011C08C2F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000014.00000003.2179334176.0000014F8DC72000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000014.00000003.2162439227.0000014F8DC70000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000014.00000003.2166260023.0000014F8DC72000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000014.00000003.2171482969.0000014F8DC72000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000014.00000003.2164541880.0000014F8DC78000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000014.00000003.2176734040.0000014F8DC72000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: Q3pEXxmWAD.exe, 00000002.00000003.2046437795.000002110B778000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2044723333.000002110B778000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2053122954.000002110B758000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B758000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://tools.ietf.
Source: Q3pEXxmWAD.exe, 00000002.00000002.3257991414.000002110BAD0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://tools.ietf.org/html/rfc6125#section-6.4.3
Source: Q3pEXxmWAD.exe, 00000002.00000003.2032571621.000002110B005000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2032762840.000002110AFBE000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2032872948.000002110B020000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2032762840.000002110B01C000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2032628407.000002110AFB7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.cl.cam.ac.uk/~mgk25/iso-time.html
Source: Q3pEXxmWAD.exe, 00000000.00000003.2011704965.0000011C08C2F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2011057798.0000011C08C2F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2014285116.0000011C08C40000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2015648892.0000011C08C33000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2011460255.0000011C08C2F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2020000570.0000011C08C33000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2011241403.0000011C08C2F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2019779670.0000011C08C33000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2011882505.0000011C08C2F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2014285116.0000011C08C33000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2018413031.0000011C08C33000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2015456056.0000011C08C33000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2012314473.0000011C08C2F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2012157129.0000011C08C2F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2017725547.0000011C08C33000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000000.00000003.2012028458.0000011C08C2F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000014.00000003.2179334176.0000014F8DC72000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000014.00000003.2164541880.0000014F8DC7E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000014.00000003.2162439227.0000014F8DC70000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000014.00000003.2166260023.0000014F8DC72000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000014.00000003.2171482969.0000014F8DC72000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043082947.000002110B5B9000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046106394.000002110B4C1000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046801194.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2045494816.000002110B5B9000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2054533904.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043861852.000002110B5B9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6
Source: Q3pEXxmWAD.exe, 00000002.00000003.2032571621.000002110B005000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2032872948.000002110B020000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2032762840.000002110B01C000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2032721249.000002110ADB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iana.org/time-zones/repository/tz-link.html
Source: Q3pEXxmWAD.exe, 00000002.00000003.2032571621.000002110B005000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2032762840.000002110AFBE000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2032872948.000002110B020000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2032762840.000002110B01C000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2032628407.000002110AFB7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.phys.uu.nl/~vgent/calendar/isocalendar.htm
Source: Q3pEXxmWAD.exe, 00000002.00000003.2046801194.000002110B6A6000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B4C0000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046398537.000002110B7EB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047467606.000002110B6BB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://wwwsearch.sf.net/):
Source: Q3pEXxmWAD.exe, 00000002.00000003.2043082947.000002110B4E9000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046437795.000002110B778000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2044723333.000002110B778000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3257848021.000002110B9C0000.00000004.00001000.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2042702957.000002110B778000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/file/bot
Source: Q3pEXxmWAD.exe, 00000002.00000003.2039291619.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2038825071.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2037522955.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036990859.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.tele
Source: Q3pEXxmWAD.exe, 00000002.00000003.2038825071.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2037522955.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036990859.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.teleg
Source: Q3pEXxmWAD.exe, 00000002.00000003.2038825071.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2037522955.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036990859.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bot
Source: Q3pEXxmWAD.exe, 00000002.00000003.2039903383.000002110B8CE000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2053122954.000002110B636000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2056356906.000002110B11F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041008281.000002110B636000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046801194.000002110B636000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2045494816.000002110B636000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043082947.000002110B636000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255597757.000002110B120000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B636000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#Chatshared
Source: Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036870636.000002110B4C1000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039291619.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2038825071.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2037522955.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036990859.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#addstickertoset
Source: Q3pEXxmWAD.exe, 00000002.00000003.2053122954.000002110B636000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2056356906.000002110B11F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041008281.000002110B636000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046801194.000002110B636000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2045494816.000002110B636000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043082947.000002110B636000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255597757.000002110B120000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B636000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#animation
Source: Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036870636.000002110B4C1000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039291619.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2038825071.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2037522955.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036990859.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#answercallbackquery
Source: Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036870636.000002110B4C1000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039291619.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2038825071.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2037522955.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036990859.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#answerinlinequery
Source: Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036870636.000002110B4C1000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039291619.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2038825071.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2037522955.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036990859.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#answerprecheckoutquery
Source: Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036870636.000002110B4C1000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039291619.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2038825071.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2037522955.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036990859.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#answershippingquery
Source: Q3pEXxmWAD.exe, 00000002.00000003.2036870636.000002110B4C1000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255008842.000002110AD10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#answerwebappquery
Source: Q3pEXxmWAD.exe, 00000002.00000003.2036870636.000002110B4C1000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255008842.000002110AD10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#approvechatjoinrequest
Source: Q3pEXxmWAD.exe, 00000002.00000003.2045494816.000002110B65E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041008281.000002110B66E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2042802217.000002110B66E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041008281.000002110B510000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046801194.000002110B65E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B50D000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2053122954.000002110B65E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2045494816.000002110B50D000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043082947.000002110B50D000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2054533904.000002110B50D000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046801194.000002110B50D000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B65E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043861852.000002110B50E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#audio
Source: Q3pEXxmWAD.exe, 00000002.00000003.2039903383.000002110B8CE000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255779775.000002110B280000.00000004.00001000.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255930055.000002110B3B0000.00000004.00001000.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#backgroundfill
Source: Q3pEXxmWAD.exe, 00000002.00000003.2039903383.000002110B8CE000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043082947.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040460336.000002110B5C8000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110AFAB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046801194.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2045494816.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110AFAB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2054533904.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041008281.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110AF98000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110AFA2000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110AF93000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#backgroundfillfreeformgradient
Source: Q3pEXxmWAD.exe, 00000002.00000003.2039903383.000002110B8CE000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255008842.000002110AD10000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110AF40000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#backgroundfillgradient
Source: Q3pEXxmWAD.exe, 00000002.00000003.2039903383.000002110B8CE000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043082947.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046801194.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2045494816.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3257675506.000002110B8C0000.00000004.00001000.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2054533904.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041008281.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#backgroundfillsolid
Source: Q3pEXxmWAD.exe, 00000002.00000003.2039903383.000002110B8CE000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255930055.000002110B3B0000.00000004.00001000.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#backgroundtype
Source: Q3pEXxmWAD.exe, 00000002.00000003.2039903383.000002110B8CE000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043082947.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046801194.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2045494816.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2054533904.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041008281.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255930055.000002110B3B0000.00000004.00001000.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#backgroundtypechattheme
Source: Q3pEXxmWAD.exe, 00000002.00000003.2039903383.000002110B8CE000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043082947.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043082947.000002110B5B9000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040460336.000002110B5C8000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110AFAB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046801194.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2045494816.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110AFAB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2045494816.000002110B5B9000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2054533904.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041008281.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043861852.000002110B5B9000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110AF98000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110AFA2000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110AF93000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041008281.000002110B5BF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#backgroundtypefill
Source: Q3pEXxmWAD.exe, 00000002.00000003.2039903383.000002110B8CE000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2053122954.000002110B636000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043082947.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041008281.000002110B636000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046801194.000002110B636000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2045494816.000002110B636000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046801194.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2045494816.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2054533904.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041008281.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043082947.000002110B636000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B636000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#backgroundtypepattern
Source: Q3pEXxmWAD.exe, 00000002.00000003.2039903383.000002110B8CE000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043082947.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046801194.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2045494816.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2054533904.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041008281.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#backgroundtypewallpaper
Source: Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036870636.000002110B4C1000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039291619.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2038825071.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2037522955.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036990859.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#banchatmember
Source: Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036870636.000002110B4C1000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039291619.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2038825071.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2037522955.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036990859.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#banchatsenderchat
Source: Q3pEXxmWAD.exe, 00000002.00000003.2039903383.000002110B8CE000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255930055.000002110B3B0000.00000004.00001000.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#birthdate
Source: Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255930055.000002110B3B0000.00000004.00001000.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110AF40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#botcommand
Source: Q3pEXxmWAD.exe, 00000002.00000002.3257675506.000002110B8C0000.00000004.00001000.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255930055.000002110B3B0000.00000004.00001000.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#botcommandscopeallchatadministrators
Source: Q3pEXxmWAD.exe, 00000002.00000002.3257675506.000002110B8C0000.00000004.00001000.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255930055.000002110B3B0000.00000004.00001000.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#botcommandscopeallgroupchats
Source: Q3pEXxmWAD.exe, 00000002.00000002.3257675506.000002110B8C0000.00000004.00001000.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255930055.000002110B3B0000.00000004.00001000.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#botcommandscopeallprivatechats
Source: Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110AFAB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110AFAB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3257675506.000002110B8C0000.00000004.00001000.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110AF98000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110AFA2000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110AF93000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#botcommandscopechat
Source: Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043082947.000002110B5B9000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046801194.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2045494816.000002110B5B9000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2054533904.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043861852.000002110B5B9000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041008281.000002110B5BF000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#botcommandscopechatadministrators
Source: Q3pEXxmWAD.exe, 00000002.00000003.2056356906.000002110B11F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255597757.000002110B120000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#botcommandscopechatmember
Source: Q3pEXxmWAD.exe, 00000002.00000002.3257675506.000002110B8C0000.00000004.00001000.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255930055.000002110B3B0000.00000004.00001000.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#botcommandscopedefault
Source: Q3pEXxmWAD.exe, 00000002.00000003.2039903383.000002110B8CE000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3257675506.000002110B8C0000.00000004.00001000.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#botdescription
Source: Q3pEXxmWAD.exe, 00000002.00000003.2039903383.000002110B8CE000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3257675506.000002110B8C0000.00000004.00001000.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255930055.000002110B3B0000.00000004.00001000.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#botname
Source: Q3pEXxmWAD.exe, 00000002.00000003.2039903383.000002110B8CE000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3257675506.000002110B8C0000.00000004.00001000.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255930055.000002110B3B0000.00000004.00001000.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#botshortdescription
Source: Q3pEXxmWAD.exe, 00000002.00000003.2039903383.000002110B8CE000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2053122954.000002110B636000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043082947.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041008281.000002110B636000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046801194.000002110B636000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2045494816.000002110B636000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046801194.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2045494816.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2054533904.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041008281.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043082947.000002110B636000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B636000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#businessconnection
Source: Q3pEXxmWAD.exe, 00000002.00000003.2039903383.000002110B8CE000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255779775.000002110B280000.00000004.00001000.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110AF40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#businessintro
Source: Q3pEXxmWAD.exe, 00000002.00000003.2039903383.000002110B8CE000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255930055.000002110B3B0000.00000004.00001000.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#businesslocation
Source: Q3pEXxmWAD.exe, 00000002.00000003.2039903383.000002110B8CE000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110AF40000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#businessmessagesdeleted
Source: Q3pEXxmWAD.exe, 00000002.00000003.2039903383.000002110B8CE000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#businessopeninghours
Source: Q3pEXxmWAD.exe, 00000002.00000003.2039903383.000002110B8CE000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110AF40000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#businessopeninghoursinterval
Source: Q3pEXxmWAD.exe, 00000002.00000003.2045494816.000002110B65E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041008281.000002110B66E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2042802217.000002110B66E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046801194.000002110B65E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2053122954.000002110B65E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B65E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#callbackquery
Source: Q3pEXxmWAD.exe, 00000002.00000003.2041008281.000002110B510000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B50D000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040054615.000002110B124000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2045494816.000002110B50D000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043082947.000002110B50D000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2054533904.000002110B50D000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046801194.000002110B50D000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043861852.000002110B50E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#chat
Source: Q3pEXxmWAD.exe, 00000002.00000003.2039903383.000002110B8CE000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2053122954.000002110B636000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043082947.000002110B5B9000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041008281.000002110B636000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046801194.000002110B636000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2045494816.000002110B636000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046801194.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2045494816.000002110B5B9000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2054533904.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043082947.000002110B636000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043861852.000002110B5B9000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041008281.000002110B5B9000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B636000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#chatadministratorrights
Source: Q3pEXxmWAD.exe, 00000002.00000003.2039903383.000002110B8CE000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255930055.000002110B3B0000.00000004.00001000.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#chatbackground
Source: Q3pEXxmWAD.exe, 00000002.00000003.2039903383.000002110B8CE000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255008842.000002110AD10000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#chatboost
Source: Q3pEXxmWAD.exe, 00000002.00000003.2039903383.000002110B8CE000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3257675506.000002110B8C0000.00000004.00001000.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255930055.000002110B3B0000.00000004.00001000.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#chatboostadded
Source: Q3pEXxmWAD.exe, 00000002.00000003.2039903383.000002110B8CE000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#chatboostremoved
Source: Q3pEXxmWAD.exe, 00000002.00000003.2039903383.000002110B8CE000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3257675506.000002110B8C0000.00000004.00001000.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255930055.000002110B3B0000.00000004.00001000.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#chatboostsource
Source: Q3pEXxmWAD.exe, 00000002.00000003.2039903383.000002110B8CE000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043082947.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046801194.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2045494816.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2054533904.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041008281.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255930055.000002110B3B0000.00000004.00001000.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#chatboostsourcegiftcode
Source: Q3pEXxmWAD.exe, 00000002.00000003.2039903383.000002110B8CE000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043082947.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046801194.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2045494816.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2054533904.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041008281.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255008842.000002110AD10000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#chatboostsourcegiveaway
Source: Q3pEXxmWAD.exe, 00000002.00000003.2039903383.000002110B8CE000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110AFEB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110AFEB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110AFEB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110AFEB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110AFEB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255930055.000002110B3B0000.00000004.00001000.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#chatboostsourcepremium
Source: Q3pEXxmWAD.exe, 00000002.00000003.2039903383.000002110B8CE000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255930055.000002110B3B0000.00000004.00001000.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#chatboostupdated
Source: Q3pEXxmWAD.exe, 00000002.00000003.2040054615.000002110B124000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3257675506.000002110B8C0000.00000004.00001000.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255930055.000002110B3B0000.00000004.00001000.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#chatfullinfo
Source: Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2053122954.000002110B636000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043082947.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041008281.000002110B636000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040081091.000002110B514000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046801194.000002110B636000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2045494816.000002110B636000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046801194.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2045494816.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2054533904.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041008281.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043082947.000002110B636000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B636000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#chatinvitelink
Source: Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043082947.000002110B5B9000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046801194.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040054615.000002110B124000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2045494816.000002110B5B9000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2054533904.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255008842.000002110AD10000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043861852.000002110B5B9000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041008281.000002110B5BF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#chatjoinrequest
Source: Q3pEXxmWAD.exe, 00000002.00000003.2040081091.000002110B514000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110AFAB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110AFAB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255779775.000002110B280000.00000004.00001000.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110AF98000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110AFA2000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110AF93000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#chatlocation
Source: Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110AFAB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110AFAB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3257675506.000002110B8C0000.00000004.00001000.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110AF98000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110AFA2000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110AF93000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#chatmember
Source: Q3pEXxmWAD.exe, 00000002.00000003.2053122954.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2045494816.000002110B65E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046801194.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2042184831.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041008281.000002110B66E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2042802217.000002110B66E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046801194.000002110B65E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2053122954.000002110B65E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043412066.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B65E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#chatmemberadministrator
Source: Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#chatmemberbanned
Source: Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110AFEB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110AFEB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255930055.000002110B3B0000.00000004.00001000.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#chatmemberleft
Source: Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043082947.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046801194.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2045494816.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2054533904.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041008281.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255930055.000002110B3B0000.00000004.00001000.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#chatmembermember
Source: Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110AF40000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#chatmemberowner
Source: Q3pEXxmWAD.exe, 00000002.00000003.2045494816.000002110B65E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041008281.000002110B66E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2042802217.000002110B66E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046801194.000002110B65E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2053122954.000002110B65E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B65E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#chatmemberrestricted
Source: Q3pEXxmWAD.exe, 00000002.00000003.2045494816.000002110B65E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041008281.000002110B66E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2042802217.000002110B66E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046801194.000002110B65E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110AFAB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110AFAB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040054615.000002110B124000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2053122954.000002110B65E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110AF98000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110AFA2000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110AF93000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B65E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#chatmemberupdated
Source: Q3pEXxmWAD.exe, 00000002.00000003.2045494816.000002110B65E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041008281.000002110B66E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2042802217.000002110B66E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046801194.000002110B65E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2053122954.000002110B65E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B65E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#chatpermissions
Source: Q3pEXxmWAD.exe, 00000002.00000003.2045494816.000002110B65E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041008281.000002110B66E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2042802217.000002110B66E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046801194.000002110B65E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2053122954.000002110B65E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B65E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#chatphoto
Source: Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110AFEB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110AFEB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110AFEB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110AFEB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110AFEB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#choseninlineresult
Source: Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036870636.000002110B4C1000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039291619.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2038825071.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2037522955.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036990859.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#close
Source: Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036870636.000002110B4C1000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039291619.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2038825071.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2037522955.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036990859.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#closeforumtopic
Source: Q3pEXxmWAD.exe, 00000002.00000003.2036870636.000002110B4C1000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2038179352.000002110AF72000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039291619.000002110AF72000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110AF70000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110AF40000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043771893.000002110AF70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#closegeneralforumtopic
Source: Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110AFEB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110AFEB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110AFEB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110AFEB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110AFEB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#contact
Source: Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036870636.000002110B4C1000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039291619.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2038825071.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2037522955.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036990859.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#copymessage
Source: Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036870636.000002110B4C1000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039291619.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2038825071.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2037522955.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036990859.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#copymessages
Source: Q3pEXxmWAD.exe, 00000002.00000003.2036870636.000002110B4C1000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255008842.000002110AD10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#createchatinvitelink
Source: Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036870636.000002110B4C1000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039291619.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2038825071.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2037522955.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036990859.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#createforumtopic
Source: Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036870636.000002110B4C1000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039291619.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2038825071.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2037522955.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036990859.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#createinvoicelink
Source: Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036870636.000002110B4C1000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039291619.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2038825071.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2037522955.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036990859.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#createnewstickerset
Source: Q3pEXxmWAD.exe, 00000002.00000003.2036870636.000002110B4C1000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2038825071.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2037522955.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255008842.000002110AD10000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036990859.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#declinechatjoinrequest
Source: Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036870636.000002110B4C1000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039291619.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2038825071.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2037522955.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036990859.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#deletechatphoto
Source: Q3pEXxmWAD.exe, 00000002.00000003.2037522955.000002110B073000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039291619.000002110B073000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036870636.000002110B4C1000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#deletechatstickerset
Source: Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036870636.000002110B4C1000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039291619.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2038825071.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2037522955.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036990859.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#deleteforumtopic
Source: Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036870636.000002110B4C1000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039291619.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2038825071.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2037522955.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036990859.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#deletemessage
Source: Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036870636.000002110B4C1000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039291619.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2038825071.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2037522955.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036990859.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#deletemessages
Source: Q3pEXxmWAD.exe, 00000002.00000003.2037522955.000002110B073000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039291619.000002110B073000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036870636.000002110B4C1000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#deletemycommands
Source: Q3pEXxmWAD.exe, 00000002.00000003.2036870636.000002110B4C1000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255779775.000002110B280000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#deletestickerfromset
Source: Q3pEXxmWAD.exe, 00000002.00000003.2036870636.000002110B4C1000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255008842.000002110AD10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#deletewebhook
Source: Q3pEXxmWAD.exe, 00000002.00000003.2041008281.000002110B510000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B50D000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2045494816.000002110B50D000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043082947.000002110B50D000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2054533904.000002110B50D000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046801194.000002110B50D000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043861852.000002110B50E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110AF40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#dice
Source: Q3pEXxmWAD.exe, 00000002.00000003.2045494816.000002110B65E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041008281.000002110B66E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2042802217.000002110B66E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041008281.000002110B510000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046801194.000002110B65E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B50D000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2053122954.000002110B65E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2045494816.000002110B50D000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043082947.000002110B50D000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2054533904.000002110B50D000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046801194.000002110B50D000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B65E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043861852.000002110B50E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#document
Source: Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036870636.000002110B4C1000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039291619.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2038825071.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2037522955.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036990859.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#editchatinvitelink
Source: Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036870636.000002110B4C1000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039291619.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2038825071.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2037522955.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036990859.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#editforumtopic
Source: Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110AFEB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2037522955.000002110AFF2000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110AFEB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036870636.000002110B4C1000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110AFEB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2038825071.000002110AFF2000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2038179352.000002110AFF1000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110AFEB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110AFEB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039291619.000002110AFF0000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036990859.000002110AFF1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#editgeneralforumtopic
Source: Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036870636.000002110B4C1000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039291619.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2038825071.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2037522955.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036990859.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#editmessagecaption
Source: Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036870636.000002110B4C1000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039291619.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2038825071.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2037522955.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036990859.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#editmessagelivelocation
Source: Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036870636.000002110B4C1000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039291619.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2038825071.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2037522955.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036990859.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#editmessagemedia
Source: Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036870636.000002110B4C1000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039291619.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2038825071.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2037522955.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036990859.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#editmessagereplymarkup
Source: Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036870636.000002110B4C1000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039291619.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2038825071.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2037522955.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036990859.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#editmessagetext
Source: Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036870636.000002110B4C1000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039291619.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2038825071.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2037522955.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036990859.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#exportchatinvitelink
Source: Q3pEXxmWAD.exe, 00000002.00000003.2039903383.000002110B8CE000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2053122954.000002110B636000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043082947.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041008281.000002110B636000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046801194.000002110B636000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2045494816.000002110B636000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046801194.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2045494816.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2054533904.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041008281.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043082947.000002110B636000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B636000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#externalreplyinfo
Source: Q3pEXxmWAD.exe, 00000002.00000003.2041008281.000002110B510000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B50D000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2045494816.000002110B50D000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043082947.000002110B50D000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2054533904.000002110B50D000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046801194.000002110B50D000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043861852.000002110B50E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#file
Source: Q3pEXxmWAD.exe, 00000002.00000003.2041008281.000002110B510000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B50D000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2045494816.000002110B50D000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043082947.000002110B50D000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2054533904.000002110B50D000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046801194.000002110B50D000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043861852.000002110B50E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#forcereply
Source: Q3pEXxmWAD.exe, 00000002.00000003.2039903383.000002110B8CE000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110AF40000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#forumtopic
Source: Q3pEXxmWAD.exe, 00000002.00000003.2039903383.000002110B8CE000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3257675506.000002110B8C0000.00000004.00001000.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#forumtopicclosed
Source: Q3pEXxmWAD.exe, 00000002.00000003.2039903383.000002110B8CE000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#forumtopiccreated
Source: Q3pEXxmWAD.exe, 00000002.00000003.2039903383.000002110B8CE000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255779775.000002110B280000.00000004.00001000.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255930055.000002110B3B0000.00000004.00001000.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#forumtopicedited
Source: Q3pEXxmWAD.exe, 00000002.00000003.2039903383.000002110B8CE000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3257675506.000002110B8C0000.00000004.00001000.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#forumtopicreopened
Source: Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036870636.000002110B4C1000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039291619.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2038825071.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2037522955.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036990859.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#forwardmessage
Source: Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036870636.000002110B4C1000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039291619.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2038825071.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2037522955.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036990859.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#forwardmessages
Source: Q3pEXxmWAD.exe, 00000002.00000003.2053122954.000002110B636000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2056356906.000002110B11F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041008281.000002110B636000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046801194.000002110B636000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2045494816.000002110B636000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043082947.000002110B636000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255597757.000002110B120000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B636000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#game
Source: Q3pEXxmWAD.exe, 00000002.00000002.3255779775.000002110B280000.00000004.00001000.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255930055.000002110B3B0000.00000004.00001000.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#gamehighscore
Source: Q3pEXxmWAD.exe, 00000002.00000003.2039903383.000002110B8CE000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3257675506.000002110B8C0000.00000004.00001000.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255930055.000002110B3B0000.00000004.00001000.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#generalforumtopichidden
Source: Q3pEXxmWAD.exe, 00000002.00000003.2039903383.000002110B8CE000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3257675506.000002110B8C0000.00000004.00001000.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255930055.000002110B3B0000.00000004.00001000.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#generalforumtopicunhidden
Source: Q3pEXxmWAD.exe, 00000002.00000003.2036870636.000002110B4C1000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2038179352.000002110AF72000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039291619.000002110AF72000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110AF70000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110AF40000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043771893.000002110AF70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#getbusinessconnection
Source: Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110AFEB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2037522955.000002110AFF2000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110AFEB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036870636.000002110B4C1000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110AFEB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2038825071.000002110AFF2000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2038825071.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2038179352.000002110AFF1000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110AFEB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110AFEB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2037522955.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036990859.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039291619.000002110AFF0000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036990859.000002110AFF1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#getchat
Source: Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036870636.000002110B4C1000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039291619.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2038825071.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2037522955.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036990859.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#getchatadministrators
Source: Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110AFEB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2037522955.000002110AFF2000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110AFEB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036870636.000002110B4C1000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110AFEB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2038825071.000002110AFF2000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2038179352.000002110AFF1000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110AFEB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110AFEB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039291619.000002110AFF0000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036990859.000002110AFF1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#getchatmember
Source: Q3pEXxmWAD.exe, 00000002.00000002.3255643308.000002110B140000.00000004.00001000.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036870636.000002110B4C1000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039291619.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2038825071.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2037522955.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036990859.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#getchatmembercount
Source: Q3pEXxmWAD.exe, 00000002.00000003.2036870636.000002110B4C1000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110AFAB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2038179352.000002110AFAB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110AFAB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039291619.000002110AFAB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110AF98000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110AFA2000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110AF93000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#getchatmenubutton
Source: Q3pEXxmWAD.exe, 00000002.00000003.2036870636.000002110B4C1000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255008842.000002110AD10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#getfile
Source: Q3pEXxmWAD.exe, 00000002.00000002.3255214542.000002110AE40000.00000004.00001000.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036870636.000002110B4C1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#getforumtopiciconstickers
Source: Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036870636.000002110B4C1000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039291619.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2038825071.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2037522955.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036990859.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#getgamehighscores
Source: Q3pEXxmWAD.exe, 00000002.00000002.3255643308.000002110B140000.00000004.00001000.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036870636.000002110B4C1000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039291619.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2038825071.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2037522955.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036990859.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#getme
Source: Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036870636.000002110B4C1000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039291619.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2038825071.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2037522955.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036990859.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#getmycommands
Source: Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036870636.000002110B4C1000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039291619.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2038825071.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2037522955.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036990859.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#getmydefaultadministratorrights
Source: Q3pEXxmWAD.exe, 00000002.00000002.3255214542.000002110AE40000.00000004.00001000.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036870636.000002110B4C1000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2038825071.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2037522955.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036990859.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#getmydescription
Source: Q3pEXxmWAD.exe, 00000002.00000002.3255643308.000002110B140000.00000004.00001000.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036870636.000002110B4C1000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039291619.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2038825071.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2037522955.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036990859.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#getmyname
Source: Q3pEXxmWAD.exe, 00000002.00000002.3255643308.000002110B140000.00000004.00001000.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036870636.000002110B4C1000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2038825071.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2037522955.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036990859.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#getmyshortdescription
Source: Q3pEXxmWAD.exe, 00000002.00000002.3255643308.000002110B140000.00000004.00001000.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036870636.000002110B4C1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#getstickerset
Source: Q3pEXxmWAD.exe, 00000002.00000003.2036870636.000002110B4C1000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110AFAB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2038179352.000002110AFAB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110AFAB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039291619.000002110AFAB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110AF98000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110AFA2000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110AF93000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#getupdates
Source: Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036870636.000002110B4C1000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039291619.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2038825071.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2037522955.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036990859.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#getuserchatboosts
Source: Q3pEXxmWAD.exe, 00000002.00000003.2036870636.000002110B4C1000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2038825071.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2037522955.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255008842.000002110AD10000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036990859.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#getuserprofilephotos
Source: Q3pEXxmWAD.exe, 00000002.00000003.2036870636.000002110B4C1000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2038179352.000002110AF72000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039291619.000002110AF72000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110AF70000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110AF40000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043771893.000002110AF70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#getwebhookinfo
Source: Q3pEXxmWAD.exe, 00000002.00000003.2039903383.000002110B8CE000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2053122954.000002110B636000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043082947.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041008281.000002110B636000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046801194.000002110B636000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2045494816.000002110B636000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046801194.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2045494816.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2054533904.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041008281.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043082947.000002110B636000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B636000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#giveaway
Source: Q3pEXxmWAD.exe, 00000002.00000003.2039903383.000002110B8CE000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2056356906.000002110B11F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255597757.000002110B120000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#giveawaycompleted
Source: Q3pEXxmWAD.exe, 00000002.00000003.2039903383.000002110B8CE000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043082947.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2042184831.000002110B6AD000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046801194.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2045494816.000002110B6A6000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2045494816.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2056170973.000002110B6A3000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2054533904.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041008281.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2053122954.000002110B6A3000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046801194.000002110B6A6000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2042802217.000002110B6A6000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047852039.000002110B6A6000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B6A3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#giveawaywinners
Source: Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036870636.000002110B4C1000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039291619.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2038825071.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2037522955.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036990859.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#hidegeneralforumtopic
Source: Q3pEXxmWAD.exe, 00000002.00000003.2039903383.000002110B8CE000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110AF40000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#inaccessiblemessage
Source: Q3pEXxmWAD.exe, 00000002.00000003.2039903383.000002110B8CE000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2045494816.000002110B65E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2053122954.000002110B636000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043082947.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041008281.000002110B66E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2042802217.000002110B66E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046801194.000002110B65E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041008281.000002110B636000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046801194.000002110B636000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2045494816.000002110B636000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046801194.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2045494816.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2053122954.000002110B65E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2054533904.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041008281.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043082947.000002110B636000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#inlinekeyboardbutton
Source: Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B65E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043861852.000002110B50E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#inlinekeyboardmarkup
Source: Q3pEXxmWAD.exe, 00000002.00000003.2053122954.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2045494816.000002110B65E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046801194.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2042184831.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041008281.000002110B66E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2042802217.000002110B66E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046801194.000002110B65E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2053122954.000002110B65E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043412066.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B65E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#inlinequery
Source: Q3pEXxmWAD.exe, 00000002.00000003.2053122954.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046801194.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2042184831.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043412066.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#inlinequeryresult
Source: Q3pEXxmWAD.exe, 00000002.00000003.2053122954.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046801194.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2042184831.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043412066.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#inlinequeryresultarticle
Source: Q3pEXxmWAD.exe, 00000002.00000003.2053122954.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046801194.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2042184831.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043412066.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#inlinequeryresultaudio
Source: Q3pEXxmWAD.exe, 00000002.00000003.2053122954.000002110B636000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2056356906.000002110B11F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041008281.000002110B636000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046801194.000002110B636000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2045494816.000002110B636000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043082947.000002110B636000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255597757.000002110B120000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B636000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#inlinequeryresultcachedaudio
Source: Q3pEXxmWAD.exe, 00000002.00000003.2053122954.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046801194.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2042184831.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2056356906.000002110B11F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043412066.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255597757.000002110B120000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#inlinequeryresultcacheddocument
Source: Q3pEXxmWAD.exe, 00000002.00000003.2053122954.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046801194.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2042184831.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2056356906.000002110B11F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043412066.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255597757.000002110B120000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#inlinequeryresultcachedgif
Source: Q3pEXxmWAD.exe, 00000002.00000003.2053122954.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046801194.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2042184831.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2056356906.000002110B11F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043412066.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255597757.000002110B120000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#inlinequeryresultcachedmpeg4gif
Source: Q3pEXxmWAD.exe, 00000002.00000003.2053122954.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046801194.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2042184831.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2056356906.000002110B11F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043412066.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255597757.000002110B120000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#inlinequeryresultcachedphoto
Source: Q3pEXxmWAD.exe, 00000002.00000003.2053122954.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046801194.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2042184831.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2056356906.000002110B11F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043412066.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255597757.000002110B120000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#inlinequeryresultcachedsticker
Source: Q3pEXxmWAD.exe, 00000002.00000003.2053122954.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046801194.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2042184831.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2056356906.000002110B11F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043412066.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255597757.000002110B120000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#inlinequeryresultcachedvideo
Source: Q3pEXxmWAD.exe, 00000002.00000003.2053122954.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046801194.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2042184831.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2056356906.000002110B11F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043412066.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255597757.000002110B120000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#inlinequeryresultcachedvoice
Source: Q3pEXxmWAD.exe, 00000002.00000003.2053122954.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046801194.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2042184831.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2056356906.000002110B11F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043412066.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255597757.000002110B120000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#inlinequeryresultcontact
Source: Q3pEXxmWAD.exe, 00000002.00000003.2053122954.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046801194.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2042184831.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2056356906.000002110B11F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043412066.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255597757.000002110B120000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#inlinequeryresultdocument
Source: Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110AF40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#inlinequeryresultgame
Source: Q3pEXxmWAD.exe, 00000002.00000003.2053122954.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046801194.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2042184831.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2056356906.000002110B11F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043412066.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255597757.000002110B120000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#inlinequeryresultgif
Source: Q3pEXxmWAD.exe, 00000002.00000003.2053122954.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046801194.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2042184831.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2056356906.000002110B11F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043412066.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255597757.000002110B120000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#inlinequeryresultlocation
Source: Q3pEXxmWAD.exe, 00000002.00000003.2053122954.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046801194.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2042184831.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2056356906.000002110B11F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043412066.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255597757.000002110B120000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#inlinequeryresultmpeg4gif
Source: Q3pEXxmWAD.exe, 00000002.00000003.2053122954.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046801194.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2042184831.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043412066.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#inlinequeryresultphoto
Source: Q3pEXxmWAD.exe, 00000002.00000003.2039903383.000002110B8CE000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2053122954.000002110B636000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043082947.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041008281.000002110B636000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046801194.000002110B636000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2045494816.000002110B636000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046801194.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2045494816.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2054533904.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041008281.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043082947.000002110B636000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B636000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#inlinequeryresultsbutton
Source: Q3pEXxmWAD.exe, 00000002.00000003.2053122954.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046801194.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2042184831.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2056356906.000002110B11F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043412066.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255597757.000002110B120000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#inlinequeryresultvenue
Source: Q3pEXxmWAD.exe, 00000002.00000003.2053122954.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046801194.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2042184831.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2056356906.000002110B11F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043412066.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255597757.000002110B120000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#inlinequeryresultvideo
Source: Q3pEXxmWAD.exe, 00000002.00000003.2053122954.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046801194.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2042184831.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2056356906.000002110B11F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043412066.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255597757.000002110B120000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#inlinequeryresultvoice
Source: Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110AF40000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#inputcontactmessagecontent
Source: Q3pEXxmWAD.exe, 00000002.00000003.2053122954.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046801194.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2042184831.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043412066.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#inputinvoicemessagecontent
Source: Q3pEXxmWAD.exe, 00000002.00000003.2053122954.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046801194.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2042184831.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043412066.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#inputlocationmessagecontent
Source: Q3pEXxmWAD.exe, 00000002.00000003.2053122954.000002110B636000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2056356906.000002110B11F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041008281.000002110B636000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040081091.000002110B514000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046801194.000002110B636000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2045494816.000002110B636000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043082947.000002110B636000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255597757.000002110B120000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B636000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#inputmediaanimation
Source: Q3pEXxmWAD.exe, 00000002.00000003.2056356906.000002110B11F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040081091.000002110B514000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255597757.000002110B120000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#inputmediaaudio
Source: Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043082947.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040081091.000002110B514000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046801194.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2045494816.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2054533904.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041008281.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#inputmediadocument
Source: Q3pEXxmWAD.exe, 00000002.00000003.2053122954.000002110B636000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2056356906.000002110B11F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041008281.000002110B636000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046801194.000002110B636000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2045494816.000002110B636000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043082947.000002110B636000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255597757.000002110B120000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B636000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#inputmediaphoto
Source: Q3pEXxmWAD.exe, 00000002.00000003.2053122954.000002110B636000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2056356906.000002110B11F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041008281.000002110B636000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040081091.000002110B514000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046801194.000002110B636000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2045494816.000002110B636000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043082947.000002110B636000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255597757.000002110B120000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B636000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#inputmediavideo
Source: Q3pEXxmWAD.exe, 00000002.00000003.2041008281.000002110B510000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B50D000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040081091.000002110B514000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047852039.000002110B631000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2045494816.000002110B50D000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043082947.000002110B50D000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2054533904.000002110B50D000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046801194.000002110B50D000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043861852.000002110B50E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#inputpolloption
Source: Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110AFAB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110AFAB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110AF98000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110AFA2000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110AF93000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#inputtextmessagecontent
Source: Q3pEXxmWAD.exe, 00000002.00000003.2053122954.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046801194.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2042184831.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043412066.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#inputvenuemessagecontent
Source: Q3pEXxmWAD.exe, 00000002.00000003.2053122954.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046801194.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110AFEB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2042184831.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110AFEB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110AFEB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110AFEB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043412066.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110AFEB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#invoice
Source: Q3pEXxmWAD.exe, 00000002.00000003.2045494816.000002110B65E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041008281.000002110B66E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2042802217.000002110B66E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046801194.000002110B65E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2053122954.000002110B65E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B65E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#keyboardbutton
Source: Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#keyboardbuttonpolltype
Source: Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#keyboardbuttonrequestchat
Source: Q3pEXxmWAD.exe, 00000002.00000003.2041008281.000002110B510000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B50D000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2045494816.000002110B50D000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043082947.000002110B50D000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2054533904.000002110B50D000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046801194.000002110B50D000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043861852.000002110B50E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#keyboardbuttonrequestusers
Source: Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110AF40000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#labeledprice
Source: Q3pEXxmWAD.exe, 00000002.00000002.3255214542.000002110AE40000.00000004.00001000.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036870636.000002110B4C1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#leavechat
Source: Q3pEXxmWAD.exe, 00000002.00000003.2039903383.000002110B8CE000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043082947.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046801194.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2045494816.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2054533904.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041008281.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#linkpreviewoptions
Source: Q3pEXxmWAD.exe, 00000002.00000003.2045494816.000002110B65E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2056356906.000002110B11F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041008281.000002110B66E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2042802217.000002110B66E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046801194.000002110B65E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2053122954.000002110B65E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255597757.000002110B120000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B65E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#location
Source: Q3pEXxmWAD.exe, 00000002.00000003.2045494816.000002110B65E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041008281.000002110B66E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2042802217.000002110B66E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046801194.000002110B65E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2053122954.000002110B65E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B65E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#loginurl
Source: Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110AFEB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2037522955.000002110AFF2000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110AFEB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036870636.000002110B4C1000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110AFEB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039291619.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2038825071.000002110AFF2000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2038825071.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2038179352.000002110AFF1000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110AFEB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110AFEB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2037522955.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036990859.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039291619.000002110AFF0000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036990859.000002110AFF1000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#logout
Source: Q3pEXxmWAD.exe, 00000002.00000003.2053122954.000002110B636000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2056356906.000002110B11F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041008281.000002110B636000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046801194.000002110B636000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2045494816.000002110B636000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043082947.000002110B636000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255597757.000002110B120000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B636000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#maskposition
Source: Q3pEXxmWAD.exe, 00000002.00000003.2039903383.000002110B8CE000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3257675506.000002110B8C0000.00000004.00001000.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255930055.000002110B3B0000.00000004.00001000.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#menubuttoncommands
Source: Q3pEXxmWAD.exe, 00000002.00000003.2039903383.000002110B8CE000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3257675506.000002110B8C0000.00000004.00001000.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255930055.000002110B3B0000.00000004.00001000.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#menubuttondefault
Source: Q3pEXxmWAD.exe, 00000002.00000003.2039903383.000002110B8CE000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110AF40000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#menubuttonwebapp
Source: Q3pEXxmWAD.exe, 00000002.00000003.2045494816.000002110B65E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2056356906.000002110B11F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041008281.000002110B66E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2042802217.000002110B66E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046801194.000002110B65E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040054615.000002110B124000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2053122954.000002110B65E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255597757.000002110B120000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B65E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#message
Source: Q3pEXxmWAD.exe, 00000002.00000003.2039903383.000002110B8CE000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255779775.000002110B280000.00000004.00001000.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255930055.000002110B3B0000.00000004.00001000.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#messageautodeletetimerchanged
Source: Q3pEXxmWAD.exe, 00000002.00000003.2045494816.000002110B65E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041008281.000002110B66E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2042802217.000002110B66E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041008281.000002110B510000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046801194.000002110B65E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B50D000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2053122954.000002110B65E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2045494816.000002110B50D000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043082947.000002110B50D000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2054533904.000002110B50D000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046801194.000002110B50D000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B65E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043861852.000002110B50E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#messageentity
Source: Q3pEXxmWAD.exe, 00000002.00000003.2040054615.000002110B124000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255779775.000002110B280000.00000004.00001000.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3257675506.000002110B8C0000.00000004.00001000.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#messageid
Source: Q3pEXxmWAD.exe, 00000002.00000003.2039903383.000002110B8CE000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2056356906.000002110B11F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255597757.000002110B120000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#messageorigin
Source: Q3pEXxmWAD.exe, 00000002.00000003.2039903383.000002110B8CE000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110AF70000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110AF40000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043771893.000002110AF70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#messagereactioncountupdated
Source: Q3pEXxmWAD.exe, 00000002.00000003.2039903383.000002110B8CE000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043082947.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046801194.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2045494816.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2054533904.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041008281.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#messagereactionupdated
Source: Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#orderinfo
Source: Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255008842.000002110AD10000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#photosize
Source: Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036870636.000002110B4C1000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039291619.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2038825071.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2037522955.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036990859.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#pinchatmessage
Source: Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2053122954.000002110B636000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043082947.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041008281.000002110B636000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040081091.000002110B514000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046801194.000002110B636000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2045494816.000002110B636000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046801194.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2045494816.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2054533904.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041008281.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043082947.000002110B636000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B636000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#poll
Source: Q3pEXxmWAD.exe, 00000002.00000003.2056356906.000002110B11F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040081091.000002110B514000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047852039.000002110B631000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255597757.000002110B120000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#pollanswer
Source: Q3pEXxmWAD.exe, 00000002.00000003.2056356906.000002110B11F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040081091.000002110B514000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255597757.000002110B120000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#polloption
Source: Q3pEXxmWAD.exe, 00000002.00000003.2045494816.000002110B65E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2056356906.000002110B11F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041008281.000002110B66E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2042802217.000002110B66E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046801194.000002110B65E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2053122954.000002110B65E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255597757.000002110B120000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B65E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#precheckoutquery
Source: Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036870636.000002110B4C1000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039291619.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2038825071.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2037522955.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036990859.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#promotechatmember
Source: Q3pEXxmWAD.exe, 00000002.00000003.2040081091.000002110B514000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110AF40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#proximityalerttriggered
Source: Q3pEXxmWAD.exe, 00000002.00000003.2039903383.000002110B8CE000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255930055.000002110B3B0000.00000004.00001000.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#reactioncount
Source: Q3pEXxmWAD.exe, 00000002.00000003.2039903383.000002110B8CE000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3257675506.000002110B8C0000.00000004.00001000.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#reactiontype
Source: Q3pEXxmWAD.exe, 00000002.00000003.2039903383.000002110B8CE000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255930055.000002110B3B0000.00000004.00001000.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#reactiontypecustomemoji
Source: Q3pEXxmWAD.exe, 00000002.00000003.2039903383.000002110B8CE000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255930055.000002110B3B0000.00000004.00001000.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#reactiontypeemoji
Source: Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036870636.000002110B4C1000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039291619.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2038825071.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2037522955.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036990859.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#reopenforumtopic
Source: Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036870636.000002110B4C1000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039291619.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2038825071.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2037522955.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036990859.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#reopengeneralforumtopic
Source: Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036870636.000002110B4C1000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039291619.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2038825071.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2037522955.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036990859.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#replaceStickerInSet
Source: Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#replykeyboardmarkup
Source: Q3pEXxmWAD.exe, 00000002.00000003.2041008281.000002110B510000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B50D000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2045494816.000002110B50D000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043082947.000002110B50D000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2054533904.000002110B50D000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046801194.000002110B50D000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043861852.000002110B50E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#replykeyboardremove
Source: Q3pEXxmWAD.exe, 00000002.00000003.2039903383.000002110B8CE000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2045494816.000002110B65E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043082947.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2042802217.000002110B66E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046801194.000002110B65E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046801194.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2045494816.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2053122954.000002110B65E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2054533904.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2042184831.000002110B69C000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041008281.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B65E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#replyparameters
Source: Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036870636.000002110B4C1000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039291619.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2038825071.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2037522955.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036990859.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#restrictchatmember
Source: Q3pEXxmWAD.exe, 00000002.00000003.2039291619.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2038825071.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2037522955.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036990859.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#revokech
Source: Q3pEXxmWAD.exe, 00000002.00000003.2036870636.000002110B4C1000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255008842.000002110AD10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#revokechatinvitelink
Source: Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036870636.000002110B4C1000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039291619.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2038825071.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2037522955.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036990859.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#sendanimation
Source: Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036870636.000002110B4C1000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039291619.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2038825071.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2037522955.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036990859.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#sendaudio
Source: Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036870636.000002110B4C1000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039291619.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2038825071.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2037522955.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036990859.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#sendchataction
Source: Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036870636.000002110B4C1000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039291619.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2038825071.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2037522955.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036990859.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#sendcontact
Source: Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036870636.000002110B4C1000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039291619.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2038825071.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2037522955.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036990859.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#senddice
Source: Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036870636.000002110B4C1000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039291619.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2038825071.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2037522955.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036990859.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#senddocument
Source: Q3pEXxmWAD.exe, 00000002.00000003.2036870636.000002110B4C1000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255008842.000002110AD10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#sendgame
Source: Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036870636.000002110B4C1000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039291619.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2038825071.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2037522955.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036990859.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#sendinvoice
Source: Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036870636.000002110B4C1000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039291619.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2038825071.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2037522955.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036990859.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#sendlocation
Source: Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036870636.000002110B4C1000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039291619.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2038825071.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2037522955.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036990859.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#sendmediagroup
Source: Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036870636.000002110B4C1000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039291619.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2038825071.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2037522955.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036990859.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#sendmessage
Source: Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036870636.000002110B4C1000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039291619.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2038825071.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2037522955.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036990859.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#sendphoto
Source: Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036870636.000002110B4C1000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039291619.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2038825071.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2037522955.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036990859.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#sendpoll
Source: Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036870636.000002110B4C1000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039291619.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2038825071.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2037522955.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036990859.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#sendsticker
Source: Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036870636.000002110B4C1000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039291619.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2038825071.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2037522955.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036990859.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#sendvenue
Source: Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036870636.000002110B4C1000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039291619.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2038825071.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2037522955.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036990859.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#sendvideo
Source: Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036870636.000002110B4C1000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039291619.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2038825071.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2037522955.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036990859.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#sendvideonote
Source: Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036870636.000002110B4C1000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039291619.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2038825071.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2037522955.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036990859.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#sendvoice
Source: Q3pEXxmWAD.exe, 00000002.00000002.3255779775.000002110B280000.00000004.00001000.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255930055.000002110B3B0000.00000004.00001000.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#sentwebappmessage
Source: Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036870636.000002110B4C1000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039291619.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2038825071.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2037522955.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036990859.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#setchatadministratorcustomtitle
Source: Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039174913.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043082947.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040081091.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036870636.000002110B4C1000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046801194.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2045494816.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2054533904.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041008281.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036870636.000002110B58A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#setchatdescription
Source: Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036870636.000002110B4C1000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039291619.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2038825071.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2037522955.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036990859.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#setchatmenubutton
Source: Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036870636.000002110B4C1000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039291619.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2038825071.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2037522955.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036990859.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#setchatpermissions
Source: Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036870636.000002110B4C1000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039291619.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2038825071.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2037522955.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036990859.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#setchatphoto
Source: Q3pEXxmWAD.exe, 00000002.00000003.2036870636.000002110B4C1000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110AFAB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110AFAB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110AF98000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2038179352.000002110AFDC000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110AFA2000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110AF93000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039291619.000002110AFDC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#setchatstickerset
Source: Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039174913.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043082947.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040081091.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036870636.000002110B4C1000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046801194.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2045494816.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2054533904.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041008281.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036870636.000002110B58A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#setchattitle
Source: Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036870636.000002110B4C1000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039291619.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2038825071.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2037522955.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036990859.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#setgamescore
Source: Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110AFEB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2037522955.000002110AFF2000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110AFEB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036870636.000002110B4C1000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110AFEB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2038825071.000002110AFF2000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2038825071.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2038179352.000002110AFF1000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110AFEB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110AFEB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2037522955.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036990859.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039291619.000002110AFF0000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036990859.000002110AFF1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#setmessagereaction
Source: Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036870636.000002110B4C1000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039291619.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2038825071.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2037522955.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036990859.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#setmycommands
Source: Q3pEXxmWAD.exe, 00000002.00000003.2036870636.000002110B4C1000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255008842.000002110AD10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#setmydefaultadministratorrights
Source: Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036870636.000002110B4C1000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039291619.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2038825071.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2037522955.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036990859.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#setmydescription
Source: Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036870636.000002110B4C1000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039291619.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2038825071.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2037522955.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036990859.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#setmyname
Source: Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036870636.000002110B4C1000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039291619.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2038825071.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039291619.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036990859.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2037522955.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036990859.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#setmyshortdescription
Source: Q3pEXxmWAD.exe, 00000002.00000003.2036870636.000002110B4C1000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110AFAB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2038825071.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110AFAB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2037522955.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036990859.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110AF98000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2038179352.000002110AFDC000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110AFA2000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110AF93000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039291619.000002110AFDC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#setstickerpositioninset
Source: Q3pEXxmWAD.exe, 00000002.00000003.2036870636.000002110B4C1000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110AFAB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2038179352.000002110AFAB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110AFAB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039291619.000002110AFAB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110AF98000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110AFA2000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110AF93000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#setstickersetthumb
Source: Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036870636.000002110B4C1000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039291619.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2038825071.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2037522955.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036990859.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#setstickersetthumbnail
Source: Q3pEXxmWAD.exe, 00000002.00000003.2036870636.000002110B4C1000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110AFAB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110AFAB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110AF98000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2038179352.000002110AFDC000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110AFA2000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110AF93000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039291619.000002110AFDC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#setwebhook
Source: Q3pEXxmWAD.exe, 00000002.00000003.2039903383.000002110B8CE000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2053122954.000002110B636000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043082947.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041008281.000002110B636000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046801194.000002110B636000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2045494816.000002110B636000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046801194.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2045494816.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2054533904.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041008281.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043082947.000002110B636000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B636000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#shareduser
Source: Q3pEXxmWAD.exe, 00000002.00000003.2056356906.000002110B11F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255008842.000002110AD10000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255597757.000002110B120000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#shippingaddress
Source: Q3pEXxmWAD.exe, 00000002.00000002.3255779775.000002110B280000.00000004.00001000.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255930055.000002110B3B0000.00000004.00001000.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#shippingoption
Source: Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110AF40000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#shippingquery
Source: Q3pEXxmWAD.exe, 00000002.00000003.2053122954.000002110B636000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2056356906.000002110B11F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041008281.000002110B636000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046801194.000002110B636000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2045494816.000002110B636000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043082947.000002110B636000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255597757.000002110B120000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B636000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#sticker
Source: Q3pEXxmWAD.exe, 00000002.00000003.2056356906.000002110B11F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255008842.000002110AD10000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255597757.000002110B120000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#stickerset
Source: Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036870636.000002110B4C1000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039291619.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2038825071.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2037522955.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036990859.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#stopmessagelivelocation
Source: Q3pEXxmWAD.exe, 00000002.00000003.2036870636.000002110B4C1000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255008842.000002110AD10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#stoppoll
Source: Q3pEXxmWAD.exe, 00000002.00000003.2039903383.000002110B8CE000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3257675506.000002110B8C0000.00000004.00001000.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255930055.000002110B3B0000.00000004.00001000.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#story
Source: Q3pEXxmWAD.exe, 00000002.00000003.2045494816.000002110B65E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2056356906.000002110B11F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2042802217.000002110B66E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046801194.000002110B65E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2053122954.000002110B65E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2042184831.000002110B69C000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255597757.000002110B120000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B65E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#successfulpayment
Source: Q3pEXxmWAD.exe, 00000002.00000003.2039903383.000002110B8CE000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2045494816.000002110B65E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043082947.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041008281.000002110B66E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2042802217.000002110B66E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046801194.000002110B65E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046801194.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2045494816.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2053122954.000002110B65E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2054533904.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041008281.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B65E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#textquote
Source: Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036870636.000002110B4C1000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039291619.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2038825071.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2037522955.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036990859.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#unbanchatmember
Source: Q3pEXxmWAD.exe, 00000002.00000003.2038179352.000002110AFE9000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036870636.000002110B4C1000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110AFAB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110AFAB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110AF98000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110AFA2000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110AF93000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039291619.000002110AFDC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#unbanchatsenderchat
Source: Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036870636.000002110B4C1000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039291619.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2038825071.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2037522955.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036990859.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#unhidegeneralforumtopic
Source: Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036870636.000002110B4C1000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039291619.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2038825071.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2037522955.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036990859.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#unpinAllGeneralForumTopicMessages
Source: Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036870636.000002110B4C1000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039291619.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2038825071.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2037522955.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036990859.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#unpinallchatmessages
Source: Q3pEXxmWAD.exe, 00000002.00000003.2038179352.000002110AFE9000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036870636.000002110B4C1000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110AFAB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110AFAB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110AF98000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110AFA2000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110AF93000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039291619.000002110AFDC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#unpinallforumtopicmessages
Source: Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036870636.000002110B4C1000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039291619.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2038825071.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2037522955.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036990859.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#unpinchatmessage
Source: Q3pEXxmWAD.exe, 00000002.00000003.2041008281.000002110B510000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B50D000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040081091.000002110B514000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110AFAB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110AFAB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2045494816.000002110B50D000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043082947.000002110B50D000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2054533904.000002110B50D000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046801194.000002110B50D000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110AF98000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110AFA2000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110AF93000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043861852.000002110B50E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#update
Source: Q3pEXxmWAD.exe, 00000002.00000003.2038825071.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2037522955.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036990859.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#uploadsticke/
Source: Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036870636.000002110B4C1000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039291619.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2038825071.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2037522955.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036990859.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#uploadstickerfile
Source: Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040054615.000002110B124000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#user
Source: Q3pEXxmWAD.exe, 00000002.00000003.2039903383.000002110B8CE000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3257675506.000002110B8C0000.00000004.00001000.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255930055.000002110B3B0000.00000004.00001000.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#userchatboosts
Source: Q3pEXxmWAD.exe, 00000002.00000003.2036870636.000002110B4C1000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110AFAB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110AFAB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255779775.000002110B280000.00000004.00001000.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255008842.000002110AD10000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110AF98000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110AFA2000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110AF93000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#userprofilephotos
Source: Q3pEXxmWAD.exe, 00000002.00000003.2039903383.000002110B8CE000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2053122954.000002110B636000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043082947.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041008281.000002110B636000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046801194.000002110B636000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2045494816.000002110B636000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046801194.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2045494816.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2054533904.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041008281.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043082947.000002110B636000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B636000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#usersshared
Source: Q3pEXxmWAD.exe, 00000002.00000003.2041008281.000002110B510000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B50D000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110AFAB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110AFAB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2045494816.000002110B50D000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043082947.000002110B50D000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2054533904.000002110B50D000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046801194.000002110B50D000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110AF98000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110AFA2000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110AF93000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043861852.000002110B50E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#venue
Source: Q3pEXxmWAD.exe, 00000002.00000003.2045494816.000002110B65E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041008281.000002110B66E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2042802217.000002110B66E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046801194.000002110B65E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110AFAB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110AFAB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2053122954.000002110B65E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110AF98000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110AFA2000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110AF93000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B65E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#video
Source: Q3pEXxmWAD.exe, 00000002.00000003.2039903383.000002110B8CE000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3257675506.000002110B8C0000.00000004.00001000.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255930055.000002110B3B0000.00000004.00001000.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#videochatended
Source: Q3pEXxmWAD.exe, 00000002.00000003.2039903383.000002110B8CE000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3257675506.000002110B8C0000.00000004.00001000.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255930055.000002110B3B0000.00000004.00001000.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#videochatparticipantsinvited
Source: Q3pEXxmWAD.exe, 00000002.00000003.2040081091.000002110B514000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255779775.000002110B280000.00000004.00001000.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255930055.000002110B3B0000.00000004.00001000.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#videochatscheduled
Source: Q3pEXxmWAD.exe, 00000002.00000003.2041008281.000002110B510000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B50D000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3253737288.0000021109040000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2045494816.000002110B50D000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043082947.000002110B50D000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2054533904.000002110B50D000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046801194.000002110B50D000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043861852.000002110B50E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#videonote
Source: Q3pEXxmWAD.exe, 00000002.00000003.2041008281.000002110B510000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B50D000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2045494816.000002110B50D000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043082947.000002110B50D000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2054533904.000002110B50D000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046801194.000002110B50D000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043861852.000002110B50E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#voice
Source: Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110AFAB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110AFAB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040054615.000002110B124000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110AF98000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110AFA2000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110AF93000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#webappdata
Source: Q3pEXxmWAD.exe, 00000002.00000002.3257675506.000002110B8C0000.00000004.00001000.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255930055.000002110B3B0000.00000004.00001000.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#webappinfo
Source: Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110AFAB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110AFAB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040054615.000002110B124000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110AF98000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110AFA2000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110AF93000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110AF40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#webhookinfo
Source: Q3pEXxmWAD.exe, 00000002.00000003.2039903383.000002110B8CE000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2056356906.000002110B11F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255597757.000002110B120000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/api#writeaccessallowed
Source: Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036870636.000002110B4C1000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046437795.000002110B778000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2042772871.000002110B71B000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039291619.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2038825071.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2037522955.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2044723333.000002110B778000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036990859.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2053122954.000002110B758000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B758000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2042702957.000002110B778000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/bots/payments#supported-currencies
Source: Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036870636.000002110B4C1000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039291619.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2038825071.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2037522955.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036990859.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/stickers
Source: Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036870636.000002110B4C1000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039291619.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2038825071.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2037522955.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036990859.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/stickers#animated-sticker-requirements
Source: Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036870636.000002110B4C1000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039291619.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2038825071.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2037522955.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036990859.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://core.telegram.org/stickers#video-sticker-requirements
Source: Q3pEXxmWAD.exe, 00000002.00000002.3255008842.000002110AD10000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2035168608.000002110B07A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2034810962.000002110B073000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3.11/library/binascii.html#binascii.a2b_base64
Source: Q3pEXxmWAD.exe, 00000002.00000002.3257675506.000002110B8C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://foss.heptapod.net/pypy/pypy/-/issues/3539
Source: Q3pEXxmWAD.exe, 00000002.00000003.2046437795.000002110B778000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2044723333.000002110B778000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2053122954.000002110B758000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B758000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Ousret/charset_normalizer
Source: Q3pEXxmWAD.exe, 00000002.00000002.3253737288.0000021109078000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2031692203.0000021109090000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255008842.000002110AD10000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2031195401.00000211090A9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy
Source: Q3pEXxmWAD.exe, 00000002.00000003.2037522955.000002110B073000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039291619.000002110B073000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036870636.000002110B4C1000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2038825071.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2037522955.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036990859.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B4C0000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/eternnoir/pyTelegramBotAPI/tree/master/examples
Source: Q3pEXxmWAD.exe, 00000002.00000002.3255214542.000002110AE40000.00000004.00001000.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2033859203.000002110AFAB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036239728.000002110AFAB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2033818312.000002110B06A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2035118346.000002110AFAB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/giampaolo/psutil/issues/875.
Source: Q3pEXxmWAD.exe, 00000002.00000002.3254414115.000002110A948000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688
Source: Q3pEXxmWAD.exe, 00000002.00000003.2031195401.00000211090A9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py
Source: Q3pEXxmWAD.exe, 00000002.00000002.3253737288.0000021109078000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2031692203.0000021109090000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255008842.000002110AD10000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2031195401.00000211090A9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader
Source: Q3pEXxmWAD.exe, 00000002.00000003.2035347309.000002110B073000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036287140.000002110B07A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036375396.000002110B0FA000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255008842.000002110AD10000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2035246765.000002110B0FA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/issues/86361.
Source: Q3pEXxmWAD.exe, 00000002.00000002.3253737288.0000021109078000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2031692203.0000021109090000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255008842.000002110AD10000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2031195401.00000211090A9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#
Source: Q3pEXxmWAD.exe, 00000002.00000002.3257675506.000002110B8C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/2192#issuecomment-821832963
Source: Q3pEXxmWAD.exe, 00000002.00000003.2046437795.000002110B778000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2044723333.000002110B778000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2053122954.000002110B758000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B758000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/2513#issuecomment-1152559900.
Source: Q3pEXxmWAD.exe, 00000002.00000002.3257991414.000002110BAD0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/2920
Source: Q3pEXxmWAD.exe, 00000002.00000003.2044723333.000002110B7B8000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046437795.000002110B7B8000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046437795.000002110B778000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046217740.000002110B7BF000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2054691134.000002110B7B8000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2044723333.000002110B778000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255008842.000002110AD10000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B7B8000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2048600214.000002110B7C1000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2053122954.000002110B758000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B758000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110AF40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://google.com/
Source: Q3pEXxmWAD.exe, 00000002.00000003.2046437795.000002110B778000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2044723333.000002110B778000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2053122954.000002110B758000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B758000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110AF40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://google.com/mail
Source: Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://google.com/mail/
Source: Q3pEXxmWAD.exe, 00000002.00000003.2044723333.000002110B7B8000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046437795.000002110B7B8000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046217740.000002110B7BF000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2054691134.000002110B7B8000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B7B8000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2048600214.000002110B7C1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://html.spec.whatwg.org/multipage/
Source: Q3pEXxmWAD.exe, 00000002.00000003.2048600214.000002110B7C1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://httpbin.org/
Source: Q3pEXxmWAD.exe, 00000002.00000002.3258134310.000002110BCA4000.00000004.00001000.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B88A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2053122954.000002110B6A3000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B4C0000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B6A3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://httpbin.org/get
Source: Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110AF98000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110AFA2000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110AF93000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://httpbin.org/post
Source: Q3pEXxmWAD.exe, 00000002.00000002.3258134310.000002110BBD0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://importlib-resources.readthedocs.io/en/latest/using.html#migrating-from-legacy
Source: Q3pEXxmWAD.exe, 00000002.00000003.2043771893.000002110AF70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://json.org
Source: Q3pEXxmWAD.exe, 00000002.00000003.2054691134.000002110B7B8000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B7B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mahler:8092/site-updates.py
Source: Q3pEXxmWAD.exe, 00000002.00000002.3255643308.000002110B140000.00000004.00001000.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2031865432.000002110ADF1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://peps.python.org/pep-0205/
Source: Q3pEXxmWAD.exe, 00000002.00000002.3262655733.00007FF8A8CDF000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: https://peps.python.org/pep-0263/
Source: Q3pEXxmWAD.exe, 00000002.00000002.3255643308.000002110B140000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://peps.python.org/pep-0506/
Source: Q3pEXxmWAD.exe, 00000002.00000002.3258371309.000002110BD18000.00000004.00001000.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110AF98000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110AFA2000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110AF93000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://requests.readthedocs.io
Source: Q3pEXxmWAD.exe, 00000002.00000002.3255214542.000002110AE40000.00000004.00001000.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2033859203.000002110AFAB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036239728.000002110AFAB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2033818312.000002110B06A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2035118346.000002110AFAB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/questions/4457745#4457745.
Source: Q3pEXxmWAD.exe, 00000002.00000002.3257675506.000002110B8C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://t.me/
Source: Q3pEXxmWAD.exe, 00000002.00000003.2045494816.000002110B65E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041008281.000002110B66E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2042802217.000002110B66E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041008281.000002110B510000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046801194.000002110B65E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B50D000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2053122954.000002110B65E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2045494816.000002110B50D000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043082947.000002110B50D000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2054533904.000002110B50D000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046801194.000002110B50D000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B65E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043861852.000002110B50E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://telegram.org)
Source: Q3pEXxmWAD.exe, 00000002.00000003.2046437795.000002110B6FA000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B6FA000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2054691134.000002110B6FA000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2044723333.000002110B6FA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tools.ietf.org/html/rfc2388#section-4.4
Source: Q3pEXxmWAD.exe, 00000002.00000003.2045494816.000002110B65E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2056356906.000002110B11F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041008281.000002110B66E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2042802217.000002110B66E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041008281.000002110B510000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046801194.000002110B65E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B50D000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039291619.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2053122954.000002110B65E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2045494816.000002110B50D000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043082947.000002110B50D000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2054533904.000002110B50D000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046801194.000002110B50D000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255597757.000002110B120000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B65E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043861852.000002110B50E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://twitter.com
Source: Q3pEXxmWAD.exe, 00000002.00000003.2044723333.000002110B7B8000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046437795.000002110B7B8000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046217740.000002110B7BF000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2054691134.000002110B7B8000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255008842.000002110AD10000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B7B8000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2048600214.000002110B7C1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://twitter.com/
Source: Q3pEXxmWAD.exe, 00000002.00000002.3257991414.000002110BAD0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#https-proxy-error-http-proxy
Source: Q3pEXxmWAD.exe, 00000002.00000002.3257991414.000002110BAD0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warnings
Source: Q3pEXxmWAD.exe, 00000002.00000003.2046437795.000002110B778000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2044723333.000002110B778000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2053122954.000002110B758000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B758000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warningsN
Source: Q3pEXxmWAD.exe, 00000000.00000003.2015648892.0000011C08C33000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3262012178.00007FF8A8943000.00000002.00000001.01000000.0000000F.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3265969350.00007FF8A9390000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: https://www.openssl.org/H
Source: Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110AF98000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110AFA2000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110AF93000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.python.org
Source: Q3pEXxmWAD.exe, 00000002.00000003.2054691134.000002110B7B8000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B7B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.python.org/
Source: Q3pEXxmWAD.exe, 00000002.00000002.3254414115.000002110A8C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.python.org/download/releases/2.3/mro/.
Source: Q3pEXxmWAD.exe, 00000002.00000002.3263139397.00007FF8A8D7D000.00000004.00000001.01000000.00000004.sdmp	String found in binary or memory: https://www.python.org/psf/license/
Source: Blsvr.exe, 00000005.00000002.2072346669.00007FF758A7B000.00000004.00000001.01000000.00000016.sdmp	String found in binary or memory: https://xmrig.com/docs/algorithms
Source: Q3pEXxmWAD.exe, 00000002.00000003.2046437795.000002110B778000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2044723333.000002110B778000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2053122954.000002110B758000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B758000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110AF40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://yahoo.com/

System Summary

Malicious sample detected (through community Yara rule)

Source: 25.2.Blsvr.exe.7ff667860000.0.unpack, type: UNPACKEDPE	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 25.2.Blsvr.exe.7ff667860000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 25.2.Blsvr.exe.7ff667860000.0.unpack, type: UNPACKEDPE	Matched rule: Detects coinmining malware Author: ditekSHen
Source: 25.2.Blsvr.exe.7ff66787e900.1.raw.unpack, type: UNPACKEDPE	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 25.2.Blsvr.exe.7ff66787e900.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 25.2.Blsvr.exe.7ff66787e900.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects coinmining malware Author: ditekSHen
Source: 25.2.Blsvr.exe.7ff66787e900.1.unpack, type: UNPACKEDPE	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 25.2.Blsvr.exe.7ff66787e900.1.unpack, type: UNPACKEDPE	Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 25.2.Blsvr.exe.7ff66787e900.1.unpack, type: UNPACKEDPE	Matched rule: Detects coinmining malware Author: ditekSHen
Source: 5.2.Blsvr.exe.7ff758a7e900.1.raw.unpack, type: UNPACKEDPE	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 5.2.Blsvr.exe.7ff758a7e900.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 5.2.Blsvr.exe.7ff758a7e900.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects coinmining malware Author: ditekSHen
Source: 5.2.Blsvr.exe.7ff758a7e900.1.unpack, type: UNPACKEDPE	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 5.2.Blsvr.exe.7ff758a7e900.1.unpack, type: UNPACKEDPE	Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 5.2.Blsvr.exe.7ff758a7e900.1.unpack, type: UNPACKEDPE	Matched rule: Detects coinmining malware Author: ditekSHen
Source: 5.2.Blsvr.exe.7ff758a60000.0.unpack, type: UNPACKEDPE	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 5.2.Blsvr.exe.7ff758a60000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 5.2.Blsvr.exe.7ff758a60000.0.unpack, type: UNPACKEDPE	Matched rule: Detects coinmining malware Author: ditekSHen
Source: 00000005.00000002.2072346669.00007FF758A7B000.00000004.00000001.01000000.00000016.sdmp, type: MEMORY	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 00000019.00000002.2223523433.00007FF66787B000.00000004.00000001.01000000.0000002C.sdmp, type: MEMORY	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: Process Memory Space: Blsvr.exe PID: 1352, type: MEMORYSTR	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: C:\Users\user\AppData\Local\Temp\uyfkrbdwixpr.tmp, type: DROPPED	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: C:\Users\user\AppData\Local\Temp\uyfkrbdwixpr.tmp, type: DROPPED	Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: C:\Users\user\AppData\Local\Temp\uyfkrbdwixpr.tmp, type: DROPPED	Matched rule: Detects coinmining malware Author: ditekSHen

Uses powercfg.exe to modify the power settings

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-ac 0

Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8B9061E90 PyList_New,GetActiveProcessorCount,PyErr_SetFromWindowsErr,_Py_Dealloc,free,__acrt_iob_func,fprintf,__acrt_iob_func,fprintf,__acrt_iob_func,fprintf,PyExc_RuntimeError,PyErr_SetString,malloc,PyErr_NoMemory,NtQuerySystemInformation,Py_BuildValue,PyList_Append,_Py_Dealloc,free,_Py_Dealloc,	2_2_00007FF8B9061E90
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8B9065850 PyArg_ParseTuple,OpenProcess,GetLastError,NtSetInformationProcess,CloseHandle,_Py_NoneStruct,_Py_NoneStruct,	2_2_00007FF8B9065850
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8B9064D40 PyArg_ParseTuple,OpenProcess,GetLastError,PyObject_IsTrue,NtSuspendProcess,NtResumeProcess,CloseHandle,_Py_NoneStruct,_Py_NoneStruct,	2_2_00007FF8B9064D40
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8B9066640 PyList_New,EnterCriticalSection,GetProcessHeap,HeapAlloc,PyErr_NoMemory,_Py_Dealloc,NtQuerySystemInformation,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,NtQuerySystemInformation,GetProcessHeap,HeapFree,PyExc_RuntimeError,PyErr_SetString,GetCurrentProcess,DuplicateHandle,PyUnicode_FromWideChar,PyList_Append,_Py_Dealloc,GetProcessHeap,HeapFree,CloseHandle,CloseHandle,GetProcessHeap,HeapFree,_Py_Dealloc,GetProcessHeap,HeapFree,LeaveCriticalSection,	2_2_00007FF8B9066640
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8B9065760 PyArg_ParseTuple,OpenProcess,GetLastError,NtQueryInformationProcess,CloseHandle,Py_BuildValue,	2_2_00007FF8B9065760
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8B9066290 GetProcessHeap,HeapAlloc,GetFileType,SetLastError,NtQueryObject,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,PyErr_NoMemory,GetProcessHeap,HeapFree,	2_2_00007FF8B9066290
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8B9062480 GetActiveProcessorCount,PyErr_SetFromWindowsErr,__acrt_iob_func,fprintf,__acrt_iob_func,fprintf,__acrt_iob_func,fprintf,PyExc_RuntimeError,PyErr_SetString,malloc,PyErr_NoMemory,NtQuerySystemInformation,free,malloc,PyErr_NoMemory,NtQuerySystemInformation,malloc,PyErr_NoMemory,NtQuerySystemInformation,free,free,free,free,free,Py_BuildValue,	2_2_00007FF8B9062480
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8B9067480 malloc,NtQuerySystemInformation,free,malloc,PyErr_NoMemory,free,free,	2_2_00007FF8B9067480
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8B9066E80 PyExc_RuntimeError,PyErr_SetString,OpenProcess,GetLastError,NtQueryInformationProcess,CloseHandle,CloseHandle,calloc,PyErr_NoMemory,CloseHandle,NtQueryInformationProcess,calloc,PyErr_NoMemory,free,CloseHandle,wcscpy_s,free,CloseHandle,	2_2_00007FF8B9066E80
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8B9064AB0 PyArg_ParseTuple,OpenProcess,GetLastError,GetProcessHeap,HeapAlloc,NtQueryVirtualMemory,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,NtQueryVirtualMemory,PyExc_RuntimeError,PyErr_SetString,CloseHandle,PyErr_Clear,GetProcessHeap,HeapFree,CloseHandle,GetProcessHeap,HeapFree,CloseHandle,Py_BuildValue,PyErr_NoMemory,CloseHandle,	2_2_00007FF8B9064AB0
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8B90646C0 PyArg_ParseTuple,GetProcessHeap,HeapAlloc,NtQuerySystemInformation,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,NtQuerySystemInformation,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,NtQuerySystemInformation,GetProcessHeap,HeapFree,Py_BuildValue,PyUnicode_FromWideChar,GetProcessHeap,HeapFree,PyErr_NoMemory,	2_2_00007FF8B90646C0
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8B9066AE0 OpenProcess,GetLastError,NtQueryInformationProcess,RtlNtStatusToDosErrorNoTeb,PyErr_SetFromWindowsErrWithFilename,CloseHandle,ReadProcessMemory,GetLastError,CloseHandle,ReadProcessMemory,NtQueryInformationProcess,CloseHandle,ReadProcessMemory,ReadProcessMemory,VirtualQueryEx,GetLastError,PyErr_SetFromWindowsErrWithFilename,CloseHandle,calloc,PyErr_NoMemory,CloseHandle,ReadProcessMemory,GetLastError,CloseHandle,free,CloseHandle,	2_2_00007FF8B9066AE0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8B77F1E90 PyList_New,GetActiveProcessorCount,PyErr_SetFromWindowsErr,_Py_Dealloc,free,__acrt_iob_func,fprintf,__acrt_iob_func,fprintf,__acrt_iob_func,fprintf,PyExc_RuntimeError,PyErr_SetString,malloc,PyErr_NoMemory,NtQuerySystemInformation,Py_BuildValue,PyList_Append,_Py_Dealloc,free,_Py_Dealloc,	21_2_00007FF8B77F1E90
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8B77F2480 GetActiveProcessorCount,PyErr_SetFromWindowsErr,__acrt_iob_func,fprintf,__acrt_iob_func,fprintf,__acrt_iob_func,fprintf,PyExc_RuntimeError,PyErr_SetString,malloc,PyErr_NoMemory,NtQuerySystemInformation,free,malloc,PyErr_NoMemory,NtQuerySystemInformation,malloc,PyErr_NoMemory,NtQuerySystemInformation,free,free,free,free,free,Py_BuildValue,	21_2_00007FF8B77F2480
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8B77F7480 malloc,NtQuerySystemInformation,free,malloc,PyErr_NoMemory,free,free,	21_2_00007FF8B77F7480
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8B77F6E80 PyExc_RuntimeError,PyErr_SetString,OpenProcess,GetLastError,NtQueryInformationProcess,CloseHandle,CloseHandle,calloc,PyErr_NoMemory,CloseHandle,NtQueryInformationProcess,calloc,PyErr_NoMemory,free,CloseHandle,wcscpy_s,free,CloseHandle,	21_2_00007FF8B77F6E80
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8B77F6290 GetProcessHeap,HeapAlloc,GetFileType,SetLastError,NtQueryObject,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,PyErr_NoMemory,GetProcessHeap,HeapFree,	21_2_00007FF8B77F6290
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8B77F4AB0 PyArg_ParseTuple,OpenProcess,GetLastError,GetProcessHeap,HeapAlloc,NtQueryVirtualMemory,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,NtQueryVirtualMemory,PyExc_RuntimeError,PyErr_SetString,CloseHandle,PyErr_Clear,GetProcessHeap,HeapFree,CloseHandle,GetProcessHeap,HeapFree,CloseHandle,Py_BuildValue,PyErr_NoMemory,CloseHandle,	21_2_00007FF8B77F4AB0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8B77F46C0 PyArg_ParseTuple,GetProcessHeap,HeapAlloc,NtQuerySystemInformation,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,NtQuerySystemInformation,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,NtQuerySystemInformation,GetProcessHeap,HeapFree,Py_BuildValue,PyUnicode_FromWideChar,GetProcessHeap,HeapFree,PyErr_NoMemory,	21_2_00007FF8B77F46C0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8B77F6AE0 OpenProcess,GetLastError,NtQueryInformationProcess,RtlNtStatusToDosErrorNoTeb,PyErr_SetFromWindowsErrWithFilename,CloseHandle,ReadProcessMemory,GetLastError,CloseHandle,ReadProcessMemory,NtQueryInformationProcess,CloseHandle,ReadProcessMemory,ReadProcessMemory,VirtualQueryEx,GetLastError,PyErr_SetFromWindowsErrWithFilename,CloseHandle,calloc,PyErr_NoMemory,CloseHandle,ReadProcessMemory,GetLastError,CloseHandle,free,CloseHandle,	21_2_00007FF8B77F6AE0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8B77F4D40 PyArg_ParseTuple,OpenProcess,GetLastError,PyObject_IsTrue,NtSuspendProcess,NtResumeProcess,CloseHandle,_Py_NoneStruct,_Py_NoneStruct,	21_2_00007FF8B77F4D40
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8B77F6640 PyList_New,EnterCriticalSection,GetProcessHeap,HeapAlloc,PyErr_NoMemory,_Py_Dealloc,NtQuerySystemInformation,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,NtQuerySystemInformation,GetProcessHeap,HeapFree,PyExc_RuntimeError,PyErr_SetString,GetCurrentProcess,DuplicateHandle,PyUnicode_FromWideChar,PyList_Append,_Py_Dealloc,GetProcessHeap,HeapFree,CloseHandle,CloseHandle,GetProcessHeap,HeapFree,_Py_Dealloc,GetProcessHeap,HeapFree,LeaveCriticalSection,	21_2_00007FF8B77F6640
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8B77F5850 PyArg_ParseTuple,OpenProcess,GetLastError,NtSetInformationProcess,CloseHandle,_Py_NoneStruct,_Py_NoneStruct,	21_2_00007FF8B77F5850
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8B77F5760 PyArg_ParseTuple,OpenProcess,GetLastError,NtQueryInformationProcess,CloseHandle,Py_BuildValue,	21_2_00007FF8B77F5760

Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe

Code function: 2_2_00007FF8B9062B00: PyDict_New,swprintf_s,CreateFileA,DeviceIoControl,GetLastError,DeviceIoControl,swprintf_s,Py_BuildValue,PyDict_SetItemString,_Py_Dealloc,CloseHandle,GetLastError,__acrt_iob_func,fprintf,__acrt_iob_func,fprintf,__acrt_iob_func,fprintf,GetLastError,__acrt_iob_func,fprintf,__acrt_iob_func,PyErr_SetFromWindowsErr,_Py_Dealloc,_Py_Dealloc,CloseHandle,

2_2_00007FF8B9062B00

Source: C:\Users\user\AppData\Local\Temp\_MEI50042\Blsvr.exe

File created: C:\Users\user\AppData\Roaming\Google\Libs\WR64.sys

Jump to behavior

Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 0_2_00007FF615A44F10	0_2_00007FF615A44F10
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 0_2_00007FF615A21000	0_2_00007FF615A21000
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 0_2_00007FF615A45C74	0_2_00007FF615A45C74
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 0_2_00007FF615A45728	0_2_00007FF615A45728
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 0_2_00007FF615A31F30	0_2_00007FF615A31F30
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 0_2_00007FF615A3FBD8	0_2_00007FF615A3FBD8
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 0_2_00007FF615A42F20	0_2_00007FF615A42F20
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 0_2_00007FF615A30E70	0_2_00007FF615A30E70
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 0_2_00007FF615A295FB	0_2_00007FF615A295FB
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 0_2_00007FF615A3CD6C	0_2_00007FF615A3CD6C
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 0_2_00007FF615A328C0	0_2_00007FF615A328C0
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 0_2_00007FF615A31074	0_2_00007FF615A31074
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 0_2_00007FF615A35040	0_2_00007FF615A35040
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 0_2_00007FF615A3D880	0_2_00007FF615A3D880
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 0_2_00007FF615A29FCD	0_2_00007FF615A29FCD
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 0_2_00007FF615A2979B	0_2_00007FF615A2979B
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 0_2_00007FF615A28B20	0_2_00007FF615A28B20
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 0_2_00007FF615A30A60	0_2_00007FF615A30A60
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 0_2_00007FF615A48A38	0_2_00007FF615A48A38
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 0_2_00007FF615A37AAC	0_2_00007FF615A37AAC
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 0_2_00007FF615A31280	0_2_00007FF615A31280
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 0_2_00007FF615A3D200	0_2_00007FF615A3D200
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 0_2_00007FF615A391B0	0_2_00007FF615A391B0
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 0_2_00007FF615A4518C	0_2_00007FF615A4518C
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 0_2_00007FF615A32CC4	0_2_00007FF615A32CC4
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 0_2_00007FF615A30C64	0_2_00007FF615A30C64
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 0_2_00007FF615A31484	0_2_00007FF615A31484
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 0_2_00007FF615A373F4	0_2_00007FF615A373F4
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 0_2_00007FF615A3FBD8	0_2_00007FF615A3FBD8
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 0_2_00007FF615A433BC	0_2_00007FF615A433BC
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 0_2_00007FF615A40B84	0_2_00007FF615A40B84
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF615A21000	2_2_00007FF615A21000
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF615A45C74	2_2_00007FF615A45C74
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF615A45728	2_2_00007FF615A45728
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF615A31F30	2_2_00007FF615A31F30
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF615A3FBD8	2_2_00007FF615A3FBD8
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF615A42F20	2_2_00007FF615A42F20
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF615A44F10	2_2_00007FF615A44F10
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF615A30E70	2_2_00007FF615A30E70
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF615A295FB	2_2_00007FF615A295FB
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF615A3CD6C	2_2_00007FF615A3CD6C
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF615A328C0	2_2_00007FF615A328C0
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF615A31074	2_2_00007FF615A31074
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF615A35040	2_2_00007FF615A35040
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF615A3D880	2_2_00007FF615A3D880
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF615A29FCD	2_2_00007FF615A29FCD
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF615A2979B	2_2_00007FF615A2979B
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF615A28B20	2_2_00007FF615A28B20
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF615A30A60	2_2_00007FF615A30A60
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF615A48A38	2_2_00007FF615A48A38
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF615A37AAC	2_2_00007FF615A37AAC
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF615A31280	2_2_00007FF615A31280
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF615A3D200	2_2_00007FF615A3D200
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF615A391B0	2_2_00007FF615A391B0
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF615A4518C	2_2_00007FF615A4518C
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF615A32CC4	2_2_00007FF615A32CC4
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF615A30C64	2_2_00007FF615A30C64
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF615A31484	2_2_00007FF615A31484
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF615A373F4	2_2_00007FF615A373F4
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF615A3FBD8	2_2_00007FF615A3FBD8
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF615A433BC	2_2_00007FF615A433BC
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF615A40B84	2_2_00007FF615A40B84
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A9308AA0	2_2_00007FF8A9308AA0
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92D1A0F	2_2_00007FF8A92D1A0F
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92D1CC1	2_2_00007FF8A92D1CC1
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92D16FE	2_2_00007FF8A92D16FE
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92D8BE0	2_2_00007FF8A92D8BE0
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92D143D	2_2_00007FF8A92D143D
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A933CDA0	2_2_00007FF8A933CDA0
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92D2716	2_2_00007FF8A92D2716
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92D1181	2_2_00007FF8A92D1181
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92D1613	2_2_00007FF8A92D1613
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92D262B	2_2_00007FF8A92D262B
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92D17F8	2_2_00007FF8A92D17F8
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A9310F90	2_2_00007FF8A9310F90
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92F6290	2_2_00007FF8A92F6290
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92D1AD7	2_2_00007FF8A92D1AD7
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92D1EE7	2_2_00007FF8A92D1EE7
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92D1D98	2_2_00007FF8A92D1D98
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92D1B54	2_2_00007FF8A92D1B54
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A934A740	2_2_00007FF8A934A740
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92D1172	2_2_00007FF8A92D1172
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92D1FE6	2_2_00007FF8A92D1FE6
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A931D960	2_2_00007FF8A931D960
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A93199A0	2_2_00007FF8A93199A0
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A931DE30	2_2_00007FF8A931DE30
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92D1541	2_2_00007FF8A92D1541
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92D1591	2_2_00007FF8A92D1591
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A9315DC0	2_2_00007FF8A9315DC0
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92FBD80	2_2_00007FF8A92FBD80
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92D21F3	2_2_00007FF8A92D21F3
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92D24EB	2_2_00007FF8A92D24EB
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92D149C	2_2_00007FF8A92D149C
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92D13DE	2_2_00007FF8A92D13DE
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A9343330	2_2_00007FF8A9343330
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92E7630	2_2_00007FF8A92E7630
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92D21D5	2_2_00007FF8A92D21D5
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92D1C12	2_2_00007FF8A92D1C12
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92D1555	2_2_00007FF8A92D1555
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8B7DE18A0	2_2_00007FF8B7DE18A0
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8B8AFBDA0	2_2_00007FF8B8AFBDA0
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8B8AFFDC0	2_2_00007FF8B8AFFDC0
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8B8B289E0	2_2_00007FF8B8B289E0
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8B8B2576C	2_2_00007FF8B8B2576C
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8B8B2A0FC	2_2_00007FF8B8B2A0FC
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8B8B28324	2_2_00007FF8B8B28324
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8B8B29ABC	2_2_00007FF8B8B29ABC
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8B8B296C4	2_2_00007FF8B8B296C4
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8B8B2B6D0	2_2_00007FF8B8B2B6D0
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8B8B2A448	2_2_00007FF8B8B2A448
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8B8CE18E0	2_2_00007FF8B8CE18E0
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8B8CE12B0	2_2_00007FF8B8CE12B0
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8B8CE1000	2_2_00007FF8B8CE1000
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8B8F76E4C	2_2_00007FF8B8F76E4C
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8B8F712B0	2_2_00007FF8B8F712B0
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8B8F72520	2_2_00007FF8B8F72520
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8B8F75C90	2_2_00007FF8B8F75C90
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8B8F7F8CC	2_2_00007FF8B8F7F8CC
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8B8F78CE0	2_2_00007FF8B8F78CE0
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8B8F75360	2_2_00007FF8B8F75360
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8B8F71BA0	2_2_00007FF8B8F71BA0
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8B8F72FD0	2_2_00007FF8B8F72FD0
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8B9061E90	2_2_00007FF8B9061E90
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8B9062B00	2_2_00007FF8B9062B00
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8B9064E30	2_2_00007FF8B9064E30
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8B9066640	2_2_00007FF8B9066640
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8B9069A40	2_2_00007FF8B9069A40
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8B9062E70	2_2_00007FF8B9062E70
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8B9063970	2_2_00007FF8B9063970
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8B9068FA0	2_2_00007FF8B9068FA0
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8B9081000	2_2_00007FF8B9081000
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8B908C788	2_2_00007FF8B908C788
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8B9083E80	2_2_00007FF8B9083E80
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8B9082EC0	2_2_00007FF8B9082EC0
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8B9083BF0	2_2_00007FF8B9083BF0
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8B93C1060	2_2_00007FF8B93C1060
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8B9F62E40	2_2_00007FF8B9F62E40
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8BA247CA0	2_2_00007FF8BA247CA0
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8BFAB27A0	2_2_00007FF8BFAB27A0
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8BFAB39F0	2_2_00007FF8BFAB39F0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 20_2_00007FF66D454F10	20_2_00007FF66D454F10
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 20_2_00007FF66D431000	20_2_00007FF66D431000
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 20_2_00007FF66D455C74	20_2_00007FF66D455C74
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 20_2_00007FF66D44FBD8	20_2_00007FF66D44FBD8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 20_2_00007FF66D440E70	20_2_00007FF66D440E70
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 20_2_00007FF66D455728	20_2_00007FF66D455728
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 20_2_00007FF66D441F30	20_2_00007FF66D441F30
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 20_2_00007FF66D44FBD8	20_2_00007FF66D44FBD8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 20_2_00007FF66D452F20	20_2_00007FF66D452F20
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 20_2_00007FF66D44CD6C	20_2_00007FF66D44CD6C
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 20_2_00007FF66D4395FB	20_2_00007FF66D4395FB
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 20_2_00007FF66D44D880	20_2_00007FF66D44D880
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 20_2_00007FF66D445040	20_2_00007FF66D445040
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 20_2_00007FF66D441074	20_2_00007FF66D441074
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 20_2_00007FF66D4428C0	20_2_00007FF66D4428C0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 20_2_00007FF66D43979B	20_2_00007FF66D43979B
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 20_2_00007FF66D439FCD	20_2_00007FF66D439FCD
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 20_2_00007FF66D441280	20_2_00007FF66D441280
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 20_2_00007FF66D447AAC	20_2_00007FF66D447AAC
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 20_2_00007FF66D458A38	20_2_00007FF66D458A38
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 20_2_00007FF66D440A60	20_2_00007FF66D440A60
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 20_2_00007FF66D438B20	20_2_00007FF66D438B20
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 20_2_00007FF66D45518C	20_2_00007FF66D45518C
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 20_2_00007FF66D4491B0	20_2_00007FF66D4491B0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 20_2_00007FF66D44D200	20_2_00007FF66D44D200
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 20_2_00007FF66D441484	20_2_00007FF66D441484
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 20_2_00007FF66D440C64	20_2_00007FF66D440C64
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 20_2_00007FF66D442CC4	20_2_00007FF66D442CC4
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 20_2_00007FF66D450B84	20_2_00007FF66D450B84
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 20_2_00007FF66D4533BC	20_2_00007FF66D4533BC
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 20_2_00007FF66D4473F4	20_2_00007FF66D4473F4
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF66D431000	21_2_00007FF66D431000
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF66D455C74	21_2_00007FF66D455C74
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF66D440E70	21_2_00007FF66D440E70
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF66D454F10	21_2_00007FF66D454F10
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF66D455728	21_2_00007FF66D455728
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF66D441F30	21_2_00007FF66D441F30
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF66D44FBD8	21_2_00007FF66D44FBD8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF66D452F20	21_2_00007FF66D452F20
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF66D44CD6C	21_2_00007FF66D44CD6C
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF66D4395FB	21_2_00007FF66D4395FB
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF66D44D880	21_2_00007FF66D44D880
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF66D445040	21_2_00007FF66D445040
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF66D441074	21_2_00007FF66D441074
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF66D4428C0	21_2_00007FF66D4428C0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF66D43979B	21_2_00007FF66D43979B
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF66D439FCD	21_2_00007FF66D439FCD
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF66D441280	21_2_00007FF66D441280
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF66D447AAC	21_2_00007FF66D447AAC
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF66D458A38	21_2_00007FF66D458A38
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF66D440A60	21_2_00007FF66D440A60
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF66D438B20	21_2_00007FF66D438B20
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF66D45518C	21_2_00007FF66D45518C
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF66D4491B0	21_2_00007FF66D4491B0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF66D44D200	21_2_00007FF66D44D200
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF66D441484	21_2_00007FF66D441484
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF66D440C64	21_2_00007FF66D440C64
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF66D442CC4	21_2_00007FF66D442CC4
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF66D450B84	21_2_00007FF66D450B84
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF66D4533BC	21_2_00007FF66D4533BC
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF66D4473F4	21_2_00007FF66D4473F4
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF66D44FBD8	21_2_00007FF66D44FBD8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C91B54	21_2_00007FF8A7C91B54
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C91172	21_2_00007FF8A7C91172
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7D0A740	21_2_00007FF8A7D0A740
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C91D98	21_2_00007FF8A7C91D98
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C91EE7	21_2_00007FF8A7C91EE7
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7CB6290	21_2_00007FF8A7CB6290
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C91AD7	21_2_00007FF8A7C91AD7
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C91181	21_2_00007FF8A7C91181
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C92716	21_2_00007FF8A7C92716
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7CD0F90	21_2_00007FF8A7CD0F90
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C917F8	21_2_00007FF8A7C917F8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C9262B	21_2_00007FF8A7C9262B
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C91613	21_2_00007FF8A7C91613
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C9143D	21_2_00007FF8A7C9143D
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7CFCDA0	21_2_00007FF8A7CFCDA0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C98BE0	21_2_00007FF8A7C98BE0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C916FE	21_2_00007FF8A7C916FE
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7CC8AA0	21_2_00007FF8A7CC8AA0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C91A0F	21_2_00007FF8A7C91A0F
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C91CC1	21_2_00007FF8A7C91CC1
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C91555	21_2_00007FF8A7C91555
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C921D5	21_2_00007FF8A7C921D5
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C91C12	21_2_00007FF8A7C91C12
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7CA7630	21_2_00007FF8A7CA7630
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C913DE	21_2_00007FF8A7C913DE
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7D03330	21_2_00007FF8A7D03330
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C924EB	21_2_00007FF8A7C924EB
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C9149C	21_2_00007FF8A7C9149C
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C921F3	21_2_00007FF8A7C921F3
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C91541	21_2_00007FF8A7C91541
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C91591	21_2_00007FF8A7C91591
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7CDDE30	21_2_00007FF8A7CDDE30
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7CD5DC0	21_2_00007FF8A7CD5DC0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7CBBD80	21_2_00007FF8A7CBBD80
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C91FE6	21_2_00007FF8A7C91FE6
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7CD99A0	21_2_00007FF8A7CD99A0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7CDD960	21_2_00007FF8A7CDD960
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7D618A0	21_2_00007FF8A7D618A0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8B617BDA0	21_2_00007FF8B617BDA0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8B617FDC0	21_2_00007FF8B617FDC0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8B61A8324	21_2_00007FF8B61A8324
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8B61AA0FC	21_2_00007FF8B61AA0FC
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8B61A576C	21_2_00007FF8B61A576C
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8B61A89E0	21_2_00007FF8B61A89E0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8B61AA448	21_2_00007FF8B61AA448
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8B61A96C4	21_2_00007FF8B61A96C4
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8B61A9ABC	21_2_00007FF8B61A9ABC
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8B61AB6D0	21_2_00007FF8B61AB6D0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8B61D1000	21_2_00007FF8B61D1000
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8B61D12B0	21_2_00007FF8B61D12B0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8B61D18E0	21_2_00007FF8B61D18E0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8B61F5360	21_2_00007FF8B61F5360
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8B61F1BA0	21_2_00007FF8B61F1BA0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8B61F2FD0	21_2_00007FF8B61F2FD0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8B61F5C90	21_2_00007FF8B61F5C90
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8B61F8CE0	21_2_00007FF8B61F8CE0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8B61FF8CC	21_2_00007FF8B61FF8CC
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8B61F2520	21_2_00007FF8B61F2520
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8B61F6E4C	21_2_00007FF8B61F6E4C
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8B61F12B0	21_2_00007FF8B61F12B0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8B77F1E90	21_2_00007FF8B77F1E90
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8B77F8FA0	21_2_00007FF8B77F8FA0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8B77F2B00	21_2_00007FF8B77F2B00
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8B77F4E30	21_2_00007FF8B77F4E30
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8B77F6640	21_2_00007FF8B77F6640
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8B77F9A40	21_2_00007FF8B77F9A40
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8B77F2E70	21_2_00007FF8B77F2E70
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8B77F3970	21_2_00007FF8B77F3970
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8B781C788	21_2_00007FF8B781C788
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8B7813E80	21_2_00007FF8B7813E80
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8B7812EC0	21_2_00007FF8B7812EC0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8B7813BF0	21_2_00007FF8B7813BF0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8B7811000	21_2_00007FF8B7811000
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8B7831060	21_2_00007FF8B7831060
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8B7FE2E40	21_2_00007FF8B7FE2E40
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8B8007CA0	21_2_00007FF8B8007CA0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8B8CB2ED0	21_2_00007FF8B8CB2ED0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8B8CB39F0	21_2_00007FF8B8CB39F0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8B8CB32E0	21_2_00007FF8B8CB32E0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8B8CB27A0	21_2_00007FF8B8CB27A0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8B8CB3F50	21_2_00007FF8B8CB3F50
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8B8CB1F50	21_2_00007FF8B8CB1F50

Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\_MEI50042\VCRUNTIME140.dll 4D292623516F65C80482081E62D5DADB759DC16E851DE5DB24C3CBB57B87DB83
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\_MEI50042\_bz2.pyd AB34B804DA5B8E814B2178754D095A4E8AEAD77EEFD3668DA188769392CDB5F4

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: String function: 00007FF8B6173700 appears 51 times
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: String function: 00007FF8A7D0D545 appears 39 times
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: String function: 00007FF8A7D0D551 appears 69 times
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: String function: 00007FF8A7D0CE79 appears 49 times
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: String function: 00007FF8A7D0CF69 appears 31 times
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: String function: 00007FF8A7D0CDA1 appears 1190 times
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: String function: 00007FF66D432760 appears 36 times
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: String function: 00007FF8A7C9132A appears 473 times
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: String function: 00007FF8B77F1070 appears 43 times
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: String function: 00007FF66D4325F0 appears 100 times
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: String function: 00007FF8B77F1D70 appears 39 times
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: String function: 00007FF8A7D0CD8F appears 331 times
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: String function: 00007FF8B6173770 appears 96 times
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: String function: 00007FF8A7D0CD9B appears 39 times
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: String function: 00007FF8B9061D70 appears 39 times
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: String function: 00007FF8A934CD8F appears 331 times
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: String function: 00007FF8B8AF3770 appears 96 times
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: String function: 00007FF8A934CD9B appears 39 times
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: String function: 00007FF8B8AF3700 appears 51 times
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: String function: 00007FF615A22760 appears 36 times
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: String function: 00007FF8A934CE79 appears 49 times
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: String function: 00007FF8A934D545 appears 39 times
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: String function: 00007FF8A934D551 appears 69 times
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: String function: 00007FF8A934CF69 appears 31 times
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: String function: 00007FF615A225F0 appears 100 times
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: String function: 00007FF8B9061070 appears 43 times
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: String function: 00007FF8A92D132A appears 473 times
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: String function: 00007FF8A934CDA1 appears 1190 times

Source: unicodedata.pyd.0.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: unicodedata.pyd.20.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS

Source: Blsvr.exe.0.dr	Static PE information: Number of sections : 11 > 10
Source: Blsvr.exe.20.dr	Static PE information: Number of sections : 11 > 10

Source: python3.dll.0.dr	Static PE information: No import functions for PE file found
Source: python3.dll.20.dr	Static PE information: No import functions for PE file found

Source: Q3pEXxmWAD.exe, 00000000.00000003.2011704965.0000011C08C2F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_hashlib.pyd. vs Q3pEXxmWAD.exe
Source: Q3pEXxmWAD.exe, 00000000.00000003.2011057798.0000011C08C2F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_bz2.pyd. vs Q3pEXxmWAD.exe
Source: Q3pEXxmWAD.exe, 00000000.00000003.2015648892.0000011C08C33000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelibsslH vs Q3pEXxmWAD.exe
Source: Q3pEXxmWAD.exe, 00000000.00000003.2011460255.0000011C08C2F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_decimal.pyd. vs Q3pEXxmWAD.exe
Source: Q3pEXxmWAD.exe, 00000000.00000003.2020000570.0000011C08C33000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameunicodedata.pyd. vs Q3pEXxmWAD.exe
Source: Q3pEXxmWAD.exe, 00000000.00000003.2011241403.0000011C08C2F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_ctypes.pyd. vs Q3pEXxmWAD.exe
Source: Q3pEXxmWAD.exe, 00000000.00000003.2019779670.0000011C08C33000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameselect.pyd. vs Q3pEXxmWAD.exe
Source: Q3pEXxmWAD.exe, 00000000.00000003.2011882505.0000011C08C2F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_lzma.pyd. vs Q3pEXxmWAD.exe
Source: Q3pEXxmWAD.exe, 00000000.00000003.2012314473.0000011C08C2F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_ssl.pyd. vs Q3pEXxmWAD.exe
Source: Q3pEXxmWAD.exe, 00000000.00000003.2012157129.0000011C08C2F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_socket.pyd. vs Q3pEXxmWAD.exe
Source: Q3pEXxmWAD.exe, 00000000.00000003.2010863131.0000011C08C2F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamevcruntime140.dllT vs Q3pEXxmWAD.exe
Source: Q3pEXxmWAD.exe, 00000000.00000003.2017725547.0000011C08C33000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamepython3.dll. vs Q3pEXxmWAD.exe
Source: Q3pEXxmWAD.exe, 00000000.00000003.2012028458.0000011C08C2F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_queue.pyd. vs Q3pEXxmWAD.exe
Source: Q3pEXxmWAD.exe	Binary or memory string: OriginalFilename vs Q3pEXxmWAD.exe
Source: Q3pEXxmWAD.exe, 00000002.00000002.3262012178.00007FF8A8943000.00000002.00000001.01000000.0000000F.sdmp	Binary or memory string: OriginalFilenamelibcryptoH vs Q3pEXxmWAD.exe
Source: Q3pEXxmWAD.exe, 00000002.00000002.3270351890.00007FF8B93D2000.00000002.00000001.01000000.00000009.sdmp	Binary or memory string: OriginalFilename_socket.pyd. vs Q3pEXxmWAD.exe
Source: Q3pEXxmWAD.exe, 00000002.00000002.3268332330.00007FF8B8CD6000.00000002.00000001.01000000.00000011.sdmp	Binary or memory string: OriginalFilename_queue.pyd. vs Q3pEXxmWAD.exe
Source: Q3pEXxmWAD.exe, 00000002.00000002.3270760465.00007FF8B9846000.00000002.00000001.01000000.0000000A.sdmp	Binary or memory string: OriginalFilenameselect.pyd. vs Q3pEXxmWAD.exe
Source: Q3pEXxmWAD.exe, 00000002.00000002.3265353837.00007FF8A8F1D000.00000002.00000001.01000000.00000004.sdmp	Binary or memory string: OriginalFilenamepython311.dll. vs Q3pEXxmWAD.exe
Source: Q3pEXxmWAD.exe, 00000002.00000002.3266961919.00007FF8B7EF5000.00000002.00000001.01000000.00000010.sdmp	Binary or memory string: OriginalFilenameunicodedata.pyd. vs Q3pEXxmWAD.exe
Source: Q3pEXxmWAD.exe, 00000002.00000002.3267643901.00007FF8B8B49000.00000002.00000001.01000000.00000012.sdmp	Binary or memory string: OriginalFilename_ssl.pyd. vs Q3pEXxmWAD.exe
Source: Q3pEXxmWAD.exe, 00000002.00000002.3265969350.00007FF8A9390000.00000002.00000001.01000000.00000013.sdmp	Binary or memory string: OriginalFilenamelibsslH vs Q3pEXxmWAD.exe
Source: Q3pEXxmWAD.exe, 00000002.00000002.3268675265.00007FF8B8CEE000.00000002.00000001.01000000.0000000E.sdmp	Binary or memory string: OriginalFilename_hashlib.pyd. vs Q3pEXxmWAD.exe
Source: Q3pEXxmWAD.exe, 00000002.00000002.3271708065.00007FF8BA259000.00000002.00000001.01000000.00000005.sdmp	Binary or memory string: OriginalFilenamevcruntime140.dllT vs Q3pEXxmWAD.exe
Source: Q3pEXxmWAD.exe, 00000002.00000002.3255187711.000002110AE10000.00000002.00000001.01000000.00000006.sdmp	Binary or memory string: OriginalFilenamepython3.dll. vs Q3pEXxmWAD.exe
Source: Q3pEXxmWAD.exe, 00000002.00000002.3269150936.00007FF8B8F95000.00000002.00000001.01000000.0000000C.sdmp	Binary or memory string: OriginalFilename_lzma.pyd. vs Q3pEXxmWAD.exe
Source: Q3pEXxmWAD.exe, 00000002.00000002.3269933758.00007FF8B9092000.00000002.00000001.01000000.0000000B.sdmp	Binary or memory string: OriginalFilename_bz2.pyd. vs Q3pEXxmWAD.exe
Source: Q3pEXxmWAD.exe, 00000002.00000002.3271125547.00007FF8B9F7D000.00000002.00000001.01000000.00000007.sdmp	Binary or memory string: OriginalFilename_ctypes.pyd. vs Q3pEXxmWAD.exe
Source: Q3pEXxmWAD.exe, 00000014.00000003.2179334176.0000014F8DC72000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameselect.pyd. vs Q3pEXxmWAD.exe
Source: Q3pEXxmWAD.exe, 00000014.00000003.2162439227.0000014F8DC70000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_hashlib.pyd. vs Q3pEXxmWAD.exe
Source: Q3pEXxmWAD.exe, 00000014.00000003.2171482969.0000014F8DC72000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamepython3.dll. vs Q3pEXxmWAD.exe
Source: Q3pEXxmWAD.exe, 00000014.00000003.2161410649.0000014F8DC70000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamevcruntime140.dllT vs Q3pEXxmWAD.exe
Source: Q3pEXxmWAD.exe, 00000014.00000003.2161613992.0000014F8DC70000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_bz2.pyd. vs Q3pEXxmWAD.exe
Source: Q3pEXxmWAD.exe, 00000014.00000003.2162702885.0000014F8DC70000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_queue.pyd. vs Q3pEXxmWAD.exe
Source: Q3pEXxmWAD.exe, 00000014.00000003.2179620332.0000014F8DC72000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameunicodedata.pyd. vs Q3pEXxmWAD.exe
Source: Q3pEXxmWAD.exe, 00000014.00000003.2162240783.0000014F8DC70000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_decimal.pyd. vs Q3pEXxmWAD.exe
Source: Q3pEXxmWAD.exe, 00000014.00000003.2162790530.0000014F8DC70000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_socket.pyd. vs Q3pEXxmWAD.exe
Source: Q3pEXxmWAD.exe, 00000014.00000003.2162921981.0000014F8DC70000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_ssl.pyd. vs Q3pEXxmWAD.exe
Source: Q3pEXxmWAD.exe, 00000014.00000003.2161831068.0000014F8DC70000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_ctypes.pyd. vs Q3pEXxmWAD.exe
Source: Q3pEXxmWAD.exe, 00000014.00000003.2162572053.0000014F8DC70000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_lzma.pyd. vs Q3pEXxmWAD.exe
Source: Q3pEXxmWAD.exe	Binary or memory string: OriginalFilename vs Q3pEXxmWAD.exe

Source: 25.2.Blsvr.exe.7ff667860000.0.unpack, type: UNPACKEDPE	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 25.2.Blsvr.exe.7ff667860000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: 25.2.Blsvr.exe.7ff667860000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: 25.2.Blsvr.exe.7ff66787e900.1.raw.unpack, type: UNPACKEDPE	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 25.2.Blsvr.exe.7ff66787e900.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: 25.2.Blsvr.exe.7ff66787e900.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: 25.2.Blsvr.exe.7ff66787e900.1.unpack, type: UNPACKEDPE	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 25.2.Blsvr.exe.7ff66787e900.1.unpack, type: UNPACKEDPE	Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: 25.2.Blsvr.exe.7ff66787e900.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: 5.2.Blsvr.exe.7ff758a7e900.1.raw.unpack, type: UNPACKEDPE	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 5.2.Blsvr.exe.7ff758a7e900.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: 5.2.Blsvr.exe.7ff758a7e900.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: 5.2.Blsvr.exe.7ff758a7e900.1.unpack, type: UNPACKEDPE	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 5.2.Blsvr.exe.7ff758a7e900.1.unpack, type: UNPACKEDPE	Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: 5.2.Blsvr.exe.7ff758a7e900.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: 5.2.Blsvr.exe.7ff758a60000.0.unpack, type: UNPACKEDPE	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 5.2.Blsvr.exe.7ff758a60000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: 5.2.Blsvr.exe.7ff758a60000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: 00000005.00000002.2072346669.00007FF758A7B000.00000004.00000001.01000000.00000016.sdmp, type: MEMORY	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 00000019.00000002.2223523433.00007FF66787B000.00000004.00000001.01000000.0000002C.sdmp, type: MEMORY	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: Process Memory Space: Blsvr.exe PID: 1352, type: MEMORYSTR	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: C:\Users\user\AppData\Local\Temp\uyfkrbdwixpr.tmp, type: DROPPED	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: C:\Users\user\AppData\Local\Temp\uyfkrbdwixpr.tmp, type: DROPPED	Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: C:\Users\user\AppData\Local\Temp\uyfkrbdwixpr.tmp, type: DROPPED	Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware

Source: classification engine

Classification label: mal100.adwa.spyw.evad.mine.winEXE@67/73@1/1

Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe

Code function: 0_2_00007FF615A229E0 GetLastError,FormatMessageW,MessageBoxW,

0_2_00007FF615A229E0

Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8B9067E20 GetCurrentProcess,OpenProcessToken,GetLastError,ImpersonateSelf,OpenProcessToken,GetLastError,PyErr_SetFromWindowsErrWithFilename,LookupPrivilegeValueA,GetLastError,PyErr_SetFromWindowsErrWithFilename,AdjustTokenPrivileges,GetLastError,PyErr_SetFromWindowsErrWithFilename,AdjustTokenPrivileges,RevertToSelf,FindCloseChangeNotification,		2_2_00007FF8B9067E20
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8B77F7E20 GetCurrentProcess,OpenProcessToken,GetLastError,ImpersonateSelf,OpenProcessToken,GetLastError,PyErr_SetFromWindowsErrWithFilename,LookupPrivilegeValueA,GetLastError,PyErr_SetFromWindowsErrWithFilename,AdjustTokenPrivileges,GetLastError,PyErr_SetFromWindowsErrWithFilename,AdjustTokenPrivileges,RevertToSelf,FindCloseChangeNotification,		21_2_00007FF8B77F7E20

Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe

Code function: 2_2_00007FF8B9062A30 PyArg_ParseTuple,PyUnicode_AsWideCharString,PyEval_SaveThread,GetDiskFreeSpaceExW,PyEval_RestoreThread,PyMem_Free,PyExc_OSError,PyErr_SetExcFromWindowsErrWithFilenameObject,Py_BuildValue,

2_2_00007FF8B9062A30

Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe

Code function: 2_2_00007FF8B9064E30 PyList_New,PyArg_ParseTuple,CreateToolhelp32Snapshot,_Py_Dealloc,CloseHandle,CloseHandle,Thread32First,OpenThread,GetThreadTimes,Py_BuildValue,PyList_Append,_Py_Dealloc,CloseHandle,Thread32Next,CloseHandle,_Py_Dealloc,

2_2_00007FF8B9064E30

Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe

Code function: 2_2_00007FF8B9068B10 PyArg_ParseTuple,StartServiceA,CloseServiceHandle,CloseServiceHandle,_Py_NoneStruct,_Py_NoneStruct,

2_2_00007FF8B9068B10

Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5672:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\hmnpullauvvpicnk
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7096:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4676:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7044:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2612:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2804:120:WilError_03

Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe

File created: C:\Users\user\AppData\Local\Temp\_MEI50042

Jump to behavior

Source: Q3pEXxmWAD.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Processor
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"

Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Q3pEXxmWAD.exe	ReversingLabs: Detection: 36%
Source: Q3pEXxmWAD.exe	Virustotal: Detection: 44%

Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe

File read: C:\Users\user\Desktop\Q3pEXxmWAD.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Q3pEXxmWAD.exe "C:\Users\user\Desktop\Q3pEXxmWAD.exe"
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Process created: C:\Users\user\Desktop\Q3pEXxmWAD.exe "C:\Users\user\Desktop\Q3pEXxmWAD.exe"
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\user\AppData\Local\Temp\_MEI50042\Blsvr.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\_MEI50042\Blsvr.exe C:\Users\user\AppData\Local\Temp\_MEI50042\Blsvr.exe
Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop UsoSvc
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop WaaSMedicSvc
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop wuauserv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop bits
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop dosvc
Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-ac 0
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-dc 0
Source: C:\Users\user\AppData\Local\Temp\_MEI50042\Blsvr.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\System32\conhost.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-ac 0
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-dc 0
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe"
Source: C:\Windows\System32\sc.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe"
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\user\AppData\Local\Temp\_MEI63882\Blsvr.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\_MEI63882\Blsvr.exe C:\Users\user\AppData\Local\Temp\_MEI63882\Blsvr.exe
Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop UsoSvc
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop WaaSMedicSvc
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop wuauserv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop bits
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop dosvc
Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-ac 0
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-dc 0
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-ac 0
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-dc 0
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Process created: C:\Users\user\Desktop\Q3pEXxmWAD.exe "C:\Users\user\Desktop\Q3pEXxmWAD.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\user\AppData\Local\Temp\_MEI50042\Blsvr.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\_MEI50042\Blsvr.exe C:\Users\user\AppData\Local\Temp\_MEI50042\Blsvr.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI50042\Blsvr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI50042\Blsvr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI50042\Blsvr.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\System32\conhost.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop UsoSvc	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop WaaSMedicSvc	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop wuauserv	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop bits	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop dosvc	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-ac 0	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-dc 0	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-ac 0	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-dc 0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\user\AppData\Local\Temp\_MEI63882\Blsvr.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\_MEI63882\Blsvr.exe C:\Users\user\AppData\Local\Temp\_MEI63882\Blsvr.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI63882\Blsvr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI63882\Blsvr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop UsoSvc	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop WaaSMedicSvc	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop wuauserv	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop bits	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop dosvc	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-ac 0	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-dc 0	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-ac 0	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-dc 0	Jump to behavior

Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Section loaded: libffi-8.dll	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Section loaded: libcrypto-3.dll	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Section loaded: libssl-3.dll	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\powercfg.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\powercfg.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\powercfg.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\powercfg.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Section loaded: libffi-8.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Section loaded: libcrypto-3.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Section loaded: libssl-3.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\powercfg.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\powercfg.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: licensemanagersvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: licensemanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: clipc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: Q3pEXxmWAD.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: Q3pEXxmWAD.exe

Static file information: File size 12945034 > 1048576

Source: Q3pEXxmWAD.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Q3pEXxmWAD.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Q3pEXxmWAD.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Q3pEXxmWAD.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Q3pEXxmWAD.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Q3pEXxmWAD.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: Q3pEXxmWAD.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: Q3pEXxmWAD.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: D:\a\1\b\bin\amd64\select.pdb source: Q3pEXxmWAD.exe, 00000000.00000003.2019779670.0000011C08C33000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3270612498.00007FF8B9843000.00000002.00000001.01000000.0000000A.sdmp, Q3pEXxmWAD.exe, 00000014.00000003.2179334176.0000014F8DC72000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\unicodedata.pdb source: Q3pEXxmWAD.exe, 00000000.00000003.2020000570.0000011C08C33000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3266268765.00007FF8B7EF0000.00000002.00000001.01000000.00000010.sdmp, Q3pEXxmWAD.exe, 00000014.00000003.2179620332.0000014F8DC72000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_ctypes.pdb source: Q3pEXxmWAD.exe, 00000002.00000002.3270997706.00007FF8B9F70000.00000002.00000001.01000000.00000007.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_hashlib.pdb source: Q3pEXxmWAD.exe, 00000000.00000003.2011704965.0000011C08C2F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3268531245.00007FF8B8CE7000.00000002.00000001.01000000.0000000E.sdmp, Q3pEXxmWAD.exe, 00000014.00000003.2162439227.0000014F8DC70000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\libssl-3.pdbEE source: Q3pEXxmWAD.exe, 00000002.00000002.3265735287.00007FF8A9355000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PICOpenSSL 3.0.11 19 Sep 20233.0.11built on: Wed Sep 27 22:33:28 2023 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-3"MODULESDIR: "C:\Program Files\OpenSSL\lib\ossl-modules"CPUINFO: N/Anot availableget_and_lock..\s\crypto\ex_data.cossl_crypto_get_ex_new_index_exossl_crypto_new_ex_data_exCRYPTO_dup_ex_dataCRYPTO_set_ex_dataOPENSSL_WIN32_UTF8..\s\crypto\getenv.ccompiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC;CPUINFO: OPENSSL_ia32cap=0x%llx:0x%llxOPENSSL_ia32cap env:%sos-specificC:\Program Files\Common Files\SSLC:\Program Files\OpenSSL\lib\ossl-modules.dllCPUINFO: ..\s\crypto\init.cOPENSSL_init_cryptoOPENSSL_atexit..\s\crypto\initthread.c..\s\crypto\mem_sec.cassertion failed: (bit & 1) == 0assertion failed: list >= 0 && list < sh.freelist_sizeassertion failed: ((ptr - sh.arena) & ((sh.arena_size >> list) - 1)) == 0assertion failed: bit > 0 && bit < sh.bittable_sizeassertion failed: TESTBIT(table, bit)assertion failed: !TESTBIT(table, bit)assertion failed: WITHIN_FREELIST(list)assertion failed: WITHIN_ARENA(ptr)assertion failed: temp->next == NULL \|\| WITHIN_ARENA(temp->next)assertion failed: (char *)temp->next->p_next == listassertion failed: WITHIN_FREELIST(temp2->p_next) \|\| WITHIN_ARENA(temp2->p_next)assertion failed: size > 0assertion failed: (size & (size - 1)) == 0assertion failed: (minsize & (minsize - 1)) == 0assertion failed: sh.freelist != NULLassertion failed: sh.bittable != NULLassertion failed: sh.bitmalloc != NULLassertion failed: !sh_testbit(temp, slist, sh.bitmalloc)assertion failed: temp != sh.freelist[slist]assertion failed: sh.freelist[slist] == tempassertion failed: temp-(sh.arena_size >> slist) == sh_find_my_buddy(temp, slist)assertion failed: sh_testbit(chunk, list, sh.bittable)assertion failed: WITHIN_ARENA(chunk)assertion failed: sh_testbit(ptr, list, sh.bittable)assertion failed: ptr == sh_find_my_buddy(buddy, list)assertion failed: ptr != NULLassertion failed: !sh_testbit(ptr, list, sh.bitmalloc)assertion failed: sh.freelist[list] == ptr/0123456789ABCDEFCRYPTO_memdup..\s\crypto\o_str.chexstr2buf_sepossl_hexstr2buf_sepbuf2hexstr_sepossl_buf2hexstr_sep..\s\crypto\packet.cwpacket_intern_init_lenWPACKET_start_sub_packet_len__..\s\crypto\param_build.cparam_pushparam_push_numOSSL_PARAM_BLD_push_BN_padNegative big numbers are unsupported for OSSL_PARAMOSSL_PARAM_BLD_push_utf8_stringOSSL_PARAM_BLD_push_utf8_ptrOSSL_PARAM_BLD_push_octet_stringOSSL_PARAM_BLD_push_octet_ptrOSSL_PARAM_BLD_to_param..\s\crypto\params.c source: Q3pEXxmWAD.exe, 00000002.00000002.3261455020.00007FF8A8802000.00000002.00000001.01000000.0000000F.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdbNN source: Q3pEXxmWAD.exe, 00000000.00000003.2011882505.0000011C08C2F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3268916976.00007FF8B8F8C000.00000002.00000001.01000000.0000000C.sdmp, Q3pEXxmWAD.exe, 00000014.00000003.2162572053.0000014F8DC70000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC source: Q3pEXxmWAD.exe, 00000002.00000002.3261455020.00007FF8A8802000.00000002.00000001.01000000.0000000F.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_queue.pdb source: Q3pEXxmWAD.exe, 00000000.00000003.2012028458.0000011C08C2F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3268214204.00007FF8B8CD3000.00000002.00000001.01000000.00000011.sdmp, Q3pEXxmWAD.exe, 00000014.00000003.2162702885.0000014F8DC70000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb source: Blsvr.exe, 00000005.00000002.2072346669.00007FF758A7B000.00000004.00000001.01000000.00000016.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: Q3pEXxmWAD.exe, 00000000.00000003.2011882505.0000011C08C2F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3268916976.00007FF8B8F8C000.00000002.00000001.01000000.0000000C.sdmp, Q3pEXxmWAD.exe, 00000014.00000003.2162572053.0000014F8DC70000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: Q3pEXxmWAD.exe, 00000000.00000003.2011057798.0000011C08C2F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3269818741.00007FF8B908D000.00000002.00000001.01000000.0000000B.sdmp, Q3pEXxmWAD.exe, 00000014.00000003.2161613992.0000014F8DC70000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: Q3pEXxmWAD.exe, 00000000.00000003.2010863131.0000011C08C2F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3271565433.00007FF8BA253000.00000002.00000001.01000000.00000005.sdmp, Q3pEXxmWAD.exe, 00000014.00000003.2161410649.0000014F8DC70000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: Q3pEXxmWAD.exe, 00000000.00000003.2010863131.0000011C08C2F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3271565433.00007FF8BA253000.00000002.00000001.01000000.00000005.sdmp, Q3pEXxmWAD.exe, 00000014.00000003.2161410649.0000014F8DC70000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_socket.pdb source: Q3pEXxmWAD.exe, 00000000.00000003.2012157129.0000011C08C2F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3270164094.00007FF8B93C8000.00000002.00000001.01000000.00000009.sdmp, Q3pEXxmWAD.exe, 00000014.00000003.2162790530.0000014F8DC70000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\python3.pdb source: Q3pEXxmWAD.exe, 00000000.00000003.2017725547.0000011C08C33000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255187711.000002110AE10000.00000002.00000001.01000000.00000006.sdmp, Q3pEXxmWAD.exe, 00000014.00000003.2171482969.0000014F8DC72000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\libssl-3.pdb source: Q3pEXxmWAD.exe, 00000002.00000002.3265735287.00007FF8A9355000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\python311.pdb source: Q3pEXxmWAD.exe, 00000002.00000002.3262655733.00007FF8A8CDF000.00000002.00000001.01000000.00000004.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_ssl.pdb source: Q3pEXxmWAD.exe, 00000002.00000002.3267454200.00007FF8B8B2D000.00000002.00000001.01000000.00000012.sdmp

Source: Q3pEXxmWAD.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Q3pEXxmWAD.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Q3pEXxmWAD.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Q3pEXxmWAD.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Q3pEXxmWAD.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: libcrypto-3.dll.0.dr	Static PE information: section name: .00cfg
Source: libssl-3.dll.0.dr	Static PE information: section name: .00cfg
Source: Blsvr.exe.0.dr	Static PE information: section name: .xdata
Source: VCRUNTIME140.dll.0.dr	Static PE information: section name: fothk
Source: VCRUNTIME140.dll.0.dr	Static PE information: section name: _RDATA
Source: python311.dll.0.dr	Static PE information: section name: PyRuntim
Source: uyfkrbdwixpr.tmp.5.dr	Static PE information: section name: _RANDOMX
Source: uyfkrbdwixpr.tmp.5.dr	Static PE information: section name: _TEXT_CN
Source: uyfkrbdwixpr.tmp.5.dr	Static PE information: section name: _TEXT_CN
Source: uyfkrbdwixpr.tmp.5.dr	Static PE information: section name: _RDATA
Source: libcrypto-3.dll.20.dr	Static PE information: section name: .00cfg
Source: libssl-3.dll.20.dr	Static PE information: section name: .00cfg
Source: python311.dll.20.dr	Static PE information: section name: PyRuntim
Source: Blsvr.exe.20.dr	Static PE information: section name: .xdata
Source: VCRUNTIME140.dll.20.dr	Static PE information: section name: fothk
Source: VCRUNTIME140.dll.20.dr	Static PE information: section name: _RDATA

Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92F4541 push rcx; ret	2_2_00007FF8A92F4542
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92D1D7B push rcx; retf	2_2_00007FF8A92D1D7C
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7CB4541 push rcx; ret	21_2_00007FF8A7CB4542
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C91D7B push rcx; retf	21_2_00007FF8A7C91D7C

Persistence and Installation Behavior

Contains functionality to infect the boot sector

Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: PyDict_New,swprintf_s,CreateFileA,DeviceIoControl,GetLastError,DeviceIoControl,swprintf_s,Py_BuildValue,PyDict_SetItemString,_Py_Dealloc,CloseHandle,GetLastError,__acrt_iob_func,fprintf,__acrt_iob_func,fprintf,__acrt_iob_func,fprintf,GetLastError,__acrt_iob_func,fprintf,__acrt_iob_func,PyErr_SetFromWindowsErr,_Py_Dealloc,_Py_Dealloc,CloseHandle, \\.\PhysicalDrive%d	2_2_00007FF8B9062B00
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: PyDict_New,swprintf_s,CreateFileA,DeviceIoControl,GetLastError,DeviceIoControl,swprintf_s,Py_BuildValue,PyDict_SetItemString,_Py_Dealloc,CloseHandle,GetLastError,__acrt_iob_func,fprintf,__acrt_iob_func,fprintf,__acrt_iob_func,fprintf,GetLastError,__acrt_iob_func,fprintf,__acrt_iob_func,PyErr_SetFromWindowsErr,_Py_Dealloc,_Py_Dealloc,CloseHandle, PhysicalDrive%i	2_2_00007FF8B9062B00
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: PyDict_New,swprintf_s,CreateFileA,DeviceIoControl,GetLastError,DeviceIoControl,swprintf_s,Py_BuildValue,PyDict_SetItemString,_Py_Dealloc,CloseHandle,GetLastError,__acrt_iob_func,fprintf,__acrt_iob_func,fprintf,__acrt_iob_func,fprintf,GetLastError,__acrt_iob_func,fprintf,__acrt_iob_func,PyErr_SetFromWindowsErr,_Py_Dealloc,_Py_Dealloc,CloseHandle, DeviceIoControl -> ERROR_INVALID_FUNCTION; ignore PhysicalDrive%i	2_2_00007FF8B9062B00
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: PyDict_New,swprintf_s,CreateFileA,DeviceIoControl,GetLastError,DeviceIoControl,swprintf_s,Py_BuildValue,PyDict_SetItemString,_Py_Dealloc,CloseHandle,GetLastError,__acrt_iob_func,fprintf,__acrt_iob_func,fprintf,__acrt_iob_func,fprintf,GetLastError,__acrt_iob_func,fprintf,__acrt_iob_func,PyErr_SetFromWindowsErr,_Py_Dealloc,_Py_Dealloc,CloseHandle, DeviceIoControl -> ERROR_NOT_SUPPORTED; ignore PhysicalDrive%i	2_2_00007FF8B9062B00
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: PyDict_New,swprintf_s,CreateFileA,DeviceIoControl,GetLastError,DeviceIoControl,swprintf_s,Py_BuildValue,PyDict_SetItemString,_Py_Dealloc,CloseHandle,GetLastError,__acrt_iob_func,fprintf,__acrt_iob_func,fprintf,__acrt_iob_func,fprintf,GetLastError,__acrt_iob_func,fprintf,__acrt_iob_func,PyErr_SetFromWindowsErr,_Py_Dealloc,_Py_Dealloc,CloseHandle, \\.\PhysicalDrive%d	21_2_00007FF8B77F2B00
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: PyDict_New,swprintf_s,CreateFileA,DeviceIoControl,GetLastError,DeviceIoControl,swprintf_s,Py_BuildValue,PyDict_SetItemString,_Py_Dealloc,CloseHandle,GetLastError,__acrt_iob_func,fprintf,__acrt_iob_func,fprintf,__acrt_iob_func,fprintf,GetLastError,__acrt_iob_func,fprintf,__acrt_iob_func,PyErr_SetFromWindowsErr,_Py_Dealloc,_Py_Dealloc,CloseHandle, PhysicalDrive%i	21_2_00007FF8B77F2B00
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: PyDict_New,swprintf_s,CreateFileA,DeviceIoControl,GetLastError,DeviceIoControl,swprintf_s,Py_BuildValue,PyDict_SetItemString,_Py_Dealloc,CloseHandle,GetLastError,__acrt_iob_func,fprintf,__acrt_iob_func,fprintf,__acrt_iob_func,fprintf,GetLastError,__acrt_iob_func,fprintf,__acrt_iob_func,PyErr_SetFromWindowsErr,_Py_Dealloc,_Py_Dealloc,CloseHandle, DeviceIoControl -> ERROR_INVALID_FUNCTION; ignore PhysicalDrive%i	21_2_00007FF8B77F2B00
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: PyDict_New,swprintf_s,CreateFileA,DeviceIoControl,GetLastError,DeviceIoControl,swprintf_s,Py_BuildValue,PyDict_SetItemString,_Py_Dealloc,CloseHandle,GetLastError,__acrt_iob_func,fprintf,__acrt_iob_func,fprintf,__acrt_iob_func,fprintf,GetLastError,__acrt_iob_func,fprintf,__acrt_iob_func,PyErr_SetFromWindowsErr,_Py_Dealloc,_Py_Dealloc,CloseHandle, DeviceIoControl -> ERROR_NOT_SUPPORTED; ignore PhysicalDrive%i	21_2_00007FF8B77F2B00

Found pyInstaller with non standard icon

Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Process created: "C:\Users\user\Desktop\Q3pEXxmWAD.exe"
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Process created: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe"

Sample is not signed and drops a device driver

Source: C:\Users\user\AppData\Local\Temp\_MEI50042\Blsvr.exe

File created: C:\Users\user\AppData\Roaming\Google\Libs\WR64.sys

Jump to behavior

Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI50042\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI50042\python311.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63882\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63882\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63882\libffi-8.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63882\python3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63882\libssl-3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63882\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI50042\psutil\_psutil_windows.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI50042\libcrypto-3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63882\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63882\select.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI50042\Blsvr.exe	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63882\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI50042\charset_normalizer\md__mypyc.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63882\psutil\_psutil_windows.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI50042\python3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63882\VCRUNTIME140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI50042\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI50042\_queue.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63882\Blsvr.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI50042\VCRUNTIME140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI50042\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI50042\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_MEI50042\Blsvr.exe	File created: C:\Users\user\AppData\Roaming\Google\Libs\WR64.sys	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63882\_queue.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI50042\_socket.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI50042\select.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63882\libcrypto-3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI50042\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI50042\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_MEI50042\Blsvr.exe	File created: C:\Users\user\AppData\Local\Temp\uyfkrbdwixpr.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63882\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI50042\libffi-8.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63882\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63882\python311.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI50042\charset_normalizer\md.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63882\charset_normalizer\md__mypyc.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI50042\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI50042\libssl-3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63882\charset_normalizer\md.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63882\_socket.pyd	Jump to dropped file

Boot Survival

Contains functionality to infect the boot sector

Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: PyDict_New,swprintf_s,CreateFileA,DeviceIoControl,GetLastError,DeviceIoControl,swprintf_s,Py_BuildValue,PyDict_SetItemString,_Py_Dealloc,CloseHandle,GetLastError,__acrt_iob_func,fprintf,__acrt_iob_func,fprintf,__acrt_iob_func,fprintf,GetLastError,__acrt_iob_func,fprintf,__acrt_iob_func,PyErr_SetFromWindowsErr,_Py_Dealloc,_Py_Dealloc,CloseHandle, \\.\PhysicalDrive%d	2_2_00007FF8B9062B00
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: PyDict_New,swprintf_s,CreateFileA,DeviceIoControl,GetLastError,DeviceIoControl,swprintf_s,Py_BuildValue,PyDict_SetItemString,_Py_Dealloc,CloseHandle,GetLastError,__acrt_iob_func,fprintf,__acrt_iob_func,fprintf,__acrt_iob_func,fprintf,GetLastError,__acrt_iob_func,fprintf,__acrt_iob_func,PyErr_SetFromWindowsErr,_Py_Dealloc,_Py_Dealloc,CloseHandle, PhysicalDrive%i	2_2_00007FF8B9062B00
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: PyDict_New,swprintf_s,CreateFileA,DeviceIoControl,GetLastError,DeviceIoControl,swprintf_s,Py_BuildValue,PyDict_SetItemString,_Py_Dealloc,CloseHandle,GetLastError,__acrt_iob_func,fprintf,__acrt_iob_func,fprintf,__acrt_iob_func,fprintf,GetLastError,__acrt_iob_func,fprintf,__acrt_iob_func,PyErr_SetFromWindowsErr,_Py_Dealloc,_Py_Dealloc,CloseHandle, DeviceIoControl -> ERROR_INVALID_FUNCTION; ignore PhysicalDrive%i	2_2_00007FF8B9062B00
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: PyDict_New,swprintf_s,CreateFileA,DeviceIoControl,GetLastError,DeviceIoControl,swprintf_s,Py_BuildValue,PyDict_SetItemString,_Py_Dealloc,CloseHandle,GetLastError,__acrt_iob_func,fprintf,__acrt_iob_func,fprintf,__acrt_iob_func,fprintf,GetLastError,__acrt_iob_func,fprintf,__acrt_iob_func,PyErr_SetFromWindowsErr,_Py_Dealloc,_Py_Dealloc,CloseHandle, DeviceIoControl -> ERROR_NOT_SUPPORTED; ignore PhysicalDrive%i	2_2_00007FF8B9062B00
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: PyDict_New,swprintf_s,CreateFileA,DeviceIoControl,GetLastError,DeviceIoControl,swprintf_s,Py_BuildValue,PyDict_SetItemString,_Py_Dealloc,CloseHandle,GetLastError,__acrt_iob_func,fprintf,__acrt_iob_func,fprintf,__acrt_iob_func,fprintf,GetLastError,__acrt_iob_func,fprintf,__acrt_iob_func,PyErr_SetFromWindowsErr,_Py_Dealloc,_Py_Dealloc,CloseHandle, \\.\PhysicalDrive%d	21_2_00007FF8B77F2B00
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: PyDict_New,swprintf_s,CreateFileA,DeviceIoControl,GetLastError,DeviceIoControl,swprintf_s,Py_BuildValue,PyDict_SetItemString,_Py_Dealloc,CloseHandle,GetLastError,__acrt_iob_func,fprintf,__acrt_iob_func,fprintf,__acrt_iob_func,fprintf,GetLastError,__acrt_iob_func,fprintf,__acrt_iob_func,PyErr_SetFromWindowsErr,_Py_Dealloc,_Py_Dealloc,CloseHandle, PhysicalDrive%i	21_2_00007FF8B77F2B00
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: PyDict_New,swprintf_s,CreateFileA,DeviceIoControl,GetLastError,DeviceIoControl,swprintf_s,Py_BuildValue,PyDict_SetItemString,_Py_Dealloc,CloseHandle,GetLastError,__acrt_iob_func,fprintf,__acrt_iob_func,fprintf,__acrt_iob_func,fprintf,GetLastError,__acrt_iob_func,fprintf,__acrt_iob_func,PyErr_SetFromWindowsErr,_Py_Dealloc,_Py_Dealloc,CloseHandle, DeviceIoControl -> ERROR_INVALID_FUNCTION; ignore PhysicalDrive%i	21_2_00007FF8B77F2B00
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: PyDict_New,swprintf_s,CreateFileA,DeviceIoControl,GetLastError,DeviceIoControl,swprintf_s,Py_BuildValue,PyDict_SetItemString,_Py_Dealloc,CloseHandle,GetLastError,__acrt_iob_func,fprintf,__acrt_iob_func,fprintf,__acrt_iob_func,fprintf,GetLastError,__acrt_iob_func,fprintf,__acrt_iob_func,PyErr_SetFromWindowsErr,_Py_Dealloc,_Py_Dealloc,CloseHandle, DeviceIoControl -> ERROR_NOT_SUPPORTED; ignore PhysicalDrive%i	21_2_00007FF8B77F2B00

Drops PE files to the startup folder

Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe

Jump to dropped file

Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe

Jump to behavior

Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe

Jump to behavior

Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe

Code function: 2_2_00007FF8B9068B10 PyArg_ParseTuple,StartServiceA,CloseServiceHandle,CloseServiceHandle,_Py_NoneStruct,_Py_NoneStruct,

2_2_00007FF8B9068B10

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\sc.exe sc stop UsoSvc

Hooking and other Techniques for Hiding and Protection

Found hidden mapped module (file has been removed from disk)

Source: C:\Users\user\AppData\Local\Temp\_MEI50042\Blsvr.exe

Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\UYFKRBDWIXPR.TMP

Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe

Code function: 0_2_00007FF615A26EA0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00007FF615A26EA0

Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: conhost.exe, 00000011.00000002.3255582203.000001F6AABF0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PROCESSHACKER.EXE
Source: conhost.exe, 00000011.00000002.3255036623.000001F6A91A6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: KZJAVWEPGVPKNOGDNRXHUB9BA2JEPMCXDFBPIA8IOFXK39PV8BK" --PASS="KOKSAL" --CPU-MAX-THREADS-HINT=30 --CINIT-STEALTH-TARGETS="TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXE" --CINIT-VERSION="3.2.0" --CINIT-IDLE-WAIT=15 --CINIT-IDLE-CPU=80 --CINIT-ID="HMNPULLAUVVPICNK"
Source: conhost.exe, 00000011.00000002.3255036623.000001F6A91A6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: --CINIT-STEALTH-TARGETS=TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXE
Source: conhost.exe, 00000011.00000002.3255036623.000001F6A91A6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\SYSTEM32\CONHOST.EXE--ALGO=RX/0--URL=POOL.SUPPORTXMR.COM:3333--USER=44JRWAAOKNN1R4RNU5DEKNQQUGDCPRXHVA5SAVCAQJ1FKZJAVWEPGVPKNOGDNRXHUB9BA2JEPMCXDFBPIA8IOFXK39PV8BK--PASS=KOKSAL--CPU-MAX-THREADS-HINT=30--CINIT-STEALTH-TARGETS=TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXE--CINIT-VERSION=3.2.0--CINIT-IDLE-WAIT=15--CINIT-IDLE-CPU=80--CINIT-ID=HMNPULLAUVVPICNK
Source: conhost.exe, 00000011.00000002.3255036623.000001F6A91A6000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000011.00000002.3255582203.000001F6AABF0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXE
Source: conhost.exe, 00000011.00000002.3255036623.000001F6A91A6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: KZJAVWEPGVPKNOGDNRXHUB9BA2JEPMCXDFBPIA8IOFXK39PV8BK" --PASS="KOKSAL" --CPU-MAX-THREADS-HINT=30 --CINIT-STEALTH-TARGETS="TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXE" --CINIT-VERSION="3.2.0" --CINIT-IDLE-WAIT=15 --CINIT-IDLE-CPU=80 --CINIT-ID="HMNPULLAUVVPICNK"ZZ

Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: PyList_New,OpenSCManagerA,GetLastError,PyErr_SetFromWindowsErrWithFilename,EnumServicesStatusExW,GetLastError,free,malloc,EnumServicesStatusExW,PyUnicode_FromWideChar,PyUnicode_FromWideChar,Py_BuildValue,PyList_Append,_Py_Dealloc,_Py_Dealloc,_Py_Dealloc,CloseServiceHandle,free,_Py_Dealloc,_Py_Dealloc,_Py_Dealloc,_Py_Dealloc,CloseServiceHandle,free,		2_2_00007FF8B90681E0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: PyList_New,OpenSCManagerA,GetLastError,PyErr_SetFromWindowsErrWithFilename,EnumServicesStatusExW,GetLastError,free,malloc,EnumServicesStatusExW,PyUnicode_FromWideChar,PyUnicode_FromWideChar,Py_BuildValue,PyList_Append,_Py_Dealloc,_Py_Dealloc,_Py_Dealloc,CloseServiceHandle,free,_Py_Dealloc,_Py_Dealloc,_Py_Dealloc,_Py_Dealloc,CloseServiceHandle,free,		21_2_00007FF8B77F81E0

Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI50042\python311.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI50042\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63882\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63882\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63882\python3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63882\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI50042\psutil\_psutil_windows.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63882\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63882\select.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63882\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI50042\charset_normalizer\md__mypyc.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63882\psutil\_psutil_windows.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI50042\python3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI50042\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI50042\_queue.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI50042\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI50042\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63882\_queue.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_MEI50042\Blsvr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Google\Libs\WR64.sys	Jump to dropped file
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI50042\_socket.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI50042\select.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI50042\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI50042\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63882\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_MEI50042\Blsvr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\uyfkrbdwixpr.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63882\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63882\python311.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI50042\charset_normalizer\md.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63882\charset_normalizer\md__mypyc.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI50042\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63882\charset_normalizer\md.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63882\_socket.pyd	Jump to dropped file

Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes			graph_0-17188
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes

Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	API coverage: 0.8 %
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	API coverage: 0.8 %

Source: C:\Windows\System32\sc.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\sc.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS

Source: C:\Windows\System32\sc.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Windows\System32\sc.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem

Source: C:\Windows\System32\conhost.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 0_2_00007FF615A285A0 FindFirstFileExW,FindClose,	0_2_00007FF615A285A0
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 0_2_00007FF615A279B0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	0_2_00007FF615A279B0
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 0_2_00007FF615A40B84 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_00007FF615A40B84
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF615A285A0 FindFirstFileExW,FindClose,	2_2_00007FF615A285A0
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF615A279B0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	2_2_00007FF615A279B0
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF615A40B84 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	2_2_00007FF615A40B84
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 20_2_00007FF66D4385A0 FindFirstFileExW,FindClose,	20_2_00007FF66D4385A0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 20_2_00007FF66D4379B0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	20_2_00007FF66D4379B0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 20_2_00007FF66D450B84 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	20_2_00007FF66D450B84
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF66D4385A0 FindFirstFileExW,FindClose,	21_2_00007FF66D4385A0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF66D4379B0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	21_2_00007FF66D4379B0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF66D450B84 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	21_2_00007FF66D450B84

Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe

2_2_00007FF8B9062E70

Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe

Code function: 2_2_00007FF8B90618C0 PyModule_Create2,getenv,RtlGetVersion,GetSystemInfo,InitializeCriticalSection,PyModule_GetState,PyErr_NewException,_Py_Dealloc,PyErr_NewException,PyModule_AddObject,PyErr_NewException,PyModule_AddObject,PyModule_AddIntConstant,PyModule_AddIntConstant,PyModule_AddIntConstant,PyModule_AddIntConstant,PyModule_AddIntConstant,PyModule_AddIntConstant,PyModule_AddIntConstant,PyModule_AddIntConstant,PyModule_AddIntConstant,PyModule_AddIntConstant,PyModule_AddIntConstant,PyModule_AddIntConstant,PyModule_AddIntConstant,PyModule_AddIntConstant,PyModule_AddIntConstant,PyModule_AddIntConstant,PyModule_AddIntConstant,PyModule_AddIntConstant,PyModule_AddIntConstant,PyModule_AddIntConstant,PyModule_AddIntConstant,PyModule_AddIntConstant,PyModule_AddIntConstant,PyModule_AddIntConstant,PyModule_AddIntConstant,PyModule_AddIntConstant,PyModule_AddIntConstant,PyModule_AddIntConstant,PyModule_AddIntConstant,PyModule_AddIntConstant,PyModule_AddIntConstant,PyModule_AddIntConstant,

2_2_00007FF8B90618C0

Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	File opened: D:\sources\replacementmanifests\hwvid-migration-2	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	File opened: D:\sources\replacementmanifests\microsoft-client-license-platform-service-migration	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	File opened: D:\sources\migration\wtr	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	File opened: D:\sources\replacementmanifests	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	File opened: D:\sources\migration	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	File opened: D:\sources\replacementmanifests\microsoft-activedirectory-webservices	Jump to behavior

Source: Q3pEXxmWAD.exe, 00000000.00000003.2013077494.0000011C08C2F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000014.00000003.2163575792.0000014F8DC70000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: j2aTPs+9xYa9+bG3tD60B8jzljHz7aRP+KNOjSkVWLjVb3/ubCK1sK9IRQq9qEmU
Source: Q3pEXxmWAD.exe, 00000002.00000002.3258371309.000002110BDB4000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: microsoft-hyper-v-migration-replacement.man
Source: conhost.exe, 00000011.00000002.3255036623.000001F6A91C1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW{
Source: Q3pEXxmWAD.exe, 00000002.00000002.3258371309.000002110BDC8000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: microsoft-hyper-v-client-migration-replacement.man
Source: Q3pEXxmWAD.exe, 00000002.00000003.2033859203.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039291619.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036990859.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036416769.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2034276392.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2034810962.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2035347309.000002110B031000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Q3pEXxmWAD.exe, 00000002.00000002.3258371309.000002110BDC8000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: microsoft-hyper-v-drivers-migration-replacement.man
Source: Q3pEXxmWAD.exe, 00000002.00000002.3258371309.000002110BDC8000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: fesmicrosoft-hyper-v-drivers-migration-replacement.mantion-plugin
Source: Q3pEXxmWAD.exe, 00000002.00000002.3258371309.000002110BDB4000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: fesmicrosoft-hyper-v-migration-replacement.mann0'
Source: Q3pEXxmWAD.exe, 00000002.00000002.3258371309.000002110BDC8000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: microsoft-hyper-v-client-migration-replacement.mande0
Source: Blsvr.exe, 00000005.00000000.2061975106.00007FF758A7B000.00000008.00000001.01000000.00000016.sdmp	Binary or memory string: uvMci{
Source: conhost.exe, 00000011.00000002.3255036623.000001F6A9169000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW@

Source: C:\Users\user\AppData\Local\Temp\_MEI50042\Blsvr.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe

Code function: 0_2_00007FF615A39924 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00007FF615A39924

Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe

Code function: 0_2_00007FF615A42790 GetProcessHeap,

0_2_00007FF615A42790

Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 0_2_00007FF615A2C62C SetUnhandledExceptionFilter,	0_2_00007FF615A2C62C
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 0_2_00007FF615A39924 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF615A39924
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 0_2_00007FF615A2C44C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF615A2C44C
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 0_2_00007FF615A2BBC0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00007FF615A2BBC0
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF615A2C62C SetUnhandledExceptionFilter,	2_2_00007FF615A2C62C
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF615A39924 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00007FF615A39924
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF615A2C44C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00007FF615A2C44C
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF615A2BBC0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_00007FF615A2BBC0
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8A92D2135 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00007FF8A92D2135
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8B7DE3058 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00007FF8B7DE3058
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8B7DE2A90 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_00007FF8B7DE2A90
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8B8B02E70 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_00007FF8B8B02E70
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8B8B03438 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00007FF8B8B03438
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8B8B225B0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_00007FF8B8B225B0
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8B8B22FF8 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00007FF8B8B22FF8
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8B8CC1A00 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00007FF8B8CC1A00
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8B8CC1430 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_00007FF8B8CC1430
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8B8CD1AC0 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00007FF8B8CD1AC0
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8B8CD14F0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_00007FF8B8CD14F0
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8B8CE4640 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00007FF8B8CE4640
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8B8CE4070 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_00007FF8B8CE4070
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8B8F83690 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_00007FF8B8F83690
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8B8F83C60 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00007FF8B8F83C60
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8B906A0C0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_00007FF8B906A0C0
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8B906A9E8 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00007FF8B906A9E8
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8B908A050 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_00007FF8B908A050
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8B908AA98 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00007FF8B908AA98
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8B93C2600 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_00007FF8B93C2600
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8B93C2BC0 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00007FF8B93C2BC0
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8B9841B00 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00007FF8B9841B00
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8B9841530 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_00007FF8B9841530
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8B9F65D20 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_00007FF8B9F65D20
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8B9F662C4 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00007FF8B9F662C4
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8BA250AA8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_00007FF8BA250AA8
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8BFAB52F0 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00007FF8BFAB52F0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 20_2_00007FF66D43C62C SetUnhandledExceptionFilter,	20_2_00007FF66D43C62C
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 20_2_00007FF66D449924 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	20_2_00007FF66D449924
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 20_2_00007FF66D43C44C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	20_2_00007FF66D43C44C
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 20_2_00007FF66D43BBC0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	20_2_00007FF66D43BBC0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF66D43C62C SetUnhandledExceptionFilter,	21_2_00007FF66D43C62C
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF66D449924 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	21_2_00007FF66D449924
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF66D43C44C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	21_2_00007FF66D43C44C
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF66D43BBC0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	21_2_00007FF66D43BBC0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7C92135 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	21_2_00007FF8A7C92135
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7D63058 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	21_2_00007FF8A7D63058
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8A7D62A90 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	21_2_00007FF8A7D62A90
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8B6182E70 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	21_2_00007FF8B6182E70
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8B6183438 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	21_2_00007FF8B6183438
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8B61A25B0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	21_2_00007FF8B61A25B0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8B61A2FF8 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	21_2_00007FF8B61A2FF8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8B61D4070 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	21_2_00007FF8B61D4070
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8B61D4640 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	21_2_00007FF8B61D4640
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8B6203C60 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	21_2_00007FF8B6203C60
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8B6203690 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	21_2_00007FF8B6203690
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8B77FA0C0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	21_2_00007FF8B77FA0C0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8B77FA9E8 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	21_2_00007FF8B77FA9E8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8B781AA98 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	21_2_00007FF8B781AA98
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8B781A050 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	21_2_00007FF8B781A050
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8B7832BC0 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	21_2_00007FF8B7832BC0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8B7832600 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	21_2_00007FF8B7832600
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8B7FE5D20 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	21_2_00007FF8B7FE5D20
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8B7FE62C4 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	21_2_00007FF8B7FE62C4
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8B8010AA8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	21_2_00007FF8B8010AA8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8B8791A00 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	21_2_00007FF8B8791A00
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8B8791430 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	21_2_00007FF8B8791430
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8B8831AC0 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	21_2_00007FF8B8831AC0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8B88314F0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	21_2_00007FF8B88314F0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8B8C11B00 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	21_2_00007FF8B8C11B00
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8B8C11530 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	21_2_00007FF8B8C11530
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8B8CB52F0 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	21_2_00007FF8B8CB52F0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8B8CB4D20 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	21_2_00007FF8B8CB4D20

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Users\user\AppData\Local\Temp\_MEI63882\Blsvr.exe	NtQuerySystemInformation: Direct from: 0x7FF66786613E			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI50042\Blsvr.exe	NtQuerySystemInformation: Direct from: 0x7FF758A6613E			Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\AppData\Local\Temp\_MEI50042\Blsvr.exe

Section loaded: NULL target: C:\Windows\System32\conhost.exe protection: readonly

Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Users\user\AppData\Local\Temp\_MEI50042\Blsvr.exe

Thread register set: target process: 5664

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\AppData\Local\Temp\_MEI50042\Blsvr.exe

Memory written: C:\Windows\System32\conhost.exe base: 684B254010

Jump to behavior

Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Process created: C:\Users\user\Desktop\Q3pEXxmWAD.exe "C:\Users\user\Desktop\Q3pEXxmWAD.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\user\AppData\Local\Temp\_MEI50042\Blsvr.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\_MEI50042\Blsvr.exe C:\Users\user\AppData\Local\Temp\_MEI50042\Blsvr.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_MEI50042\Blsvr.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\System32\conhost.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop UsoSvc	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop WaaSMedicSvc	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop wuauserv	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop bits	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop dosvc	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-ac 0	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-dc 0	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-ac 0	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-dc 0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\user\AppData\Local\Temp\_MEI63882\Blsvr.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\_MEI63882\Blsvr.exe C:\Users\user\AppData\Local\Temp\_MEI63882\Blsvr.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop UsoSvc	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop WaaSMedicSvc	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop wuauserv	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop bits	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop dosvc	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-ac 0	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-dc 0	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-ac 0	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-dc 0	Jump to behavior

Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe

Code function: 0_2_00007FF615A48880 cpuid

0_2_00007FF615A48880

Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\certifi VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\charset_normalizer VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\mnemonic VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\mnemonic VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\mnemonic\wordlist VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\mnemonic VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\mnemonic\wordlist VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\mnemonic VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\mnemonic\wordlist VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\mnemonic VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\mnemonic\wordlist VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\mnemonic VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\mnemonic VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\mnemonic VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\mnemonic VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\mnemonic VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\Desktop\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\Desktop\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\Desktop\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\Blsvr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\libcrypto-3.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\libffi-8.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\select.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\Desktop\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\Desktop\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\Desktop\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\Desktop\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\Desktop\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\Desktop\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\Desktop\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\Desktop\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\Desktop\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\Desktop\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\Desktop\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\Desktop\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\Desktop\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\Desktop\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\Desktop\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\_socket.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\Desktop\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\select.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\Desktop\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\Desktop\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\Desktop\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\Desktop\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\_bz2.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\Desktop\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\_lzma.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\Desktop\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\psutil VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\psutil VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\psutil VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\psutil\_psutil_windows.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\Desktop\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\Desktop\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\Desktop\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\_hashlib.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\Desktop\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\Desktop\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\Desktop\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\Desktop\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\Desktop\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\unicodedata.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\Desktop\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\Desktop\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\Desktop\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\Desktop\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\Desktop\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\Desktop\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\Desktop\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\Desktop\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\Desktop\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\_queue.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\Desktop\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\Desktop\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\Desktop\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\Desktop\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\Desktop\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\Desktop\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\Desktop\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\Desktop\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\Desktop\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\Desktop\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\Desktop\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\Desktop\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\Desktop\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\Desktop\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\Desktop\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\Desktop\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\_ssl.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\Desktop\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\Desktop\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\Desktop\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\Desktop\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\Desktop\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\Desktop\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\Desktop\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\Desktop\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\Desktop\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\Desktop\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\Desktop\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\Desktop\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\Desktop\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\Desktop\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\Desktop\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\Desktop\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\Desktop\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\Desktop\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\Desktop\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\Desktop\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\Desktop\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\Desktop\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\Desktop\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\Desktop\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\Desktop\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\Desktop\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\Desktop\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\Desktop\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\Desktop\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\Desktop\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\Desktop\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\Desktop\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\Desktop\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\Desktop\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\Desktop\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\Desktop\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\Desktop\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\Desktop\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\Desktop\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\Desktop\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\Desktop\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\Desktop\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\Desktop\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\Desktop\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\Desktop\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\charset_normalizer VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\charset_normalizer VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\charset_normalizer VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\charset_normalizer VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\charset_normalizer\md__mypyc.cp311-win_amd64.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\Desktop\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\Desktop\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\Desktop\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\Desktop\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\Desktop\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\Desktop\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\Desktop\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\Desktop\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\Desktop\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\Desktop\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\Desktop\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\Desktop\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\Desktop\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\Desktop\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\Desktop\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\Desktop\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\Desktop\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\Desktop\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\Desktop\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\Desktop\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\Desktop\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\Desktop\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\Desktop\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\Desktop\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\Desktop\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\Desktop\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\Desktop\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\Desktop\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\Desktop\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\Desktop\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\Desktop\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\Desktop\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\Desktop\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\Desktop\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\Desktop\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\Desktop\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\Desktop\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\Desktop\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\Desktop\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\Desktop\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\Desktop\BJZFPPWAPT VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\Desktop\EFOYFBOLXA VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\Desktop\NVWZAPQSQL VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\Desktop\ZGGKNSUKOP VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: \Device\CdRom0\boot VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: \Device\CdRom0\boot\en-gb VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: \Device\CdRom0\boot\fonts VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: \Device\CdRom0\efi VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: \Device\CdRom0\efi\microsoft VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: \Device\CdRom0\efi\microsoft\boot VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: \Device\CdRom0\efi\microsoft\boot\fonts VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: \Device\CdRom0\efi\microsoft\boot\resources VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: \Device\CdRom0\sources\hwcompat.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: \Device\CdRom0\sources\hwcompat.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: \Device\CdRom0\sources\hwcompatPE.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: \Device\CdRom0\sources\hwcompatPE.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: \Device\CdRom0\sources\hwcompatPE.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\mnemonic\wordlist\english.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\mnemonic\wordlist\english.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\mnemonic\wordlist\english.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\mnemonic\wordlist\english.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\mnemonic\wordlist\english.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\mnemonic\wordlist\english.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\mnemonic\wordlist\english.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\mnemonic\wordlist\english.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\mnemonic\wordlist\english.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: \Device\CdRom0\sources\hwexclude.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: \Device\CdRom0\sources\hwexclude.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: \Device\CdRom0\sources\hwexclude.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: \Device\CdRom0\sources\hwexcludePE.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: \Device\CdRom0\sources\hwexcludePE.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: \Device\CdRom0\sources\hwexcludePE.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: \Device\CdRom0\sources\idwbinfo.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: \Device\CdRom0\sources\idwbinfo.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: \Device\CdRom0\sources\idwbinfo.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: \Device\CdRom0\sources\idwbinfo.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: \Device\CdRom0\sources\dlmanifests VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: \Device\CdRom0\sources\dlmanifests\microsoft-activedirectory-webservices-dl VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: \Device\CdRom0\sources\dlmanifests\microsoft-windows-bluetooth-config VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: \Device\CdRom0\sources\dlmanifests\microsoft-windows-com-complus-setup-dl VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: \Device\CdRom0\sources\dlmanifests\microsoft-windows-com-dtc-setup-dl VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: \Device\CdRom0\sources\dlmanifests\microsoft-windows-dhcpservermigplugin-dl VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: \Device\CdRom0\sources\dlmanifests\microsoft-windows-directoryservices-adam-dl VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: \Device\CdRom0\sources\dlmanifests\microsoft-windows-internet-naming-service-runtime VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: \Device\CdRom0\sources\dlmanifests\microsoft-windows-msmq-messagingcoreservice VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: \Device\CdRom0\sources\dlmanifests\microsoft-windows-rasserver-migplugin VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: \Device\CdRom0\sources\dlmanifests\microsoft-windows-tapisetup VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: \Device\CdRom0\sources\dlmanifests\microsoft-windows-terminalservices-licenseserver VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: \Device\CdRom0\sources\dlmanifests\microsoft-windows-textservicesframework-migration-dl VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: \Device\CdRom0\sources\dlmanifests\microsoft-windows-winsock-core-infrastructure-upgrade VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: \Device\CdRom0\sources\dlmanifests\networking-mpssvc-svc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: \Device\CdRom0\sources\en-gb VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: \Device\CdRom0\sources\en-gb\erofflps.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: \Device\CdRom0\sources\en-gb\erofflps.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: \Device\CdRom0\sources\en-gb\erofflps.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: \Device\CdRom0\sources\en-gb\erofflps.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\mnemonic\wordlist\english.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\mnemonic\wordlist\english.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\mnemonic\wordlist\english.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\mnemonic\wordlist\english.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\mnemonic\wordlist\english.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\mnemonic\wordlist\english.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\mnemonic\wordlist\english.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\mnemonic\wordlist\english.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\mnemonic\wordlist\english.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\mnemonic\wordlist\english.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\mnemonic\wordlist\english.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\mnemonic\wordlist\english.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\mnemonic\wordlist\english.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\mnemonic\wordlist\english.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\mnemonic\wordlist\english.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\mnemonic\wordlist\english.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\mnemonic\wordlist\english.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\mnemonic\wordlist\english.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\mnemonic\wordlist\english.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\mnemonic\wordlist\english.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\mnemonic\wordlist\english.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: \Device\CdRom0\sources\etwproviders VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: \Device\CdRom0\sources\etwproviders\en-gb VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: \Device\CdRom0\sources\inf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: \Device\CdRom0\sources\migration VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: \Device\CdRom0\sources\migration\wtr VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: \Device\CdRom0\sources\replacementmanifests\hwvid-migration-2 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: \Device\CdRom0\sources\replacementmanifests\microsoft-activedirectory-webservices VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: \Device\CdRom0\sources\replacementmanifests\microsoft-windows-offlinefiles-core\en-gb VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: \Device\CdRom0\sources\replacementmanifests\microsoft-windows-pnpmigration VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: \Device\CdRom0\sources\uup\metadata VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: \Device\CdRom0\support VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: \Device\CdRom0\support\logging VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\Desktop\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\Desktop\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\Desktop\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\Desktop\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63882\certifi VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63882\mnemonic VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63882\mnemonic\wordlist VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63882\mnemonic VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63882\mnemonic VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63882\mnemonic VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63882\mnemonic VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63882\mnemonic VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63882\mnemonic\wordlist VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63882\mnemonic VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63882\mnemonic\wordlist VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63882\mnemonic VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63882\mnemonic VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63882\mnemonic\wordlist VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63882\mnemonic VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63882 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63882 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63882 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63882 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63882\_ctypes.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63882 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63882\Blsvr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63882\certifi VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63882\charset_normalizer VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63882\libcrypto-3.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63882\libffi-8.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63882\libssl-3.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63882\mnemonic VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63882\python3.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63882\python311.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63882\VCRUNTIME140.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63882\_ctypes.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63882\_decimal.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63882\_hashlib.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63882\_lzma.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63882\_queue.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63882 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63882 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63882 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63882\_socket.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63882 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63882\select.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63882 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63882 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63882\_bz2.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63882 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63882\_lzma.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63882\psutil VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63882\psutil VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63882\psutil VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63882\psutil\_psutil_windows.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63882 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63882\_hashlib.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe

Code function: 0_2_00007FF615A2C330 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00007FF615A2C330

Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe

Code function: 0_2_00007FF615A44F10 _get_daylight,_get_daylight,_get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation,

0_2_00007FF615A44F10

Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe

2_2_00007FF8B90618C0

Lowering of HIPS / PFW / Operating System Security Settings

Modifies power options to not sleep / hibernate

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-ac 0
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-ac 0
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-ac 0
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-ac 0
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-ac 0	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-ac 0	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-ac 0	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-ac 0	Jump to behavior

Stops critical windows services

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop UsoSvc
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop WaaSMedicSvc
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop wuauserv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop bits
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop dosvc

Source: conhost.exe, 00000011.00000002.3255036623.000001F6A922E000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: procexp.exe

Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8B93C45E4 PySys_Audit,PyEval_SaveThread,bind,PyEval_RestoreThread,_Py_NoneStruct,	2_2_00007FF8B93C45E4
Source: C:\Users\user\Desktop\Q3pEXxmWAD.exe	Code function: 2_2_00007FF8B93C55F8 _PyArg_ParseTuple_SizeT,PyEval_SaveThread,listen,PyEval_RestoreThread,_Py_NoneStruct,	2_2_00007FF8B93C55F8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8B78345E4 PySys_Audit,PyEval_SaveThread,bind,PyEval_RestoreThread,_Py_NoneStruct,	21_2_00007FF8B78345E4
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe	Code function: 21_2_00007FF8B78355F8 _PyArg_ParseTuple_SizeT,PyEval_SaveThread,listen,PyEval_RestoreThread,_Py_NoneStruct,	21_2_00007FF8B78355F8

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	31 Windows Management Instrumentation	11 DLL Side-Loading	1 Abuse Elevation Control Mechanism	1 Disable or Modify Tools	OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	12 Windows Service	11 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 System Service Discovery	Remote Desktop Protocol	Data from Removable Media	2 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	3 Service Execution	12 Registry Run Keys / Startup Folder	1 Access Token Manipulation	1 Abuse Elevation Control Mechanism	Security Account Manager	3 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	1 Bootkit	12 Windows Service	2 Obfuscated Files or Information	NTDS	46 System Information Discovery	Distributed Component Object Model	Input Capture	1 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	311 Process Injection	11 DLL Side-Loading	LSA Secrets	251 Security Software Discovery	SSH	Keylogging	1 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	12 Registry Run Keys / Startup Folder	1 Masquerading	Cached Domain Credentials	2 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Virtualization/Sandbox Evasion	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Access Token Manipulation	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	311 Process Injection	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 Bootkit	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Q3pEXxmWAD.exe	37%	ReversingLabs	Win64.Trojan.Molotov
Q3pEXxmWAD.exe	44%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Temp\_MEI50042\Blsvr.exe	79%	ReversingLabs	Win64.Trojan.Whisperer
C:\Users\user\AppData\Local\Temp\_MEI50042\VCRUNTIME140.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI50042\_bz2.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI50042\_ctypes.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI50042\_decimal.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI50042\_hashlib.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI50042\_lzma.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI50042\_queue.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI50042\_socket.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI50042\_ssl.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI50042\charset_normalizer\md.cp311-win_amd64.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI50042\charset_normalizer\md__mypyc.cp311-win_amd64.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI50042\libcrypto-3.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI50042\libffi-8.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI50042\libssl-3.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI50042\psutil\_psutil_windows.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI50042\python3.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI50042\python311.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI50042\select.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI50042\unicodedata.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI63882\Blsvr.exe	79%	ReversingLabs	Win64.Trojan.Whisperer
C:\Users\user\AppData\Local\Temp\_MEI63882\VCRUNTIME140.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI63882\_bz2.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI63882\_ctypes.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI63882\_decimal.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI63882\_hashlib.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI63882\_lzma.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI63882\_queue.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI63882\_socket.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI63882\_ssl.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI63882\charset_normalizer\md.cp311-win_amd64.pyd	0%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Link
pool-fr.supportxmr.com	3%	Virustotal	Browse
bg.microsoft.map.fastly.net	0%	Virustotal	Browse
pool.supportxmr.com	9%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
https://core.telegram.org/bots/api#sendvenue	0%	Avira URL Cloud	safe
https://core.telegram.org/bots/api#sendvideo	0%	Avira URL Cloud	safe
https://core.telegram.org/bots/api#botname	0%	Avira URL Cloud	safe
https://core.telegram.org/bots/api#chatmemberowner	0%	Avira URL Cloud	safe
https://core.telegram.org/bots/api#getchatadministrators	0%	Avira URL Cloud	safe
https://core.telegram.org/bots/api#chatpermissions	0%	Avira URL Cloud	safe
https://github.com/giampaolo/psutil/issues/875.	0%	Avira URL Cloud	safe
https://core.telegram.org/bots/api#getchatadministrators	0%	Virustotal		Browse
https://core.telegram.org/bots/api#sendvideo	0%	Virustotal		Browse
https://core.telegram.org/bots/api#botname	0%	Virustotal		Browse
https://core.telegram.org/bots/api#inputmediaaudio	0%	Avira URL Cloud	safe
https://core.telegram.org/bots/api#unhidegeneralforumtopic	0%	Avira URL Cloud	safe
https://core.telegram.org/bots/api#chatpermissions	0%	Virustotal		Browse
https://core.telegram.org/bots/api#sendvenue	0%	Virustotal		Browse
https://github.com/giampaolo/psutil/issues/875.	0%	Virustotal		Browse
https://core.telegram.org/bots/api#setstickersetthumb	0%	Avira URL Cloud	safe
https://core.telegram.org/bots/api#getstickerset	0%	Avira URL Cloud	safe
https://core.telegram.org/bots/api#inputmediaaudio	0%	Virustotal		Browse
https://core.telegram.org/bots/api#unhidegeneralforumtopic	0%	Virustotal		Browse
https://core.telegram.org/bots/api#chatmemberowner	0%	Virustotal		Browse
https://core.telegram.org/bots/api#forumtopiccreated	0%	Avira URL Cloud	safe
https://core.telegram.org/bots/api#inlinequeryresult	0%	Avira URL Cloud	safe
https://core.telegram.org/bots/api#replykeyboardmarkup	0%	Avira URL Cloud	safe
https://core.telegram.org/bots/api#chatfullinfo	0%	Avira URL Cloud	safe
https://core.telegram.org/bots/api#inlinequeryresult	0%	Virustotal		Browse
https://core.telegram.org/bots/api#sendmediagroup	0%	Avira URL Cloud	safe
https://core.telegram.org/bots/api#backgroundfill	0%	Avira URL Cloud	safe
https://core.telegram.org/bots/api#replykeyboardmarkup	0%	Virustotal		Browse
https://core.telegram.org/bots/api#forumtopiccreated	0%	Virustotal		Browse
https://core.telegram.org/bots/api#setstickersetthumb	0%	Virustotal		Browse
https://core.telegram.org/bots/api#chatfullinfo	0%	Virustotal		Browse
https://core.telegram.org/bots/api#getchatmembercount	0%	Avira URL Cloud	safe
https://core.telegram.org/bots/api#getstickerset	0%	Virustotal		Browse
https://core.telegram.org/bots/api#messagereactioncountupdated	0%	Avira URL Cloud	safe
https://core.telegram.org/bots/api#revokechatinvitelink	0%	Avira URL Cloud	safe
https://core.telegram.org/bots/api#backgroundfill	0%	Virustotal		Browse
https://core.telegram.org/bots/api#sendphoto	0%	Avira URL Cloud	safe
https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#	0%	Avira URL Cloud	safe
https://core.telegram.org/bots/api#sendmediagroup	0%	Virustotal		Browse
https://core.telegram.org/bots/api#forcereply	0%	Avira URL Cloud	safe
https://core.telegram.org/bots/api#messagereactioncountupdated	0%	Virustotal		Browse
https://core.telegram.org/bots/api#revokechatinvitelink	0%	Virustotal		Browse
https://core.telegram.org/bots/api#getchatmembercount	0%	Virustotal		Browse
https://core.telegram.org/bots/api#inlinequeryresultcachedsticker	0%	Avira URL Cloud	safe
https://core.telegram.org/bots/api#sendphoto	0%	Virustotal		Browse
https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#	0%	Virustotal		Browse
https://core.telegram.org/bots/api#getchatmember	0%	Avira URL Cloud	safe
https://core.telegram.org/bots/api#forcereply	0%	Virustotal		Browse
http://goo.gl/zeJZl.	0%	Avira URL Cloud	safe
https://core.telegram.org/bots/api#forumtopic	0%	Avira URL Cloud	safe
https://core.telegram.org/bots/api#inlinequeryresultcachedsticker	0%	Virustotal		Browse
https://core.telegram.org/bots/api#inlinequeryresultcacheddocument	0%	Avira URL Cloud	safe
https://core.telegram.org/bots/api#replyparameters	0%	Avira URL Cloud	safe
https://core.telegram.org/bots/api#chatadministratorrights	0%	Avira URL Cloud	safe
http://goo.gl/zeJZl.	0%	Virustotal		Browse
https://core.telegram.org/bots/api#getchatmember	0%	Virustotal		Browse
https://core.telegram.org/bots/api#proximityalerttriggered	0%	Avira URL Cloud	safe
https://core.telegram.org/bots/api#inlinequeryresultcacheddocument	0%	Virustotal		Browse
https://docs.python.org/3.11/library/binascii.html#binascii.a2b_base64	0%	Avira URL Cloud	safe
https://core.telegram.org/bots/api#chatadministratorrights	0%	Virustotal		Browse
https://core.telegram.org/bots/api#businesslocation	0%	Avira URL Cloud	safe
https://core.telegram.org/bots/api#forumtopic	0%	Virustotal		Browse
https://core.telegram.org/bots/api#messageautodeletetimerchanged	0%	Avira URL Cloud	safe
https://core.telegram.org/bots/api#proximityalerttriggered	0%	Virustotal		Browse
https://core.telegram.org/bots/api#replyparameters	0%	Virustotal		Browse
https://docs.python.org/3.11/library/binascii.html#binascii.a2b_base64	0%	Virustotal		Browse
https://core.telegram.org/bots/api#businesslocation	0%	Virustotal		Browse
https://core.telegram.org/bots/api#birthdate	0%	Avira URL Cloud	safe
https://core.telegram.org/bots/api#messageautodeletetimerchanged	0%	Virustotal		Browse
https://core.telegram.org/bots/api#shippingaddress	0%	Avira URL Cloud	safe
https://core.telegram.org/bots/api#closeforumtopic	0%	Avira URL Cloud	safe
https://core.telegram.org/bots/api#shippingaddress	0%	Virustotal		Browse
https://core.telegram.org/bots/api#externalreplyinfo	0%	Avira URL Cloud	safe
https://github.com/urllib3/urllib3/issues/2192#issuecomment-821832963	0%	Avira URL Cloud	safe
https://core.telegram.org/bots/api#birthdate	0%	Virustotal		Browse
https://core.telegram.org/bots/api#editmessagecaption	0%	Avira URL Cloud	safe
https://core.telegram.org/bots/api#chatlocation	0%	Avira URL Cloud	safe
https://core.telegram.org/bots/api#stopmessagelivelocation	0%	Avira URL Cloud	safe
http://curl.haxx.se/rfc/cookie_spec.html	0%	Avira URL Cloud	safe
https://core.telegram.org/bots/api#closeforumtopic	0%	Virustotal		Browse
https://urllib3.readthedocs.io/en/latest/advanced-usage.html#https-proxy-error-http-proxy	0%	Avira URL Cloud	safe
https://core.telegram.org/bots/api#inlinequeryresultcontact	0%	Avira URL Cloud	safe
https://core.telegram.org/bots/api#inlinequeryresultcachedvideo	0%	Avira URL Cloud	safe
https://core.telegram.org/bots/api#setmyname	0%	Avira URL Cloud	safe
https://core.telegram.org/bots/api#inlinequeryresultaudio	0%	Avira URL Cloud	safe
https://core.telegram.org/bots/api#successfulpayment	0%	Avira URL Cloud	safe
https://core.telegram.org/bots/api#backgroundtypechattheme	0%	Avira URL Cloud	safe
https://core.telegram.org/bots/api#setchatmenubutton	0%	Avira URL Cloud	safe
https://core.telegram.org/bots/api#document	0%	Avira URL Cloud	safe
https://core.telegram.org/bots/api#copymessages	0%	Avira URL Cloud	safe
https://core.telegram.org/bots/api#inlinequeryresultvenue	0%	Avira URL Cloud	safe
https://core.telegram.org/bots/api#hidegeneralforumtopic	0%	Avira URL Cloud	safe
https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader	0%	Avira URL Cloud	safe
https://github.com/python/cpython/issues/86361.	0%	Avira URL Cloud	safe
https://core.telegram.org/bots/api#keyboardbuttonpolltype	0%	Avira URL Cloud	safe
https://core.telegram.org/bots/api#backgroundtypefill	0%	Avira URL Cloud	safe
https://core.telegram.org/bots/api#setmessagereaction	0%	Avira URL Cloud	safe
http://mail.python.org/pipermail/python-dev/2012-June/120787.html.	0%	Avira URL Cloud	safe
https://core.telegram.org/bots/api#chatmemberupdated	0%	Avira URL Cloud	safe
https://core.telegram.org/bots/api#setchatphoto	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
pool-fr.supportxmr.com	141.94.96.195	true	true	3%, Virustotal, Browse	unknown
bg.microsoft.map.fastly.net	199.232.210.172	true	false	0%, Virustotal, Browse	unknown
pool.supportxmr.com	unknown	unknown	true	9%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://core.telegram.org/bots/api#botname	Q3pEXxmWAD.exe, 00000002.00000003.2039903383.000002110B8CE000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3257675506.000002110B8C0000.00000004.00001000.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255930055.000002110B3B0000.00000004.00001000.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://core.telegram.org/bots/api#chatmemberowner	Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110AF40000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://core.telegram.org/bots/api#sendvenue	Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036870636.000002110B4C1000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039291619.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2038825071.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2037522955.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036990859.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://core.telegram.org/bots/api#getchatadministrators	Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036870636.000002110B4C1000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039291619.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2038825071.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2037522955.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036990859.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://core.telegram.org/bots/api#sendvideo	Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036870636.000002110B4C1000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039291619.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2038825071.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2037522955.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036990859.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://core.telegram.org/bots/api#chatpermissions	Q3pEXxmWAD.exe, 00000002.00000003.2045494816.000002110B65E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041008281.000002110B66E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2042802217.000002110B66E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046801194.000002110B65E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2053122954.000002110B65E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B65E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://github.com/giampaolo/psutil/issues/875.	Q3pEXxmWAD.exe, 00000002.00000002.3255214542.000002110AE40000.00000004.00001000.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2033859203.000002110AFAB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036239728.000002110AFAB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2033818312.000002110B06A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2035118346.000002110AFAB000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://core.telegram.org/bots/api#inputmediaaudio	Q3pEXxmWAD.exe, 00000002.00000003.2056356906.000002110B11F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040081091.000002110B514000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255597757.000002110B120000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://core.telegram.org/bots/api#unhidegeneralforumtopic	Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036870636.000002110B4C1000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039291619.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2038825071.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2037522955.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036990859.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://core.telegram.org/bots/api#setstickersetthumb	Q3pEXxmWAD.exe, 00000002.00000003.2036870636.000002110B4C1000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110AFAB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2038179352.000002110AFAB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110AFAB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039291619.000002110AFAB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110AF98000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110AFA2000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110AF93000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://core.telegram.org/bots/api#getstickerset	Q3pEXxmWAD.exe, 00000002.00000002.3255643308.000002110B140000.00000004.00001000.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036870636.000002110B4C1000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://core.telegram.org/bots/api#forumtopiccreated	Q3pEXxmWAD.exe, 00000002.00000003.2039903383.000002110B8CE000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://core.telegram.org/bots/api#inlinequeryresult	Q3pEXxmWAD.exe, 00000002.00000003.2053122954.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046801194.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2042184831.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043412066.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://core.telegram.org/bots/api#replykeyboardmarkup	Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://core.telegram.org/bots/api#chatfullinfo	Q3pEXxmWAD.exe, 00000002.00000003.2040054615.000002110B124000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3257675506.000002110B8C0000.00000004.00001000.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255930055.000002110B3B0000.00000004.00001000.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://core.telegram.org/bots/api#sendmediagroup	Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036870636.000002110B4C1000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039291619.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2038825071.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2037522955.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036990859.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://core.telegram.org/bots/api#backgroundfill	Q3pEXxmWAD.exe, 00000002.00000003.2039903383.000002110B8CE000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255779775.000002110B280000.00000004.00001000.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255930055.000002110B3B0000.00000004.00001000.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://core.telegram.org/bots/api#getchatmembercount	Q3pEXxmWAD.exe, 00000002.00000002.3255643308.000002110B140000.00000004.00001000.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036870636.000002110B4C1000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039291619.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2038825071.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2037522955.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036990859.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://core.telegram.org/bots/api#messagereactioncountupdated	Q3pEXxmWAD.exe, 00000002.00000003.2039903383.000002110B8CE000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110AF70000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110AF40000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043771893.000002110AF70000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://core.telegram.org/bots/api#revokechatinvitelink	Q3pEXxmWAD.exe, 00000002.00000003.2036870636.000002110B4C1000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255008842.000002110AD10000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://core.telegram.org/bots/api#sendphoto	Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036870636.000002110B4C1000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039291619.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2038825071.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2037522955.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036990859.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#	Q3pEXxmWAD.exe, 00000002.00000002.3253737288.0000021109078000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2031692203.0000021109090000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255008842.000002110AD10000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2031195401.00000211090A9000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://core.telegram.org/bots/api#forcereply	Q3pEXxmWAD.exe, 00000002.00000003.2041008281.000002110B510000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B50D000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2045494816.000002110B50D000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043082947.000002110B50D000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2054533904.000002110B50D000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046801194.000002110B50D000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043861852.000002110B50E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://core.telegram.org/bots/api#inlinequeryresultcachedsticker	Q3pEXxmWAD.exe, 00000002.00000003.2053122954.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046801194.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2042184831.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2056356906.000002110B11F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043412066.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255597757.000002110B120000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://core.telegram.org/bots/api#getchatmember	Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110AFEB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2037522955.000002110AFF2000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110AFEB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036870636.000002110B4C1000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110AFEB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2038825071.000002110AFF2000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2038179352.000002110AFF1000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110AFEB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110AFEB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039291619.000002110AFF0000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036990859.000002110AFF1000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://goo.gl/zeJZl.	Q3pEXxmWAD.exe, 00000002.00000002.3255214542.000002110AE40000.00000004.00001000.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://core.telegram.org/bots/api#forumtopic	Q3pEXxmWAD.exe, 00000002.00000003.2039903383.000002110B8CE000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110AF40000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://core.telegram.org/bots/api#inlinequeryresultcacheddocument	Q3pEXxmWAD.exe, 00000002.00000003.2053122954.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046801194.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2042184831.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2056356906.000002110B11F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043412066.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255597757.000002110B120000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://core.telegram.org/bots/api#replyparameters	Q3pEXxmWAD.exe, 00000002.00000003.2039903383.000002110B8CE000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2045494816.000002110B65E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043082947.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2042802217.000002110B66E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046801194.000002110B65E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046801194.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2045494816.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2053122954.000002110B65E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2054533904.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2042184831.000002110B69C000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041008281.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B65E000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://core.telegram.org/bots/api#chatadministratorrights	Q3pEXxmWAD.exe, 00000002.00000003.2039903383.000002110B8CE000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2053122954.000002110B636000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043082947.000002110B5B9000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041008281.000002110B636000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046801194.000002110B636000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2045494816.000002110B636000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046801194.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2045494816.000002110B5B9000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2054533904.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043082947.000002110B636000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043861852.000002110B5B9000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041008281.000002110B5B9000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B636000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://core.telegram.org/bots/api#proximityalerttriggered	Q3pEXxmWAD.exe, 00000002.00000003.2040081091.000002110B514000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110AF40000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://docs.python.org/3.11/library/binascii.html#binascii.a2b_base64	Q3pEXxmWAD.exe, 00000002.00000002.3255008842.000002110AD10000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2035168608.000002110B07A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2034810962.000002110B073000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://core.telegram.org/bots/api#businesslocation	Q3pEXxmWAD.exe, 00000002.00000003.2039903383.000002110B8CE000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255930055.000002110B3B0000.00000004.00001000.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://core.telegram.org/bots/api#messageautodeletetimerchanged	Q3pEXxmWAD.exe, 00000002.00000003.2039903383.000002110B8CE000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255779775.000002110B280000.00000004.00001000.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255930055.000002110B3B0000.00000004.00001000.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://core.telegram.org/bots/api#birthdate	Q3pEXxmWAD.exe, 00000002.00000003.2039903383.000002110B8CE000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255930055.000002110B3B0000.00000004.00001000.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://core.telegram.org/bots/api#shippingaddress	Q3pEXxmWAD.exe, 00000002.00000003.2056356906.000002110B11F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255008842.000002110AD10000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255597757.000002110B120000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://core.telegram.org/bots/api#closeforumtopic	Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036870636.000002110B4C1000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039291619.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2038825071.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2037522955.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036990859.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://core.telegram.org/bots/api#externalreplyinfo	Q3pEXxmWAD.exe, 00000002.00000003.2039903383.000002110B8CE000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2053122954.000002110B636000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043082947.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041008281.000002110B636000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046801194.000002110B636000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2045494816.000002110B636000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046801194.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2045494816.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2054533904.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041008281.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043082947.000002110B636000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B636000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/urllib3/urllib3/issues/2192#issuecomment-821832963	Q3pEXxmWAD.exe, 00000002.00000002.3257675506.000002110B8C0000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://core.telegram.org/bots/api#editmessagecaption	Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036870636.000002110B4C1000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039291619.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2038825071.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2037522955.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036990859.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://core.telegram.org/bots/api#stopmessagelivelocation	Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036870636.000002110B4C1000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039291619.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2038825071.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2037522955.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036990859.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://core.telegram.org/bots/api#chatlocation	Q3pEXxmWAD.exe, 00000002.00000003.2040081091.000002110B514000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110AFAB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110AFAB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255779775.000002110B280000.00000004.00001000.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110AF98000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110AFA2000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110AF93000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://curl.haxx.se/rfc/cookie_spec.html	Q3pEXxmWAD.exe, 00000002.00000002.3258134310.000002110BBD0000.00000004.00001000.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046801194.000002110B6A6000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046398537.000002110B7EB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047467606.000002110B6BB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://urllib3.readthedocs.io/en/latest/advanced-usage.html#https-proxy-error-http-proxy	Q3pEXxmWAD.exe, 00000002.00000002.3257991414.000002110BAD0000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://core.telegram.org/bots/api#inlinequeryresultcontact	Q3pEXxmWAD.exe, 00000002.00000003.2053122954.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046801194.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2042184831.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2056356906.000002110B11F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043412066.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255597757.000002110B120000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://core.telegram.org/bots/api#inlinequeryresultcachedvideo	Q3pEXxmWAD.exe, 00000002.00000003.2053122954.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046801194.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2042184831.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2056356906.000002110B11F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043412066.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255597757.000002110B120000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://core.telegram.org/bots/api#setmyname	Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036870636.000002110B4C1000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039291619.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2038825071.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2037522955.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036990859.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://core.telegram.org/bots/api#inlinequeryresultaudio	Q3pEXxmWAD.exe, 00000002.00000003.2053122954.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046801194.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2042184831.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043412066.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://core.telegram.org/bots/api#successfulpayment	Q3pEXxmWAD.exe, 00000002.00000003.2045494816.000002110B65E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2056356906.000002110B11F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2042802217.000002110B66E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046801194.000002110B65E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2053122954.000002110B65E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2042184831.000002110B69C000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255597757.000002110B120000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B65E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://core.telegram.org/bots/api#backgroundtypechattheme	Q3pEXxmWAD.exe, 00000002.00000003.2039903383.000002110B8CE000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043082947.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046801194.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2045494816.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2054533904.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041008281.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255930055.000002110B3B0000.00000004.00001000.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://core.telegram.org/bots/api#setchatmenubutton	Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036870636.000002110B4C1000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039291619.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2038825071.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2037522955.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036990859.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://core.telegram.org/bots/api#document	Q3pEXxmWAD.exe, 00000002.00000003.2045494816.000002110B65E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041008281.000002110B66E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2042802217.000002110B66E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041008281.000002110B510000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046801194.000002110B65E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B50D000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2053122954.000002110B65E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2045494816.000002110B50D000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043082947.000002110B50D000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2054533904.000002110B50D000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046801194.000002110B50D000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B65E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043861852.000002110B50E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://core.telegram.org/bots/api#copymessages	Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036870636.000002110B4C1000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039291619.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2038825071.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2037522955.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036990859.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://core.telegram.org/bots/api#inlinequeryresultvenue	Q3pEXxmWAD.exe, 00000002.00000003.2053122954.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046801194.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2042184831.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2056356906.000002110B11F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043412066.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255597757.000002110B120000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://core.telegram.org/bots/api#hidegeneralforumtopic	Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036870636.000002110B4C1000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039291619.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2038825071.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2037522955.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036990859.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader	Q3pEXxmWAD.exe, 00000002.00000002.3253737288.0000021109078000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2031692203.0000021109090000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255008842.000002110AD10000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2031195401.00000211090A9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/python/cpython/issues/86361.	Q3pEXxmWAD.exe, 00000002.00000003.2035347309.000002110B073000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036287140.000002110B07A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036375396.000002110B0FA000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255008842.000002110AD10000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2035246765.000002110B0FA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://core.telegram.org/bots/api#keyboardbuttonpolltype	Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://core.telegram.org/bots/api#backgroundtypefill	Q3pEXxmWAD.exe, 00000002.00000003.2039903383.000002110B8CE000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043082947.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043082947.000002110B5B9000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040460336.000002110B5C8000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110AFAB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046801194.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2045494816.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110AFAB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2045494816.000002110B5B9000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2054533904.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041008281.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043861852.000002110B5B9000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110AF98000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110AFA2000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110AF93000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041008281.000002110B5BF000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://core.telegram.org/bots/api#setmessagereaction	Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110AFEB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2037522955.000002110AFF2000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110AFEB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036870636.000002110B4C1000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110AFEB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2038825071.000002110AFF2000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2038825071.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2038179352.000002110AFF1000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110AFEB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110AFEB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2037522955.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036990859.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039291619.000002110AFF0000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036990859.000002110AFF1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://mail.python.org/pipermail/python-dev/2012-June/120787.html.	Q3pEXxmWAD.exe, 00000002.00000002.3255643308.000002110B140000.00000004.00001000.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3254796752.000002110AB10000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://core.telegram.org/bots/api#chatmemberupdated	Q3pEXxmWAD.exe, 00000002.00000003.2045494816.000002110B65E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041008281.000002110B66E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2042802217.000002110B66E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046801194.000002110B65E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110AFAB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110AFAB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040054615.000002110B124000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2053122954.000002110B65E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110AF98000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110AFA2000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110AF93000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B65E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://core.telegram.org/bots/api#setchatphoto	Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036870636.000002110B4C1000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039291619.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2038825071.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2037522955.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036990859.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://httpbin.org/	Q3pEXxmWAD.exe, 00000002.00000003.2048600214.000002110B7C1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://core.telegram.org/bots/api#createinvoicelink	Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036870636.000002110B4C1000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039291619.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2038825071.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2037522955.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036990859.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://core.telegram.org/bots/api#inlinequeryresultcachedphoto	Q3pEXxmWAD.exe, 00000002.00000003.2053122954.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046801194.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2042184831.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2056356906.000002110B11F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043412066.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255597757.000002110B120000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://core.telegram.org/bots/api#restrictchatmember	Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036870636.000002110B4C1000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039291619.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2038825071.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2037522955.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036990859.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.cl.cam.ac.uk/~mgk25/iso-time.html	Q3pEXxmWAD.exe, 00000002.00000003.2032571621.000002110B005000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2032762840.000002110AFBE000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2032872948.000002110B020000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2032762840.000002110B01C000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2032628407.000002110AFB7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://core.telegram.org/bots/api#inlinequeryresultcachedgif	Q3pEXxmWAD.exe, 00000002.00000003.2053122954.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046801194.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2042184831.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2056356906.000002110B11F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043412066.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255597757.000002110B120000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://core.telegram.org/bots/api#sendanimation	Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036870636.000002110B4C1000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039291619.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2038825071.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2037522955.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036990859.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://core.telegram.org/bots/api#getmyshortdescription	Q3pEXxmWAD.exe, 00000002.00000002.3255643308.000002110B140000.00000004.00001000.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036870636.000002110B4C1000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2038825071.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2037522955.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036990859.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://core.telegram.org/bots/api#banchatmember	Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036870636.000002110B4C1000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039291619.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2038825071.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2037522955.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036990859.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://core.telegram.org/bots/api#userprofilephotos	Q3pEXxmWAD.exe, 00000002.00000003.2036870636.000002110B4C1000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110AFAB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110AFAB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255779775.000002110B280000.00000004.00001000.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255008842.000002110AD10000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110AF98000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110AFA2000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110AF93000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://core.telegram.org/bots/api#createchatinvitelink	Q3pEXxmWAD.exe, 00000002.00000003.2036870636.000002110B4C1000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255008842.000002110AD10000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://core.telegram.org/bots/api#inputmediaanimation	Q3pEXxmWAD.exe, 00000002.00000003.2053122954.000002110B636000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2056356906.000002110B11F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041008281.000002110B636000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040081091.000002110B514000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046801194.000002110B636000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2045494816.000002110B636000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043082947.000002110B636000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255597757.000002110B120000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B636000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535	Q3pEXxmWAD.exe, 00000002.00000003.2045494816.000002110B65E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046801194.000002110B65E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046437795.000002110B6FA000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B6FA000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2053122954.000002110B65E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2054691134.000002110B6FA000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2044723333.000002110B6FA000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B65E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://core.telegram.org/bots/api#animation	Q3pEXxmWAD.exe, 00000002.00000003.2053122954.000002110B636000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2056356906.000002110B11F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041008281.000002110B636000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046801194.000002110B636000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2045494816.000002110B636000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043082947.000002110B636000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255597757.000002110B120000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B636000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://core.telegram.org/bots/api#maskposition	Q3pEXxmWAD.exe, 00000002.00000003.2053122954.000002110B636000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2056356906.000002110B11F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041008281.000002110B636000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046801194.000002110B636000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2045494816.000002110B636000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043082947.000002110B636000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255597757.000002110B120000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B636000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://core.telegram.org/bots/api#menubuttoncommands	Q3pEXxmWAD.exe, 00000002.00000003.2039903383.000002110B8CE000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3257675506.000002110B8C0000.00000004.00001000.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255930055.000002110B3B0000.00000004.00001000.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://core.telegram.org/bots/api#linkpreviewoptions	Q3pEXxmWAD.exe, 00000002.00000003.2039903383.000002110B8CE000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043082947.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046801194.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2045494816.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2054533904.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041008281.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://core.telegram.org/bots/api#setstickerpositioninset	Q3pEXxmWAD.exe, 00000002.00000003.2036870636.000002110B4C1000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110AFAB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2038825071.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110AFAB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2037522955.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036990859.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110AF98000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2038179352.000002110AFDC000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110AFA2000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110AF93000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039291619.000002110AFDC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tools.ietf.org/html/rfc6125#section-6.4.3	Q3pEXxmWAD.exe, 00000002.00000002.3257991414.000002110BAD0000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://core.telegram.org/bots/api#backgroundtypewallpaper	Q3pEXxmWAD.exe, 00000002.00000003.2039903383.000002110B8CE000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043082947.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046801194.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2045494816.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2054533904.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041008281.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://core.telegram.org/bots/api#getforumtopiciconstickers	Q3pEXxmWAD.exe, 00000002.00000002.3255214542.000002110AE40000.00000004.00001000.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036870636.000002110B4C1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://core.telegram.org/bots/api#inputlocationmessagecontent	Q3pEXxmWAD.exe, 00000002.00000003.2053122954.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046801194.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2042184831.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043412066.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://core.telegram.org/bots/api#sendinvoice	Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036870636.000002110B4C1000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039291619.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2038825071.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2037522955.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036990859.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://core.tele	Q3pEXxmWAD.exe, 00000002.00000003.2039291619.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2038825071.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2037522955.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036990859.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://core.telegram.org/bots/api#botdescription	Q3pEXxmWAD.exe, 00000002.00000003.2039903383.000002110B8CE000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3257675506.000002110B8C0000.00000004.00001000.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://google.com/mail	Q3pEXxmWAD.exe, 00000002.00000003.2046437795.000002110B778000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2044723333.000002110B778000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2053122954.000002110B758000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B758000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110AF40000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.telegram.org/file/bot	Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.phys.uu.nl/~vgent/calendar/isocalendar.htm	Q3pEXxmWAD.exe, 00000002.00000003.2032571621.000002110B005000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2032762840.000002110AFBE000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2032872948.000002110B020000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2032762840.000002110B01C000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2032628407.000002110AFB7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://core.telegram.org/bots/api#backgroundfillsolid	Q3pEXxmWAD.exe, 00000002.00000003.2039903383.000002110B8CE000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043082947.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046801194.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2045494816.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3257675506.000002110B8C0000.00000004.00001000.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2054533904.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041008281.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://core.telegram.org/bots/api#copymessage	Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036870636.000002110B4C1000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039291619.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2038825071.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2037522955.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036990859.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://core.telegram.org/bots/api#inlinequeryresultmpeg4gif	Q3pEXxmWAD.exe, 00000002.00000003.2053122954.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046801194.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2042184831.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2056356906.000002110B11F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043412066.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255597757.000002110B120000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://core.telegram.org/bots/api#inlinekeyboardmarkup	Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B65E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043861852.000002110B50E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://core.telegram.org/bots/api#unpinallchatmessages	Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036870636.000002110B4C1000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039291619.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2038825071.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2037522955.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036990859.000002110B0B4000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tools.ietf.	Q3pEXxmWAD.exe, 00000002.00000003.2046437795.000002110B778000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2044723333.000002110B778000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2053122954.000002110B758000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B758000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://core.telegram.org/bots/api#chatinvitelink	Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2053122954.000002110B636000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043082947.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041008281.000002110B636000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040081091.000002110B514000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046801194.000002110B636000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2045494816.000002110B636000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046801194.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2045494816.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2054533904.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041008281.000002110B58A000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043082947.000002110B636000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B636000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://core.telegram.org/bots/api#deletechatstickerset	Q3pEXxmWAD.exe, 00000002.00000003.2037522955.000002110B073000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039291619.000002110B073000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2036870636.000002110B4C1000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255362338.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://core.telegram.org/bots/api#inlinequeryresultvideo	Q3pEXxmWAD.exe, 00000002.00000003.2053122954.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2046801194.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3256115360.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2042184831.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2056356906.000002110B11F000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043569177.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2047533967.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2043412066.000002110B60E000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2039967491.000002110B5AB000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000002.3255597757.000002110B120000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2040326494.000002110B606000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2055776137.000002110B031000.00000004.00000020.00020000.00000000.sdmp, Q3pEXxmWAD.exe, 00000002.00000003.2041925607.000002110B031000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
141.94.96.195	pool-fr.supportxmr.com	Germany		680	DFNVereinzurFoerderungeinesDeutschenForschungsnetzese	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1479908
Start date and time:	2024-07-24 10:57:11 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 40s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	41
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Q3pEXxmWAD.exe renamed because original name is a hash value
Original Sample Name:	f468ae483026819d6977e2a5e34ea52a.exe
Detection:	MAL
Classification:	mal100.adwa.spyw.evad.mine.winEXE@67/73@1/1
EGA Information:	Successful, ratio: 80%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 52.165.165.26, 20.3.187.198, 20.166.126.56
Excluded domains from analysis (whitelisted): fe3.delivery.mp.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target Blsvr.exe, PID 1352 because it is empty
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.

Simulations

Behavior and APIs

Time	Type	Description
04:58:04	API Interceptor	2x Sleep call for process: Blsvr.exe modified
10:58:05	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
141.94.96.195	http://pool.supportxmr.com	Get hash	malicious	Unknown	Browse	pool.supportxmr.com/favicon.ico

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
pool-fr.supportxmr.com	file.exe	Get hash	malicious	Amadey, Babadeda, Stealc, Vidar, Xmrig	Browse	141.94.96.71
	kWYLtJ0Cn1.exe	Get hash	malicious	LoaderBot, Xmrig	Browse	141.94.96.195
	updater.exe	Get hash	malicious	Xmrig	Browse	141.94.96.71
	xjSglbp263.exe	Get hash	malicious	Xmrig	Browse	141.94.96.71
	gwRQinPOHB.exe	Get hash	malicious	Xmrig	Browse	141.94.96.195
	FieroHack.exe	Get hash	malicious	Xmrig	Browse	141.94.96.195
	FieroHack.exe	Get hash	malicious	LummaC, Xmrig	Browse	141.94.96.195
	gVRqUej0ci.exe	Get hash	malicious	Xmrig	Browse	141.94.96.71
	h2UFp4aCRq.exe	Get hash	malicious	LoaderBot, Xmrig	Browse	141.94.96.144
	setup.exe	Get hash	malicious	LummaC, Python Stealer, Amadey, LummaC Stealer, Monster Stealer, PureLog Stealer, RedLine	Browse	141.94.96.71
bg.microsoft.map.fastly.net	Building Made Easy Proposal .pdf	Get hash	malicious	Unknown	Browse	199.232.210.172
	http://www.equilibriumwaste.co.za	Get hash	malicious	Unknown	Browse	199.232.210.172
	VeNObWIHOOHWfIx.exe	Get hash	malicious	FormBook	Browse	199.232.214.172
	1721804764a66192ba8849c107aecf73332780289e57101d88022de3de452c4d4afc349344344.dat-decoded.exe	Get hash	malicious	AsyncRAT, DcRat	Browse	199.232.210.172
	INV-23072024.vbs	Get hash	malicious	AsyncRAT, DcRat	Browse	199.232.214.172
	WLF-PO240724.exe	Get hash	malicious	FormBook	Browse	199.232.214.172
	Cheque.js	Get hash	malicious	AgentTesla	Browse	199.232.210.172
	SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.25959.6491.exe	Get hash	malicious	Unknown	Browse	199.232.214.172
	https://www.girisim.io/	Get hash	malicious	Unknown	Browse	199.232.210.172
	https://app-min-bankid-no.codeanyapp.com/well-known/AHDY/populaire/securpass.html	Get hash	malicious	Unknown	Browse	199.232.214.172

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
DFNVereinzurFoerderungeinesDeutschenForschungsnetzese	83M0VAEEuh.exe	Get hash	malicious	WhiteSnake Stealer	Browse	131.188.40.189
	wAO7F8FbEz.elf	Get hash	malicious	Unknown	Browse	141.32.67.218
	yIRn1ZmsQF.elf	Get hash	malicious	Unknown	Browse	130.183.202.80
	0GJSC4Ua2K.elf	Get hash	malicious	Unknown	Browse	141.41.31.138
	kWYLtJ0Cn1.exe	Get hash	malicious	LoaderBot, Xmrig	Browse	141.94.96.144
	Fzfee1Lgc2.elf	Get hash	malicious	Unknown	Browse	137.248.101.131
	gUJak0onLk.elf	Get hash	malicious	Unknown	Browse	139.6.220.162
	updater.exe	Get hash	malicious	Xmrig	Browse	141.94.96.195
	http://nys-ns.com/	Get hash	malicious	Unknown	Browse	141.95.124.137
	http://nys-ns.com/	Get hash	malicious	Unknown	Browse	141.95.124.137

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\_MEI50042\_bz2.pyd	SecuriteInfo.com.Win64.Malware-gen.26781.23689.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.FileRepMalware.12911.13114.exe	Get hash	malicious	Unknown	Browse
	ip_new.exe	Get hash	malicious	Unknown	Browse
	tool.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.FileRepMalware.30979.22180.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Trojan.GenericKD.71496926.20240.16491.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.HEUR.Trojan-PSW.Python.Agent.gen.20299.21858.exe	Get hash	malicious	Discord Token Stealer	Browse
	SecuriteInfo.com.Trojan.PWS.Stealer.35370.10650.6262.exe	Get hash	malicious	Luna Logger	Browse
	QuackMod.exe	Get hash	malicious	Unknown	Browse
C:\Users\user\AppData\Local\Temp\_MEI50042\VCRUNTIME140.dll	PqeSvE23O1.exe	Get hash	malicious	Unknown	Browse
	botShell9.exe	Get hash	malicious	Unknown	Browse
	pharaoh.exe	Get hash	malicious	Unknown	Browse
	PDFv_82526614.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Win64.Evo-gen.29709.21053.exe	Get hash	malicious	Unknown	Browse
	Built.exe	Get hash	malicious	Blank Grabber	Browse
	Hy8tOvpeSV.exe	Get hash	malicious	Unknown	Browse
	Antilose 2.0.exe	Get hash	malicious	XWorm	Browse
	https://github.com/AccentuSoft/LinkScope_Client/releases/download/v1.6.2/LinkScope_Installer.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Win32.Evo-gen.6791.6790.exe	Get hash	malicious	Python Stealer, CStealer, Xmrig	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\_MEI50042\Blsvr.exe

Download File

Process:	C:\Users\user\Desktop\Q3pEXxmWAD.exe
File Type:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	5701632
Entropy (8bit):	7.7339181361147675
Encrypted:	false
SSDEEP:	98304:MC1R5Ydjykb9bMC9HLoR0OV/rLu4zFEuifdcpUaRMHt:M8kb9AClufpwfdcWaRMH
MD5:	4781C53D9BB1CB237B653C687028203D
SHA1:	16A27B614D5EB2500C1CBE0AA25048D27363598F
SHA-256:	2B6AE672822198B68503B3D37D12025C9D4FC1B7E24ED833F349ECC6FBBFC655
SHA-512:	6D7B70CBD775598674D85F01B69F3BE038B4BF95C8F222C2B7C38E1EC7D379CD747B37DBF50DF0440DBB771A85D67C2324B80682CF569F0AA41703D03054AD94
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 79%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.....Jd...............&......V................@..............................W.......W...`... ...............................................W.4....@W..-....V.\|............pW.0........................... .V.(.....................W.P............................text...............................`..`.data.....T.......T.................@....rdata...7....V..8...dV.............@..@.pdata..\|.....V.......V.............@..@.xdata........V.......V.............@..@.bss..........V..........................idata..4.....W.......V.............@....CRT....`.... W.......V.............@....tls.........0W.......V.............@....rsrc....-...@W.......V.............@....reloc..0....pW.......V.............@..B........................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI50042\VCRUNTIME140.dll

Download File

Process:	C:\Users\user\Desktop\Q3pEXxmWAD.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	119192
Entropy (8bit):	6.6016214745004635
Encrypted:	false
SSDEEP:	1536:+qvQ1Dj2DkX7OcujarvmdlYNABCmgrP4ddbkZIecbWcFML/UXzlghzdMFw84hzk:+qvQ1D2CreiABCmgYecbWVLUD6h+b4ho
MD5:	BE8DBE2DC77EBE7F88F910C61AEC691A
SHA1:	A19F08BB2B1C1DE5BB61DAF9F2304531321E0E40
SHA-256:	4D292623516F65C80482081E62D5DADB759DC16E851DE5DB24C3CBB57B87DB83
SHA-512:	0DA644472B374F1DA449A06623983D0477405B5229E386ACCADB154B43B8B083EE89F07C3F04D2C0C7501EAD99AD95AECAA5873FF34C5EEB833285B598D5A655
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: PqeSvE23O1.exe, Detection: malicious, Browse Filename: botShell9.exe, Detection: malicious, Browse Filename: pharaoh.exe, Detection: malicious, Browse Filename: PDFv_82526614.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win64.Evo-gen.29709.21053.exe, Detection: malicious, Browse Filename: Built.exe, Detection: malicious, Browse Filename: Hy8tOvpeSV.exe, Detection: malicious, Browse Filename: Antilose 2.0.exe, Detection: malicious, Browse Filename: , Detection: malicious, Browse Filename: SecuriteInfo.com.Win32.Evo-gen.6791.6790.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........N.../c../c../c._]b./c..W.../c../b./c../c../c...`./c...g./c...f./c...c./c....../c...a./c.Rich./c.........................PE..d.....cW.........." ...&. ...d......................................................-.....`A.........................................e..4...4m...........................O...........N..p............................L..@............0...............................text...&........................... ..`fothk........ ...................... ..`.rdata..\C...0...D...$..............@..@.data...p............h..............@....pdata...............l..............@..@_RDATA...............x..............@..@.rsrc................z..............@..@.reloc...............~..............@..B................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI50042\_bz2.pyd

Download File

Process:	C:\Users\user\Desktop\Q3pEXxmWAD.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	84760
Entropy (8bit):	6.5692755156011025
Encrypted:	false
SSDEEP:	1536:cfz7OThu5JLlHRGxlDAwGzzVXU8dhkb48UlIyCVJ7SyMxD:cfzSFlDlCHdhkmlIyCVJU
MD5:	AFAA11704FDA2ED686389080B6FFCB11
SHA1:	9A9C83546C2E3B3CCF823E944D5FD07D22318A1B
SHA-256:	AB34B804DA5B8E814B2178754D095A4E8AEAD77EEFD3668DA188769392CDB5F4
SHA-512:	DE23BB50F1D416CF4716A5D25FE12F4B66E6226BB39E964D0DE0FEF1724D35B48C681809589C731D3061A97C62B4DC7B9B7DFE2978F196F2D82CCCE286BE8A2A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: SecuriteInfo.com.Win64.Malware-gen.26781.23689.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.FileRepMalware.12911.13114.exe, Detection: malicious, Browse Filename: ip_new.exe, Detection: malicious, Browse Filename: tool.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.FileRepMalware.30979.22180.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Trojan.GenericKD.71496926.20240.16491.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.HEUR.Trojan-PSW.Python.Agent.gen.20299.21858.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Trojan.PWS.Stealer.35370.10650.6262.exe, Detection: malicious, Browse Filename: QuackMod.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........<..R..R..R......R...S..R.....R...W..R...V..R...Q..R...S..R..S..R..S..R..._..R...R..R......R...P..R.Rich.R.........................PE..d....(ne.........." ...%.....^...............................................P.......i....`.........................................p...H............0....... .. ......../...@..........T...........................p...@............................................text...7........................... ..`.rdata..L>.......@..................@..@.data...............................@....pdata.. .... ......................@..@.rsrc........0......................@..@.reloc.......@......................@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI50042\_ctypes.pyd

Download File

Process:	C:\Users\user\Desktop\Q3pEXxmWAD.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	124696
Entropy (8bit):	6.043702317006711
Encrypted:	false
SSDEEP:	3072:DJMe7jc823LQHUlYsNZfLIbKV6pJfJIyLPKZ:DWeoL0GNZfLIbCcJfi
MD5:	78DF76AA0FF8C17EDC60376724D206CD
SHA1:	9818BD514D3D0FC1749B2D5EF9E4D72D781B51DD
SHA-256:	B75560DB79BA6FB56C393A4886EEDD72E60DF1E2F7F870FE2E356D08155F367B
SHA-512:	6189C1BD56DB5B7A9806960BC27742D97D2794ACEBC32E0A5F634FE0FF863E1775DCF90224504D5E2920A1192A3C1511FB84D41D7A2B69C67D3BDFBAB2F968FA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........X...X...X...Q.*.^...M...Z...M...T...M...P...M...\...b...Z.......Y.......^.......[...X.......b...^...b...Y...b.F.Y...b...Y...RichX...........PE..d....'ne.........." ...%.............\..............................................\.....`..........................................Q.......Q..................P......../..............T...........................`...@............................................text............................... ..`.rdata..2m.......n..................@..@.data...$=...p...8...`..............@....pdata..P...........................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI50042\_decimal.pyd

Download File

Process:	C:\Users\user\Desktop\Q3pEXxmWAD.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	253720
Entropy (8bit):	6.556660448912721
Encrypted:	false
SSDEEP:	6144:JFrhZMm47r6aA2MQbPS4ELT4zH2n9qWM53pLW1A+tARs4:JFrhV4qaA2ffEozWa0ARD
MD5:	33F721F1CBB413CD4F26FE0ED4A597E7
SHA1:	476D5FAB7B2DB3F53B90B7CC6099D5541E72883E
SHA-256:	080D0FBBFF68D17B670110C95210347BE7B8AB7C385F956F123A66DC2F434AB3
SHA-512:	8FBC82AF0FE063C4EB8FDEFAE5650924AC607BE54B81C4D51064CA720BB85BFC9E1705BA93DF5BE6ADD156A6B360DD1F700618862877E28DE7C13E21B470B507
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........mBP\.,.\.,.\.,.Ut..R.,.Is-.^.,.Is).Q.,.Is(.T.,.Is/.X.,.f.-._.,..t-.^.,.\.-...,.f./.].,.f.!.S.,.f.,.].,.f...].,.f...].,.Rich\.,.........PE..d....'ne.........." ...%.x...<............................................................`..........................................T..P....T..................`'......./......P.......T...........................p...@............................................text...5w.......x.................. ..`.rdata...............\|..............@..@.data....*...p...$...T..............@....pdata..`'.......(...x..............@..@.rsrc...............................@..@.reloc..P...........................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI50042\_hashlib.pyd

Download File

Process:	C:\Users\user\Desktop\Q3pEXxmWAD.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	65304
Entropy (8bit):	6.25487370026842
Encrypted:	false
SSDEEP:	1536:nuY1lTorKn+zF9G0pLOjWNBgdIyOI8f7SyxxUx:nuY+9GIOjiBgdIyOI8fY
MD5:	534902BE1D8A57974EFD025AFF4F11EF
SHA1:	1179C6153DC52F72C29FE1591DC9A889C2E229E9
SHA-256:	30ADFB86513282E59D7E27968E1FF6686E43B8559994A50C17BE66D0789F82B3
SHA-512:	7F0CDCF8576FAF30FC8104B9BC9586D85AD50B7803074A7BCAA192EED05B1E2BD988A91873554FB63F204FCAD86C667E95755C5FF13C43F96DC334EF3EA37240
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........>@j.P.j.P.j.P.c...n.P...Q.h.P...U.f.P...T.b.P...S.i.P.PaQ.h.P.!.Q.h.P...Q.i.P.j.Q...P.Pa].k.P.PaP.k.P.Pa..k.P.PaR.k.P.Richj.P.........PE..d... (ne.........." ...%.T...~......0@..............................................a_....`.............................................P................................/......X...P}..T............................\|..@............p..0............................text....S.......T.................. ..`.rdata..rO...p...P...X..............@..@.data...8...........................@....pdata..............................@..@.rsrc...............................@..@.reloc..X...........................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI50042\_lzma.pyd

Download File

Process:	C:\Users\user\Desktop\Q3pEXxmWAD.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	159000
Entropy (8bit):	6.852849132106876
Encrypted:	false
SSDEEP:	3072:Bl2grSWcJSEoLSHK/znfU9mNo2s2AaK5VlIyZ1Zxzp:Blh2nJ9a8YO2u7rp
MD5:	2AE2464BFCC442083424BC05ED9BE7D2
SHA1:	F64B100B59713E51D90D2E016B1FE573B6507B5D
SHA-256:	64BA475A28781DCA81180A1B8722A81893704F8D8FAC0B022C846FDCF95B15B9
SHA-512:	6C3ACD3DCAE733452AD68477417693AF64A7D79558E8EC9F0581289903C2412E2F29195B90E396BFDCD765337A6DEA9632E4B8D936AC39B1351CD593CB12CE27
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......RH...)t..)t..)t..Q...)t..Vu..)t..Vq..)t..Vp..)t..Vw..)t.,.u..)t.]Qu..)t..)u.p)t.,.y.,)t.,.t..)t.,....)t.,.v..)t.Rich.)t.................PE..d...#(ne.........." ...%.b..........P6....................................................`..........................................%..L...L%..x....p.......P.......>.../......8.......T...........................p...@............................................text....a.......b.................. ..`.rdata..............f..............@..@.data........@......................@....pdata.......P......................@..@.rsrc........p.......2..............@..@.reloc..8............<..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI50042\_queue.pyd

Download File

Process:	C:\Users\user\Desktop\Q3pEXxmWAD.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	32536
Entropy (8bit):	6.445663619180805
Encrypted:	false
SSDEEP:	768:y+yFV6rXzmxU9JIyQUM5YiSyvKtp/AMxkEj:y+wEXzWU9JIyQU27Sy4xH
MD5:	DBD3C2C0A348A44A96D76100690C606D
SHA1:	04E901EAC1161255ADB16155459AC50F124B30A6
SHA-256:	2BFD8459BA01C741D676F79EE96802FB2C29CB30F50301D67FDE8BBCE8E7E7D4
SHA-512:	99FEE97C272BFFF4515407D588B2761AF7BE39A83BE070E01128FBA71FF75404FBAD6352BCDBE5465786CE86A6550F47B177D022CCB53F32F5A482DB61BEE3B4
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Z2.X.Sa..Sa..Sa..+...Sa..,`..Sa..,d..Sa..,e..Sa..,b..Sa.$.`..Sa.U+`..Sa..S`.TSa.$.l..Sa.$.a..Sa.$...Sa.$.c..Sa.Rich.Sa.................PE..d....'ne.........." ...%.....8...........................................................`..........................................C..L....C..d....p.......`.......P.../..........p4..T...........................03..@............0..0............................text............................... ..`.rdata..R....0......................@..@.data...x....P.......<..............@....pdata.......`.......@..............@..@.rsrc........p.......D..............@..@.reloc...............N..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI50042\_socket.pyd

Download File

Process:	C:\Users\user\Desktop\Q3pEXxmWAD.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	79640
Entropy (8bit):	6.288109761411876
Encrypted:	false
SSDEEP:	1536:sRbflgPFXDclujZ9/s+S+pzpGkTFVf7KJIyLw57SyCxz7:sDm1EujZ9/sT+pz0KFVTKJIyLw567
MD5:	11B7936A5BD929CC76AC3F4F137B5236
SHA1:	09CB712FA43DC008EB5185481A5080997AFF82AB
SHA-256:	8956B11C07D08D289425E7240B8FA37841A27C435617DBBD02BFE3F9405F422B
SHA-512:	7B050DF283A0AD4295A5BE47B99D7361F49A3CFD20691E201C5DA5349A9EB8F5710AB3A26A66D194567539660ED227411485F4EDF2269567A55A6B8CCFD71096
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........h...............q.......v.......v.......v.......v.......................q........................l.............Rich....................PE..d....(ne.........." ...%.l...........%.......................................P............`.............................................P............0....... ..x......../...@..........T...............................@............................................text....k.......l.................. ..`.rdata...t.......v...p..............@..@.data...............................@....pdata..x.... ......................@..@.rsrc........0......................@..@.reloc.......@......................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI50042\_ssl.pyd

Download File

Process:	C:\Users\user\Desktop\Q3pEXxmWAD.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	176920
Entropy (8bit):	5.956358505915276
Encrypted:	false
SSDEEP:	3072:hjIQQj5DC1z/39/2uXU6XjXylB9d43Olh59YL48PMrN/WgAlNiVlIyC7WN:Kj5mRPxbU6XjK4TLiVL
MD5:	0E9E6D6839D74AD40BB9F16CC6601B13
SHA1:	6671039088793F4BA42F5BD4409C26B1283CEAFA
SHA-256:	BCA1F490C9F7BA25CBBB4B39785DDA8AA651123E22D4E7EDC299B218C8157A81
SHA-512:	CB8742AE5DB83487C21BA17D9EFACA736DF49F8F3C4A72355EDE119717B83E0B4C6D94BD1C75A992ABAF4AB89502A805F81B2529E85FD6A656600D6E7B0C90F5
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............L...L...L..VL...L...M...L...M...L...M...L...M...L.f.M...Lc..M...L...L4..L..M...L.f.M...L.f.M...L.f:L...L.f.M...LRich...L........PE..d...#(ne.........." ...%............l+..............................................Y.....`.........................................0...d................................/......\|...P...T...............................@............................................text.............................. ..`.rdata...".......$..................@..@.data...............................@....pdata...............\..............@..@.rsrc................h..............@..@.reloc..\|............r..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI50042\base_library.zip

Download File

Process:	C:\Users\user\Desktop\Q3pEXxmWAD.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=store
Category:	dropped
Size (bytes):	1442277
Entropy (8bit):	5.590680301756823
Encrypted:	false
SSDEEP:	24576:mQR5pATG8/R5lUKdcubgAnyfb6/X0iwhmdmzNPFa0HHp:mQR5pE/RJvG
MD5:	81CD6D012885629791A9E3D9320C444E
SHA1:	53268184FDBDDF8909C349ED3C6701ABE8884C31
SHA-256:	A18892E4F2F2EC0DEE5714429F73A5ADD4E355D10A7BA51593AFC730F77C51DD
SHA-512:	D5BF47FAD8B1F5C7DCAA6BEF5D4553E461F46E6C334B33D8ADC93689CF89365C318F03E961A5D33994730B72DC8BDE62209BACA015D0D2D08A081D82DF7DFD73
Malicious:	false
Preview:	PK..........!.h%..b...b......._collections_abc.pyc............................................d.Z.d.d.l.m.Z.m.Z...d.d.l.Z...e.e.e.........................Z...e.d...............Z.d...Z...e.e...............Z.[.g.d...Z.d.Z...e...e.d.............................Z...e...e...e...........................................Z...e...e.i.................................................................Z...e...e.i.................................................................Z...e...e.i.................................................................Z...e...e.g.............................Z...e...e...e.g...........................................Z...e...e...e.d...........................................Z...e...e...e.d.d.z.............................................Z...e...e...e...........................................Z...e...e.d.............................Z ..e...e.d.............................Z!..e...e...e"..........................................Z#..e.i.......................................

C:\Users\user\AppData\Local\Temp\_MEI50042\certifi\cacert.pem

Download File

Process:	C:\Users\user\Desktop\Q3pEXxmWAD.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	292541
Entropy (8bit):	6.048162209044241
Encrypted:	false
SSDEEP:	6144:QW1x/M8fRR1jplkXURrVADwYCuCigT/Q5MSRqNb7d8iu5NF:QWb/TRJLWURrI55MWavdF0D
MD5:	D3E74C9D33719C8AB162BAA4AE743B27
SHA1:	EE32F2CCD4BC56CA68441A02BF33E32DC6205C2B
SHA-256:	7A347CA8FEF6E29F82B6E4785355A6635C17FA755E0940F65F15AA8FC7BD7F92
SHA-512:	E0FB35D6901A6DEBBF48A0655E2AA1040700EB5166E732AE2617E89EF5E6869E8DDD5C7875FA83F31D447D4ABC3DB14BFFD29600C9AF725D9B03F03363469B4C
Malicious:	false
Preview:	.# Issuer: CN=GlobalSign Root CA O=GlobalSign nv-sa OU=Root CA.# Subject: CN=GlobalSign Root CA O=GlobalSign nv-sa OU=Root CA.# Label: "GlobalSign Root CA".# Serial: 4835703278459707669005204.# MD5 Fingerprint: 3e:45:52:15:09:51:92:e1:b7:5d:37:9f:b1:87:29:8a.# SHA1 Fingerprint: b1:bc:96:8b:d4:f4:9d:62:2a:a8:9a:81:f2:15:01:52:a4:1d:82:9c.# SHA256 Fingerprint: eb:d4:10:40:e4:bb:3e:c7:42:c9:e3:81:d3:1e:f2:a4:1a:48:b6:68:5c:96:e7:ce:f3:c1:df:6c:d4:33:1c:99.-----BEGIN CERTIFICATE-----.MIIDdTCCAl2gAwIBAgILBAAAAAABFUtaw5QwDQYJKoZIhvcNAQEFBQAwVzELMAkG.A1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jv.b3QgQ0ExGzAZBgNVBAMTEkdsb2JhbFNpZ24gUm9vdCBDQTAeFw05ODA5MDExMjAw.MDBaFw0yODAxMjgxMjAwMDBaMFcxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9i.YWxTaWduIG52LXNhMRAwDgYDVQQLEwdSb290IENBMRswGQYDVQQDExJHbG9iYWxT.aWduIFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDaDuaZ.jc6j40+Kfvvxi4Mla+pIH/EqsLmVEQS98GPR4mdmzxzdzxtIK+6NiY6arymAZavp.xy0Sy6scTHAHoT0KMM0VjU/43dSMUBUc71DuxC73/OlS8pF94G3VNTCOXkNz

C:\Users\user\AppData\Local\Temp\_MEI50042\charset_normalizer\md.cp311-win_amd64.pyd

Download File

Process:	C:\Users\user\Desktop\Q3pEXxmWAD.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	10752
Entropy (8bit):	4.673454313041419
Encrypted:	false
SSDEEP:	96:KG+p72HzA5iJGhU2Y0hQMsQJCUCLsZEA4elh3XQMtCFliHUWQcX6g8cim1qeSju1:A2HzzU2bRYoeLHkcqgvimoe
MD5:	723EC2E1404AE1047C3EF860B9840C29
SHA1:	8FC869B92863FB6D2758019DD01EDBEF2A9A100A
SHA-256:	790A11AA270523C2EFA6021CE4F994C3C5A67E8EAAAF02074D5308420B68BD94
SHA-512:	2E323AE5B816ADDE7AAA14398F1FDB3EFE15A19DF3735A604A7DB6CADC22B753046EAB242E0F1FBCD3310A8FBB59FF49865827D242BAF21F44FD994C3AC9A878
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......B..............................M....................................... ...?.......?.......?.a.....?.......Rich............................PE..d...siAe.........." ...%.....................................................p............`..........................................'..p...`(..d....P.......@...............`..,...`#.............................. "..@............ ...............................text............................... ..`.rdata....... ......................@..@.data...8....0......."..............@....pdata.......@.......$..............@..@.rsrc........P.......&..............@..@.reloc..,....`.......(..............@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI50042\charset_normalizer\md__mypyc.cp311-win_amd64.pyd

Download File

Process:	C:\Users\user\Desktop\Q3pEXxmWAD.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	119296
Entropy (8bit):	5.872097486056729
Encrypted:	false
SSDEEP:	1536:OzgMw0g+m/+rxC9Jtd960WsCyqPD1/bZMlDML48Be9zGTVmZRJIRbvB:OsTH+VC9Jtd9VdCr7fMp/8yGTVmzmZ
MD5:	9EA8098D31ADB0F9D928759BDCA39819
SHA1:	E309C85C1C8E6CE049EEA1F39BEE654B9F98D7C5
SHA-256:	3D9893AA79EFD13D81FCD614E9EF5FB6AAD90569BEEDED5112DE5ED5AC3CF753
SHA-512:	86AF770F61C94DFBF074BCC4B11932BBA2511CAA83C223780112BDA4FFB7986270DC2649D4D3EA78614DBCE6F7468C8983A34966FC3F2DE53055AC6B5059A707
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........C..r...r...r......r...s...r...s...r...w...r...v..r...q...r.#.s...r...s...r..8z...r..8r...r..8....r..8p...r.Rich..r.........................PE..d...siAe.........." ...%...........0........................................ ............`.........................................p...d..........................................Px...............................w..@............@...............................text...X)......................... ..`.rdata...X...@...Z..................@..@.data...8=.......0..................@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI50042\libcrypto-3.dll

Download File

Process:	C:\Users\user\Desktop\Q3pEXxmWAD.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	5162776
Entropy (8bit):	5.958207976652471
Encrypted:	false
SSDEEP:	98304:S3+FRtLtlVriXpshX179Cahd4tC9P1+1CPwDvt3uFlDCi:ASRtLtvd99Cahd4tC9w1CPwDvt3uFlDz
MD5:	51E8A5281C2092E45D8C97FBDBF39560
SHA1:	C499C810ED83AAADCE3B267807E593EC6B121211
SHA-256:	2A234B5AA20C3FAECF725BBB54FB33F3D94543F78FA7045408E905593E49960A
SHA-512:	98B91719B0975CB38D3B3C7B6F820D184EF1B64D38AD8515BE0B8B07730E2272376B9E51631FE9EFD9B8A1709FEA214CF3F77B34EEB9FD282EB09E395120E7CB
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......./',.kFB.kFB.kFB.b>..yFB..:C.iFB..:G.gFB..:F.cFB..:A.oFB.kFC..FB. >C.`FB.;A.KFB.;F..EB.;B.jFB.;..jFB.;@.jFB.RichkFB.........................PE..d...x..e.........." ...#..6..*......v.........................................O.......O...`.........................................0.G.0.....M.@....0N.\|.....K.\.....N../...@N.....PsC.8............................qC.@.............M..............................text...4.6.......6................. ..`.rdata..`.....6.......6.............@..@.data....n....J..<....J.............@....pdata........K.......J.............@..@.idata...%....M..&....M.............@..@.00cfg..u.... N.......M.............@..@.rsrc...\|....0N.......M.............@..@.reloc..k....@N.......M.............@..B................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI50042\libffi-8.dll

Download File

Process:	C:\Users\user\Desktop\Q3pEXxmWAD.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	39696
Entropy (8bit):	6.641880464695502
Encrypted:	false
SSDEEP:	768:NiQfxQemQJNrPN+moyijAc5YiSyvkIPxWEqG:dfxIQvPkmoyijP7SytPxF
MD5:	0F8E4992CA92BAAF54CC0B43AACCCE21
SHA1:	C7300975DF267B1D6ADCBAC0AC93FD7B1AB49BD2
SHA-256:	EFF52743773EB550FCC6CE3EFC37C85724502233B6B002A35496D828BD7B280A
SHA-512:	6E1B223462DC124279BFCA74FD2C66FE18B368FFBCA540C84E82E0F5BCBEA0E10CC243975574FA95ACE437B9D8B03A446ED5EE0C9B1B094147CEFAF704DFE978
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........iV...8...8...8..p....8.t9...8.p9...8...9...8.t=...8.t<...8.t;...8.1t<...8.1t;...8.1t8...8.1t:...8.Rich..8.........................PE..d...Sh.c.........." ...".H...(.......L...............................................n....`......................................... l.......p..P...............P....l.../......,...@d...............................c..@............`.. ............................text....G.......H.................. ..`.rdata..h....`.......L..............@..@.data................b..............@....pdata..P............d..............@..@.reloc..,............j..............@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI50042\libssl-3.dll

Download File

Process:	C:\Users\user\Desktop\Q3pEXxmWAD.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	790296
Entropy (8bit):	5.607732992846443
Encrypted:	false
SSDEEP:	6144:7aO1lo7USZGjweMMHO4+xuVg7gCl2VdhMd1DdwMVn4TERUr3zgKpJJ/wknofFe9A:FkeMKOr97gCAE35gEGzLpwknofFe9XbE
MD5:	BFC834BB2310DDF01BE9AD9CFF7C2A41
SHA1:	FB1D601B4FCB29FF1B13B0D2ED7119BD0472205C
SHA-256:	41AD1A04CA27A7959579E87FBBDA87C93099616A64A0E66260C983381C5570D1
SHA-512:	6AF473C7C0997F2847EBE7CEE8EF67CD682DEE41720D4F268964330B449BA71398FDA8954524F9A97CC4CDF9893B8BDC7A1CF40E9E45A73F4F35A37F31C6A9C3
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........T..T..T..].3.Z....V......V....X....\....P....W..T..I....e....U.._.U....U..RichT..........PE..d......e.........." ...#.6..........K........................................0.......w....`..........................................w...Q..............s.... ..pM......./......`... ...8...............................@............................................text....4.......6.................. ..`.rdata...y...P...z...:..............@..@.data....N.......H..................@....pdata..XV... ...X..................@..@.idata..bc.......d...T..............@..@.00cfg..u...........................@..@.rsrc...s...........................@..@.reloc..?...........................@..B................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI50042\mnemonic\py.typed

Download File

Process:	C:\Users\user\Desktop\Q3pEXxmWAD.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	27
Entropy (8bit):	3.9265716511782736
Encrypted:	false
SSDEEP:	3:SZeW0FOoc:SZeRFHc
MD5:	48734178084EF7F5C250997C28F8BDEE
SHA1:	4D7BB7A1D9B08B32C6FFBAFCE440959D0BC19788
SHA-256:	6D67B0F661E0332F0BA8CBBB46EA905C55CB071876091C747546D2C7EDF0138F
SHA-512:	A227E9E2B7FC025767B4363544B4C4A675A123A853E68C740E659E662C354030F655B8FDA1D6CDF57B58CCA32A4757195F76D7A4A93048D334F047E7693F3335
Malicious:	false
Preview:	# Marker file for PEP 561..

C:\Users\user\AppData\Local\Temp\_MEI50042\mnemonic\wordlist\chinese_simplified.txt

Download File

Process:	C:\Users\user\Desktop\Q3pEXxmWAD.exe
File Type:	Unicode text, UTF-8 text
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	5.097279386012455
Encrypted:	false
SSDEEP:	192:RC/PE+flkDFk4kVOAUAIXYP9laqCFd5zJ007:R4E65uYPVCFLzJ
MD5:	0C5517AB8EDB22EA7A61E44B28E96DA7
SHA1:	F902EE7E96CE48DE6404ADF644FA40E260D949FF
SHA-256:	5C5942792BD8340CB8B27CD592F1015EDF56A8C5B26276EE18A482428E7C5726
SHA-512:	F5B6D696A6B75BDEEACD0E0742D31EAA06CD683BB3C149052D82E0D47039534B23C82FC47FB193C86FF2B7C2B22F73CCC48CC500F09ABC5E228998D9BC413EF7
Malicious:	false
Preview:	....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI50042\mnemonic\wordlist\chinese_traditional.txt

Download File

Process:	C:\Users\user\Desktop\Q3pEXxmWAD.exe
File Type:	Unicode text, UTF-8 text
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	5.099678321615091
Encrypted:	false
SSDEEP:	192:UPmINi9ODjMzdZmIBI3C8+o95uECRdDGrRPY2+PDv:Ucfz7lqyHo9RCz2wLPDv
MD5:	00D0909E346B52006D1E9EF680B5A5FC
SHA1:	33E401BEA63F83A5EA84D78DDC7161809EF77F0B
SHA-256:	417B26B3D8500A4AE3D59717D7011952DB6FC2FB84B807F3F94AC734E89C1B5F
SHA-512:	1E2689A48317A12A6B4A6A74DE2241380FEF57B250FAFE6AB00A479DB85D12661F8C33749240C9CEC6535ACD7F91E71DCBA0BB8A27D1D32A3B76FE34797CAD5B
Malicious:	false
Preview:	....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI50042\mnemonic\wordlist\czech.txt

Download File

Process:	C:\Users\user\Desktop\Q3pEXxmWAD.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	14945
Entropy (8bit):	4.229683397391918
Encrypted:	false
SSDEEP:	384:6kfPbFvdXqyyLlY3fIVKj7KyvKxv/FjZ305yyRvQcR5bJw:lbrXqyyLS31/Kyviv/FaAyttR59w
MD5:	38FD5E100D4604C2A844BB9BB9305975
SHA1:	33A09B9BC987AAA8560FFEF8A17459C99C63ED4A
SHA-256:	7E80E161C3E93D9554C2EFB78D4E3CEBF8FC727E9C52E03B83B94406BDCC95FC
SHA-512:	3D56A9D507B5B07A99B9D9924D8540944DD226D4B5050852027F09309A85513DB2E57C9186F70B8F8226C342C28EFCEDD1E8EDD507E1D39F8DA693CFAC0C39CA
Malicious:	false
Preview:	abdikace.abeceda.adresa.agrese.akce.aktovka.alej.alkohol.amputace.ananas.andulka.anekdota.anketa.antika.anulovat.archa.arogance.asfalt.asistent.aspirace.astma.astronom.atlas.atletika.atol.autobus.azyl.babka.bachor.bacil.baculka.badatel.bageta.bagr.bahno.bakterie.balada.baletka.balkon.balonek.balvan.balza.bambus.bankomat.barbar.baret.barman.baroko.barva.baterka.batoh.bavlna.bazalka.bazilika.bazuka.bedna.beran.beseda.bestie.beton.bezinka.bezmoc.beztak.bicykl.bidlo.biftek.bikiny.bilance.biograf.biolog.bitva.bizon.blahobyt.blatouch.blecha.bledule.blesk.blikat.blizna.blokovat.bloudit.blud.bobek.bobr.bodlina.bodnout.bohatost.bojkot.bojovat.bokorys.bolest.borec.borovice.bota.boubel.bouchat.bouda.boule.bourat.boxer.bradavka.brambora.branka.bratr.brepta.briketa.brko.brloh.bronz.broskev.brunetka.brusinka.brzda.brzy.bublina.bubnovat.buchta.buditel.budka.budova.bufet.bujarost.bukvice.buldok.bulva.bunda.bunkr.burza.butik.buvol.buzola.bydlet.bylina.bytovka.bzukot.capart.carevna.cedr.cedule.cejch.cej

C:\Users\user\AppData\Local\Temp\_MEI50042\mnemonic\wordlist\english.txt

Download File

Process:	C:\Users\user\Desktop\Q3pEXxmWAD.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	13116
Entropy (8bit):	4.2192956006819475
Encrypted:	false
SSDEEP:	192:DAvLtKog3W8jiD1/oLpsExUKqlyjn6SybkSoxIFg/7mSX30hB8OnqdE5HpF2gS2:MvLAog/I1wdsExXxigaSUvRj5r
MD5:	F23506956964FA69C98FA3FB5C8823B5
SHA1:	B2D5241AE027A0E40F06A33D909809A190F210FE
SHA-256:	2F5EED53A4727B4BF8880D8F3F199EFC90E58503646D9FF8EFF3A2ED3B24DBDA
SHA-512:	416C71BA30018EA292BB36CDC23C9329673485A8D8933266A9D9A7CC72153B8BAED3D430F52EAB4F5D3ADDF6583611B3777A50454599F1E42716F5F879621123
Malicious:	false
Preview:	abandon.ability.able.about.above.absent.absorb.abstract.absurd.abuse.access.accident.account.accuse.achieve.acid.acoustic.acquire.across.act.action.actor.actress.actual.adapt.add.addict.address.adjust.admit.adult.advance.advice.aerobic.affair.afford.afraid.again.age.agent.agree.ahead.aim.air.airport.aisle.alarm.album.alcohol.alert.alien.all.alley.allow.almost.alone.alpha.already.also.alter.always.amateur.amazing.among.amount.amused.analyst.anchor.ancient.anger.angle.angry.animal.ankle.announce.annual.another.answer.antenna.antique.anxiety.any.apart.apology.appear.apple.approve.april.arch.arctic.area.arena.argue.arm.armed.armor.army.around.arrange.arrest.arrive.arrow.art.artefact.artist.artwork.ask.aspect.assault.asset.assist.assume.asthma.athlete.atom.attack.attend.attitude.attract.auction.audit.august.aunt.author.auto.autumn.average.avocado.avoid.awake.aware.away.awesome.awful.awkward.axis.baby.bachelor.bacon.badge.bag.balance.balcony.ball.bamboo.banana.banner.bar.barely.bargain.barre

C:\Users\user\AppData\Local\Temp\_MEI50042\mnemonic\wordlist\french.txt

Download File

Process:	C:\Users\user\Desktop\Q3pEXxmWAD.exe
File Type:	Unicode text, UTF-8 text
Category:	dropped
Size (bytes):	16777
Entropy (8bit):	4.213242727095934
Encrypted:	false
SSDEEP:	384:6J+AAri16KDuR4ckw3ezywsNB7CJEu4XjooTiOPMk8YTCm:6IAYi16muR4GezyhNB7r0HG8EP
MD5:	F5905FD22FD0DEB0BE40F356204BA3FB
SHA1:	BCD81ED81906BDAB57D9700A23413A7E22487D0E
SHA-256:	EBC3959AB7801A1DF6BAC4FA7D970652F1DF76B683CD2F4003C941C63D517E59
SHA-512:	001B2E7D1D17416776FA5306E4F7EC5812F3F35CC26FDE46800A7DAB1412870AC8B779B0C2FEC1D75C24B80868E55BC5BFB88C8DED50C84040248B76A2C5332D
Malicious:	false
Preview:	abaisser.abandon.abdiquer.abeille.abolir.aborder.aboutir.aboyer.abrasif.abreuver.abriter.abroger.abrupt.absence.absolu.absurde.abusif.abyssal.acade.mie.acajou.acarien.accabler.accepter.acclamer.accolade.accroche.accuser.acerbe.achat.acheter.aciduler.acier.acompte.acque.rir.acronyme.acteur.actif.actuel.adepte.ade.quat.adhe.sif.adjectif.adjuger.admettre.admirer.adopter.adorer.adoucir.adresse.adroit.adulte.adverbe.ae.rer.ae.ronef.affaire.affecter.affiche.affreux.affubler.agacer.agencer.agile.agiter.agrafer.agre.able.agrume.aider.aiguille.ailier.aimable.aisance.ajouter.ajuster.alarmer.alchimie.alerte.alge.bre.algue.alie.ner.aliment.alle.ger.alliage.allouer.allumer.alourdir.alpaga.altesse.alve.ole.amateur.ambigu.ambre.ame.nager.amertume.amidon.amiral.amorcer.amour.amovible.amphibie.ampleur.amusant.analyse.anaphore.anarchie.anatomie.ancien.ane.antir.angle.angoisse.anguleux.animal.annexer.annonce.annuel.anodin.anomalie.anonyme.anormal.antenne.antidote.anxieux.apaiser.ape.ritif.a

C:\Users\user\AppData\Local\Temp\_MEI50042\mnemonic\wordlist\italian.txt

Download File

Process:	C:\Users\user\Desktop\Q3pEXxmWAD.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16033
Entropy (8bit):	4.007887655086134
Encrypted:	false
SSDEEP:	384:7TRlelKQfV+XsNs6d6NN5Qd3kR72+ImtKlhT3sdHy1WVO0iiG:7TmBtP7dwN5Qpi4lG1VO0a
MD5:	FBE635509A2859B7B6DE2C0F16F15ED8
SHA1:	C6214EB1CEC7B1EE8CBA1F317AC612C51881448A
SHA-256:	D392C49FDB700A24CD1FCEB237C1F65DCC128F6B34A8AACB58B59384B5C648C2
SHA-512:	D3DCA24CF03F04EEA1872D98C91748A8AA7AEAC6E2C885A99F2D452904A75FFCF271506DB369335726C0E3F7C8A6454935782586414B9AFFD2FE0EB004223DA1
Malicious:	false
Preview:	abaco.abbaglio.abbinato.abete.abisso.abolire.abrasivo.abrogato.accadere.accenno.accusato.acetone.achille.acido.acqua.acre.acrilico.acrobata.acuto.adagio.addebito.addome.adeguato.aderire.adipe.adottare.adulare.affabile.affetto.affisso.affranto.aforisma.afoso.africano.agave.agente.agevole.aggancio.agire.agitare.agonismo.agricolo.agrumeto.aguzzo.alabarda.alato.albatro.alberato.albo.albume.alce.alcolico.alettone.alfa.algebra.aliante.alibi.alimento.allagato.allegro.allievo.allodola.allusivo.almeno.alogeno.alpaca.alpestre.altalena.alterno.alticcio.altrove.alunno.alveolo.alzare.amalgama.amanita.amarena.ambito.ambrato.ameba.america.ametista.amico.ammasso.ammenda.ammirare.ammonito.amore.ampio.ampliare.amuleto.anacardo.anagrafe.analista.anarchia.anatra.anca.ancella.ancora.andare.andrea.anello.angelo.angolare.angusto.anima.annegare.annidato.anno.annuncio.anonimo.anticipo.anzi.apatico.apertura.apode.apparire.appetito.appoggio.approdo.appunto.aprile.arabica.arachide.aragosta.araldica.arancio.aratur

C:\Users\user\AppData\Local\Temp\_MEI50042\mnemonic\wordlist\japanese.txt

Download File

Process:	C:\Users\user\Desktop\Q3pEXxmWAD.exe
File Type:	Unicode text, UTF-8 text
Category:	dropped
Size (bytes):	26423
Entropy (8bit):	3.554983747162495
Encrypted:	false
SSDEEP:	768:OwUkxkf27FkrH9tW/JgODfFFuHgFFqfw8QCBdqLMCl:Ogxkf27FkrdtW/JgOD9FuHgFFqfwLidW
MD5:	C71FCA9FD3FE9F85514CB38A58859DE2
SHA1:	A4EC1DA6C11A8C251195C7AD90817DDA6FE64488
SHA-256:	2EED0AEF492291E061633D7AD8117F1A2B03EB80A29D0E4E3117AC2528D05FFD
SHA-512:	3FAF87F7E48EB6635F7D7B18A34E7DACBC2C43A1CF6AA9C96015B2A3549710B8B7A0961E5D2E32D7E369099DB89A874C4D761A8384FB558744C7F47CA8CB0772
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI50042\mnemonic\wordlist\korean.txt

Download File

Process:	C:\Users\user\Desktop\Q3pEXxmWAD.exe
File Type:	Unicode text, UTF-8 text
Category:	dropped
Size (bytes):	37832
Entropy (8bit):	3.7380887691649907
Encrypted:	false
SSDEEP:	384:m57ktAhYlpH/gN8G3Ufyy7+Lp5vx5fBECMLJbnSTyKeeHjbnHeRigUuVyS+sOpVl:MSWhGES2O/r6
MD5:	EC271D4926B82EF5C02AEFA7DD2DAAF4
SHA1:	6C5C5F38E75673D1CEA20F2700468ADC163D869B
SHA-256:	9E95F86C167DE88F450F0AAF89E87F6624A57F973C67B516E338E8E8B8897F60
SHA-512:	E645A1E0F26F2727A8FB7605D3B59668A670C9DF04D07576FE473D844A23D0192020AEDC286FBB9B1F64709AD30E6ACB825803CF9F872954C1324AEFD4977710
Malicious:	false
Preview:	..................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI50042\mnemonic\wordlist\portuguese.txt

Download File

Process:	C:\Users\user\Desktop\Q3pEXxmWAD.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	15671
Entropy (8bit):	4.053540036444415
Encrypted:	false
SSDEEP:	384:XM3AG0Qk5DN0Wf3MmmzpjbdU5nTEHkYk0h3Vcf+VDG:c3AQMJ0Wf3HWby5QHkY9Vcf+tG
MD5:	05EE6FDE129776830351BBACD5B0DCFB
SHA1:	472727867B394A1C9168690C415B0094DC3A3383
SHA-256:	2685E9C194C82AE67E10BA59D9EA5345A23DC093E92276FC5361F6667D79CD3F
SHA-512:	0E6AA42870C6F9A77BDA0931EA9423FEBFFEFBEB49E9DBDA5FA732FC3479942629050517FEF57BB1A76026195E16785186C0CFE26261C8FCC31F52FE69BEDA0F
Malicious:	false
Preview:	abacate.abaixo.abalar.abater.abduzir.abelha.aberto.abismo.abotoar.abranger.abreviar.abrigar.abrupto.absinto.absoluto.absurdo.abutre.acabado.acalmar.acampar.acanhar.acaso.aceitar.acelerar.acenar.acervo.acessar.acetona.achatar.acidez.acima.acionado.acirrar.aclamar.aclive.acolhida.acomodar.acoplar.acordar.acumular.acusador.adaptar.adega.adentro.adepto.adequar.aderente.adesivo.adeus.adiante.aditivo.adjetivo.adjunto.admirar.adorar.adquirir.adubo.adverso.advogado.aeronave.afastar.aferir.afetivo.afinador.afivelar.aflito.afluente.afrontar.agachar.agarrar.agasalho.agenciar.agilizar.agiota.agitado.agora.agradar.agreste.agrupar.aguardar.agulha.ajoelhar.ajudar.ajustar.alameda.alarme.alastrar.alavanca.albergue.albino.alcatra.aldeia.alecrim.alegria.alertar.alface.alfinete.algum.alheio.aliar.alicate.alienar.alinhar.aliviar.almofada.alocar.alpiste.alterar.altitude.alucinar.alugar.aluno.alusivo.alvo.amaciar.amador.amarelo.amassar.ambas.ambiente.ameixa.amenizar.amido.amistoso.amizade.amolador.amontoar.a

C:\Users\user\AppData\Local\Temp\_MEI50042\mnemonic\wordlist\russian.txt

Download File

Process:	C:\Users\user\Desktop\Q3pEXxmWAD.exe
File Type:	Unicode text, UTF-8 text
Category:	dropped
Size (bytes):	26538
Entropy (8bit):	3.827508989563015
Encrypted:	false
SSDEEP:	384:ou+5yukI02DpvaXhg8CnLOTsPsyOB7lanqA1p6tut/Mf2:H+5SIjDpvaXhrUSTsPsBBpand7xxMf2
MD5:	8950901A308B43D263E31A377306D987
SHA1:	7792B55B1838FAA8928C2528D304C2044ECD87BF
SHA-256:	07F11AF3F07FD13D8D74859F4448D8BCA8F1D9D336DC4842531ECEA083103A26
SHA-512:	5B747B7345E23F34DAFB35AFD9C2CB66AAD51456A7ACCBD9BF9CA7C285498A74C50647DA4D553AF763505935E1519F61204DB87D998B09583CC2585C91833B6B
Malicious:	false
Preview:	.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI50042\mnemonic\wordlist\spanish.txt

Download File

Process:	C:\Users\user\Desktop\Q3pEXxmWAD.exe
File Type:	Unicode text, UTF-8 text
Category:	dropped
Size (bytes):	13996
Entropy (8bit):	4.187487403267613
Encrypted:	false
SSDEEP:	384:7SvbJ9E182qrUD0py4gnW6ji3Jl3ggHQqy8:s9ET1DsyXnne3xX
MD5:	5171EE312F7709BEC7660BC9AC07351A
SHA1:	B99205D24970E0ADA8E2182A1A68F1EB439C95A1
SHA-256:	46846A5A0139D1E3CB77293E521C2865F7BCDB82C44E8D0A06A2CD0ECBA48C0B
SHA-512:	0E838229265DE6C80505088682D2DC9510147C3AB1713B556B594D09529B493CC3A7E391AD690DDA2052D4E11C56572F8A215A7FFFDB2630B13B4637329F3C31
Malicious:	false
Preview:	a.baco.abdomen.abeja.abierto.abogado.abono.aborto.abrazo.abrir.abuelo.abuso.acabar.academia.acceso.accio.n.aceite.acelga.acento.aceptar.a.cido.aclarar.acne..acoger.acoso.activo.acto.actriz.actuar.acudir.acuerdo.acusar.adicto.admitir.adoptar.adorno.aduana.adulto.ae.reo.afectar.aficio.n.afinar.afirmar.a.gil.agitar.agoni.a.agosto.agotar.agregar.agrio.agua.agudo.a.guila.aguja.ahogo.ahorro.aire.aislar.ajedrez.ajeno.ajuste.alacra.n.alambre.alarma.alba.a.lbum.alcalde.aldea.alegre.alejar.alerta.aleta.alfiler.alga.algodo.n.aliado.aliento.alivio.alma.almeja.almi.bar.altar.alteza.altivo.alto.altura.alumno.alzar.amable.amante.amapola.amargo.amasar.a.mbar.a.mbito.ameno.amigo.amistad.amor.amparo.amplio.ancho.anciano.ancla.andar.ande.n.anemia.a.ngulo.anillo.a.nimo.ani.s.anotar.antena.antiguo.antojo.anual.anular.anuncio.an.adir.an.ejo.an.o.apagar.aparato.apetito.apio.aplicar.apodo.aporte.apoyo.aprender.aprobar.apuesta.apuro.arado.aran.a.arar.a.rbitro.a.rbol.arbusto.archivo.arc

C:\Users\user\AppData\Local\Temp\_MEI50042\mnemonic\wordlist\turkish.txt

Download File

Process:	C:\Users\user\Desktop\Q3pEXxmWAD.exe
File Type:	Unicode text, UTF-8 text
Category:	dropped
Size (bytes):	15324
Entropy (8bit):	4.562888468144625
Encrypted:	false
SSDEEP:	384:RyHE73AnXs3FzmzZIPXJBmqM0yHvnWMGRUIHF3N09GU:RWE7QnX6PPX7M0yPnvGHl3N0GU
MD5:	BA9ADCC5210C101DF4B26871504F253D
SHA1:	C0AEDCD8297FB58456C0A60854E04B547DFC9576
SHA-256:	A7DC9C77913726106C7B8BAA022B7E17601D118ACF40AA60AB1FBC9C91B383AC
SHA-512:	D16BADD39006E06FC5AD03AA7AA622ED19A19271E300061183BFA7A2F913919E8A0C831BC74FA3E6DEE1EC35AF01AC904D2617EC3EF7DFA3FADE6EBEF788E218
Malicious:	false
Preview:	abajur.abak.s.abart..abdal.abdest.abiye.abluka.abone.absorbe.abs.rt.acayip.acele.acemi.a..kg.z.adalet.adam.adezyon.adisyon.adliye.adres.afacan.afili.afi..afiyet.aforizm.afra.a.a..a..r.ahbap.ahkam.ahlak.ahtapot.aidat.aile.ajan.akademi.akarsu.akba..akci.er.akdeniz.ak.bet.ak.l.ak.nt..akide.akrep.akrobasi.aksiyon.ak.am.aktif.akt.r.aktris.akustik.alaca.alb.m.al.ak.aldanma.aleni.alet.alfabe.alg.lama.al.ngan.alk...alkol.alpay.alperen.alt.n.alt.st.altyap..alyuvar.amade.amat.r.amazon.ambalaj.amblem.ambulans.amca.amel.amigo.amir.amiyane.amorti.ampul.anadolu.anahtar.anakonda.anaokul.anapara.anar.i.anatomi.anayasa.anekdot.anestezi.angaje.anka.anket.anlaml..anne.anomali.anonim.anten.antla.ma.apse.araba.arac..araf.arbede.arda.arefe.arena.argo.arg.man.arkada..armoni.aroma.arsa.ars.z.art..artist.aruz.asans.r.asayi..asfalt.asgari.asil.asker.ask..aslan.asosyal.astsubay.asya.a....a..r..a.ure.atabey.ataman.ate..atmaca.atmosfer.atom.at.lye.avc..avdet.avize.

C:\Users\user\AppData\Local\Temp\_MEI50042\psutil\_psutil_windows.pyd

Download File

Process:	C:\Users\user\Desktop\Q3pEXxmWAD.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	67072
Entropy (8bit):	5.909510426434191
Encrypted:	false
SSDEEP:	1536:aJsHmR02IvVxv7WCyKm7c5Th4MBHTOvyyaZE:apIvryCyKx5Th4M5OvyyO
MD5:	3E579844160DE8322D574501A0F91516
SHA1:	C8DE193854F7FC94F103BD4AC726246981264508
SHA-256:	95F01CE7E37F6B4B281DBC76E9B88F28A03CB02D41383CC986803275A1CD6333
SHA-512:	EE2A026E8E70351D395329C78A07ACB1B9440261D2557F639E817A8149BA625173EF196AED3D1C986577D78DC1A7EC9FED759C19346C51511474FE6D235B1817
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......nT..5..5..5..#M2. 5..x@..(5..x@..&5..x@.."5..x@...5...k..(5..aM..;5..5...5...@..:5...@..+5...@^.+5...@..+5..Rich*5..................PE..d.....qf.........." .........h......\........................................@............`.........................................0...`.......@.... .......................0..(.......................................8............................................text...h........................... ..`.rdata..\I.......J..................@..@.data...x...........................@....pdata..............................@..@.rsrc........ ......................@..@.reloc..(....0......................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI50042\python3.dll

Download File

Process:	C:\Users\user\Desktop\Q3pEXxmWAD.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	67352
Entropy (8bit):	6.146958413069333
Encrypted:	false
SSDEEP:	768:Hw/EsYpkVgBaz57kcDA7QKFmpz7cnzH/ks/KF61xubwmB1Cf//yhC74JFmpktJSG:Q/5k8cnzeJlJIyL0T7Sydix3
MD5:	FF319D24153238249ADEA18D8A3E54A7
SHA1:	0474FAA64826A48821B7A82AD256525AA9C5315E
SHA-256:	A462A21B5F0C05F0F7EC030C4FDE032A13B34A8576D661A8E66F9AD23767E991
SHA-512:	0E63FE4D5568CD2C54304183A29C7469F769816F517CD2D5B197049AA966C310CC13A7790560EF2EDC36B9B6D99FF586698886F906E19645FAEB89B0E65ADFDD
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........T...5e..5e..5e..m..5e..e..5e.....5e..g..5e.Rich.5e.........PE..d....'ne.........." ...%............................................................r.....`.........................................`...P................................/..............T............................................................................rdata..............................@..@.rsrc...............................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI50042\python311.dll

Download File

Process:	C:\Users\user\Desktop\Q3pEXxmWAD.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	5785880
Entropy (8bit):	6.090091140780886
Encrypted:	false
SSDEEP:	98304:0asy3088wAPo8yN4yl57G+160THIM1uFvvBnTfDyY:hsy3088wAPo8pyl57G81GrOY
MD5:	86E0AD6BA8A9052D1729DB2C015DAF1C
SHA1:	48112072903FFF2EC5726CCA19CC09E42D6384C7
SHA-256:	5ECDA62F6FD2822355C560412F6D90BE46A7F763F0FFEEC9854177904632AC2D
SHA-512:	5D6E32F9FF90A9A584183DAD1583AEA2327B4AEA32184B0EBBEC3DF41B0B833E6BB3CD40822DD64D1033125F52255812B17E4FA0ADD38FCDA6BAB1724DFAA2EB
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........b..\|...\|...\|.......\|.......\|.......\|.......\|.......\|.......\|......\|...\|..}.......\|.......\|.......\|.......\|..Rich.\|..........................PE..d....'ne.........." ...%..%..L7......u.......................................0]......X...`...........................................@.......A.......[.......W..2....X../....[.tD.....T.............................*.@.............%..............................text....%.......%................. ..`.rdata........%.......%.............@..@.data... #....A..T....A.............@....pdata...2....W..4....R.............@..@PyRuntim.....@Y......>T.............@....rsrc.........[.......V.............@..@.reloc..tD....[..F....V.............@..B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI50042\select.pyd

Download File

Process:	C:\Users\user\Desktop\Q3pEXxmWAD.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	30488
Entropy (8bit):	6.584716253229207
Encrypted:	false
SSDEEP:	384:aEeecReGLnUC0HqGn57AvB0NJIyQGdHQIYiSy1pCQUNIeAM+o/8E9VF0NylE3X:SeUeW4HqIG+JIyQGB5YiSyv2AMxkEg3X
MD5:	0B55F18218F4C8F30105DB9F179AFB2C
SHA1:	F1914831CF0A1AF678970824F1C4438CC05F5587
SHA-256:	E7FE45BAEF9CEE192C65FCFCE1790CCB6F3F9B81E86DF82C08F838E86275AF02
SHA-512:	428EE25E99F882AF5AD0DEDF1CCDBEB1B4022AC286AF23B209947A910BF02AE18A761F3152990C84397649702D8208FED269AA3E3A3C65770E21EE1EEC064CC1
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......V..t.s.'.s.'.s.'..7'.s.'...&.s.'...&.s.'...&.s.'...&.s.'(.&.s.'.s.'Ps.'Y..&.s.'(.&.s.'(.&.s.'(.['.s.'(.&.s.'Rich.s.'........PE..d....'ne.........." ...%.....2.......................................................-....`..........................................@..L...,A..x....p.......`.......H.../......L....3..T............................2..@............0...............................text............................... ..`.rdata.......0......................@..@.data........P.......6..............@....pdata.......`.......8..............@..@.rsrc........p.......<..............@..@.reloc..L............F..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI50042\unicodedata.pyd

Download File

Process:	C:\Users\user\Desktop\Q3pEXxmWAD.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1141016
Entropy (8bit):	5.435101785627634
Encrypted:	false
SSDEEP:	12288:3YPYbfjwR6nbkonRiPDjRrO5184EPYPx++ZiLKGZ5KXyVH4eDqLo:3aYbMR0IDJcjEwPgPOG6Xyd46qLo
MD5:	D4323AC0BAAB59AED34C761F056D50A9
SHA1:	843687689D21EDE9818C6FC5F3772BCF914F8A6E
SHA-256:	71D27537EB1E6DE76FD145DA4FDCBC379DC54DE7854C99B2E61AAE00109C13D0
SHA-512:	E31D071CE920B3E83C89505DFA22B2D0F09D43C408FCADBC910F021481C4A53C47919FCE0215AE61F00956DCB7171449EABDA8EEF63A6FDD47AA13C7158577BE
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........L..L..L..E.q.J..Y..N..Y..A..Y..D..Y..O..vE.O.....N..L.....vE.M..vE.M..vE..M..vE..M..RichL..........................PE..d....'ne.........." ...%.@..........P*....................................................`.............................................X............`.......P..0....:.../...p.......]..T............................[..@............P..x............................text....>.......@.................. ..`.rdata.......P.......D..............@..@.data...H....0......................@....pdata..0....P.......&..............@..@.rsrc........`......................@..@.reloc.......p.......8..............@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI63882\Blsvr.exe

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe
File Type:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	5701632
Entropy (8bit):	7.7339181361147675
Encrypted:	false
SSDEEP:	98304:MC1R5Ydjykb9bMC9HLoR0OV/rLu4zFEuifdcpUaRMHt:M8kb9AClufpwfdcWaRMH
MD5:	4781C53D9BB1CB237B653C687028203D
SHA1:	16A27B614D5EB2500C1CBE0AA25048D27363598F
SHA-256:	2B6AE672822198B68503B3D37D12025C9D4FC1B7E24ED833F349ECC6FBBFC655
SHA-512:	6D7B70CBD775598674D85F01B69F3BE038B4BF95C8F222C2B7C38E1EC7D379CD747B37DBF50DF0440DBB771A85D67C2324B80682CF569F0AA41703D03054AD94
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 79%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.....Jd...............&......V................@..............................W.......W...`... ...............................................W.4....@W..-....V.\|............pW.0........................... .V.(.....................W.P............................text...............................`..`.data.....T.......T.................@....rdata...7....V..8...dV.............@..@.pdata..\|.....V.......V.............@..@.xdata........V.......V.............@..@.bss..........V..........................idata..4.....W.......V.............@....CRT....`.... W.......V.............@....tls.........0W.......V.............@....rsrc....-...@W.......V.............@....reloc..0....pW.......V.............@..B........................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI63882\VCRUNTIME140.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	119192
Entropy (8bit):	6.6016214745004635
Encrypted:	false
SSDEEP:	1536:+qvQ1Dj2DkX7OcujarvmdlYNABCmgrP4ddbkZIecbWcFML/UXzlghzdMFw84hzk:+qvQ1D2CreiABCmgYecbWVLUD6h+b4ho
MD5:	BE8DBE2DC77EBE7F88F910C61AEC691A
SHA1:	A19F08BB2B1C1DE5BB61DAF9F2304531321E0E40
SHA-256:	4D292623516F65C80482081E62D5DADB759DC16E851DE5DB24C3CBB57B87DB83
SHA-512:	0DA644472B374F1DA449A06623983D0477405B5229E386ACCADB154B43B8B083EE89F07C3F04D2C0C7501EAD99AD95AECAA5873FF34C5EEB833285B598D5A655
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........N.../c../c../c._]b./c..W.../c../b./c../c../c...`./c...g./c...f./c...c./c....../c...a./c.Rich./c.........................PE..d.....cW.........." ...&. ...d......................................................-.....`A.........................................e..4...4m...........................O...........N..p............................L..@............0...............................text...&........................... ..`fothk........ ...................... ..`.rdata..\C...0...D...$..............@..@.data...p............h..............@....pdata...............l..............@..@_RDATA...............x..............@..@.rsrc................z..............@..@.reloc...............~..............@..B................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI63882\_bz2.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	84760
Entropy (8bit):	6.5692755156011025
Encrypted:	false
SSDEEP:	1536:cfz7OThu5JLlHRGxlDAwGzzVXU8dhkb48UlIyCVJ7SyMxD:cfzSFlDlCHdhkmlIyCVJU
MD5:	AFAA11704FDA2ED686389080B6FFCB11
SHA1:	9A9C83546C2E3B3CCF823E944D5FD07D22318A1B
SHA-256:	AB34B804DA5B8E814B2178754D095A4E8AEAD77EEFD3668DA188769392CDB5F4
SHA-512:	DE23BB50F1D416CF4716A5D25FE12F4B66E6226BB39E964D0DE0FEF1724D35B48C681809589C731D3061A97C62B4DC7B9B7DFE2978F196F2D82CCCE286BE8A2A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........<..R..R..R......R...S..R.....R...W..R...V..R...Q..R...S..R..S..R..S..R..._..R...R..R......R...P..R.Rich.R.........................PE..d....(ne.........." ...%.....^...............................................P.......i....`.........................................p...H............0....... .. ......../...@..........T...........................p...@............................................text...7........................... ..`.rdata..L>.......@..................@..@.data...............................@....pdata.. .... ......................@..@.rsrc........0......................@..@.reloc.......@......................@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI63882\_ctypes.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	124696
Entropy (8bit):	6.043702317006711
Encrypted:	false
SSDEEP:	3072:DJMe7jc823LQHUlYsNZfLIbKV6pJfJIyLPKZ:DWeoL0GNZfLIbCcJfi
MD5:	78DF76AA0FF8C17EDC60376724D206CD
SHA1:	9818BD514D3D0FC1749B2D5EF9E4D72D781B51DD
SHA-256:	B75560DB79BA6FB56C393A4886EEDD72E60DF1E2F7F870FE2E356D08155F367B
SHA-512:	6189C1BD56DB5B7A9806960BC27742D97D2794ACEBC32E0A5F634FE0FF863E1775DCF90224504D5E2920A1192A3C1511FB84D41D7A2B69C67D3BDFBAB2F968FA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........X...X...X...Q.*.^...M...Z...M...T...M...P...M...\...b...Z.......Y.......^.......[...X.......b...^...b...Y...b.F.Y...b...Y...RichX...........PE..d....'ne.........." ...%.............\..............................................\.....`..........................................Q.......Q..................P......../..............T...........................`...@............................................text............................... ..`.rdata..2m.......n..................@..@.data...$=...p...8...`..............@....pdata..P...........................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI63882\_decimal.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	253720
Entropy (8bit):	6.556660448912721
Encrypted:	false
SSDEEP:	6144:JFrhZMm47r6aA2MQbPS4ELT4zH2n9qWM53pLW1A+tARs4:JFrhV4qaA2ffEozWa0ARD
MD5:	33F721F1CBB413CD4F26FE0ED4A597E7
SHA1:	476D5FAB7B2DB3F53B90B7CC6099D5541E72883E
SHA-256:	080D0FBBFF68D17B670110C95210347BE7B8AB7C385F956F123A66DC2F434AB3
SHA-512:	8FBC82AF0FE063C4EB8FDEFAE5650924AC607BE54B81C4D51064CA720BB85BFC9E1705BA93DF5BE6ADD156A6B360DD1F700618862877E28DE7C13E21B470B507
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........mBP\.,.\.,.\.,.Ut..R.,.Is-.^.,.Is).Q.,.Is(.T.,.Is/.X.,.f.-._.,..t-.^.,.\.-...,.f./.].,.f.!.S.,.f.,.].,.f...].,.f...].,.Rich\.,.........PE..d....'ne.........." ...%.x...<............................................................`..........................................T..P....T..................`'......./......P.......T...........................p...@............................................text...5w.......x.................. ..`.rdata...............\|..............@..@.data....*...p...$...T..............@....pdata..`'.......(...x..............@..@.rsrc...............................@..@.reloc..P...........................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI63882\_hashlib.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	65304
Entropy (8bit):	6.25487370026842
Encrypted:	false
SSDEEP:	1536:nuY1lTorKn+zF9G0pLOjWNBgdIyOI8f7SyxxUx:nuY+9GIOjiBgdIyOI8fY
MD5:	534902BE1D8A57974EFD025AFF4F11EF
SHA1:	1179C6153DC52F72C29FE1591DC9A889C2E229E9
SHA-256:	30ADFB86513282E59D7E27968E1FF6686E43B8559994A50C17BE66D0789F82B3
SHA-512:	7F0CDCF8576FAF30FC8104B9BC9586D85AD50B7803074A7BCAA192EED05B1E2BD988A91873554FB63F204FCAD86C667E95755C5FF13C43F96DC334EF3EA37240
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........>@j.P.j.P.j.P.c...n.P...Q.h.P...U.f.P...T.b.P...S.i.P.PaQ.h.P.!.Q.h.P...Q.i.P.j.Q...P.Pa].k.P.PaP.k.P.Pa..k.P.PaR.k.P.Richj.P.........PE..d... (ne.........." ...%.T...~......0@..............................................a_....`.............................................P................................/......X...P}..T............................\|..@............p..0............................text....S.......T.................. ..`.rdata..rO...p...P...X..............@..@.data...8...........................@....pdata..............................@..@.rsrc...............................@..@.reloc..X...........................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI63882\_lzma.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	159000
Entropy (8bit):	6.852849132106876
Encrypted:	false
SSDEEP:	3072:Bl2grSWcJSEoLSHK/znfU9mNo2s2AaK5VlIyZ1Zxzp:Blh2nJ9a8YO2u7rp
MD5:	2AE2464BFCC442083424BC05ED9BE7D2
SHA1:	F64B100B59713E51D90D2E016B1FE573B6507B5D
SHA-256:	64BA475A28781DCA81180A1B8722A81893704F8D8FAC0B022C846FDCF95B15B9
SHA-512:	6C3ACD3DCAE733452AD68477417693AF64A7D79558E8EC9F0581289903C2412E2F29195B90E396BFDCD765337A6DEA9632E4B8D936AC39B1351CD593CB12CE27
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......RH...)t..)t..)t..Q...)t..Vu..)t..Vq..)t..Vp..)t..Vw..)t.,.u..)t.]Qu..)t..)u.p)t.,.y.,)t.,.t..)t.,....)t.,.v..)t.Rich.)t.................PE..d...#(ne.........." ...%.b..........P6....................................................`..........................................%..L...L%..x....p.......P.......>.../......8.......T...........................p...@............................................text....a.......b.................. ..`.rdata..............f..............@..@.data........@......................@....pdata.......P......................@..@.rsrc........p.......2..............@..@.reloc..8............<..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI63882\_queue.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	32536
Entropy (8bit):	6.445663619180805
Encrypted:	false
SSDEEP:	768:y+yFV6rXzmxU9JIyQUM5YiSyvKtp/AMxkEj:y+wEXzWU9JIyQU27Sy4xH
MD5:	DBD3C2C0A348A44A96D76100690C606D
SHA1:	04E901EAC1161255ADB16155459AC50F124B30A6
SHA-256:	2BFD8459BA01C741D676F79EE96802FB2C29CB30F50301D67FDE8BBCE8E7E7D4
SHA-512:	99FEE97C272BFFF4515407D588B2761AF7BE39A83BE070E01128FBA71FF75404FBAD6352BCDBE5465786CE86A6550F47B177D022CCB53F32F5A482DB61BEE3B4
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Z2.X.Sa..Sa..Sa..+...Sa..,`..Sa..,d..Sa..,e..Sa..,b..Sa.$.`..Sa.U+`..Sa..S`.TSa.$.l..Sa.$.a..Sa.$...Sa.$.c..Sa.Rich.Sa.................PE..d....'ne.........." ...%.....8...........................................................`..........................................C..L....C..d....p.......`.......P.../..........p4..T...........................03..@............0..0............................text............................... ..`.rdata..R....0......................@..@.data...x....P.......<..............@....pdata.......`.......@..............@..@.rsrc........p.......D..............@..@.reloc...............N..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI63882\_socket.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	79640
Entropy (8bit):	6.288109761411876
Encrypted:	false
SSDEEP:	1536:sRbflgPFXDclujZ9/s+S+pzpGkTFVf7KJIyLw57SyCxz7:sDm1EujZ9/sT+pz0KFVTKJIyLw567
MD5:	11B7936A5BD929CC76AC3F4F137B5236
SHA1:	09CB712FA43DC008EB5185481A5080997AFF82AB
SHA-256:	8956B11C07D08D289425E7240B8FA37841A27C435617DBBD02BFE3F9405F422B
SHA-512:	7B050DF283A0AD4295A5BE47B99D7361F49A3CFD20691E201C5DA5349A9EB8F5710AB3A26A66D194567539660ED227411485F4EDF2269567A55A6B8CCFD71096
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........h...............q.......v.......v.......v.......v.......................q........................l.............Rich....................PE..d....(ne.........." ...%.l...........%.......................................P............`.............................................P............0....... ..x......../...@..........T...............................@............................................text....k.......l.................. ..`.rdata...t.......v...p..............@..@.data...............................@....pdata..x.... ......................@..@.rsrc........0......................@..@.reloc.......@......................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI63882\_ssl.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	176920
Entropy (8bit):	5.956358505915276
Encrypted:	false
SSDEEP:	3072:hjIQQj5DC1z/39/2uXU6XjXylB9d43Olh59YL48PMrN/WgAlNiVlIyC7WN:Kj5mRPxbU6XjK4TLiVL
MD5:	0E9E6D6839D74AD40BB9F16CC6601B13
SHA1:	6671039088793F4BA42F5BD4409C26B1283CEAFA
SHA-256:	BCA1F490C9F7BA25CBBB4B39785DDA8AA651123E22D4E7EDC299B218C8157A81
SHA-512:	CB8742AE5DB83487C21BA17D9EFACA736DF49F8F3C4A72355EDE119717B83E0B4C6D94BD1C75A992ABAF4AB89502A805F81B2529E85FD6A656600D6E7B0C90F5
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............L...L...L..VL...L...M...L...M...L...M...L...M...L.f.M...Lc..M...L...L4..L..M...L.f.M...L.f.M...L.f:L...L.f.M...LRich...L........PE..d...#(ne.........." ...%............l+..............................................Y.....`.........................................0...d................................/......\|...P...T...............................@............................................text.............................. ..`.rdata...".......$..................@..@.data...............................@....pdata...............\..............@..@.rsrc................h..............@..@.reloc..\|............r..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI63882\base_library.zip

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=store
Category:	dropped
Size (bytes):	1442277
Entropy (8bit):	5.590680301756823
Encrypted:	false
SSDEEP:	24576:mQR5pATG8/R5lUKdcubgAnyfb6/X0iwhmdmzNPFa0HHp:mQR5pE/RJvG
MD5:	81CD6D012885629791A9E3D9320C444E
SHA1:	53268184FDBDDF8909C349ED3C6701ABE8884C31
SHA-256:	A18892E4F2F2EC0DEE5714429F73A5ADD4E355D10A7BA51593AFC730F77C51DD
SHA-512:	D5BF47FAD8B1F5C7DCAA6BEF5D4553E461F46E6C334B33D8ADC93689CF89365C318F03E961A5D33994730B72DC8BDE62209BACA015D0D2D08A081D82DF7DFD73
Malicious:	false
Preview:	PK..........!.h%..b...b......._collections_abc.pyc............................................d.Z.d.d.l.m.Z.m.Z...d.d.l.Z...e.e.e.........................Z...e.d...............Z.d...Z...e.e...............Z.[.g.d...Z.d.Z...e...e.d.............................Z...e...e...e...........................................Z...e...e.i.................................................................Z...e...e.i.................................................................Z...e...e.i.................................................................Z...e...e.g.............................Z...e...e...e.g...........................................Z...e...e...e.d...........................................Z...e...e...e.d.d.z.............................................Z...e...e...e...........................................Z...e...e.d.............................Z ..e...e.d.............................Z!..e...e...e"..........................................Z#..e.i.......................................

C:\Users\user\AppData\Local\Temp\_MEI63882\certifi\cacert.pem

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	292541
Entropy (8bit):	6.048162209044241
Encrypted:	false
SSDEEP:	6144:QW1x/M8fRR1jplkXURrVADwYCuCigT/Q5MSRqNb7d8iu5NF:QWb/TRJLWURrI55MWavdF0D
MD5:	D3E74C9D33719C8AB162BAA4AE743B27
SHA1:	EE32F2CCD4BC56CA68441A02BF33E32DC6205C2B
SHA-256:	7A347CA8FEF6E29F82B6E4785355A6635C17FA755E0940F65F15AA8FC7BD7F92
SHA-512:	E0FB35D6901A6DEBBF48A0655E2AA1040700EB5166E732AE2617E89EF5E6869E8DDD5C7875FA83F31D447D4ABC3DB14BFFD29600C9AF725D9B03F03363469B4C
Malicious:	false
Preview:	.# Issuer: CN=GlobalSign Root CA O=GlobalSign nv-sa OU=Root CA.# Subject: CN=GlobalSign Root CA O=GlobalSign nv-sa OU=Root CA.# Label: "GlobalSign Root CA".# Serial: 4835703278459707669005204.# MD5 Fingerprint: 3e:45:52:15:09:51:92:e1:b7:5d:37:9f:b1:87:29:8a.# SHA1 Fingerprint: b1:bc:96:8b:d4:f4:9d:62:2a:a8:9a:81:f2:15:01:52:a4:1d:82:9c.# SHA256 Fingerprint: eb:d4:10:40:e4:bb:3e:c7:42:c9:e3:81:d3:1e:f2:a4:1a:48:b6:68:5c:96:e7:ce:f3:c1:df:6c:d4:33:1c:99.-----BEGIN CERTIFICATE-----.MIIDdTCCAl2gAwIBAgILBAAAAAABFUtaw5QwDQYJKoZIhvcNAQEFBQAwVzELMAkG.A1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jv.b3QgQ0ExGzAZBgNVBAMTEkdsb2JhbFNpZ24gUm9vdCBDQTAeFw05ODA5MDExMjAw.MDBaFw0yODAxMjgxMjAwMDBaMFcxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9i.YWxTaWduIG52LXNhMRAwDgYDVQQLEwdSb290IENBMRswGQYDVQQDExJHbG9iYWxT.aWduIFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDaDuaZ.jc6j40+Kfvvxi4Mla+pIH/EqsLmVEQS98GPR4mdmzxzdzxtIK+6NiY6arymAZavp.xy0Sy6scTHAHoT0KMM0VjU/43dSMUBUc71DuxC73/OlS8pF94G3VNTCOXkNz

C:\Users\user\AppData\Local\Temp\_MEI63882\charset_normalizer\md.cp311-win_amd64.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	10752
Entropy (8bit):	4.673454313041419
Encrypted:	false
SSDEEP:	96:KG+p72HzA5iJGhU2Y0hQMsQJCUCLsZEA4elh3XQMtCFliHUWQcX6g8cim1qeSju1:A2HzzU2bRYoeLHkcqgvimoe
MD5:	723EC2E1404AE1047C3EF860B9840C29
SHA1:	8FC869B92863FB6D2758019DD01EDBEF2A9A100A
SHA-256:	790A11AA270523C2EFA6021CE4F994C3C5A67E8EAAAF02074D5308420B68BD94
SHA-512:	2E323AE5B816ADDE7AAA14398F1FDB3EFE15A19DF3735A604A7DB6CADC22B753046EAB242E0F1FBCD3310A8FBB59FF49865827D242BAF21F44FD994C3AC9A878
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......B..............................M....................................... ...?.......?.......?.a.....?.......Rich............................PE..d...siAe.........." ...%.....................................................p............`..........................................'..p...`(..d....P.......@...............`..,...`#.............................. "..@............ ...............................text............................... ..`.rdata....... ......................@..@.data...8....0......."..............@....pdata.......@.......$..............@..@.rsrc........P.......&..............@..@.reloc..,....`.......(..............@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI63882\charset_normalizer\md__mypyc.cp311-win_amd64.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	119296
Entropy (8bit):	5.872097486056729
Encrypted:	false
SSDEEP:	1536:OzgMw0g+m/+rxC9Jtd960WsCyqPD1/bZMlDML48Be9zGTVmZRJIRbvB:OsTH+VC9Jtd9VdCr7fMp/8yGTVmzmZ
MD5:	9EA8098D31ADB0F9D928759BDCA39819
SHA1:	E309C85C1C8E6CE049EEA1F39BEE654B9F98D7C5
SHA-256:	3D9893AA79EFD13D81FCD614E9EF5FB6AAD90569BEEDED5112DE5ED5AC3CF753
SHA-512:	86AF770F61C94DFBF074BCC4B11932BBA2511CAA83C223780112BDA4FFB7986270DC2649D4D3EA78614DBCE6F7468C8983A34966FC3F2DE53055AC6B5059A707
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........C..r...r...r......r...s...r...s...r...w...r...v..r...q...r.#.s...r...s...r..8z...r..8r...r..8....r..8p...r.Rich..r.........................PE..d...siAe.........." ...%...........0........................................ ............`.........................................p...d..........................................Px...............................w..@............@...............................text...X)......................... ..`.rdata...X...@...Z..................@..@.data...8=.......0..................@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI63882\libcrypto-3.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	5162776
Entropy (8bit):	5.958207976652471
Encrypted:	false
SSDEEP:	98304:S3+FRtLtlVriXpshX179Cahd4tC9P1+1CPwDvt3uFlDCi:ASRtLtvd99Cahd4tC9w1CPwDvt3uFlDz
MD5:	51E8A5281C2092E45D8C97FBDBF39560
SHA1:	C499C810ED83AAADCE3B267807E593EC6B121211
SHA-256:	2A234B5AA20C3FAECF725BBB54FB33F3D94543F78FA7045408E905593E49960A
SHA-512:	98B91719B0975CB38D3B3C7B6F820D184EF1B64D38AD8515BE0B8B07730E2272376B9E51631FE9EFD9B8A1709FEA214CF3F77B34EEB9FD282EB09E395120E7CB
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......./',.kFB.kFB.kFB.b>..yFB..:C.iFB..:G.gFB..:F.cFB..:A.oFB.kFC..FB. >C.`FB.;A.KFB.;F..EB.;B.jFB.;..jFB.;@.jFB.RichkFB.........................PE..d...x..e.........." ...#..6..*......v.........................................O.......O...`.........................................0.G.0.....M.@....0N.\|.....K.\.....N../...@N.....PsC.8............................qC.@.............M..............................text...4.6.......6................. ..`.rdata..`.....6.......6.............@..@.data....n....J..<....J.............@....pdata........K.......J.............@..@.idata...%....M..&....M.............@..@.00cfg..u.... N.......M.............@..@.rsrc...\|....0N.......M.............@..@.reloc..k....@N.......M.............@..B................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI63882\libffi-8.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	39696
Entropy (8bit):	6.641880464695502
Encrypted:	false
SSDEEP:	768:NiQfxQemQJNrPN+moyijAc5YiSyvkIPxWEqG:dfxIQvPkmoyijP7SytPxF
MD5:	0F8E4992CA92BAAF54CC0B43AACCCE21
SHA1:	C7300975DF267B1D6ADCBAC0AC93FD7B1AB49BD2
SHA-256:	EFF52743773EB550FCC6CE3EFC37C85724502233B6B002A35496D828BD7B280A
SHA-512:	6E1B223462DC124279BFCA74FD2C66FE18B368FFBCA540C84E82E0F5BCBEA0E10CC243975574FA95ACE437B9D8B03A446ED5EE0C9B1B094147CEFAF704DFE978
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........iV...8...8...8..p....8.t9...8.p9...8...9...8.t=...8.t<...8.t;...8.1t<...8.1t;...8.1t8...8.1t:...8.Rich..8.........................PE..d...Sh.c.........." ...".H...(.......L...............................................n....`......................................... l.......p..P...............P....l.../......,...@d...............................c..@............`.. ............................text....G.......H.................. ..`.rdata..h....`.......L..............@..@.data................b..............@....pdata..P............d..............@..@.reloc..,............j..............@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI63882\libssl-3.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	790296
Entropy (8bit):	5.607732992846443
Encrypted:	false
SSDEEP:	6144:7aO1lo7USZGjweMMHO4+xuVg7gCl2VdhMd1DdwMVn4TERUr3zgKpJJ/wknofFe9A:FkeMKOr97gCAE35gEGzLpwknofFe9XbE
MD5:	BFC834BB2310DDF01BE9AD9CFF7C2A41
SHA1:	FB1D601B4FCB29FF1B13B0D2ED7119BD0472205C
SHA-256:	41AD1A04CA27A7959579E87FBBDA87C93099616A64A0E66260C983381C5570D1
SHA-512:	6AF473C7C0997F2847EBE7CEE8EF67CD682DEE41720D4F268964330B449BA71398FDA8954524F9A97CC4CDF9893B8BDC7A1CF40E9E45A73F4F35A37F31C6A9C3
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........T..T..T..].3.Z....V......V....X....\....P....W..T..I....e....U.._.U....U..RichT..........PE..d......e.........." ...#.6..........K........................................0.......w....`..........................................w...Q..............s.... ..pM......./......`... ...8...............................@............................................text....4.......6.................. ..`.rdata...y...P...z...:..............@..@.data....N.......H..................@....pdata..XV... ...X..................@..@.idata..bc.......d...T..............@..@.00cfg..u...........................@..@.rsrc...s...........................@..@.reloc..?...........................@..B................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI63882\mnemonic\py.typed

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	27
Entropy (8bit):	3.9265716511782736
Encrypted:	false
SSDEEP:	3:SZeW0FOoc:SZeRFHc
MD5:	48734178084EF7F5C250997C28F8BDEE
SHA1:	4D7BB7A1D9B08B32C6FFBAFCE440959D0BC19788
SHA-256:	6D67B0F661E0332F0BA8CBBB46EA905C55CB071876091C747546D2C7EDF0138F
SHA-512:	A227E9E2B7FC025767B4363544B4C4A675A123A853E68C740E659E662C354030F655B8FDA1D6CDF57B58CCA32A4757195F76D7A4A93048D334F047E7693F3335
Malicious:	false
Preview:	# Marker file for PEP 561..

C:\Users\user\AppData\Local\Temp\_MEI63882\mnemonic\wordlist\chinese_simplified.txt

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe
File Type:	Unicode text, UTF-8 text
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	5.097279386012455
Encrypted:	false
SSDEEP:	192:RC/PE+flkDFk4kVOAUAIXYP9laqCFd5zJ007:R4E65uYPVCFLzJ
MD5:	0C5517AB8EDB22EA7A61E44B28E96DA7
SHA1:	F902EE7E96CE48DE6404ADF644FA40E260D949FF
SHA-256:	5C5942792BD8340CB8B27CD592F1015EDF56A8C5B26276EE18A482428E7C5726
SHA-512:	F5B6D696A6B75BDEEACD0E0742D31EAA06CD683BB3C149052D82E0D47039534B23C82FC47FB193C86FF2B7C2B22F73CCC48CC500F09ABC5E228998D9BC413EF7
Malicious:	false
Preview:	....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI63882\mnemonic\wordlist\chinese_traditional.txt

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe
File Type:	Unicode text, UTF-8 text
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	5.099678321615091
Encrypted:	false
SSDEEP:	192:UPmINi9ODjMzdZmIBI3C8+o95uECRdDGrRPY2+PDv:Ucfz7lqyHo9RCz2wLPDv
MD5:	00D0909E346B52006D1E9EF680B5A5FC
SHA1:	33E401BEA63F83A5EA84D78DDC7161809EF77F0B
SHA-256:	417B26B3D8500A4AE3D59717D7011952DB6FC2FB84B807F3F94AC734E89C1B5F
SHA-512:	1E2689A48317A12A6B4A6A74DE2241380FEF57B250FAFE6AB00A479DB85D12661F8C33749240C9CEC6535ACD7F91E71DCBA0BB8A27D1D32A3B76FE34797CAD5B
Malicious:	false
Preview:	....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI63882\mnemonic\wordlist\czech.txt

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	14945
Entropy (8bit):	4.229683397391918
Encrypted:	false
SSDEEP:	384:6kfPbFvdXqyyLlY3fIVKj7KyvKxv/FjZ305yyRvQcR5bJw:lbrXqyyLS31/Kyviv/FaAyttR59w
MD5:	38FD5E100D4604C2A844BB9BB9305975
SHA1:	33A09B9BC987AAA8560FFEF8A17459C99C63ED4A
SHA-256:	7E80E161C3E93D9554C2EFB78D4E3CEBF8FC727E9C52E03B83B94406BDCC95FC
SHA-512:	3D56A9D507B5B07A99B9D9924D8540944DD226D4B5050852027F09309A85513DB2E57C9186F70B8F8226C342C28EFCEDD1E8EDD507E1D39F8DA693CFAC0C39CA
Malicious:	false
Preview:	abdikace.abeceda.adresa.agrese.akce.aktovka.alej.alkohol.amputace.ananas.andulka.anekdota.anketa.antika.anulovat.archa.arogance.asfalt.asistent.aspirace.astma.astronom.atlas.atletika.atol.autobus.azyl.babka.bachor.bacil.baculka.badatel.bageta.bagr.bahno.bakterie.balada.baletka.balkon.balonek.balvan.balza.bambus.bankomat.barbar.baret.barman.baroko.barva.baterka.batoh.bavlna.bazalka.bazilika.bazuka.bedna.beran.beseda.bestie.beton.bezinka.bezmoc.beztak.bicykl.bidlo.biftek.bikiny.bilance.biograf.biolog.bitva.bizon.blahobyt.blatouch.blecha.bledule.blesk.blikat.blizna.blokovat.bloudit.blud.bobek.bobr.bodlina.bodnout.bohatost.bojkot.bojovat.bokorys.bolest.borec.borovice.bota.boubel.bouchat.bouda.boule.bourat.boxer.bradavka.brambora.branka.bratr.brepta.briketa.brko.brloh.bronz.broskev.brunetka.brusinka.brzda.brzy.bublina.bubnovat.buchta.buditel.budka.budova.bufet.bujarost.bukvice.buldok.bulva.bunda.bunkr.burza.butik.buvol.buzola.bydlet.bylina.bytovka.bzukot.capart.carevna.cedr.cedule.cejch.cej

C:\Users\user\AppData\Local\Temp\_MEI63882\mnemonic\wordlist\english.txt

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	13116
Entropy (8bit):	4.2192956006819475
Encrypted:	false
SSDEEP:	192:DAvLtKog3W8jiD1/oLpsExUKqlyjn6SybkSoxIFg/7mSX30hB8OnqdE5HpF2gS2:MvLAog/I1wdsExXxigaSUvRj5r
MD5:	F23506956964FA69C98FA3FB5C8823B5
SHA1:	B2D5241AE027A0E40F06A33D909809A190F210FE
SHA-256:	2F5EED53A4727B4BF8880D8F3F199EFC90E58503646D9FF8EFF3A2ED3B24DBDA
SHA-512:	416C71BA30018EA292BB36CDC23C9329673485A8D8933266A9D9A7CC72153B8BAED3D430F52EAB4F5D3ADDF6583611B3777A50454599F1E42716F5F879621123
Malicious:	false
Preview:	abandon.ability.able.about.above.absent.absorb.abstract.absurd.abuse.access.accident.account.accuse.achieve.acid.acoustic.acquire.across.act.action.actor.actress.actual.adapt.add.addict.address.adjust.admit.adult.advance.advice.aerobic.affair.afford.afraid.again.age.agent.agree.ahead.aim.air.airport.aisle.alarm.album.alcohol.alert.alien.all.alley.allow.almost.alone.alpha.already.also.alter.always.amateur.amazing.among.amount.amused.analyst.anchor.ancient.anger.angle.angry.animal.ankle.announce.annual.another.answer.antenna.antique.anxiety.any.apart.apology.appear.apple.approve.april.arch.arctic.area.arena.argue.arm.armed.armor.army.around.arrange.arrest.arrive.arrow.art.artefact.artist.artwork.ask.aspect.assault.asset.assist.assume.asthma.athlete.atom.attack.attend.attitude.attract.auction.audit.august.aunt.author.auto.autumn.average.avocado.avoid.awake.aware.away.awesome.awful.awkward.axis.baby.bachelor.bacon.badge.bag.balance.balcony.ball.bamboo.banana.banner.bar.barely.bargain.barre

C:\Users\user\AppData\Local\Temp\_MEI63882\mnemonic\wordlist\french.txt

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe
File Type:	Unicode text, UTF-8 text
Category:	dropped
Size (bytes):	16777
Entropy (8bit):	4.213242727095934
Encrypted:	false
SSDEEP:	384:6J+AAri16KDuR4ckw3ezywsNB7CJEu4XjooTiOPMk8YTCm:6IAYi16muR4GezyhNB7r0HG8EP
MD5:	F5905FD22FD0DEB0BE40F356204BA3FB
SHA1:	BCD81ED81906BDAB57D9700A23413A7E22487D0E
SHA-256:	EBC3959AB7801A1DF6BAC4FA7D970652F1DF76B683CD2F4003C941C63D517E59
SHA-512:	001B2E7D1D17416776FA5306E4F7EC5812F3F35CC26FDE46800A7DAB1412870AC8B779B0C2FEC1D75C24B80868E55BC5BFB88C8DED50C84040248B76A2C5332D
Malicious:	false
Preview:	abaisser.abandon.abdiquer.abeille.abolir.aborder.aboutir.aboyer.abrasif.abreuver.abriter.abroger.abrupt.absence.absolu.absurde.abusif.abyssal.acade.mie.acajou.acarien.accabler.accepter.acclamer.accolade.accroche.accuser.acerbe.achat.acheter.aciduler.acier.acompte.acque.rir.acronyme.acteur.actif.actuel.adepte.ade.quat.adhe.sif.adjectif.adjuger.admettre.admirer.adopter.adorer.adoucir.adresse.adroit.adulte.adverbe.ae.rer.ae.ronef.affaire.affecter.affiche.affreux.affubler.agacer.agencer.agile.agiter.agrafer.agre.able.agrume.aider.aiguille.ailier.aimable.aisance.ajouter.ajuster.alarmer.alchimie.alerte.alge.bre.algue.alie.ner.aliment.alle.ger.alliage.allouer.allumer.alourdir.alpaga.altesse.alve.ole.amateur.ambigu.ambre.ame.nager.amertume.amidon.amiral.amorcer.amour.amovible.amphibie.ampleur.amusant.analyse.anaphore.anarchie.anatomie.ancien.ane.antir.angle.angoisse.anguleux.animal.annexer.annonce.annuel.anodin.anomalie.anonyme.anormal.antenne.antidote.anxieux.apaiser.ape.ritif.a

C:\Users\user\AppData\Local\Temp\_MEI63882\mnemonic\wordlist\italian.txt

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16033
Entropy (8bit):	4.007887655086134
Encrypted:	false
SSDEEP:	384:7TRlelKQfV+XsNs6d6NN5Qd3kR72+ImtKlhT3sdHy1WVO0iiG:7TmBtP7dwN5Qpi4lG1VO0a
MD5:	FBE635509A2859B7B6DE2C0F16F15ED8
SHA1:	C6214EB1CEC7B1EE8CBA1F317AC612C51881448A
SHA-256:	D392C49FDB700A24CD1FCEB237C1F65DCC128F6B34A8AACB58B59384B5C648C2
SHA-512:	D3DCA24CF03F04EEA1872D98C91748A8AA7AEAC6E2C885A99F2D452904A75FFCF271506DB369335726C0E3F7C8A6454935782586414B9AFFD2FE0EB004223DA1
Malicious:	false
Preview:	abaco.abbaglio.abbinato.abete.abisso.abolire.abrasivo.abrogato.accadere.accenno.accusato.acetone.achille.acido.acqua.acre.acrilico.acrobata.acuto.adagio.addebito.addome.adeguato.aderire.adipe.adottare.adulare.affabile.affetto.affisso.affranto.aforisma.afoso.africano.agave.agente.agevole.aggancio.agire.agitare.agonismo.agricolo.agrumeto.aguzzo.alabarda.alato.albatro.alberato.albo.albume.alce.alcolico.alettone.alfa.algebra.aliante.alibi.alimento.allagato.allegro.allievo.allodola.allusivo.almeno.alogeno.alpaca.alpestre.altalena.alterno.alticcio.altrove.alunno.alveolo.alzare.amalgama.amanita.amarena.ambito.ambrato.ameba.america.ametista.amico.ammasso.ammenda.ammirare.ammonito.amore.ampio.ampliare.amuleto.anacardo.anagrafe.analista.anarchia.anatra.anca.ancella.ancora.andare.andrea.anello.angelo.angolare.angusto.anima.annegare.annidato.anno.annuncio.anonimo.anticipo.anzi.apatico.apertura.apode.apparire.appetito.appoggio.approdo.appunto.aprile.arabica.arachide.aragosta.araldica.arancio.aratur

C:\Users\user\AppData\Local\Temp\_MEI63882\mnemonic\wordlist\japanese.txt

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe
File Type:	Unicode text, UTF-8 text
Category:	dropped
Size (bytes):	26423
Entropy (8bit):	3.554983747162495
Encrypted:	false
SSDEEP:	768:OwUkxkf27FkrH9tW/JgODfFFuHgFFqfw8QCBdqLMCl:Ogxkf27FkrdtW/JgOD9FuHgFFqfwLidW
MD5:	C71FCA9FD3FE9F85514CB38A58859DE2
SHA1:	A4EC1DA6C11A8C251195C7AD90817DDA6FE64488
SHA-256:	2EED0AEF492291E061633D7AD8117F1A2B03EB80A29D0E4E3117AC2528D05FFD
SHA-512:	3FAF87F7E48EB6635F7D7B18A34E7DACBC2C43A1CF6AA9C96015B2A3549710B8B7A0961E5D2E32D7E369099DB89A874C4D761A8384FB558744C7F47CA8CB0772
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI63882\mnemonic\wordlist\korean.txt

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe
File Type:	Unicode text, UTF-8 text
Category:	dropped
Size (bytes):	37832
Entropy (8bit):	3.7380887691649907
Encrypted:	false
SSDEEP:	384:m57ktAhYlpH/gN8G3Ufyy7+Lp5vx5fBECMLJbnSTyKeeHjbnHeRigUuVyS+sOpVl:MSWhGES2O/r6
MD5:	EC271D4926B82EF5C02AEFA7DD2DAAF4
SHA1:	6C5C5F38E75673D1CEA20F2700468ADC163D869B
SHA-256:	9E95F86C167DE88F450F0AAF89E87F6624A57F973C67B516E338E8E8B8897F60
SHA-512:	E645A1E0F26F2727A8FB7605D3B59668A670C9DF04D07576FE473D844A23D0192020AEDC286FBB9B1F64709AD30E6ACB825803CF9F872954C1324AEFD4977710
Malicious:	false
Preview:	..................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI63882\mnemonic\wordlist\portuguese.txt

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	15671
Entropy (8bit):	4.053540036444415
Encrypted:	false
SSDEEP:	384:XM3AG0Qk5DN0Wf3MmmzpjbdU5nTEHkYk0h3Vcf+VDG:c3AQMJ0Wf3HWby5QHkY9Vcf+tG
MD5:	05EE6FDE129776830351BBACD5B0DCFB
SHA1:	472727867B394A1C9168690C415B0094DC3A3383
SHA-256:	2685E9C194C82AE67E10BA59D9EA5345A23DC093E92276FC5361F6667D79CD3F
SHA-512:	0E6AA42870C6F9A77BDA0931EA9423FEBFFEFBEB49E9DBDA5FA732FC3479942629050517FEF57BB1A76026195E16785186C0CFE26261C8FCC31F52FE69BEDA0F
Malicious:	false
Preview:	abacate.abaixo.abalar.abater.abduzir.abelha.aberto.abismo.abotoar.abranger.abreviar.abrigar.abrupto.absinto.absoluto.absurdo.abutre.acabado.acalmar.acampar.acanhar.acaso.aceitar.acelerar.acenar.acervo.acessar.acetona.achatar.acidez.acima.acionado.acirrar.aclamar.aclive.acolhida.acomodar.acoplar.acordar.acumular.acusador.adaptar.adega.adentro.adepto.adequar.aderente.adesivo.adeus.adiante.aditivo.adjetivo.adjunto.admirar.adorar.adquirir.adubo.adverso.advogado.aeronave.afastar.aferir.afetivo.afinador.afivelar.aflito.afluente.afrontar.agachar.agarrar.agasalho.agenciar.agilizar.agiota.agitado.agora.agradar.agreste.agrupar.aguardar.agulha.ajoelhar.ajudar.ajustar.alameda.alarme.alastrar.alavanca.albergue.albino.alcatra.aldeia.alecrim.alegria.alertar.alface.alfinete.algum.alheio.aliar.alicate.alienar.alinhar.aliviar.almofada.alocar.alpiste.alterar.altitude.alucinar.alugar.aluno.alusivo.alvo.amaciar.amador.amarelo.amassar.ambas.ambiente.ameixa.amenizar.amido.amistoso.amizade.amolador.amontoar.a

C:\Users\user\AppData\Local\Temp\_MEI63882\mnemonic\wordlist\russian.txt

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe
File Type:	Unicode text, UTF-8 text
Category:	dropped
Size (bytes):	26538
Entropy (8bit):	3.827508989563015
Encrypted:	false
SSDEEP:	384:ou+5yukI02DpvaXhg8CnLOTsPsyOB7lanqA1p6tut/Mf2:H+5SIjDpvaXhrUSTsPsBBpand7xxMf2
MD5:	8950901A308B43D263E31A377306D987
SHA1:	7792B55B1838FAA8928C2528D304C2044ECD87BF
SHA-256:	07F11AF3F07FD13D8D74859F4448D8BCA8F1D9D336DC4842531ECEA083103A26
SHA-512:	5B747B7345E23F34DAFB35AFD9C2CB66AAD51456A7ACCBD9BF9CA7C285498A74C50647DA4D553AF763505935E1519F61204DB87D998B09583CC2585C91833B6B
Malicious:	false
Preview:	.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI63882\mnemonic\wordlist\spanish.txt

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe
File Type:	Unicode text, UTF-8 text
Category:	dropped
Size (bytes):	13996
Entropy (8bit):	4.187487403267613
Encrypted:	false
SSDEEP:	384:7SvbJ9E182qrUD0py4gnW6ji3Jl3ggHQqy8:s9ET1DsyXnne3xX
MD5:	5171EE312F7709BEC7660BC9AC07351A
SHA1:	B99205D24970E0ADA8E2182A1A68F1EB439C95A1
SHA-256:	46846A5A0139D1E3CB77293E521C2865F7BCDB82C44E8D0A06A2CD0ECBA48C0B
SHA-512:	0E838229265DE6C80505088682D2DC9510147C3AB1713B556B594D09529B493CC3A7E391AD690DDA2052D4E11C56572F8A215A7FFFDB2630B13B4637329F3C31
Malicious:	false
Preview:	a.baco.abdomen.abeja.abierto.abogado.abono.aborto.abrazo.abrir.abuelo.abuso.acabar.academia.acceso.accio.n.aceite.acelga.acento.aceptar.a.cido.aclarar.acne..acoger.acoso.activo.acto.actriz.actuar.acudir.acuerdo.acusar.adicto.admitir.adoptar.adorno.aduana.adulto.ae.reo.afectar.aficio.n.afinar.afirmar.a.gil.agitar.agoni.a.agosto.agotar.agregar.agrio.agua.agudo.a.guila.aguja.ahogo.ahorro.aire.aislar.ajedrez.ajeno.ajuste.alacra.n.alambre.alarma.alba.a.lbum.alcalde.aldea.alegre.alejar.alerta.aleta.alfiler.alga.algodo.n.aliado.aliento.alivio.alma.almeja.almi.bar.altar.alteza.altivo.alto.altura.alumno.alzar.amable.amante.amapola.amargo.amasar.a.mbar.a.mbito.ameno.amigo.amistad.amor.amparo.amplio.ancho.anciano.ancla.andar.ande.n.anemia.a.ngulo.anillo.a.nimo.ani.s.anotar.antena.antiguo.antojo.anual.anular.anuncio.an.adir.an.ejo.an.o.apagar.aparato.apetito.apio.aplicar.apodo.aporte.apoyo.aprender.aprobar.apuesta.apuro.arado.aran.a.arar.a.rbitro.a.rbol.arbusto.archivo.arc

C:\Users\user\AppData\Local\Temp\_MEI63882\mnemonic\wordlist\turkish.txt

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe
File Type:	Unicode text, UTF-8 text
Category:	dropped
Size (bytes):	15324
Entropy (8bit):	4.562888468144625
Encrypted:	false
SSDEEP:	384:RyHE73AnXs3FzmzZIPXJBmqM0yHvnWMGRUIHF3N09GU:RWE7QnX6PPX7M0yPnvGHl3N0GU
MD5:	BA9ADCC5210C101DF4B26871504F253D
SHA1:	C0AEDCD8297FB58456C0A60854E04B547DFC9576
SHA-256:	A7DC9C77913726106C7B8BAA022B7E17601D118ACF40AA60AB1FBC9C91B383AC
SHA-512:	D16BADD39006E06FC5AD03AA7AA622ED19A19271E300061183BFA7A2F913919E8A0C831BC74FA3E6DEE1EC35AF01AC904D2617EC3EF7DFA3FADE6EBEF788E218
Malicious:	false
Preview:	abajur.abak.s.abart..abdal.abdest.abiye.abluka.abone.absorbe.abs.rt.acayip.acele.acemi.a..kg.z.adalet.adam.adezyon.adisyon.adliye.adres.afacan.afili.afi..afiyet.aforizm.afra.a.a..a..r.ahbap.ahkam.ahlak.ahtapot.aidat.aile.ajan.akademi.akarsu.akba..akci.er.akdeniz.ak.bet.ak.l.ak.nt..akide.akrep.akrobasi.aksiyon.ak.am.aktif.akt.r.aktris.akustik.alaca.alb.m.al.ak.aldanma.aleni.alet.alfabe.alg.lama.al.ngan.alk...alkol.alpay.alperen.alt.n.alt.st.altyap..alyuvar.amade.amat.r.amazon.ambalaj.amblem.ambulans.amca.amel.amigo.amir.amiyane.amorti.ampul.anadolu.anahtar.anakonda.anaokul.anapara.anar.i.anatomi.anayasa.anekdot.anestezi.angaje.anka.anket.anlaml..anne.anomali.anonim.anten.antla.ma.apse.araba.arac..araf.arbede.arda.arefe.arena.argo.arg.man.arkada..armoni.aroma.arsa.ars.z.art..artist.aruz.asans.r.asayi..asfalt.asgari.asil.asker.ask..aslan.asosyal.astsubay.asya.a....a..r..a.ure.atabey.ataman.ate..atmaca.atmosfer.atom.at.lye.avc..avdet.avize.

C:\Users\user\AppData\Local\Temp\_MEI63882\psutil\_psutil_windows.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	67072
Entropy (8bit):	5.909510426434191
Encrypted:	false
SSDEEP:	1536:aJsHmR02IvVxv7WCyKm7c5Th4MBHTOvyyaZE:apIvryCyKx5Th4M5OvyyO
MD5:	3E579844160DE8322D574501A0F91516
SHA1:	C8DE193854F7FC94F103BD4AC726246981264508
SHA-256:	95F01CE7E37F6B4B281DBC76E9B88F28A03CB02D41383CC986803275A1CD6333
SHA-512:	EE2A026E8E70351D395329C78A07ACB1B9440261D2557F639E817A8149BA625173EF196AED3D1C986577D78DC1A7EC9FED759C19346C51511474FE6D235B1817
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......nT..5..5..5..#M2. 5..x@..(5..x@..&5..x@.."5..x@...5...k..(5..aM..;5..5...5...@..:5...@..+5...@^.+5...@..+5..Rich*5..................PE..d.....qf.........." .........h......\........................................@............`.........................................0...`.......@.... .......................0..(.......................................8............................................text...h........................... ..`.rdata..\I.......J..................@..@.data...x...........................@....pdata..............................@..@.rsrc........ ......................@..@.reloc..(....0......................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI63882\python3.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	67352
Entropy (8bit):	6.146958413069333
Encrypted:	false
SSDEEP:	768:Hw/EsYpkVgBaz57kcDA7QKFmpz7cnzH/ks/KF61xubwmB1Cf//yhC74JFmpktJSG:Q/5k8cnzeJlJIyL0T7Sydix3
MD5:	FF319D24153238249ADEA18D8A3E54A7
SHA1:	0474FAA64826A48821B7A82AD256525AA9C5315E
SHA-256:	A462A21B5F0C05F0F7EC030C4FDE032A13B34A8576D661A8E66F9AD23767E991
SHA-512:	0E63FE4D5568CD2C54304183A29C7469F769816F517CD2D5B197049AA966C310CC13A7790560EF2EDC36B9B6D99FF586698886F906E19645FAEB89B0E65ADFDD
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........T...5e..5e..5e..m..5e..e..5e.....5e..g..5e.Rich.5e.........PE..d....'ne.........." ...%............................................................r.....`.........................................`...P................................/..............T............................................................................rdata..............................@..@.rsrc...............................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI63882\python311.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	5785880
Entropy (8bit):	6.090091140780886
Encrypted:	false
SSDEEP:	98304:0asy3088wAPo8yN4yl57G+160THIM1uFvvBnTfDyY:hsy3088wAPo8pyl57G81GrOY
MD5:	86E0AD6BA8A9052D1729DB2C015DAF1C
SHA1:	48112072903FFF2EC5726CCA19CC09E42D6384C7
SHA-256:	5ECDA62F6FD2822355C560412F6D90BE46A7F763F0FFEEC9854177904632AC2D
SHA-512:	5D6E32F9FF90A9A584183DAD1583AEA2327B4AEA32184B0EBBEC3DF41B0B833E6BB3CD40822DD64D1033125F52255812B17E4FA0ADD38FCDA6BAB1724DFAA2EB
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........b..\|...\|...\|.......\|.......\|.......\|.......\|.......\|.......\|......\|...\|..}.......\|.......\|.......\|.......\|..Rich.\|..........................PE..d....'ne.........." ...%..%..L7......u.......................................0]......X...`...........................................@.......A.......[.......W..2....X../....[.tD.....T.............................*.@.............%..............................text....%.......%................. ..`.rdata........%.......%.............@..@.data... #....A..T....A.............@....pdata...2....W..4....R.............@..@PyRuntim.....@Y......>T.............@....rsrc.........[.......V.............@..@.reloc..tD....[..F....V.............@..B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI63882\select.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	30488
Entropy (8bit):	6.584716253229207
Encrypted:	false
SSDEEP:	384:aEeecReGLnUC0HqGn57AvB0NJIyQGdHQIYiSy1pCQUNIeAM+o/8E9VF0NylE3X:SeUeW4HqIG+JIyQGB5YiSyv2AMxkEg3X
MD5:	0B55F18218F4C8F30105DB9F179AFB2C
SHA1:	F1914831CF0A1AF678970824F1C4438CC05F5587
SHA-256:	E7FE45BAEF9CEE192C65FCFCE1790CCB6F3F9B81E86DF82C08F838E86275AF02
SHA-512:	428EE25E99F882AF5AD0DEDF1CCDBEB1B4022AC286AF23B209947A910BF02AE18A761F3152990C84397649702D8208FED269AA3E3A3C65770E21EE1EEC064CC1
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......V..t.s.'.s.'.s.'..7'.s.'...&.s.'...&.s.'...&.s.'...&.s.'(.&.s.'.s.'Ps.'Y..&.s.'(.&.s.'(.&.s.'(.['.s.'(.&.s.'Rich.s.'........PE..d....'ne.........." ...%.....2.......................................................-....`..........................................@..L...,A..x....p.......`.......H.../......L....3..T............................2..@............0...............................text............................... ..`.rdata.......0......................@..@.data........P.......6..............@....pdata.......`.......8..............@..@.rsrc........p.......<..............@..@.reloc..L............F..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI63882\unicodedata.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1141016
Entropy (8bit):	5.435101785627634
Encrypted:	false
SSDEEP:	12288:3YPYbfjwR6nbkonRiPDjRrO5184EPYPx++ZiLKGZ5KXyVH4eDqLo:3aYbMR0IDJcjEwPgPOG6Xyd46qLo
MD5:	D4323AC0BAAB59AED34C761F056D50A9
SHA1:	843687689D21EDE9818C6FC5F3772BCF914F8A6E
SHA-256:	71D27537EB1E6DE76FD145DA4FDCBC379DC54DE7854C99B2E61AAE00109C13D0
SHA-512:	E31D071CE920B3E83C89505DFA22B2D0F09D43C408FCADBC910F021481C4A53C47919FCE0215AE61F00956DCB7171449EABDA8EEF63A6FDD47AA13C7158577BE
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........L..L..L..E.q.J..Y..N..Y..A..Y..D..Y..O..vE.O.....N..L.....vE.M..vE.M..vE..M..vE..M..RichL..........................PE..d....'ne.........." ...%.@..........P*....................................................`.............................................X............`.......P..0....:.../...p.......]..T............................[..@............P..x............................text....>.......@.................. ..`.rdata.......P.......D..............@..@.data...H....0......................@....pdata..0....P.......&..............@..@.rsrc........`......................@..@.reloc.......p.......8..............@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\uyfkrbdwixpr.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\_MEI50042\Blsvr.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	5536256
Entropy (8bit):	6.689058470432344
Encrypted:	false
SSDEEP:	98304:VJuCqT8q5Jt3eM2UIDLeIY3I7LMHrPZF6OhgIDxDjP5ysRAwRCVYFufw6:zulp5JtBF6Oh3DxxysRFkRw6
MD5:	8FA2F1BA9B9A7EA2B3C4DD627C627CEC
SHA1:	358E3800286E5D4C5662366AD7311BC5A51BA497
SHA-256:	78A452A6E1A3951DC367F57ACE90711202C824B68835C5DB86814F5B41486947
SHA-512:	74EDD438B806E086A3FACBE8FB98E235068C0D3F8572C6A3A937649CA0E9A6BCB9F0B42E5562E1CBE3576B011AB83730FC622B1496CC448DD3C296284671E775
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: C:\Users\user\AppData\Local\Temp\uyfkrbdwixpr.tmp, Author: Joe Security Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: C:\Users\user\AppData\Local\Temp\uyfkrbdwixpr.tmp, Author: unknown Rule: MAL_XMR_Miner_May19_1, Description: Detects Monero Crypto Coin Miner, Source: C:\Users\user\AppData\Local\Temp\uyfkrbdwixpr.tmp, Author: Florian Roth Rule: MALWARE_Win_CoinMiner02, Description: Detects coinmining malware, Source: C:\Users\user\AppData\Local\Temp\uyfkrbdwixpr.tmp, Author: ditekSHen
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$................................................................i..............C..Q....i.....i.....i........}....i.....Rich...........PE..d.....(d..........".......9...D.......6........@..............................~...........`.................................................\|.P......P~.......{..............`~......AM......................BM.(... AM.8.............9..............................text...^.9.......9................. ..`.rdata........9.......9.............@..@.data.....+...P.......P.............@....pdata........{.......Q.............@..@_RANDOMXV.....}.......S.............@..`_TEXT_CN.&....}..(....S.............@..`_TEXT_CN..... ~.......S.............@..`_RDATA.......@~.......S.............@..@.rsrc........P~.......S.............@..@.reloc.......`~.......S.............@..B........................................

C:\Users\user\AppData\Roaming\Google\Libs\WR64.sys

Download File

Process:	C:\Users\user\AppData\Local\Temp\_MEI50042\Blsvr.exe
File Type:	PE32+ executable (native) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14544
Entropy (8bit):	6.2660301556221185
Encrypted:	false
SSDEEP:	192:nqjKhp+GQvzj3i+5T9oGYJh1wAoxhSF6OOoe068jSJUbueq1H2PIP0:qjKL+v/y+5TWGYOf2OJ06dUb+pQ
MD5:	0C0195C48B6B8582FA6F6373032118DA
SHA1:	D25340AE8E92A6D29F599FEF426A2BC1B5217299
SHA-256:	11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5
SHA-512:	AB28E99659F219FEC553155A0810DE90F0C5B07DC9B66BDA86D7686499FB0EC5FDDEB7CD7A3C5B77DCCB5E865F2715C2D81F4D40DF4431C92AC7860C7E01720D
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5:n.q[..q[..q[..q[..}[..V.{.t[..V.}.p[..V.m.r[..V.q.p[..V.\|.p[..V.x.p[..Richq[..................PE..d....&.H.........."..................P.......................................p..............................................................dP..<....`.......@..`...................p ............................................... ..p............................text............................... ..h.rdata..\|.... ......................@..H.data........0......................@....pdata..`....@......................@..HINIT...."....P...................... ....rsrc........`......................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe

Download File

Process:	C:\Users\user\Desktop\Q3pEXxmWAD.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12945034
Entropy (8bit):	7.987991966548952
Encrypted:	false
SSDEEP:	393216:szuRUAwf7vLF4NkW+eGQR6n/ikWMWfogBIv:szuRIx1W+e5R4qPDXe
MD5:	F468AE483026819D6977E2A5E34EA52A
SHA1:	BDCD08269C84863EACE14DC54D64C6F0AF41F332
SHA-256:	578778FA4D79588A14D0830D4E52DC55AEAD1CA8BF99C9672CBDAF6C7B58EB5C
SHA-512:	EA2056F8D41CE4DB455F9CACC7AC91919A8B35BB351BAFC08F5DF9F076B45369917DC06DFC944A83DC3AA99F535A680644F5EA97CFC4EB8DBBCCCE83D24590BD
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........Xhc.Xhc.Xhc...`._hc...f..hc...g.Rhc...[hc..`.Qhc..g.Ihc..f.phc...b.Shc.Xhb..hc.K.g.Ahc.K.a.Yhc.RichXhc.........PE..d....7.f.........."....(.......................@..........................................`.................................................l...x........+...`..."..............h.......................................@...............P............................text............................... ..`.rdata..B&.......(..................@..@.data....s..........................@....pdata..."...`...$..................@..@.rsrc....+.......,..................@..@.reloc..h...........................@..B........................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	7.987991966548952
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Q3pEXxmWAD.exe
File size:	12'945'034 bytes
MD5:	f468ae483026819d6977e2a5e34ea52a
SHA1:	bdcd08269c84863eace14dc54d64c6f0af41f332
SHA256:	578778fa4d79588a14d0830d4e52dc55aead1ca8bf99c9672cbdaf6c7b58eb5c
SHA512:	ea2056f8d41ce4db455f9cacc7ac91919a8b35bb351bafc08f5df9f076b45369917dc06dfc944a83dc3aa99f535a680644f5ea97cfc4eb8dbbccce83d24590bd
SSDEEP:	393216:szuRUAwf7vLF4NkW+eGQR6n/ikWMWfogBIv:szuRIx1W+e5R4qPDXe
TLSH:	28D6338693E49DF2FCBA523C96854069E2B1742003F4C98F9BBD81A61F533E15E3FA51
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........Xhc.Xhc.Xhc...`._hc...f..hc...g.Rhc.....[hc...`.Qhc...g.Ihc...f.phc...b.Shc.Xhb..hc.K.g.Ahc.K.a.Yhc.RichXhc.........PE..d..

File Icon


Icon Hash:	0e9313214080a157

Static PE Info

General

Entrypoint:	0x14000c0d0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x66A037E4 [Tue Jul 23 23:08:20 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	456e8615ad4320c9f54e50319a19df9c

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007F251C95CE4Ch
dec eax
add esp, 28h
jmp 00007F251C95CA6Fh
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
dec eax
sub esp, 28h
call 00007F251C95D218h
test eax, eax
je 00007F251C95CC13h
dec eax
mov eax, dword ptr [00000030h]
dec eax
mov ecx, dword ptr [eax+08h]
jmp 00007F251C95CBF7h
dec eax
cmp ecx, eax
je 00007F251C95CC06h
xor eax, eax
dec eax
cmpxchg dword ptr [0003843Ch], ecx
jne 00007F251C95CBE0h
xor al, al
dec eax
add esp, 28h
ret
mov al, 01h
jmp 00007F251C95CBE9h
int3
int3
int3
dec eax
sub esp, 28h
test ecx, ecx
jne 00007F251C95CBF9h
mov byte ptr [00038425h], 00000001h
call 00007F251C95C345h
call 00007F251C95D630h
test al, al
jne 00007F251C95CBF6h
xor al, al
jmp 00007F251C95CC06h
call 00007F251C96A13Fh
test al, al
jne 00007F251C95CBFBh
xor ecx, ecx
call 00007F251C95D640h
jmp 00007F251C95CBDCh
mov al, 01h
dec eax
add esp, 28h
ret
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
cmp byte ptr [000383ECh], 00000000h
mov ebx, ecx
jne 00007F251C95CC59h
cmp ecx, 01h
jnbe 00007F251C95CC5Ch
call 00007F251C95D18Eh
test eax, eax
je 00007F251C95CC1Ah
test ebx, ebx
jne 00007F251C95CC16h
dec eax
lea ecx, dword ptr [000383D6h]
call 00007F251C969F32h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3c76c	0x78	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x49000	0x2bb4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x46000	0x2208	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x4c000	0x768	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x39dc0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x39c80	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2b000	0x450	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x29210	0x29400	aca64598002ecff9eefbc96554edf015	False	0.5511067708333334	data	6.4784482217419175	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x2b000	0x12642	0x12800	48bdefaa3a3979f85de906447e67a69f	False	0.5245460304054054	data	5.750853782659358	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3e000	0x73d8	0xe00	d0a288978c66419b180b35f625b6dce7	False	0.13532366071428573	data	1.8378139998458343	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x46000	0x2208	0x2400	74cf3ea22e0a1756984435d6f80f7da5	False	0.4671223958333333	data	5.259201915045256	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x49000	0x2bb4	0x2c00	e29fd86a5b73bf6fb312f4fd0e85b0b6	False	0.13893821022727273	data	2.837433433937152	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x4c000	0x768	0x800	71de9271648326ec88350e903470cf3e	False	0.5576171875	data	5.283119454571673	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x490e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	0.08143153526970955
RT_GROUP_ICON	0x4b690	0x14	data	1.15
RT_MANIFEST	0x4b6a4	0x50d	XML 1.0 document, ASCII text	0.4694508894044857

Imports

DLL	Import
USER32.dll	CreateWindowExW, PostMessageW, GetMessageW, MessageBoxW, MessageBoxA, SystemParametersInfoW, DestroyIcon, SetWindowLongPtrW, GetWindowLongPtrW, GetClientRect, InvalidateRect, ReleaseDC, GetDC, DrawTextW, GetDialogBaseUnits, EndDialog, DialogBoxIndirectParamW, MoveWindow, SendMessageW
COMCTL32.dll
KERNEL32.dll	GetACP, IsValidCodePage, GetStringTypeW, GetFileAttributesExW, SetEnvironmentVariableW, FlushFileBuffers, GetCurrentDirectoryW, GetOEMCP, GetCPInfo, GetModuleHandleW, MulDiv, GetLastError, FormatMessageW, GetModuleFileNameW, SetDllDirectoryW, CreateSymbolicLinkW, GetProcAddress, CreateDirectoryW, GetCommandLineW, GetEnvironmentVariableW, ExpandEnvironmentStringsW, GetEnvironmentStringsW, FindClose, FindFirstFileW, FindNextFileW, GetDriveTypeW, RemoveDirectoryW, GetTempPathW, CloseHandle, WaitForSingleObject, Sleep, GetCurrentProcess, GetExitCodeProcess, CreateProcessW, GetStartupInfoW, FreeLibrary, LoadLibraryExW, LocalFree, SetConsoleCtrlHandler, K32EnumProcessModules, K32GetModuleFileNameExW, CreateFileW, FindFirstFileExW, GetFinalPathNameByHandleW, MultiByteToWideChar, WideCharToMultiByte, FreeEnvironmentStringsW, GetProcessHeap, GetTimeZoneInformation, HeapSize, HeapReAlloc, WriteConsoleW, SetEndOfFile, DeleteFileW, IsProcessorFeaturePresent, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, RtlUnwindEx, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, RaiseException, RtlPcToFileHeader, GetCommandLineA, GetFileInformationByHandle, GetFileType, PeekNamedPipe, SystemTimeToTzSpecificLocalTime, FileTimeToSystemTime, ReadFile, GetFullPathNameW, SetStdHandle, GetStdHandle, WriteFile, ExitProcess, GetModuleHandleExW, HeapFree, GetConsoleMode, ReadConsoleW, SetFilePointerEx, GetConsoleOutputCP, GetFileSizeEx, HeapAlloc, FlsAlloc, FlsGetValue, FlsSetValue, FlsFree, CompareStringW, LCMapStringW
ADVAPI32.dll	OpenProcessToken, GetTokenInformation, ConvertStringSecurityDescriptorToSecurityDescriptorW, ConvertSidToStringSidW
GDI32.dll	SelectObject, DeleteObject, CreateFontIndirectW

Network Behavior

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Source Port	Dest Port	Source IP	Dest IP
2024-07-24T10:58:06.272680+0200	UDP	2047928	ET MALWARE CoinMiner Domain in DNS Lookup (pool .supportxmr .com)	55678	53	192.168.2.5	1.1.1.1
2024-07-24T10:57:57.586154+0200	TCP	2826930	ETPRO COINMINER XMR CoinMiner Usage	49705	3333	192.168.2.5	141.94.96.195

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 24, 2024 10:58:06.284548998 CEST	49705	3333	192.168.2.5	141.94.96.195
Jul 24, 2024 10:58:06.289634943 CEST	3333	49705	141.94.96.195	192.168.2.5
Jul 24, 2024 10:58:06.289731026 CEST	49705	3333	192.168.2.5	141.94.96.195
Jul 24, 2024 10:58:06.289949894 CEST	49705	3333	192.168.2.5	141.94.96.195
Jul 24, 2024 10:58:06.294751883 CEST	3333	49705	141.94.96.195	192.168.2.5
Jul 24, 2024 10:58:06.921200037 CEST	3333	49705	141.94.96.195	192.168.2.5
Jul 24, 2024 10:58:06.976597071 CEST	49705	3333	192.168.2.5	141.94.96.195
Jul 24, 2024 10:58:12.683777094 CEST	3333	49705	141.94.96.195	192.168.2.5
Jul 24, 2024 10:58:12.684612036 CEST	3333	49705	141.94.96.195	192.168.2.5
Jul 24, 2024 10:58:12.684792042 CEST	49705	3333	192.168.2.5	141.94.96.195
Jul 24, 2024 10:58:19.532948971 CEST	3333	49705	141.94.96.195	192.168.2.5
Jul 24, 2024 10:58:19.756608963 CEST	3333	49705	141.94.96.195	192.168.2.5
Jul 24, 2024 10:58:19.756670952 CEST	49705	3333	192.168.2.5	141.94.96.195
Jul 24, 2024 10:58:26.747989893 CEST	3333	49705	141.94.96.195	192.168.2.5
Jul 24, 2024 10:58:26.945508957 CEST	49705	3333	192.168.2.5	141.94.96.195
Jul 24, 2024 10:58:29.724639893 CEST	3333	49705	141.94.96.195	192.168.2.5
Jul 24, 2024 10:58:29.961143970 CEST	49705	3333	192.168.2.5	141.94.96.195
Jul 24, 2024 10:58:39.981369972 CEST	3333	49705	141.94.96.195	192.168.2.5
Jul 24, 2024 10:58:40.054764986 CEST	49705	3333	192.168.2.5	141.94.96.195
Jul 24, 2024 10:58:50.242831945 CEST	3333	49705	141.94.96.195	192.168.2.5
Jul 24, 2024 10:58:50.461102962 CEST	49705	3333	192.168.2.5	141.94.96.195
Jul 24, 2024 10:59:00.500911951 CEST	3333	49705	141.94.96.195	192.168.2.5
Jul 24, 2024 10:59:00.648510933 CEST	49705	3333	192.168.2.5	141.94.96.195
Jul 24, 2024 10:59:10.619055986 CEST	3333	49705	141.94.96.195	192.168.2.5
Jul 24, 2024 10:59:10.757894993 CEST	49705	3333	192.168.2.5	141.94.96.195
Jul 24, 2024 10:59:20.661617041 CEST	3333	49705	141.94.96.195	192.168.2.5
Jul 24, 2024 10:59:20.757911921 CEST	49705	3333	192.168.2.5	141.94.96.195
Jul 24, 2024 10:59:26.805582047 CEST	3333	49705	141.94.96.195	192.168.2.5
Jul 24, 2024 10:59:26.961030006 CEST	49705	3333	192.168.2.5	141.94.96.195
Jul 24, 2024 10:59:35.373286009 CEST	3333	49705	141.94.96.195	192.168.2.5
Jul 24, 2024 10:59:35.422254086 CEST	49705	3333	192.168.2.5	141.94.96.195
Jul 24, 2024 10:59:45.626724005 CEST	3333	49705	141.94.96.195	192.168.2.5
Jul 24, 2024 10:59:45.758022070 CEST	49705	3333	192.168.2.5	141.94.96.195
Jul 24, 2024 10:59:55.627650976 CEST	3333	49705	141.94.96.195	192.168.2.5
Jul 24, 2024 10:59:55.757946014 CEST	49705	3333	192.168.2.5	141.94.96.195
Jul 24, 2024 11:00:03.001919985 CEST	3333	49705	141.94.96.195	192.168.2.5
Jul 24, 2024 11:00:03.148566961 CEST	49705	3333	192.168.2.5	141.94.96.195
Jul 24, 2024 11:00:08.053011894 CEST	3333	49705	141.94.96.195	192.168.2.5
Jul 24, 2024 11:00:08.101684093 CEST	49705	3333	192.168.2.5	141.94.96.195

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 24, 2024 10:58:06.272680044 CEST	55678	53	192.168.2.5	1.1.1.1
Jul 24, 2024 10:58:06.280405998 CEST	53	55678	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 24, 2024 10:58:06.272680044 CEST	192.168.2.5	1.1.1.1	0x64ee	Standard query (0)	pool.supportxmr.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jul 24, 2024 10:58:06.280405998 CEST	1.1.1.1	192.168.2.5	0x64ee	No error (0)	pool.supportxmr.com	pool-fr.supportxmr.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 24, 2024 10:58:06.280405998 CEST	1.1.1.1	192.168.2.5	0x64ee	No error (0)	pool-fr.supportxmr.com		141.94.96.195	A (IP address)	IN (0x0001)	false
Jul 24, 2024 10:58:06.280405998 CEST	1.1.1.1	192.168.2.5	0x64ee	No error (0)	pool-fr.supportxmr.com		141.94.96.144	A (IP address)	IN (0x0001)	false
Jul 24, 2024 10:58:06.280405998 CEST	1.1.1.1	192.168.2.5	0x64ee	No error (0)	pool-fr.supportxmr.com		141.94.96.71	A (IP address)	IN (0x0001)	false
Jul 24, 2024 10:58:18.401381969 CEST	1.1.1.1	192.168.2.5	0x9553	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Jul 24, 2024 10:58:18.401381969 CEST	1.1.1.1	192.168.2.5	0x9553	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	04:57:58
Start date:	24/07/2024
Path:	C:\Users\user\Desktop\Q3pEXxmWAD.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\Q3pEXxmWAD.exe"
Imagebase:	0x7ff615a20000
File size:	12'945'034 bytes
MD5 hash:	F468AE483026819D6977E2A5E34EA52A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	04:58:00
Start date:	24/07/2024
Path:	C:\Users\user\Desktop\Q3pEXxmWAD.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\Q3pEXxmWAD.exe"
Imagebase:	0x7ff615a20000
File size:	12'945'034 bytes
MD5 hash:	F468AE483026819D6977E2A5E34EA52A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	04:58:03
Start date:	24/07/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c C:\Users\user\AppData\Local\Temp\_MEI50042\Blsvr.exe
Imagebase:	0x7ff627cb0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	04:58:03
Start date:	24/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	04:58:03
Start date:	24/07/2024
Path:	C:\Users\user\AppData\Local\Temp\_MEI50042\Blsvr.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\Temp\_MEI50042\Blsvr.exe
Imagebase:	0x7ff758a60000
File size:	5'701'632 bytes
MD5 hash:	4781C53D9BB1CB237B653C687028203D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000005.00000002.2072346669.00007FF758A7B000.00000004.00000001.01000000.00000016.sdmp, Author: Joe Security Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 00000005.00000002.2072346669.00007FF758A7B000.00000004.00000001.01000000.00000016.sdmp, Author: unknown
Antivirus matches:	Detection: 79%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	04:58:04
Start date:	24/07/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
Imagebase:	0x7ff627cb0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	04:58:04
Start date:	24/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	04:58:04
Start date:	24/07/2024
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	sc stop UsoSvc
Imagebase:	0x7ff7cd0f0000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	04:58:04
Start date:	24/07/2024
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	sc stop WaaSMedicSvc
Imagebase:	0x7ff7cd0f0000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	04:58:04
Start date:	24/07/2024
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	sc stop wuauserv
Imagebase:	0x7ff7cd0f0000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	04:58:04
Start date:	24/07/2024
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	sc stop bits
Imagebase:	0x7ff7cd0f0000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	04:58:04
Start date:	24/07/2024
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	sc stop dosvc
Imagebase:	0x7ff7cd0f0000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	04:58:04
Start date:	24/07/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
Imagebase:	0x7ff6d64d0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	04:58:04
Start date:	24/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	04:58:04
Start date:	24/07/2024
Path:	C:\Windows\System32\powercfg.exe
Wow64 process (32bit):	false
Commandline:	powercfg /x -hibernate-timeout-ac 0
Imagebase:	0x7ff65ad60000
File size:	96'256 bytes
MD5 hash:	9CA38BE255FFF57A92BD6FBF8052B705
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	04:58:04
Start date:	24/07/2024
Path:	C:\Windows\System32\powercfg.exe
Wow64 process (32bit):	false
Commandline:	powercfg /x -hibernate-timeout-dc 0
Imagebase:	0x7ff65ad60000
File size:	96'256 bytes
MD5 hash:	9CA38BE255FFF57A92BD6FBF8052B705
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	04:58:04
Start date:	24/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\conhost.exe
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000011.00000002.3255036623.000001F6A91A6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000011.00000002.3255036623.000001F6A91C1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	18
Start time:	04:58:04
Start date:	24/07/2024
Path:	C:\Windows\System32\powercfg.exe
Wow64 process (32bit):	false
Commandline:	powercfg /x -standby-timeout-ac 0
Imagebase:	0x7ff65ad60000
File size:	96'256 bytes
MD5 hash:	9CA38BE255FFF57A92BD6FBF8052B705
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	04:58:05
Start date:	24/07/2024
Path:	C:\Windows\System32\powercfg.exe
Wow64 process (32bit):	false
Commandline:	powercfg /x -standby-timeout-dc 0
Imagebase:	0x7ff65ad60000
File size:	96'256 bytes
MD5 hash:	9CA38BE255FFF57A92BD6FBF8052B705
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	04:58:13
Start date:	24/07/2024
Path:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe"
Imagebase:	0x7ff66d430000
File size:	12'945'034 bytes
MD5 hash:	F468AE483026819D6977E2A5E34EA52A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	21
Start time:	04:58:15
Start date:	24/07/2024
Path:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3pEXxmWAD.exe"
Imagebase:	0x7ff66d430000
File size:	12'945'034 bytes
MD5 hash:	F468AE483026819D6977E2A5E34EA52A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	23
Start time:	04:58:19
Start date:	24/07/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c C:\Users\user\AppData\Local\Temp\_MEI63882\Blsvr.exe
Imagebase:	0x7ff627cb0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	04:58:19
Start date:	24/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	04:58:19
Start date:	24/07/2024
Path:	C:\Users\user\AppData\Local\Temp\_MEI63882\Blsvr.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\Temp\_MEI63882\Blsvr.exe
Imagebase:	0x7ff667860000
File size:	5'701'632 bytes
MD5 hash:	4781C53D9BB1CB237B653C687028203D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000019.00000002.2223523433.00007FF66787B000.00000004.00000001.01000000.0000002C.sdmp, Author: Joe Security Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 00000019.00000002.2223523433.00007FF66787B000.00000004.00000001.01000000.0000002C.sdmp, Author: unknown
Antivirus matches:	Detection: 79%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	04:58:19
Start date:	24/07/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
Imagebase:	0x7ff627cb0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	04:58:19
Start date:	24/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	04:58:19
Start date:	24/07/2024
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	sc stop UsoSvc
Imagebase:	0x7ff7cd0f0000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	04:58:19
Start date:	24/07/2024
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	sc stop WaaSMedicSvc
Imagebase:	0x7ff7cd0f0000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	04:58:19
Start date:	24/07/2024
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	sc stop wuauserv
Imagebase:	0x7ff7cd0f0000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	04:58:19
Start date:	24/07/2024
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	sc stop bits
Imagebase:	0x7ff7cd0f0000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	04:58:19
Start date:	24/07/2024
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	sc stop dosvc
Imagebase:	0x7ff7cd0f0000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	04:58:20
Start date:	24/07/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
Imagebase:	0x7ff627cb0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	04:58:20
Start date:	24/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	04:58:20
Start date:	24/07/2024
Path:	C:\Windows\System32\powercfg.exe
Wow64 process (32bit):	false
Commandline:	powercfg /x -hibernate-timeout-ac 0
Imagebase:	0x7ff65ad60000
File size:	96'256 bytes
MD5 hash:	9CA38BE255FFF57A92BD6FBF8052B705
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	04:58:20
Start date:	24/07/2024
Path:	C:\Windows\System32\powercfg.exe
Wow64 process (32bit):	false
Commandline:	powercfg /x -hibernate-timeout-dc 0
Imagebase:	0x7ff65ad60000
File size:	96'256 bytes
MD5 hash:	9CA38BE255FFF57A92BD6FBF8052B705
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	37
Start time:	04:58:21
Start date:	24/07/2024
Path:	C:\Windows\System32\powercfg.exe
Wow64 process (32bit):	false
Commandline:	powercfg /x -standby-timeout-ac 0
Imagebase:	0x7ff65ad60000
File size:	96'256 bytes
MD5 hash:	9CA38BE255FFF57A92BD6FBF8052B705
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	04:58:21
Start date:	24/07/2024
Path:	C:\Windows\System32\powercfg.exe
Wow64 process (32bit):	false
Commandline:	powercfg /x -standby-timeout-dc 0
Imagebase:	0x7ff65ad60000
File size:	96'256 bytes
MD5 hash:	9CA38BE255FFF57A92BD6FBF8052B705
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	40
Start time:	04:58:45
Start date:	24/07/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
Imagebase:	0x7ff7e52b0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	8.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	19.1%
Total number of Nodes:	2000
Total number of Limit Nodes:	33

Executed Functions

Function 00007FF615A21000 Relevance: 40.6, APIs: 5, Strings: 18, Instructions: 338
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

ERROR: failed to remove temporary directory: %s, xrefs: 00007FF615A23A12
MEI, xrefs: 00007FF615A2374E
pyi-runtime-tmpdir, xrefs: 00007FF615A235D3
Failed to start splash screen!, xrefs: 00007FF615A23933
Failed to initialize security descriptor for temporary directory!, xrefs: 00007FF615A23820
Failed to load Tcl/Tk shared libraries for splash screen!, xrefs: 00007FF615A2391A
Failed to unpack splash screen dependencies from PKG archive!, xrefs: 00007FF615A23905
Could not load PyInstaller's embedded PKG archive from the executable (%s), xrefs: 00007FF615A2378C
Could not create temporary directory!, xrefs: 00007FF615A23838
pyi-disable-windowed-traceback, xrefs: 00007FF615A2361D
_MEIPASS2, xrefs: 00007FF615A236A2, 00007FF615A236AE, 00007FF615A239AC
Path exceeds PYI_PATH_MAX limit., xrefs: 00007FF615A236FC
pkg, xrefs: 00007FF615A237CF
Failed to convert DLL search path!, xrefs: 00007FF615A238A3
PYINSTALLER_STRICT_UNPACK_MODE, xrefs: 00007FF615A23653
pyi-contents-directory, xrefs: 00007FF615A235F8
Could not side-load PyInstaller's PKG archive from external file (%s), xrefs: 00007FF615A237EF
WARNING: failed to remove temporary directory: %s, xrefs: 00007FF615A23A31

Memory Dump Source

Source File: 00000000.00000002.3254239096.00007FF615A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF615A20000, based on PE: true

Associated: 00000000.00000002.3254190441.00007FF615A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254354992.00007FF615A4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A64000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254592956.00007FF615A66000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff615a20000_Q3pEXxmWAD.jbxd

Similarity

API ID: FileModuleName
String ID: Could not create temporary directory!$Could not load PyInstaller's embedded PKG archive from the executable (%s)$Could not side-load PyInstaller's PKG archive from external file (%s)$ERROR: failed to remove temporary directory: %s$Failed to convert DLL search path!$Failed to initialize security descriptor for temporary directory!$Failed to load Tcl/Tk shared libraries for splash screen!$Failed to start splash screen!$Failed to unpack splash screen dependencies from PKG archive!$MEI$PYINSTALLER_STRICT_UNPACK_MODE$Path exceeds PYI_PATH_MAX limit.$WARNING: failed to remove temporary directory: %s$_MEIPASS2$pkg$pyi-contents-directory$pyi-disable-windowed-traceback$pyi-runtime-tmpdir
API String ID: 514040917-585287483
Opcode ID: 98a1407e1212bc01630d5b0d8fce5349cac854e442e4d7151f8ecb5b7dc5412d
Instruction ID: 9d1c5aa427aabfb24a793a5885fabce4f7225c3c0af4c8d99338ae2c7c1b221d
Opcode Fuzzy Hash: 98a1407e1212bc01630d5b0d8fce5349cac854e442e4d7151f8ecb5b7dc5412d
Instruction Fuzzy Hash: 56F18221A8CE8291FB18DB72D5562F9A651AF55FA0F844232DA1DC36F6EF2CED54C300

Function 00007FF615A44F10 Relevance: 14.3, APIs: 6, Strings: 2, Instructions: 334
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_get_daylight.LIBCMT ref: 00007FF615A44F55

Part of subcall function 00007FF615A448A8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF615A448BC

Part of subcall function 00007FF615A39C58: RtlRestoreThreadPreferredUILanguages.NTDLL(?,?,?,00007FF615A42032,?,?,?,00007FF615A4206F,?,?,00000000,00007FF615A42535,?,?,?,00007FF615A42467), ref: 00007FF615A39C6E
Part of subcall function 00007FF615A39C58: GetLastError.KERNEL32(?,?,?,00007FF615A42032,?,?,?,00007FF615A4206F,?,?,00000000,00007FF615A42535,?,?,?,00007FF615A42467), ref: 00007FF615A39C78

Part of subcall function 00007FF615A39C10: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FF615A39BEF,?,?,?,?,?,00007FF615A39ADA), ref: 00007FF615A39C19
Part of subcall function 00007FF615A39C10: GetCurrentProcess.KERNEL32(?,?,?,?,00007FF615A39BEF,?,?,?,?,?,00007FF615A39ADA), ref: 00007FF615A39C3E

_get_daylight.LIBCMT ref: 00007FF615A44F44

Part of subcall function 00007FF615A44908: _invalid_parameter_noinfo.LIBCMT ref: 00007FF615A4491C

_get_daylight.LIBCMT ref: 00007FF615A451BA
_get_daylight.LIBCMT ref: 00007FF615A451CB
_get_daylight.LIBCMT ref: 00007FF615A451DC
GetTimeZoneInformation.KERNELBASE(?,?,?,?,?,?,?,?,?,00000000,?,00007FF615A4541C), ref: 00007FF615A45203

Strings

Eastern Standard Time, xrefs: 00007FF615A452A9
Eastern Summer Time, xrefs: 00007FF615A452C1

Memory Dump Source

Source File: 00000000.00000002.3254239096.00007FF615A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF615A20000, based on PE: true

Associated: 00000000.00000002.3254190441.00007FF615A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254354992.00007FF615A4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A64000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254592956.00007FF615A66000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff615a20000_Q3pEXxmWAD.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo$CurrentErrorFeatureInformationLanguagesLastPreferredPresentProcessProcessorRestoreThreadTimeZone
String ID: Eastern Standard Time$Eastern Summer Time
API String ID: 1458651798-239921721
Opcode ID: 0d3b627969e88128c8faa99a2c0e5d438b7f33ec3044a67c5b643e0657b8cf50
Instruction ID: d898e1631a2a89432eea7d3e42ac775ccf009769dcaf6f6c091879ddfa03a7c9
Opcode Fuzzy Hash: 0d3b627969e88128c8faa99a2c0e5d438b7f33ec3044a67c5b643e0657b8cf50
Instruction Fuzzy Hash: 3DD1C426E48A424AE720EF66D4511B9A791FF88FA4F484235EA4DC7AA5DF3CEC41C740

Function 00007FF615A45C74 Relevance: 13.8, APIs: 9, Instructions: 276
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF615A459A8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF615A459E9
Part of subcall function 00007FF615A459A8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF615A45A67
Part of subcall function 00007FF615A459A8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF615A45AB8

CreateFileW.KERNELBASE ref: 00007FF615A45D7A
CreateFileW.KERNEL32 ref: 00007FF615A45DCA
GetLastError.KERNEL32 ref: 00007FF615A45DFA
GetFileType.KERNELBASE ref: 00007FF615A45E0F
GetLastError.KERNEL32 ref: 00007FF615A45E19
CloseHandle.KERNEL32 ref: 00007FF615A45E4C
CloseHandle.KERNEL32 ref: 00007FF615A45FAF
CreateFileW.KERNEL32 ref: 00007FF615A45FE4
GetLastError.KERNEL32 ref: 00007FF615A45FF3

Memory Dump Source

Source File: 00000000.00000002.3254239096.00007FF615A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF615A20000, based on PE: true

Associated: 00000000.00000002.3254190441.00007FF615A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254354992.00007FF615A4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A64000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254592956.00007FF615A66000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff615a20000_Q3pEXxmWAD.jbxd

Similarity

API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type
String ID:
API String ID: 1617910340-0
Opcode ID: a69f399e4b06a5e248c6b703f60b2f721b94672e004abf856287656fc91ee5b6
Instruction ID: 95feed0c779c36a7a1ba4d80d35574e93c85faadfbfbd27e0ce93f4ff7b6b122
Opcode Fuzzy Hash: a69f399e4b06a5e248c6b703f60b2f721b94672e004abf856287656fc91ee5b6
Instruction Fuzzy Hash: D8C1BF36B28E4586EB50CFA8C4816AC7761FB89FA8B055335DE6E977A4CF38D851C300

Function 00007FF615A4518C Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 143
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_get_daylight.LIBCMT ref: 00007FF615A451BA

Part of subcall function 00007FF615A44908: _invalid_parameter_noinfo.LIBCMT ref: 00007FF615A4491C

_get_daylight.LIBCMT ref: 00007FF615A451CB

Part of subcall function 00007FF615A448A8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF615A448BC

_get_daylight.LIBCMT ref: 00007FF615A451DC

Part of subcall function 00007FF615A448D8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF615A448EC

Part of subcall function 00007FF615A39C58: RtlRestoreThreadPreferredUILanguages.NTDLL(?,?,?,00007FF615A42032,?,?,?,00007FF615A4206F,?,?,00000000,00007FF615A42535,?,?,?,00007FF615A42467), ref: 00007FF615A39C6E
Part of subcall function 00007FF615A39C58: GetLastError.KERNEL32(?,?,?,00007FF615A42032,?,?,?,00007FF615A4206F,?,?,00000000,00007FF615A42535,?,?,?,00007FF615A42467), ref: 00007FF615A39C78

GetTimeZoneInformation.KERNELBASE(?,?,?,?,?,?,?,?,?,00000000,?,00007FF615A4541C), ref: 00007FF615A45203

Strings

Eastern Standard Time, xrefs: 00007FF615A452A9
Eastern Summer Time, xrefs: 00007FF615A452C1

Memory Dump Source

Source File: 00000000.00000002.3254239096.00007FF615A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF615A20000, based on PE: true

Associated: 00000000.00000002.3254190441.00007FF615A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254354992.00007FF615A4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A64000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254592956.00007FF615A66000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff615a20000_Q3pEXxmWAD.jbxd

Similarity

API ID: _get_daylight_invalid_parameter_noinfo$ErrorInformationLanguagesLastPreferredRestoreThreadTimeZone
String ID: Eastern Standard Time$Eastern Summer Time
API String ID: 2248164782-239921721
Opcode ID: ae64d4b013316384daf219013b3406c3cfe35626df30cbdeb691f729cbc9c9de
Instruction ID: a094e3e2b588b8ff431da259cdaffdf9467e5c1ebdd541d45befb227f407a37a
Opcode Fuzzy Hash: ae64d4b013316384daf219013b3406c3cfe35626df30cbdeb691f729cbc9c9de
Instruction Fuzzy Hash: C6516332A58E8286E750DF65E4915A9A760FF48FA4F484235DA8DC7AA5DF3CE8408740

Function 00007FF615A285A0 Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNELBASE ref: 00007FF615A285D3
FindClose.KERNELBASE ref: 00007FF615A285E2

Memory Dump Source

Source File: 00000000.00000002.3254239096.00007FF615A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF615A20000, based on PE: true

Associated: 00000000.00000002.3254190441.00007FF615A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254354992.00007FF615A4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A64000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254592956.00007FF615A66000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff615a20000_Q3pEXxmWAD.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: ca66ee6ee850f25a53d0c9653a43f1313d0231bc46844eb151e3c2d0b1a3e355
Instruction ID: c9cafafdc66f99a65d3c69a8019079e40aeb429c65858f50282e42242ab94f87
Opcode Fuzzy Hash: ca66ee6ee850f25a53d0c9653a43f1313d0231bc46844eb151e3c2d0b1a3e355
Instruction Fuzzy Hash: 64F0C822A5CB4686F7608F64B449766B390BF44F38F044335EA6D42AE4CF3CD4588A00

Function 00007FF615A218F0 Relevance: 22.9, APIs: 2, Strings: 11, Instructions: 172
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF615A276A0: _fread_nolock.LIBCMT ref: 00007FF615A2774A

_fread_nolock.LIBCMT ref: 00007FF615A219B4

Part of subcall function 00007FF615A22760: MessageBoxW.USER32 ref: 00007FF615A2283B

Strings

Error on file., xrefs: 00007FF615A21B0A
Could not read full TOC!, xrefs: 00007FF615A21AD4
Could not allocate buffer for TOC!, xrefs: 00007FF615A21AA1
MEI, xrefs: 00007FF615A21931
malloc, xrefs: 00007FF615A21AA8
fseek, xrefs: 00007FF615A21990
Failed to read cookie!, xrefs: 00007FF615A219BF
Could not allocate memory for archive structure!, xrefs: 00007FF615A219EE
fread, xrefs: 00007FF615A219C6, 00007FF615A21ADB
calloc, xrefs: 00007FF615A219F5
Failed to seek to cookie position!, xrefs: 00007FF615A21989

Memory Dump Source

Source File: 00000000.00000002.3254239096.00007FF615A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF615A20000, based on PE: true

Associated: 00000000.00000002.3254190441.00007FF615A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254354992.00007FF615A4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A64000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254592956.00007FF615A66000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff615a20000_Q3pEXxmWAD.jbxd

Similarity

API ID: _fread_nolock$Message
String ID: Could not allocate buffer for TOC!$Could not allocate memory for archive structure!$Could not read full TOC!$Error on file.$Failed to read cookie!$Failed to seek to cookie position!$MEI$calloc$fread$fseek$malloc
API String ID: 677216364-3497178890
Opcode ID: a6f04debec555d8a18033318380368f2fbad5bddebec4760a8997b65da40e7af
Instruction ID: f7a4a0deadb81fe3a89be8279d37a16d76d36532af825da770577c4b51b9e83c
Opcode Fuzzy Hash: a6f04debec555d8a18033318380368f2fbad5bddebec4760a8997b65da40e7af
Instruction Fuzzy Hash: 5971C635A48E8685EB20CB36E4422B9A3A1FF84FA4F444235D98DC7769EF3CED448700

Function 00007FF615A215C0 Relevance: 22.9, APIs: 1, Strings: 12, Instructions: 137
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Failed to extract %s: failed to read data chunk!, xrefs: 00007FF615A21785
Failed to extract %s: failed to open target file!, xrefs: 00007FF615A21617
malloc, xrefs: 00007FF615A216F6
Failed to create symbolic link %s!, xrefs: 00007FF615A215E2
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF615A2168E
fopen, xrefs: 00007FF615A2161E
fseek, xrefs: 00007FF615A21695
fwrite, xrefs: 00007FF615A2177C
Failed to extract %s: failed to allocate temporary buffer!, xrefs: 00007FF615A216EF
Failed to extract %s: failed to write data chunk!, xrefs: 00007FF615A21775
Failed to extract %s: failed to open archive file!, xrefs: 00007FF615A2165B
fread, xrefs: 00007FF615A2178C

Memory Dump Source

Source File: 00000000.00000002.3254239096.00007FF615A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF615A20000, based on PE: true

Associated: 00000000.00000002.3254190441.00007FF615A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254354992.00007FF615A4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A64000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254592956.00007FF615A66000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff615a20000_Q3pEXxmWAD.jbxd

Similarity

API ID: Message
String ID: Failed to create symbolic link %s!$Failed to extract %s: failed to allocate temporary buffer!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to open target file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$Failed to extract %s: failed to write data chunk!$fopen$fread$fseek$fwrite$malloc
API String ID: 2030045667-1550345328
Opcode ID: af8b7429004319750d72b952c51bd94534bb30147a7dbef4d2610a6a95fc15fa
Instruction ID: 8044ba69abeedbc48344e310307dd9983709b5ff3c1d05428fdda127b8b2418c
Opcode Fuzzy Hash: af8b7429004319750d72b952c51bd94534bb30147a7dbef4d2610a6a95fc15fa
Instruction Fuzzy Hash: 82519E65B88E4792EA109B26E9421B9A3A1BF44FB4F444331ED1C877B6EF3CF9558700

Function 00007FF615A27FC0 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 89
processsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF615A286B0: MultiByteToWideChar.KERNEL32(?,?,?,00007FF615A23FA4,00000000,00007FF615A21925), ref: 00007FF615A286E9

SetConsoleCtrlHandler.KERNEL32(?,00007FF615A239C0), ref: 00007FF615A2800A
GetStartupInfoW.KERNEL32(?,00007FF615A239C0), ref: 00007FF615A2802B

Part of subcall function 00007FF615A3978C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF615A397A0

Part of subcall function 00007FF615A37A2C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF615A37A93

GetCommandLineW.KERNEL32(?,00007FF615A239C0), ref: 00007FF615A280CD
CreateProcessW.KERNELBASE ref: 00007FF615A2810F
WaitForSingleObject.KERNEL32(?,00007FF615A239C0), ref: 00007FF615A28123
GetExitCodeProcess.KERNEL32 ref: 00007FF615A28133

Strings

Failed to create child process!, xrefs: 00007FF615A2813F
CreateProcessW, xrefs: 00007FF615A28146

Memory Dump Source

Source File: 00000000.00000002.3254239096.00007FF615A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF615A20000, based on PE: true

Associated: 00000000.00000002.3254190441.00007FF615A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254354992.00007FF615A4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A64000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254592956.00007FF615A66000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff615a20000_Q3pEXxmWAD.jbxd

Similarity

API ID: Process_invalid_parameter_noinfo$ByteCharCodeCommandConsoleCreateCtrlExitHandlerInfoLineMultiObjectSingleStartupWaitWide
String ID: CreateProcessW$Failed to create child process!
API String ID: 2895956056-699529898
Opcode ID: 2d8580ce5d81a01d0f8683f73fef31206a84e7faf833a053d17f215ed92b6c27
Instruction ID: 21e0d8856f46b200aead352495c28527fbee306bae12f0438bdac556f93d849e
Opcode Fuzzy Hash: 2d8580ce5d81a01d0f8683f73fef31206a84e7faf833a053d17f215ed92b6c27
Instruction Fuzzy Hash: 6A415F31A48B8682DA60DB64F4452AAF7A1FF84B74F540335E6AD837E5DF7CD8448B40

Function 00007FF615A211F0 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 154
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Failed to extract %s: failed to allocate temporary output buffer!, xrefs: 00007FF615A212C3
Failed to extract %s: failed to allocate temporary input buffer!, xrefs: 00007FF615A21295
malloc, xrefs: 00007FF615A2129C, 00007FF615A212CA
Failed to extract %s: inflateInit() failed with return code %d!, xrefs: 00007FF615A21256
1.3.1, xrefs: 00007FF615A21229
Failed to extract %s: decompression resulted in return code %d!, xrefs: 00007FF615A213EE

Memory Dump Source

Source File: 00000000.00000002.3254239096.00007FF615A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF615A20000, based on PE: true

Associated: 00000000.00000002.3254190441.00007FF615A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254354992.00007FF615A4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A64000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254592956.00007FF615A66000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff615a20000_Q3pEXxmWAD.jbxd

Similarity

API ID: Message
String ID: 1.3.1$Failed to extract %s: decompression resulted in return code %d!$Failed to extract %s: failed to allocate temporary input buffer!$Failed to extract %s: failed to allocate temporary output buffer!$Failed to extract %s: inflateInit() failed with return code %d!$malloc
API String ID: 2030045667-2813020118
Opcode ID: 037f3093d73a47c1094b0f469115e0436c81e2300c38a90b229c8b60b32e4b09
Instruction ID: a22e92a38c2824d56ef444bfd9ff73625bc3ae78b804c4956e9f44256b7a2129
Opcode Fuzzy Hash: 037f3093d73a47c1094b0f469115e0436c81e2300c38a90b229c8b60b32e4b09
Instruction Fuzzy Hash: B451D462A48E4241EA649B66A4413BAA291BF44FA4F484335EE4DC7BE5EF3CED01C700

Function 00007FF615A27C40 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTempPathW.KERNEL32(?,?,FFFFFFFF,00007FF615A23834), ref: 00007FF615A27CE4
CreateDirectoryW.KERNELBASE(?,?,FFFFFFFF,00007FF615A23834), ref: 00007FF615A27D2C

Part of subcall function 00007FF615A27E10: GetEnvironmentVariableW.KERNEL32(00007FF615A2365F), ref: 00007FF615A27E47
Part of subcall function 00007FF615A27E10: ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF615A27E69

Part of subcall function 00007FF615A37548: _invalid_parameter_noinfo.LIBCMT ref: 00007FF615A37561

Part of subcall function 00007FF615A226C0: MessageBoxW.USER32 ref: 00007FF615A22736

Strings

TMP, xrefs: 00007FF615A27CA2
_MEI%d, xrefs: 00007FF615A27CF2
LOADER: length of teporary directory path exceeds maximum path length!, xrefs: 00007FF615A27D5E
TMP, xrefs: 00007FF615A27C7C, 00007FF615A27D83
LOADER: failed to set the TMP environment variable., xrefs: 00007FF615A27CBC

Memory Dump Source

Source File: 00000000.00000002.3254239096.00007FF615A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF615A20000, based on PE: true

Associated: 00000000.00000002.3254190441.00007FF615A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254354992.00007FF615A4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A64000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254592956.00007FF615A66000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff615a20000_Q3pEXxmWAD.jbxd

Similarity

API ID: Environment$CreateDirectoryExpandMessagePathStringsTempVariable_invalid_parameter_noinfo
String ID: LOADER: failed to set the TMP environment variable.$LOADER: length of teporary directory path exceeds maximum path length!$TMP$TMP$_MEI%d
API String ID: 740614611-1339014028
Opcode ID: e203fb9b2ed022230aea9b70073d79c64569b0fcacf7335b186391ffe1e7d089
Instruction ID: be94050d777a4d4a21f6fd4696003296b52779a66f80746dea986d263dfa14e7
Opcode Fuzzy Hash: e203fb9b2ed022230aea9b70073d79c64569b0fcacf7335b186391ffe1e7d089
Instruction Fuzzy Hash: 1141C211B99E4241EA60EB72A8562F9E691AF45FA4F444331ED0DC77B6EF3CEE048740

Function 00007FF615A3AD6C Relevance: 10.8, APIs: 7, Instructions: 290
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF615A3B199

Memory Dump Source

Source File: 00000000.00000002.3254239096.00007FF615A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF615A20000, based on PE: true

Associated: 00000000.00000002.3254190441.00007FF615A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254354992.00007FF615A4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A64000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254592956.00007FF615A66000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff615a20000_Q3pEXxmWAD.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 7e4b6968f21da67f115f2b5899b729ebe27c21aa0167ab1df282e77588440d71
Instruction ID: 33264224313a5734f1e0c87458eb5b21de11d44e87ae9996d1b21e6b0ff3bd42
Opcode Fuzzy Hash: 7e4b6968f21da67f115f2b5899b729ebe27c21aa0167ab1df282e77588440d71
Instruction Fuzzy Hash: 09C1D122A4CF8A91EAA0DB1594442BDB791EF91FA8F154331DA4E837B1CFBCEC558300

Function 00007FF615A27B50 Relevance: 10.6, APIs: 7, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF615A27B70
OpenProcessToken.ADVAPI32 ref: 00007FF615A27B83
GetTokenInformation.KERNELBASE ref: 00007FF615A27BA8
GetLastError.KERNEL32 ref: 00007FF615A27BB2
GetTokenInformation.KERNELBASE ref: 00007FF615A27BF2
ConvertSidToStringSidW.ADVAPI32 ref: 00007FF615A27C0E
CloseHandle.KERNEL32 ref: 00007FF615A27C26

Memory Dump Source

Source File: 00000000.00000002.3254239096.00007FF615A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF615A20000, based on PE: true

Associated: 00000000.00000002.3254190441.00007FF615A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254354992.00007FF615A4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A64000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254592956.00007FF615A66000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff615a20000_Q3pEXxmWAD.jbxd

Similarity

API ID: Token$InformationProcess$CloseConvertCurrentErrorHandleLastOpenString
String ID:
API String ID: 995526605-0
Opcode ID: 62e4819b0c80cd137060bb94e6a3fe70b8e549ab62dcd95e051829f5e08db428
Instruction ID: 8e419ae138d69277bb370e5adbc97dfa9dfbcf23099c54d02e17684b2e096992
Opcode Fuzzy Hash: 62e4819b0c80cd137060bb94e6a3fe70b8e549ab62dcd95e051829f5e08db428
Instruction Fuzzy Hash: E1212D21A4CE4642EB609BB6E44523AE7A1EF85FB4F140335EA6D83AF4DF6CDD458700

Function 00007FF615A233E0 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 59
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32(?,00007FF615A23534), ref: 00007FF615A23411

Part of subcall function 00007FF615A229E0: GetLastError.KERNEL32(?,?,?,00007FF615A2342E,?,00007FF615A23534), ref: 00007FF615A22A14
Part of subcall function 00007FF615A229E0: FormatMessageW.KERNEL32(?,?,?,00007FF615A2342E), ref: 00007FF615A22A7D
Part of subcall function 00007FF615A229E0: MessageBoxW.USER32 ref: 00007FF615A22ACF

Strings

Failed to obtain executable path., xrefs: 00007FF615A2341B
GetModuleFileNameW, xrefs: 00007FF615A23422
\\?\, xrefs: 00007FF615A23482
Failed to convert executable path to UTF-8., xrefs: 00007FF615A234B8
Failed to resolve full path to executable %ls., xrefs: 00007FF615A23461

Memory Dump Source

Source File: 00000000.00000002.3254239096.00007FF615A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF615A20000, based on PE: true

Associated: 00000000.00000002.3254190441.00007FF615A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254354992.00007FF615A4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A64000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254592956.00007FF615A66000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff615a20000_Q3pEXxmWAD.jbxd

Similarity

API ID: Message$ErrorFileFormatLastModuleName
String ID: Failed to convert executable path to UTF-8.$Failed to obtain executable path.$Failed to resolve full path to executable %ls.$GetModuleFileNameW$\\?\
API String ID: 517058245-2863816727
Opcode ID: 4333ea13b7f7892cb13c7834fe0fbc8b7cb0659b0560af6bfa7ef98de9a8054c
Instruction ID: 434bb14bfbe818b65a19d164a90e83b2f6ab42f9d93d1c9a3e9892e9ca8fe901
Opcode Fuzzy Hash: 4333ea13b7f7892cb13c7834fe0fbc8b7cb0659b0560af6bfa7ef98de9a8054c
Instruction Fuzzy Hash: FF219511B58E4291FA219B36E8163B9E290BF49FA5F804337E65DC65F5EF2CDD048700

Function 00007FF615A28400 Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF615A27B50: GetCurrentProcess.KERNEL32 ref: 00007FF615A27B70
Part of subcall function 00007FF615A27B50: OpenProcessToken.ADVAPI32 ref: 00007FF615A27B83
Part of subcall function 00007FF615A27B50: GetTokenInformation.KERNELBASE ref: 00007FF615A27BA8
Part of subcall function 00007FF615A27B50: GetLastError.KERNEL32 ref: 00007FF615A27BB2
Part of subcall function 00007FF615A27B50: GetTokenInformation.KERNELBASE ref: 00007FF615A27BF2
Part of subcall function 00007FF615A27B50: ConvertSidToStringSidW.ADVAPI32 ref: 00007FF615A27C0E
Part of subcall function 00007FF615A27B50: CloseHandle.KERNEL32 ref: 00007FF615A27C26

LocalFree.KERNEL32(?,00007FF615A23814), ref: 00007FF615A2848C
LocalFree.KERNEL32(?,00007FF615A23814), ref: 00007FF615A28495

Strings

S-1-3-4, xrefs: 00007FF615A28441
D:(A;;FA;;;%s), xrefs: 00007FF615A28477
Security descriptor string length exceeds PYI_PATH_MAX!, xrefs: 00007FF615A284A3
D:(A;;FA;;;%s)(A;;FA;;;%s), xrefs: 00007FF615A28462

Memory Dump Source

Source File: 00000000.00000002.3254239096.00007FF615A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF615A20000, based on PE: true

Associated: 00000000.00000002.3254190441.00007FF615A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254354992.00007FF615A4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A64000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254592956.00007FF615A66000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff615a20000_Q3pEXxmWAD.jbxd

Similarity

API ID: Token$FreeInformationLocalProcess$CloseConvertCurrentErrorHandleLastOpenString
String ID: D:(A;;FA;;;%s)$D:(A;;FA;;;%s)(A;;FA;;;%s)$S-1-3-4$Security descriptor string length exceeds PYI_PATH_MAX!
API String ID: 6828938-1529539262
Opcode ID: 66c7400c0f842d66862a6c7a5c7e226ffa5096460946b14aa4108adf3e2753a4
Instruction ID: 7b5cf6fa5f92dc4fd0008c22c3e10c592ddc2a631b3f09ecfdba447d433c7f61
Opcode Fuzzy Hash: 66c7400c0f842d66862a6c7a5c7e226ffa5096460946b14aa4108adf3e2753a4
Instruction Fuzzy Hash: B5212121A48F4682F650AB61E5163F9A6A1FF84FA0F844635EA4DC37A6DF3CDD44C780

Function 00007FF615A27530 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 81
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryW.KERNELBASE(00000000,?,00007FF615A2324C,?,?,00007FF615A23964), ref: 00007FF615A27642

Strings

%s%c, xrefs: 00007FF615A275B4
\, xrefs: 00007FF615A275A7
%.*s, xrefs: 00007FF615A275FB

Memory Dump Source

Source File: 00000000.00000002.3254239096.00007FF615A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF615A20000, based on PE: true

Associated: 00000000.00000002.3254190441.00007FF615A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254354992.00007FF615A4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A64000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254592956.00007FF615A66000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff615a20000_Q3pEXxmWAD.jbxd

Similarity

API ID: CreateDirectory
String ID: %.*s$%s%c$\
API String ID: 4241100979-1685191245
Opcode ID: 2c89eec29aeb9772413d30908ff664029992db9044f6d674e1a207c7a7cb4ecf
Instruction ID: 17574696a9398ab5107095a1c6b0caa85406194f44ab9c6295fc76f5612d3c56
Opcode Fuzzy Hash: 2c89eec29aeb9772413d30908ff664029992db9044f6d674e1a207c7a7cb4ecf
Instruction Fuzzy Hash: D431D621A59EC585EA219B36E4117AAA254FF84FF0F444331EE6D83BE9DF3CDA018700

Function 00007FF615A3C270 Relevance: 6.2, APIs: 4, Instructions: 218COMMON

Download Yara Rule

APIs

GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF615A3C25B), ref: 00007FF615A3C38C
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF615A3C25B), ref: 00007FF615A3C417

Memory Dump Source

Source File: 00000000.00000002.3254239096.00007FF615A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF615A20000, based on PE: true

Associated: 00000000.00000002.3254190441.00007FF615A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254354992.00007FF615A4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A64000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254592956.00007FF615A66000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff615a20000_Q3pEXxmWAD.jbxd

Similarity

API ID: ConsoleErrorLastMode
String ID:
API String ID: 953036326-0
Opcode ID: 1f18d30cb6731d2276149ea46625d8d438ffcaf3b5eb5be8e43e25f336112fa7
Instruction ID: 04c255fff7bb5eaa6f8043a002e2f83c261623722f9ac037346ea70ff1d52706
Opcode Fuzzy Hash: 1f18d30cb6731d2276149ea46625d8d438ffcaf3b5eb5be8e43e25f336112fa7
Instruction Fuzzy Hash: A891B422E88A5185F790DF66D8542BDABA0BF54FACF144235DE0E97AA5DF3CD8418300

Function 00007FF615A3EC9C Relevance: 6.2, APIs: 4, Instructions: 161COMMON

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FF615A3ED8C
_get_daylight.LIBCMT ref: 00007FF615A3ED9D
_get_daylight.LIBCMT ref: 00007FF615A3EDAE
_isindst.LIBCMT ref: 00007FF615A3EE79

Memory Dump Source

Source File: 00000000.00000002.3254239096.00007FF615A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF615A20000, based on PE: true

Associated: 00000000.00000002.3254190441.00007FF615A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254354992.00007FF615A4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A64000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254592956.00007FF615A66000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff615a20000_Q3pEXxmWAD.jbxd

Similarity

API ID: _get_daylight$_isindst
String ID:
API String ID: 4170891091-0
Opcode ID: fe74ad9a1dfbf97a60779a6b4eb4e3da65874cecf87de461c354fefb5b69a27d
Instruction ID: 8194dcb094c018e055558d1bdce0ec2b7ff10f883fbc6cdf647aa4118506b846
Opcode Fuzzy Hash: fe74ad9a1dfbf97a60779a6b4eb4e3da65874cecf87de461c354fefb5b69a27d
Instruction Fuzzy Hash: 3451F372F44A529AEB54DF6499456BCA7A1AF00F7CF240335DE1E92AF5DF38AC058700

Function 00007FF615A34A8C Relevance: 6.1, APIs: 4, Instructions: 119pipeCOMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE ref: 00007FF615A34ABF
GetFileInformationByHandle.KERNELBASE ref: 00007FF615A34B21
GetLastError.KERNEL32 ref: 00007FF615A34BB2
PeekNamedPipe.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF615A349C4), ref: 00007FF615A34BFE

Memory Dump Source

Source File: 00000000.00000002.3254239096.00007FF615A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF615A20000, based on PE: true

Associated: 00000000.00000002.3254190441.00007FF615A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254354992.00007FF615A4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A64000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254592956.00007FF615A66000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff615a20000_Q3pEXxmWAD.jbxd

Similarity

API ID: File$ErrorHandleInformationLastNamedPeekPipeType
String ID:
API String ID: 2780335769-0
Opcode ID: d10f65dc59bbd875d03e086bba487bc4645c30025490cac2eb26a574eddcf909
Instruction ID: b2120f59c8ea866e3b3003eaf469c98949765640c21da30300b471ef4337d05d
Opcode Fuzzy Hash: d10f65dc59bbd875d03e086bba487bc4645c30025490cac2eb26a574eddcf909
Instruction Fuzzy Hash: E2517B26E48B418AFB94CFB1D4543BDA7A1EF48F6CF148635DE09876A8DF38D8818740

Function 00007FF615A34938 Relevance: 6.1, APIs: 4, Instructions: 90fileCOMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF615A34965
CreateFileW.KERNELBASE ref: 00007FF615A349A4
CloseHandle.KERNEL32 ref: 00007FF615A349D9

Memory Dump Source

Source File: 00000000.00000002.3254239096.00007FF615A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF615A20000, based on PE: true

Associated: 00000000.00000002.3254190441.00007FF615A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254354992.00007FF615A4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A64000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254592956.00007FF615A66000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff615a20000_Q3pEXxmWAD.jbxd

Similarity

API ID: CloseCreateFileHandle_invalid_parameter_noinfo
String ID:
API String ID: 1279662727-0
Opcode ID: c9c3dc0ca6ff3025a18f37416ed5252826b5e2a6b8668c561ba6737191909872
Instruction ID: ec32103ba5c952ee524e886234061cf783d406dd014e49015af9a18ca01c7717
Opcode Fuzzy Hash: c9c3dc0ca6ff3025a18f37416ed5252826b5e2a6b8668c561ba6737191909872
Instruction Fuzzy Hash: 4A41A422D58B8243F790CB609504379A260FF94F78F109335E69C83AE5EF7CA9E08700

Function 00007FF615A2BF5C Relevance: 4.6, APIs: 3, Instructions: 94COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF615A2C12C: __scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF615A2C140

__scrt_acquire_startup_lock.LIBCMT ref: 00007FF615A2BF80
__scrt_release_startup_lock.LIBCMT ref: 00007FF615A2BFEE
__scrt_get_show_window_mode.LIBCMT ref: 00007FF615A2C041

Memory Dump Source

Source File: 00000000.00000002.3254239096.00007FF615A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF615A20000, based on PE: true

Associated: 00000000.00000002.3254190441.00007FF615A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254354992.00007FF615A4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A64000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254592956.00007FF615A66000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff615a20000_Q3pEXxmWAD.jbxd

Similarity

API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_release_startup_lock
String ID:
API String ID: 3251591375-0
Opcode ID: 51e2e4cc4e0defacebf1dac919e01b91b6d5e84f1fe25dd37a2b49ce45fe95ab
Instruction ID: 7aa536c079c6f0e12130e188430d06e86234429065cb3d558fe177d76107df69
Opcode Fuzzy Hash: 51e2e4cc4e0defacebf1dac919e01b91b6d5e84f1fe25dd37a2b49ce45fe95ab
Instruction Fuzzy Hash: 8B315E11ACDE4751FA54A7B6D4633B9A281AF41FA8F440235EA0EC72F3DF6DAD048601

Function 00007FF615A2F45C Relevance: 3.2, APIs: 2, Instructions: 177COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF615A2F4A0
_invalid_parameter_noinfo.LIBCMT ref: 00007FF615A2F597

Memory Dump Source

Source File: 00000000.00000002.3254239096.00007FF615A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF615A20000, based on PE: true

Associated: 00000000.00000002.3254190441.00007FF615A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254354992.00007FF615A4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A64000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254592956.00007FF615A66000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff615a20000_Q3pEXxmWAD.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: bcfcf1faf55df9f9e23f958511fce33fc2a490ff62131b022dace26bbec7c8c2
Instruction ID: 95063829c713752744a865e34dc590758fa16b86c60a14ed7552f7d9f83d2a1c
Opcode Fuzzy Hash: bcfcf1faf55df9f9e23f958511fce33fc2a490ff62131b022dace26bbec7c8c2
Instruction Fuzzy Hash: 1251D321B49A8246EA689E37940367AA285EF44FB8F148735DE7D837F5CF3CDC408600

Function 00007FF615A39E68 Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?,?,?,00007FF615A39CE5,?,?,00000000,00007FF615A39D9A), ref: 00007FF615A39ED6
GetLastError.KERNEL32(?,?,?,00007FF615A39CE5,?,?,00000000,00007FF615A39D9A), ref: 00007FF615A39EE0

Memory Dump Source

Source File: 00000000.00000002.3254239096.00007FF615A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF615A20000, based on PE: true

Associated: 00000000.00000002.3254190441.00007FF615A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254354992.00007FF615A4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A64000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254592956.00007FF615A66000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff615a20000_Q3pEXxmWAD.jbxd

Similarity

API ID: ChangeCloseErrorFindLastNotification
String ID:
API String ID: 1687624791-0
Opcode ID: 65da2f67be20623dd6870cbeabcb199f1b77c363b63baf0d8a802715797da709
Instruction ID: 1a56008033fd5afdcc743bf0c955a081b0f05bb2f6b41150f8e002ed8d30fcfb
Opcode Fuzzy Hash: 65da2f67be20623dd6870cbeabcb199f1b77c363b63baf0d8a802715797da709
Instruction Fuzzy Hash: 73218E21F5CE8241EED0DB64B480279A6929F84FB8F184335DA2E872E1CF6CAD448201

Function 00007FF615A3B444 Relevance: 3.0, APIs: 2, Instructions: 46COMMONLIBRARYCODE

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,?,?,?,00007FF615A3B5DD), ref: 00007FF615A3B490
GetLastError.KERNEL32(?,?,?,?,?,00007FF615A3B5DD), ref: 00007FF615A3B49A

Memory Dump Source

Source File: 00000000.00000002.3254239096.00007FF615A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF615A20000, based on PE: true

Associated: 00000000.00000002.3254190441.00007FF615A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254354992.00007FF615A4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A64000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254592956.00007FF615A66000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff615a20000_Q3pEXxmWAD.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: cd3a9f3ea8ef265e1697b25d2233ff7099ae2ab5e22e5ab4fa41e006c1c379b1
Instruction ID: d75f48e1f7902ad65a18d41382531fdee14edc3b262ce96aea4a314e825f12d2
Opcode Fuzzy Hash: cd3a9f3ea8ef265e1697b25d2233ff7099ae2ab5e22e5ab4fa41e006c1c379b1
Instruction Fuzzy Hash: E911BF61A08F8581DA50CB29B844169A362AF44FF8F584331EE7D87BFACF3CD8508704

Function 00007FF615A34C34 Relevance: 3.0, APIs: 2, Instructions: 40timeCOMMON

Download Yara Rule

APIs

FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF615A34B49), ref: 00007FF615A34C67
SystemTimeToTzSpecificLocalTime.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF615A34B49), ref: 00007FF615A34C7D

Memory Dump Source

Source File: 00000000.00000002.3254239096.00007FF615A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF615A20000, based on PE: true

Associated: 00000000.00000002.3254190441.00007FF615A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254354992.00007FF615A4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A64000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254592956.00007FF615A66000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff615a20000_Q3pEXxmWAD.jbxd

Similarity

API ID: Time$System$FileLocalSpecific
String ID:
API String ID: 1707611234-0
Opcode ID: 5814b874014510fcf00941fef2b2171ed045486f006683dc2ae422325307d6da
Instruction ID: 5c8d59a54008985b069c9794a0de721ae286cc7fff41ee7c7e313b20caddfb3c
Opcode Fuzzy Hash: 5814b874014510fcf00941fef2b2171ed045486f006683dc2ae422325307d6da
Instruction Fuzzy Hash: 75114F2164CB5682EAA48B16A41113EF7A0FF85F79F500335EAADC19F8EF2CD854DB00

Function 00007FF615A39C58 Relevance: 3.0, APIs: 2, Instructions: 19threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlRestoreThreadPreferredUILanguages.NTDLL(?,?,?,00007FF615A42032,?,?,?,00007FF615A4206F,?,?,00000000,00007FF615A42535,?,?,?,00007FF615A42467), ref: 00007FF615A39C6E
GetLastError.KERNEL32(?,?,?,00007FF615A42032,?,?,?,00007FF615A4206F,?,?,00000000,00007FF615A42535,?,?,?,00007FF615A42467), ref: 00007FF615A39C78

Memory Dump Source

Source File: 00000000.00000002.3254239096.00007FF615A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF615A20000, based on PE: true

Associated: 00000000.00000002.3254190441.00007FF615A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254354992.00007FF615A4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A64000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254592956.00007FF615A66000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff615a20000_Q3pEXxmWAD.jbxd

Similarity

API ID: ErrorLanguagesLastPreferredRestoreThread
String ID:
API String ID: 588628887-0
Opcode ID: 9fa0b27d1784483699343fce5d0d8fb71a2fef38db5c10c130c8b92919593777
Instruction ID: 725cfb9f829c903e3f7e4f354c15345f04d18523e5725bcfd66da20d502a222c
Opcode Fuzzy Hash: 9fa0b27d1784483699343fce5d0d8fb71a2fef38db5c10c130c8b92919593777
Instruction Fuzzy Hash: 74E08C10F8CE8686FF88EBF2A8480B992919F98F25B444230C90DC3272EF3C6C458300

Function 00007FF615A3B1BC Relevance: 1.6, APIs: 1, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF615A3B1E4

Memory Dump Source

Source File: 00000000.00000002.3254239096.00007FF615A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF615A20000, based on PE: true

Associated: 00000000.00000002.3254190441.00007FF615A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254354992.00007FF615A4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A64000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254592956.00007FF615A66000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff615a20000_Q3pEXxmWAD.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: aa739a885bc1dd54b6575df94a709b393c0322d321e92581108345db9e2bb901
Instruction ID: 590876a32080199f335b1121d6d3b23d611ecf3c7b0230dd48f52509e0b43458
Opcode Fuzzy Hash: aa739a885bc1dd54b6575df94a709b393c0322d321e92581108345db9e2bb901
Instruction Fuzzy Hash: EC41B132948A0987EAA4DE55E54127DF7A1EF55FA8F140331D69AC36E0CF3CE802C751

Function 00007FF615A276A0 Relevance: 1.6, APIs: 1, Instructions: 85COMMON

Download Yara Rule

APIs

_fread_nolock.LIBCMT ref: 00007FF615A2774A

Memory Dump Source

Source File: 00000000.00000002.3254239096.00007FF615A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF615A20000, based on PE: true

Associated: 00000000.00000002.3254190441.00007FF615A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254354992.00007FF615A4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A64000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254592956.00007FF615A66000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff615a20000_Q3pEXxmWAD.jbxd

Similarity

API ID: _fread_nolock
String ID:
API String ID: 840049012-0
Opcode ID: e29fff93704508a3d781caa4d735a753c542fb89e11f4355a6ab92db07b5401f
Instruction ID: 6d78ea185521d3de9b6094c55ddecfc632c8d717a6c536fe264105539e34bcc4
Opcode Fuzzy Hash: e29fff93704508a3d781caa4d735a753c542fb89e11f4355a6ab92db07b5401f
Instruction Fuzzy Hash: 7621B721B88A5145FA149B27A9063FAEA41BF45FE4F8C4530DD0D877A6DF7DE941C700

Function 00007FF615A3AC4C Relevance: 1.6, APIs: 1, Instructions: 79COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF615A3ACD2

Memory Dump Source

Source File: 00000000.00000002.3254239096.00007FF615A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF615A20000, based on PE: true

Associated: 00000000.00000002.3254190441.00007FF615A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254354992.00007FF615A4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A64000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254592956.00007FF615A66000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff615a20000_Q3pEXxmWAD.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 41d876f7d863186cb99ffae5cfc70294694b7844598519de76c307bd1dc1648a
Instruction ID: f4842ebe826b19fa881ab012a480bb4b0e587af7cf3f103574c9b0215dc8fdd4
Opcode Fuzzy Hash: 41d876f7d863186cb99ffae5cfc70294694b7844598519de76c307bd1dc1648a
Instruction Fuzzy Hash: ED319C22E58E6286E691DB5598513BDAA50AF50FB8F450336DA1D833F2CFBCEC518320

Function 00007FF615A352A4 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF615A35209

Memory Dump Source

Source File: 00000000.00000002.3254239096.00007FF615A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF615A20000, based on PE: true

Associated: 00000000.00000002.3254190441.00007FF615A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254354992.00007FF615A4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A64000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254592956.00007FF615A66000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff615a20000_Q3pEXxmWAD.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: c73ce0dbb369862aa70d4e112b5ce78fdf9595fecbc559d5a15d5b25d9b89295
Instruction ID: 13c8e6eff1e1b81120e819abe5e936ae5ce112c6d51b3cc13fb72018a46336a2
Opcode Fuzzy Hash: c73ce0dbb369862aa70d4e112b5ce78fdf9595fecbc559d5a15d5b25d9b89295
Instruction Fuzzy Hash: C9119621A5DE8145EAE0DF95D40117EE3A4AF59FA8F444231EA8CD76A6DF3CDC408740

Function 00007FF615A45664 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF615A45687

Memory Dump Source

Source File: 00000000.00000002.3254239096.00007FF615A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF615A20000, based on PE: true

Associated: 00000000.00000002.3254190441.00007FF615A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254354992.00007FF615A4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A64000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254592956.00007FF615A66000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff615a20000_Q3pEXxmWAD.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: eb818cef5f83307f6059fb404af21ab2d8804f19963bc1c1518551d96bb4d1ba
Instruction ID: 6a3373f6ade36e011149639d26d829bd8690b74f46a64ba711cd3a427cb0b0b7
Opcode Fuzzy Hash: eb818cef5f83307f6059fb404af21ab2d8804f19963bc1c1518551d96bb4d1ba
Instruction Fuzzy Hash: 3B215632658E8186DB618F58D480379F661EF98FA4F184334D69D87AE5DF3CD8008B00

Function 00007FF615A2F6DC Relevance: 1.5, APIs: 1, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF615A2F730

Memory Dump Source

Source File: 00000000.00000002.3254239096.00007FF615A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF615A20000, based on PE: true

Associated: 00000000.00000002.3254190441.00007FF615A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254354992.00007FF615A4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A64000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254592956.00007FF615A66000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff615a20000_Q3pEXxmWAD.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 1d48df8ff45913ef4d2fe20e3a196162e4d6dc571d0fb1b63797b01b1d6529e7
Instruction ID: 37e1d5030f1a1c2f31f273b8de2d0b2b7f78af5a3279489abf0a7cd75e2731a8
Opcode Fuzzy Hash: 1d48df8ff45913ef4d2fe20e3a196162e4d6dc571d0fb1b63797b01b1d6529e7
Instruction Fuzzy Hash: 5501A525A48F4241E944DF675902069E699AF55FF0F484731DE6C93BE6DF3CD9028300

Function 00007FF615A3DEA8 Relevance: 1.5, APIs: 1, Instructions: 36memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,?,00000000,00007FF615A3A63A,?,?,?,00007FF615A343FD,?,?,?,?,00007FF615A3979A), ref: 00007FF615A3DEFD

Memory Dump Source

Source File: 00000000.00000002.3254239096.00007FF615A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF615A20000, based on PE: true

Associated: 00000000.00000002.3254190441.00007FF615A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254354992.00007FF615A4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A64000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254592956.00007FF615A66000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff615a20000_Q3pEXxmWAD.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: a50505f3dedbf875c6adc223253d20fad35851e197ada73c0c4444ee90b671f1
Instruction ID: 4c87eefaad83f9fad80927af22213462643e1d2995d10e718f516db8f66a134d
Opcode Fuzzy Hash: a50505f3dedbf875c6adc223253d20fad35851e197ada73c0c4444ee90b671f1
Instruction Fuzzy Hash: 91F04944B89A47C0FE94D7A658512B5D2906F98FA8F5C4330D90EC62A1DF2CAC898250

Function 00007FF615A3C90C Relevance: 1.5, APIs: 1, Instructions: 29memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,?,?,00007FF615A2FFB0,?,?,?,00007FF615A3161A,?,?,?,?,?,00007FF615A32E09), ref: 00007FF615A3C94A

Memory Dump Source

Source File: 00000000.00000002.3254239096.00007FF615A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF615A20000, based on PE: true

Associated: 00000000.00000002.3254190441.00007FF615A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254354992.00007FF615A4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A64000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254592956.00007FF615A66000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff615a20000_Q3pEXxmWAD.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: b18cfb789f6bc806f768d700ed4d2a41d5d7e56d76a43a128583cd408f8141a4
Instruction ID: 25e08d64fb14db1bbbc15e59e6bbd9c34330ef52f37b16d57ede266a0008b8b5
Opcode Fuzzy Hash: b18cfb789f6bc806f768d700ed4d2a41d5d7e56d76a43a128583cd408f8141a4
Instruction Fuzzy Hash: AFF05E00B98A4784FE94D7B29C2127992805F48F78F094330D92EC62E1EF2CAC408110

Non-executed Functions

Function 00007FF615A26EA0 Relevance: 119.3, APIs: 33, Strings: 35, Instructions: 280libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 00007FF615A26EB7
GetProcAddress.KERNEL32 ref: 00007FF615A26EFD
GetProcAddress.KERNEL32 ref: 00007FF615A26F22
GetProcAddress.KERNEL32 ref: 00007FF615A26F47
GetProcAddress.KERNEL32 ref: 00007FF615A26F6F
GetProcAddress.KERNEL32 ref: 00007FF615A26F97
GetProcAddress.KERNEL32 ref: 00007FF615A26FBF
GetProcAddress.KERNEL32 ref: 00007FF615A26FE7
GetProcAddress.KERNEL32 ref: 00007FF615A2700F

Strings

Tcl_DeleteInterp, xrefs: 00007FF615A26FB5, 00007FF615A26FD1
Tcl_FindExecutable, xrefs: 00007FF615A26F18, 00007FF615A26F34
Tcl_CreateObjCommand, xrefs: 00007FF615A271E5, 00007FF615A27201
Tcl_ConditionFinalize, xrefs: 00007FF615A270CD, 00007FF615A270E9
Tcl_FinalizeThread, xrefs: 00007FF615A26F8D, 00007FF615A26FA9
Tcl_SetVar2Ex, xrefs: 00007FF615A27285, 00007FF615A272A1
Tcl_EvalObjv, xrefs: 00007FF615A27325, 00007FF615A27341
Tcl_SetVar2, xrefs: 00007FF615A271BD, 00007FF615A271D9
Tcl_GetString, xrefs: 00007FF615A2720D, 00007FF615A27229
Tcl_GetVar2, xrefs: 00007FF615A27195, 00007FF615A271B1
Tcl_GetCurrentThread, xrefs: 00007FF615A27005, 00007FF615A27021
Tcl_Finalize, xrefs: 00007FF615A26F65, 00007FF615A26F81
Tk_Init, xrefs: 00007FF615A2739D, 00007FF615A273B9
Tk_GetNumMainWindows, xrefs: 00007FF615A273C5, 00007FF615A273E1
Tcl_MutexFinalize, xrefs: 00007FF615A270A5, 00007FF615A270C1
Failed to get address for %hs, xrefs: 00007FF615A26ED0
Tcl_NewByteArrayObj, xrefs: 00007FF615A2725D, 00007FF615A27279
Tcl_CreateThread, xrefs: 00007FF615A26FDD, 00007FF615A26FF9
Tcl_NewStringObj, xrefs: 00007FF615A27235, 00007FF615A27251
Tcl_CreateInterp, xrefs: 00007FF615A26EF3, 00007FF615A26F0F
GetProcAddress, xrefs: 00007FF615A26ED7
Tcl_JoinThread, xrefs: 00007FF615A2702D, 00007FF615A27049
Tcl_ConditionNotify, xrefs: 00007FF615A270F5, 00007FF615A27111
Tcl_ThreadAlert, xrefs: 00007FF615A2716D, 00007FF615A27189
Tcl_DoOneEvent, xrefs: 00007FF615A26F3D, 00007FF615A26F59
Tcl_GetObjResult, xrefs: 00007FF615A272AD, 00007FF615A272C9
Tcl_ThreadQueueEvent, xrefs: 00007FF615A27145, 00007FF615A27161
Tcl_Free, xrefs: 00007FF615A27375, 00007FF615A27391
Tcl_Init, xrefs: 00007FF615A26EB0, 00007FF615A26EC9
Tcl_MutexUnlock, xrefs: 00007FF615A2707D, 00007FF615A27099
Tcl_ConditionWait, xrefs: 00007FF615A2711D, 00007FF615A27139
Tcl_Alloc, xrefs: 00007FF615A2734D, 00007FF615A27369
Tcl_EvalEx, xrefs: 00007FF615A272FD, 00007FF615A27319
Tcl_MutexLock, xrefs: 00007FF615A27055, 00007FF615A27071
Tcl_EvalFile, xrefs: 00007FF615A272D5, 00007FF615A272F1

Memory Dump Source

Source File: 00000000.00000002.3254239096.00007FF615A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF615A20000, based on PE: true

Associated: 00000000.00000002.3254190441.00007FF615A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254354992.00007FF615A4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A64000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254592956.00007FF615A66000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff615a20000_Q3pEXxmWAD.jbxd

Similarity

API ID: AddressProc
String ID: Failed to get address for %hs$GetProcAddress$Tcl_Alloc$Tcl_ConditionFinalize$Tcl_ConditionNotify$Tcl_ConditionWait$Tcl_CreateInterp$Tcl_CreateObjCommand$Tcl_CreateThread$Tcl_DeleteInterp$Tcl_DoOneEvent$Tcl_EvalEx$Tcl_EvalFile$Tcl_EvalObjv$Tcl_Finalize$Tcl_FinalizeThread$Tcl_FindExecutable$Tcl_Free$Tcl_GetCurrentThread$Tcl_GetObjResult$Tcl_GetString$Tcl_GetVar2$Tcl_Init$Tcl_JoinThread$Tcl_MutexFinalize$Tcl_MutexLock$Tcl_MutexUnlock$Tcl_NewByteArrayObj$Tcl_NewStringObj$Tcl_SetVar2$Tcl_SetVar2Ex$Tcl_ThreadAlert$Tcl_ThreadQueueEvent$Tk_GetNumMainWindows$Tk_Init
API String ID: 190572456-3427451314
Opcode ID: ea7dfca1e90abb6d4d8c6eb1b798acaf406610e772db9aaa2d8df727af0780f5
Instruction ID: e9dd703e04d9b1959287dffc76a7792dfa3f628e931c7d2c72949f25a48c2eb6
Opcode Fuzzy Hash: ea7dfca1e90abb6d4d8c6eb1b798acaf406610e772db9aaa2d8df727af0780f5
Instruction Fuzzy Hash: 6EE1A864A8EF4391FA55DB95A8511B4A3A9AF44F71F881336C81E863B4EF7CFD48C240

Function 00007FF615A433BC Relevance: 24.0, APIs: 9, Strings: 4, Instructions: 1226COMMON

Download Yara Rule

APIs

fegetenv.LIBCMT ref: 00007FF615A4340A
_invalid_parameter_noinfo.LIBCMT ref: 00007FF615A43A76
_invalid_parameter_noinfo.LIBCMT ref: 00007FF615A43BEC
_invalid_parameter_noinfo.LIBCMT ref: 00007FF615A43EAA
_invalid_parameter_noinfo.LIBCMT ref: 00007FF615A440CA
_invalid_parameter_noinfo.LIBCMT ref: 00007FF615A44307
memcpy_s.LIBCPMT ref: 00007FF615A443E2
memcpy_s.LIBCPMT ref: 00007FF615A4448D
memcpy_s.LIBCPMT ref: 00007FF615A4455C

Strings

1#QNAN, xrefs: 00007FF615A43523
1#INF, xrefs: 00007FF615A43533
1#IND, xrefs: 00007FF615A434F7
1#SNAN, xrefs: 00007FF615A4351A

Memory Dump Source

Source File: 00000000.00000002.3254239096.00007FF615A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF615A20000, based on PE: true

Associated: 00000000.00000002.3254190441.00007FF615A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254354992.00007FF615A4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A64000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254592956.00007FF615A66000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff615a20000_Q3pEXxmWAD.jbxd

Similarity

API ID: _invalid_parameter_noinfo$memcpy_s$fegetenv
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 808467561-2761157908
Opcode ID: 006b587dceb6a8e5448b800068f928c3aefb42c20130fc8eaa47f3b19415637c
Instruction ID: 26802fc3e47f25bc9c59e2b490efcc61a09ca2214cdcbd86fdacb39807fd7b44
Opcode Fuzzy Hash: 006b587dceb6a8e5448b800068f928c3aefb42c20130fc8eaa47f3b19415637c
Instruction Fuzzy Hash: 3CB22772A48A828BE7648FA4D4407FDB7A1FF54F58F581236DA0D97A94DF38AD40CB40

Function 00007FF615A279B0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 89fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,00007FF615A27EF9,00007FF615A239E6), ref: 00007FF615A27A1B
RemoveDirectoryW.KERNEL32(?,00007FF615A27EF9,00007FF615A239E6), ref: 00007FF615A27A9E
DeleteFileW.KERNEL32(?,00007FF615A27EF9,00007FF615A239E6), ref: 00007FF615A27ABD
FindNextFileW.KERNEL32(?,00007FF615A27EF9,00007FF615A239E6), ref: 00007FF615A27ACB
FindClose.KERNEL32(?,00007FF615A27EF9,00007FF615A239E6), ref: 00007FF615A27ADC
RemoveDirectoryW.KERNEL32(?,00007FF615A27EF9,00007FF615A239E6), ref: 00007FF615A27AE5

Strings

%s\*, xrefs: 00007FF615A279E2

Memory Dump Source

Source File: 00000000.00000002.3254239096.00007FF615A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF615A20000, based on PE: true

Associated: 00000000.00000002.3254190441.00007FF615A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254354992.00007FF615A4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A64000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254592956.00007FF615A66000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff615a20000_Q3pEXxmWAD.jbxd

Similarity

API ID: FileFind$DirectoryRemove$CloseDeleteFirstNext
String ID: %s\*
API String ID: 1057558799-766152087
Opcode ID: 37c75c647de740c4d03e434983ba542f23ef98c0d39288f6f50529afbb256bed
Instruction ID: 4eab1e063d102975ece63bb15f99a70a936dbc9d97236656692762c444460501
Opcode Fuzzy Hash: 37c75c647de740c4d03e434983ba542f23ef98c0d39288f6f50529afbb256bed
Instruction Fuzzy Hash: 3341A021A8CD4691EE209B75E4455B9A3A1FF94F74F840332D59DC26A4DF3CDF4A8740

Function 00007FF615A29FCD Relevance: 12.0, Strings: 9, Instructions: 744COMMON

Download Yara Rule

Strings

invalid distance too far back, xrefs: 00007FF615A2A990
invalid distances set, xrefs: 00007FF615A2A4C0
invalid bit length repeat, xrefs: 00007FF615A2A3B9
too many length or distance symbols, xrefs: 00007FF615A2A166
invalid literal/length code, xrefs: 00007FF615A2A702
invalid code lengths set, xrefs: 00007FF615A2A14D
invalid code -- missing end-of-block, xrefs: 00007FF615A2A3E6
invalid literal/lengths set, xrefs: 00007FF615A2A453
invalid distance code, xrefs: 00007FF615A2A8D4

Memory Dump Source

Source File: 00000000.00000002.3254239096.00007FF615A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF615A20000, based on PE: true

Associated: 00000000.00000002.3254190441.00007FF615A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254354992.00007FF615A4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A64000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254592956.00007FF615A66000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff615a20000_Q3pEXxmWAD.jbxd

Similarity

API ID:
String ID: invalid bit length repeat$invalid code -- missing end-of-block$invalid code lengths set$invalid distance code$invalid distance too far back$invalid distances set$invalid literal/length code$invalid literal/lengths set$too many length or distance symbols
API String ID: 0-2665694366
Opcode ID: 7289e34dee421d23927a0f8f8a094fde9ef8b8d5e9feb20e52711e481e6fcba8
Instruction ID: 61feae95f107c4ab3209ba705712d4ff58750eff66a1513bc608e59e622aee1b
Opcode Fuzzy Hash: 7289e34dee421d23927a0f8f8a094fde9ef8b8d5e9feb20e52711e481e6fcba8
Instruction Fuzzy Hash: BD52E372A58AA64BE7548F25C459A7E7BA9FF84F50F014239E64AC3790DFB8DC40CB00

Function 00007FF615A2C44C Relevance: 10.6, APIs: 7, Instructions: 71COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF615A2C468
RtlCaptureContext.KERNEL32 ref: 00007FF615A2C495
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF615A2C4AF
RtlVirtualUnwind.KERNEL32 ref: 00007FF615A2C4F0
IsDebuggerPresent.KERNEL32 ref: 00007FF615A2C544
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF615A2C561
UnhandledExceptionFilter.KERNEL32 ref: 00007FF615A2C56C

Memory Dump Source

Source File: 00000000.00000002.3254239096.00007FF615A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF615A20000, based on PE: true

Associated: 00000000.00000002.3254190441.00007FF615A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254354992.00007FF615A4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A64000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254592956.00007FF615A66000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff615a20000_Q3pEXxmWAD.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 59201671b846c18328c4c6cdbad1e823a2b0fec8eaed916d44c3dc4e1cb48f19
Instruction ID: c173a279c38dc07105e8d6c24a39b461dd8c63c3e287c27101f631fbede77c70
Opcode Fuzzy Hash: 59201671b846c18328c4c6cdbad1e823a2b0fec8eaed916d44c3dc4e1cb48f19
Instruction Fuzzy Hash: E9314D72648F8586EB608FA1E8543EEB360FB84B54F44413ADB4E87BA5DF38D948C710

Function 00007FF615A229E0 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 58windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FF615A2342E,?,00007FF615A23534), ref: 00007FF615A22A14
FormatMessageW.KERNEL32(?,?,?,00007FF615A2342E), ref: 00007FF615A22A7D
MessageBoxW.USER32 ref: 00007FF615A22ACF

Strings

%ls%ls: %ls, xrefs: 00007FF615A22A96
Error, xrefs: 00007FF615A22ABE
<FormatMessageW failed.>, xrefs: 00007FF615A22A83

Memory Dump Source

Source File: 00000000.00000002.3254239096.00007FF615A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF615A20000, based on PE: true

Associated: 00000000.00000002.3254190441.00007FF615A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254354992.00007FF615A4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A64000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254592956.00007FF615A66000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff615a20000_Q3pEXxmWAD.jbxd

Similarity

API ID: Message$ErrorFormatLast
String ID: %ls%ls: %ls$<FormatMessageW failed.>$Error
API String ID: 3971115935-1149178304
Opcode ID: 0ded6d4e5eeb2df7dd6c32992adf891535d6bffb348d119068df09e90069f5ad
Instruction ID: a42c3c80c40711d19c083c40786f8d5eb5c947608415bcba9281e24d37b44105
Opcode Fuzzy Hash: 0ded6d4e5eeb2df7dd6c32992adf891535d6bffb348d119068df09e90069f5ad
Instruction Fuzzy Hash: 10216572618E8582E7209B51F4416EAB3A4FF88F95F404236EBCD93A68DF3CD546C740

Function 00007FF615A39924 Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF615A3999D
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF615A399B5
RtlVirtualUnwind.KERNEL32 ref: 00007FF615A399F0
IsDebuggerPresent.KERNEL32 ref: 00007FF615A39A29
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF615A39A33
UnhandledExceptionFilter.KERNEL32 ref: 00007FF615A39A3E

Memory Dump Source

Source File: 00000000.00000002.3254239096.00007FF615A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF615A20000, based on PE: true

Associated: 00000000.00000002.3254190441.00007FF615A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254354992.00007FF615A4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A64000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254592956.00007FF615A66000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff615a20000_Q3pEXxmWAD.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: f336cc4ee628281f12481126c86b188c106f14650002c00baa1860decbda2c10
Instruction ID: aba8df26f76246d542c0a4a1590807c708f0ba641064d68484cb93579808676d
Opcode Fuzzy Hash: f336cc4ee628281f12481126c86b188c106f14650002c00baa1860decbda2c10
Instruction Fuzzy Hash: E0315332658F8586DB60CF65E8402AEB3A4FF88F64F540235EA9D83B65DF38C555C700

Function 00007FF615A40B84 Relevance: 7.8, APIs: 5, Instructions: 282COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF615A40BD0
FindFirstFileExW.KERNEL32 ref: 00007FF615A40CDA

Memory Dump Source

Source File: 00000000.00000002.3254239096.00007FF615A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF615A20000, based on PE: true

Associated: 00000000.00000002.3254190441.00007FF615A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254354992.00007FF615A4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A64000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254592956.00007FF615A66000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff615a20000_Q3pEXxmWAD.jbxd

Similarity

API ID: FileFindFirst_invalid_parameter_noinfo
String ID:
API String ID: 2227656907-0
Opcode ID: fe4d16d24a501c342f9bdefd2dbf7b3c8df5536519bece05b709b84cd6c1ed58
Instruction ID: dfa48fe47f0631860a1a8370912a03aa267097b9bb95b633ee204b50ffe7b3a3
Opcode Fuzzy Hash: fe4d16d24a501c342f9bdefd2dbf7b3c8df5536519bece05b709b84cd6c1ed58
Instruction Fuzzy Hash: C1B19626B98E9685EA60DBA694005B9E390FF44FF4F485231E95D8BBA5DF3CEC41D300

Function 00007FF615A2C330 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF615A2C35C
GetCurrentThreadId.KERNEL32 ref: 00007FF615A2C36A
GetCurrentProcessId.KERNEL32 ref: 00007FF615A2C376
QueryPerformanceCounter.KERNEL32 ref: 00007FF615A2C386

Memory Dump Source

Source File: 00000000.00000002.3254239096.00007FF615A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF615A20000, based on PE: true

Associated: 00000000.00000002.3254190441.00007FF615A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254354992.00007FF615A4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A64000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254592956.00007FF615A66000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff615a20000_Q3pEXxmWAD.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 0f32e5fb6c1657f40c76225ea380b4ebd78bc5beffa0738dce661fe11625e8f4
Instruction ID: 120e9363ddf5be7f977df2d70d4e934b09d5ba34da3d3bb6ed05609ead4ecb3f
Opcode Fuzzy Hash: 0f32e5fb6c1657f40c76225ea380b4ebd78bc5beffa0738dce661fe11625e8f4
Instruction Fuzzy Hash: 10112E22B54F058AEB00CFA0E8552B973A4FB59F68F441E31DA6D86BA4DF7CD5548340

Function 00007FF615A42F20 Relevance: 4.8, APIs: 3, Instructions: 340COMMON

Download Yara Rule

APIs

memcpy_s.LIBCPMT ref: 00007FF615A42F86
memcpy_s.LIBCPMT ref: 00007FF615A42FB1

Memory Dump Source

Source File: 00000000.00000002.3254239096.00007FF615A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF615A20000, based on PE: true

Associated: 00000000.00000002.3254190441.00007FF615A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254354992.00007FF615A4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A64000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254592956.00007FF615A66000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff615a20000_Q3pEXxmWAD.jbxd

Similarity

API ID: memcpy_s
String ID:
API String ID: 1502251526-0
Opcode ID: b41cb84a548d2e61bdeb7bb10330278f5fecde395d7a0ce6ff99175555b28b3c
Instruction ID: a7b172a863b510922d16c563f70620f338a5f4efd1b3c16cb36522a487273eef
Opcode Fuzzy Hash: b41cb84a548d2e61bdeb7bb10330278f5fecde395d7a0ce6ff99175555b28b3c
Instruction Fuzzy Hash: A3C1D472B58A8687DB248F99A04466AF791FB94F94F488236DB4A83754DF3DFC41CB00

Function 00007FF615A2979B Relevance: 4.1, Strings: 3, Instructions: 397COMMON

Download Yara Rule

Strings

, xrefs: 00007FF615A2987B
header crc mismatch, xrefs: 00007FF615A29C41
unknown header flags set, xrefs: 00007FF615A297E5

Memory Dump Source

Source File: 00000000.00000002.3254239096.00007FF615A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF615A20000, based on PE: true

Associated: 00000000.00000002.3254190441.00007FF615A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254354992.00007FF615A4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A64000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254592956.00007FF615A66000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff615a20000_Q3pEXxmWAD.jbxd

Similarity

API ID:
String ID: $header crc mismatch$unknown header flags set
API String ID: 0-1127688429
Opcode ID: 6a55f11302ef793728786adf415505d571280719f8ef56880a9f0a37636d8ec0
Instruction ID: e7a4b2f8f3fe46274973005eafda414fb650c851412353f119ac49c72a55df38
Opcode Fuzzy Hash: 6a55f11302ef793728786adf415505d571280719f8ef56880a9f0a37636d8ec0
Instruction Fuzzy Hash: 8CF19472A587D54FE7958B26C089A3ABAA9FF44F90F054638DA4D876A0CF38D981C740

Function 00007FF615A48A38 Relevance: 3.2, APIs: 2, Instructions: 227COMMONLIBRARYCODE

Download Yara Rule

APIs

_clrfp.LIBCMT ref: 00007FF615A48C87
RaiseException.KERNEL32 ref: 00007FF615A48C98

Memory Dump Source

Source File: 00000000.00000002.3254239096.00007FF615A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF615A20000, based on PE: true

Associated: 00000000.00000002.3254190441.00007FF615A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254354992.00007FF615A4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A64000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254592956.00007FF615A66000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff615a20000_Q3pEXxmWAD.jbxd

Similarity

API ID: ExceptionRaise_clrfp
String ID:
API String ID: 15204871-0
Opcode ID: 4367feba8b0fb5a89db2d79700bffb7903d016d74ce2a4ac284103265cf95646
Instruction ID: d1b832961fc2223d229719e268860e190b7c1ee3b54ac6ae174e5207a45b0cf5
Opcode Fuzzy Hash: 4367feba8b0fb5a89db2d79700bffb7903d016d74ce2a4ac284103265cf95646
Instruction Fuzzy Hash: C5B14A73605B8A8AEB55CF29D84636C7BA0FB44F58F198A21DA5D837B4CF39D852C700

Function 00007FF615A32CC4 Relevance: 2.8, Strings: 2, Instructions: 350COMMON

Download Yara Rule

Strings

, xrefs: 00007FF615A33074
, xrefs: 00007FF615A32E32

Memory Dump Source

Source File: 00000000.00000002.3254239096.00007FF615A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF615A20000, based on PE: true

Associated: 00000000.00000002.3254190441.00007FF615A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254354992.00007FF615A4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A64000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254592956.00007FF615A66000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff615a20000_Q3pEXxmWAD.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-227171996
Opcode ID: 25965de2e6678be5c8c686b25b3b835ec4bf2bfab2b797158b347abdb642f747
Instruction ID: 8cbd7a11ff7ae72c771f4f2ddbb5239696a5920acd945ec7e1d1275386f99034
Opcode Fuzzy Hash: 25965de2e6678be5c8c686b25b3b835ec4bf2bfab2b797158b347abdb642f747
Instruction Fuzzy Hash: E5E19132A48A4686EBE8CE25C151179A7A0FF45FACF244336DA4E877B4DF29EC51C740

Function 00007FF615A295FB Relevance: 2.7, Strings: 2, Instructions: 218COMMON

Download Yara Rule

Strings

invalid window size, xrefs: 00007FF615A29769
incorrect header check, xrefs: 00007FF615A29782

Memory Dump Source

Source File: 00000000.00000002.3254239096.00007FF615A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF615A20000, based on PE: true

Associated: 00000000.00000002.3254190441.00007FF615A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254354992.00007FF615A4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A64000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254592956.00007FF615A66000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff615a20000_Q3pEXxmWAD.jbxd

Similarity

API ID:
String ID: incorrect header check$invalid window size
API String ID: 0-900081337
Opcode ID: 226024973a440a2a6261c5f164d8bafa30541a105b972a390c392a8354fe07a0
Instruction ID: e0450767f4b509edb521f8706acf4709c3628773d83f7cad1cad3fb63121f791
Opcode Fuzzy Hash: 226024973a440a2a6261c5f164d8bafa30541a105b972a390c392a8354fe07a0
Instruction Fuzzy Hash: B491CB72A58AC54BE7A48F25C459B7E7A99FF44FA0F054239DA4E86790CF78DD40CB00

Function 00007FF615A3D200 Relevance: 2.6, Strings: 2, Instructions: 144COMMON

Download Yara Rule

Strings

gfff, xrefs: 00007FF615A3D38A
e+000, xrefs: 00007FF615A3D30D

Memory Dump Source

Source File: 00000000.00000002.3254239096.00007FF615A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF615A20000, based on PE: true

Associated: 00000000.00000002.3254190441.00007FF615A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254354992.00007FF615A4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A64000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254592956.00007FF615A66000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff615a20000_Q3pEXxmWAD.jbxd

Similarity

API ID:
String ID: e+000$gfff
API String ID: 0-3030954782
Opcode ID: 1324d18368fb7be0dec1b44ace24e6b174879433860390047f5d35653063db2a
Instruction ID: b39d8d7247d9d2062012d07ea32ed71d5c9f0ec513575ad030f7c538fc87a8e5
Opcode Fuzzy Hash: 1324d18368fb7be0dec1b44ace24e6b174879433860390047f5d35653063db2a
Instruction Fuzzy Hash: 26513B62B5CAC586E7A5CE359801769EB91EB44FA8F489331CB58C7AE1CF3DD844C700

Function 00007FF615A3FBD8 Relevance: 2.0, APIs: 1, Instructions: 461COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3254239096.00007FF615A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF615A20000, based on PE: true

Associated: 00000000.00000002.3254190441.00007FF615A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254354992.00007FF615A4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A64000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254592956.00007FF615A66000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff615a20000_Q3pEXxmWAD.jbxd

Similarity

API ID: CurrentFeaturePresentProcessProcessor
String ID:
API String ID: 1010374628-0
Opcode ID: a8238ebacfbb29389201daedac3868d1c225100c6328c8ae619a1fe2ce119bc6
Instruction ID: aa0c5bf5903d32fc0e22c973f2700f2fc88bb0db82fe5e822a3c3015841d6e36
Opcode Fuzzy Hash: a8238ebacfbb29389201daedac3868d1c225100c6328c8ae619a1fe2ce119bc6
Instruction Fuzzy Hash: FA02BF22AEDE8644FA94EB569441279A684BF41FB8F584735DDADCA3F1DF3CAC018300

Function 00007FF615A3CD6C Relevance: 1.5, Strings: 1, Instructions: 254COMMON

Download Yara Rule

Strings

gfffffff, xrefs: 00007FF615A3D0AE

Memory Dump Source

Source File: 00000000.00000002.3254239096.00007FF615A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF615A20000, based on PE: true

Associated: 00000000.00000002.3254190441.00007FF615A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254354992.00007FF615A4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A64000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254592956.00007FF615A66000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff615a20000_Q3pEXxmWAD.jbxd

Similarity

API ID:
String ID: gfffffff
API String ID: 0-1523873471
Opcode ID: ee332c23296b8dd3ed29fdb42bef122adb490463d0c8b601810d73b835641fc7
Instruction ID: 36b8955ccca265e6566f34051a07e02a604f69198d325eea273b0ed966b99492
Opcode Fuzzy Hash: ee332c23296b8dd3ed29fdb42bef122adb490463d0c8b601810d73b835641fc7
Instruction Fuzzy Hash: 6CA13662B48B8586EB61CB2AE4107A9BB90AF51FD8F048232DA4D877A1DF3DD905C701

Function 00007FF615A37AAC Relevance: 1.4, Strings: 1, Instructions: 177COMMON

Download Yara Rule

Strings

TMP, xrefs: 00007FF615A37ACB

Memory Dump Source

Source File: 00000000.00000002.3254239096.00007FF615A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF615A20000, based on PE: true

Associated: 00000000.00000002.3254190441.00007FF615A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254354992.00007FF615A4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A64000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254592956.00007FF615A66000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff615a20000_Q3pEXxmWAD.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: TMP
API String ID: 3215553584-3125297090
Opcode ID: dd4bbb8096afc2135879a6e6acc50949ef59d292da7f7bf8111e5166495e4f15
Instruction ID: 20369845272754f852fdede7bcb5344fdd1d9447a3014c74db86d47f400fae16
Opcode Fuzzy Hash: dd4bbb8096afc2135879a6e6acc50949ef59d292da7f7bf8111e5166495e4f15
Instruction Fuzzy Hash: 71516211B88E5641FAE4EB26595157AD691AF44FE8F484634DE0EC77B2EF3CED418200

Function 00007FF615A42790 Relevance: 1.3, APIs: 1, Instructions: 7memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00007FF615A42794

Memory Dump Source

Source File: 00000000.00000002.3254239096.00007FF615A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF615A20000, based on PE: true

Associated: 00000000.00000002.3254190441.00007FF615A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254354992.00007FF615A4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A64000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254592956.00007FF615A66000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff615a20000_Q3pEXxmWAD.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: fe1a72d78314f5032ff6e3f3402ce84269ae1386cefa971ca0fc6f511f9bbc55
Instruction ID: 001e4bdf0f44f88620f4776ca7d1bcf1cfd1ad93e9e9c45e2f452d71c6f4c009
Opcode Fuzzy Hash: fe1a72d78314f5032ff6e3f3402ce84269ae1386cefa971ca0fc6f511f9bbc55
Instruction Fuzzy Hash: C4B09220E57F8AC2EA082B696C8621462A87F88F20FA88238C54C81330DF2C28A54700

Function 00007FF615A328C0 Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3254239096.00007FF615A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF615A20000, based on PE: true

Associated: 00000000.00000002.3254190441.00007FF615A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254354992.00007FF615A4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A64000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254592956.00007FF615A66000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff615a20000_Q3pEXxmWAD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b05403af9c31de739a9311cbf741df56ce5de8bb6a66a9cc9bcf40cf40427d0b
Instruction ID: 54a8deebcc64f098b8298190c3b950d2578928d367b05d8ff8a9ae0cfefcdb40
Opcode Fuzzy Hash: b05403af9c31de739a9311cbf741df56ce5de8bb6a66a9cc9bcf40cf40427d0b
Instruction Fuzzy Hash: 60D19A22A88E4686EBB8CE29955027DA7A0AF45F6CF244335CE0D876B5DF39EC41C740

Function 00007FF615A28B20 Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3254239096.00007FF615A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF615A20000, based on PE: true

Associated: 00000000.00000002.3254190441.00007FF615A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254354992.00007FF615A4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A64000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254592956.00007FF615A66000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff615a20000_Q3pEXxmWAD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6de572fc7ea0867e481f021e98a3cee959a95ba6dd1d6718a656c0f39a4e480
Instruction ID: d570127249cc5f9352ec521f55f7270cbc31c6f30c17f7be9a37c5652980b26b
Opcode Fuzzy Hash: b6de572fc7ea0867e481f021e98a3cee959a95ba6dd1d6718a656c0f39a4e480
Instruction Fuzzy Hash: 85C1D2722142F24FD288EB29E45997A73D1FB98709BD4402AEB8747F85CE3CE415D790

Function 00007FF615A31F30 Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3254239096.00007FF615A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF615A20000, based on PE: true

Associated: 00000000.00000002.3254190441.00007FF615A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254354992.00007FF615A4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A64000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254592956.00007FF615A66000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff615a20000_Q3pEXxmWAD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54646038064d7a6353eabae39e6447674b1691c16f4822fec46df2a19c6da082
Instruction ID: b85cc1594c4c7395e27e057aa2c3ab2a69d3d4a5f49682619beb80fcd2a9ddb2
Opcode Fuzzy Hash: 54646038064d7a6353eabae39e6447674b1691c16f4822fec46df2a19c6da082
Instruction Fuzzy Hash: A7B15B72948A8585E7A5CF29D45427CBBA0EF46F6CF244236CB4E873A5DF39E841C700

Function 00007FF615A3D880 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3254239096.00007FF615A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF615A20000, based on PE: true

Associated: 00000000.00000002.3254190441.00007FF615A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254354992.00007FF615A4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A64000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254592956.00007FF615A66000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff615a20000_Q3pEXxmWAD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5cf27518f3756e107451e616d5c43acfc5497bdc9406be32d6656a2e3ee85f8
Instruction ID: 1d5551e62d3914703577ea59246248873769658a5fd19a93995eeeec2945664b
Opcode Fuzzy Hash: c5cf27518f3756e107451e616d5c43acfc5497bdc9406be32d6656a2e3ee85f8
Instruction Fuzzy Hash: CD81A472A4CB8186E7B4CF19A441369AA91FF45FE8F144335DA8D83BA5DF3CD9408B40

Function 00007FF615A45728 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3254239096.00007FF615A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF615A20000, based on PE: true

Associated: 00000000.00000002.3254190441.00007FF615A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254354992.00007FF615A4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A64000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254592956.00007FF615A66000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff615a20000_Q3pEXxmWAD.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: d2b2a23e656420a48cffdcfc29ff0550bdd13d7615b538a3eaf25f4462ec28d4
Instruction ID: f5ddf05acbfc5ce7abc4f12ff52f23270fea25ff961f33d41e4a3ff291ea7cb1
Opcode Fuzzy Hash: d2b2a23e656420a48cffdcfc29ff0550bdd13d7615b538a3eaf25f4462ec28d4
Instruction Fuzzy Hash: 6461C822E8CA8286F764CAA8845427DE681AF58F74F584735D69DC6EF5DF7DEC008B00

Function 00007FF615A31074 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3254239096.00007FF615A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF615A20000, based on PE: true

Associated: 00000000.00000002.3254190441.00007FF615A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254354992.00007FF615A4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A64000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254592956.00007FF615A66000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff615a20000_Q3pEXxmWAD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27099d1c67046ba5536a5c52bb1b19252402c8bb4a5167aa336477e7b6d5f807
Instruction ID: 007cb4dfb4cb4e9668bac0f387e292047ba596b17d756c07258b201909cd32ad
Opcode Fuzzy Hash: 27099d1c67046ba5536a5c52bb1b19252402c8bb4a5167aa336477e7b6d5f807
Instruction Fuzzy Hash: 9E516036A58A5182E7A4CB29C040268A3B0EF49F7CF244235CE4D877A4CF7AFC42C780

Function 00007FF615A30C64 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3254239096.00007FF615A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF615A20000, based on PE: true

Associated: 00000000.00000002.3254190441.00007FF615A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254354992.00007FF615A4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A64000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254592956.00007FF615A66000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff615a20000_Q3pEXxmWAD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68a3f5aab59b2fac328bd6ba34d5b1cd1fa94c6914f84dc4a79da3b9d8ff9a98
Instruction ID: 2a83633483a3abe1b8cba73b5cb9940bb6708b30e7c685bf83a7794cd130b001
Opcode Fuzzy Hash: 68a3f5aab59b2fac328bd6ba34d5b1cd1fa94c6914f84dc4a79da3b9d8ff9a98
Instruction Fuzzy Hash: A2515E76A98A5186E7A4CB29C040229A7A1FF55F7CF244231CA8D977B5CF3AEC43C740

Function 00007FF615A31484 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3254239096.00007FF615A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF615A20000, based on PE: true

Associated: 00000000.00000002.3254190441.00007FF615A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254354992.00007FF615A4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A64000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254592956.00007FF615A66000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff615a20000_Q3pEXxmWAD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e69dfdcc94a0aa650623f7423aa354004c1f2fa01d5c1268249020d4c21f447
Instruction ID: 9f861a409c5cd032b8ff75dc7958662a372d6bd1ab78e91d2fcd3db6f4f7a740
Opcode Fuzzy Hash: 8e69dfdcc94a0aa650623f7423aa354004c1f2fa01d5c1268249020d4c21f447
Instruction Fuzzy Hash: 32515176A58A5186E7A4CB29C044228A3B1EF49F7CF244231DA4E977A4CF3AFC42C740

Function 00007FF615A30E70 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3254239096.00007FF615A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF615A20000, based on PE: true

Associated: 00000000.00000002.3254190441.00007FF615A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254354992.00007FF615A4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A64000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254592956.00007FF615A66000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff615a20000_Q3pEXxmWAD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc981bf603441a130e1c6ba5e96f77be0c3c60e19ec03e3d560a09712d731568
Instruction ID: 678505a34866b24b228a72222c00144fec1ff4491008cbcec82e3fba81ff9355
Opcode Fuzzy Hash: dc981bf603441a130e1c6ba5e96f77be0c3c60e19ec03e3d560a09712d731568
Instruction Fuzzy Hash: A1516A36A98A5586E7A4CB29C04023CA7A1EF45F6CF244231CE4D977A5CF3AED52C740

Function 00007FF615A30A60 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3254239096.00007FF615A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF615A20000, based on PE: true

Associated: 00000000.00000002.3254190441.00007FF615A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254354992.00007FF615A4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A64000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254592956.00007FF615A66000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff615a20000_Q3pEXxmWAD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3943df286285c50b07f09d339b53caaa0afa34ddfac4fad96d8a3f7ffd6ad23b
Instruction ID: 583b5c6ee5ec019ed084cd809e903881cb9df88300f2c94df9d2daea9e1d1b4c
Opcode Fuzzy Hash: 3943df286285c50b07f09d339b53caaa0afa34ddfac4fad96d8a3f7ffd6ad23b
Instruction Fuzzy Hash: D3515F36A99A5186E7A4CF29D050229B7A1FF44F6CF244231CA4D977B5DF3AEC42C740

Function 00007FF615A31280 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3254239096.00007FF615A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF615A20000, based on PE: true

Associated: 00000000.00000002.3254190441.00007FF615A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254354992.00007FF615A4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A64000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254592956.00007FF615A66000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff615a20000_Q3pEXxmWAD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e734bc54909bdf7d9c6fd1772be64da5dc64d4f5bf3044a39ac3ba7850561882
Instruction ID: 522915dd0b93667993598d80904283ce64964cd3c5b352fb37cf5d52054556e0
Opcode Fuzzy Hash: e734bc54909bdf7d9c6fd1772be64da5dc64d4f5bf3044a39ac3ba7850561882
Instruction Fuzzy Hash: 8D514076A58A5185E7A5CB29C044228A7B1EF45F6CF244231CE4D977B8CF3AFC52C780

Function 00007FF615A35040 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3254239096.00007FF615A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF615A20000, based on PE: true

Associated: 00000000.00000002.3254190441.00007FF615A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254354992.00007FF615A4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A64000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254592956.00007FF615A66000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff615a20000_Q3pEXxmWAD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dde3b7cfbcf26fc8d7513faefc9a59c4b8821272907dfbb35b6db6355186da00
Instruction ID: fecae39eb82edb0703dd5e4812393575a66e465b75f30d0729fa10fe7e60a2e8
Opcode Fuzzy Hash: dde3b7cfbcf26fc8d7513faefc9a59c4b8821272907dfbb35b6db6355186da00
Instruction Fuzzy Hash: 1141B752DC9F8A08E9D5D91C45146B8A7C0AF1BFB8D6853B0DDD9D33E2DF0E6D868140

Function 00007FF615A391B0 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3254239096.00007FF615A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF615A20000, based on PE: true

Associated: 00000000.00000002.3254190441.00007FF615A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254354992.00007FF615A4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A64000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254592956.00007FF615A66000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff615a20000_Q3pEXxmWAD.jbxd

Similarity

API ID: ErrorLanguagesLastPreferredRestoreThread
String ID:
API String ID: 588628887-0
Opcode ID: 8d7eb27f456b44a91f9c68f162ea9965681a4a0d7ad24d9c24e3bfc258020ebf
Instruction ID: baa8981adb8e8eeffb15f8670596e9e1d9b7bdb800aa9087873ed8eec3d0c868
Opcode Fuzzy Hash: 8d7eb27f456b44a91f9c68f162ea9965681a4a0d7ad24d9c24e3bfc258020ebf
Instruction Fuzzy Hash: 9441E162754E548AEF44CF6AD91456AB3A1BF48FE4B099136EE0DD7B68DF3CC8418300

Function 00007FF615A373F4 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3254239096.00007FF615A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF615A20000, based on PE: true

Associated: 00000000.00000002.3254190441.00007FF615A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254354992.00007FF615A4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A64000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254592956.00007FF615A66000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff615a20000_Q3pEXxmWAD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d47bd74fb6a019277da3c6b3819bfc69269ba7720235d09fb044e88388ffaf66
Instruction ID: 6f62a0870a2f7bf030203d6256d1fb63f6895ab46cf9ebf389d953028eba26c5
Opcode Fuzzy Hash: d47bd74fb6a019277da3c6b3819bfc69269ba7720235d09fb044e88388ffaf66
Instruction Fuzzy Hash: 4031D632B58F8241EBA4DF25684013EAAD5AF84FA4F144339EB9D93BA5DF3CD9114704

Function 00007FF615A48880 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3254239096.00007FF615A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF615A20000, based on PE: true

Associated: 00000000.00000002.3254190441.00007FF615A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254354992.00007FF615A4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A64000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254592956.00007FF615A66000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff615a20000_Q3pEXxmWAD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b45f31a2a70b9ba878c3a12fffa6905b3575b51dadbfc3a0cbe7f45b87496cea
Instruction ID: be4acf772ae92d7527b0e96b6d86c9dd11a00793be5c927d7ef1839cfce14544
Opcode Fuzzy Hash: b45f31a2a70b9ba878c3a12fffa6905b3575b51dadbfc3a0cbe7f45b87496cea
Instruction Fuzzy Hash: F1F04FB1A596958EDBA48F2DB812629B7D0FB08B90F808139E689C3A14DB7C94608F04

Function 00007FF615A2C62C Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3254239096.00007FF615A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF615A20000, based on PE: true

Associated: 00000000.00000002.3254190441.00007FF615A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254354992.00007FF615A4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A64000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254592956.00007FF615A66000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff615a20000_Q3pEXxmWAD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84fb9023dc3cd78644239ae856a17877a0dfc2a7c85af1c48b0789cc2cde0ccb
Instruction ID: a26d91901e03818c97af7432c370c77ba97513a5adb70b915b5cfced03324e23
Opcode Fuzzy Hash: 84fb9023dc3cd78644239ae856a17877a0dfc2a7c85af1c48b0789cc2cde0ccb
Instruction Fuzzy Hash: E5A00121998C2AE1EA688BA5E861125B220BF50F20B446231D40D810B0AF3CA8008250

Function 00007FF615A250B0 Relevance: 157.9, APIs: 44, Strings: 46, Instructions: 364libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,00007FF615A25C57,?,00007FF615A2308E), ref: 00007FF615A250C0
GetProcAddress.KERNEL32(?,00007FF615A25C57,?,00007FF615A2308E), ref: 00007FF615A25101
GetProcAddress.KERNEL32(?,00007FF615A25C57,?,00007FF615A2308E), ref: 00007FF615A25126
GetProcAddress.KERNEL32(?,00007FF615A25C57,?,00007FF615A2308E), ref: 00007FF615A2514B
GetProcAddress.KERNEL32(?,00007FF615A25C57,?,00007FF615A2308E), ref: 00007FF615A25173
GetProcAddress.KERNEL32(?,00007FF615A25C57,?,00007FF615A2308E), ref: 00007FF615A2519B
GetProcAddress.KERNEL32(?,00007FF615A25C57,?,00007FF615A2308E), ref: 00007FF615A251C3
GetProcAddress.KERNEL32(?,00007FF615A25C57,?,00007FF615A2308E), ref: 00007FF615A251EB
GetProcAddress.KERNEL32(?,00007FF615A25C57,?,00007FF615A2308E), ref: 00007FF615A25213

Strings

Py_DecRef, xrefs: 00007FF615A250B6, 00007FF615A250D2
PyConfig_Clear, xrefs: 00007FF615A251E1, 00007FF615A251FD
PyObject_Str, xrefs: 00007FF615A255A1, 00007FF615A255BD
PyMarshal_ReadObjectFromString, xrefs: 00007FF615A25489, 00007FF615A254A5
Py_ExitStatusException, xrefs: 00007FF615A2511C, 00007FF615A25138
Py_Finalize, xrefs: 00007FF615A25141, 00007FF615A2515D
PyRun_SimpleStringFlags, xrefs: 00007FF615A255F1, 00007FF615A2560D
PyConfig_Read, xrefs: 00007FF615A25231, 00007FF615A2524D
PySys_SetObject, xrefs: 00007FF615A25669, 00007FF615A25685
PyObject_CallFunction, xrefs: 00007FF615A25501, 00007FF615A2551D
PyConfig_SetString, xrefs: 00007FF615A25281, 00007FF615A2529D
PyConfig_InitIsolatedConfig, xrefs: 00007FF615A25209, 00007FF615A25225
PyMem_RawFree, xrefs: 00007FF615A254B1, 00007FF615A254CD
PyUnicode_FromFormat, xrefs: 00007FF615A25709, 00007FF615A25725
PyList_Append, xrefs: 00007FF615A25461, 00007FF615A2547D
Py_IsInitialized, xrefs: 00007FF615A25191, 00007FF615A251AD
PyObject_SetAttrString, xrefs: 00007FF615A25579, 00007FF615A25595
PyImport_ExecCodeModule, xrefs: 00007FF615A25411, 00007FF615A2542D
PyEval_EvalCode, xrefs: 00007FF615A253C1, 00007FF615A253DD
Failed to get address for %hs, xrefs: 00007FF615A250D9
PyErr_Restore, xrefs: 00007FF615A25399, 00007FF615A253B5
PyConfig_SetBytesString, xrefs: 00007FF615A25259, 00007FF615A25275
PyErr_Print, xrefs: 00007FF615A25371, 00007FF615A2538D
PyUnicode_Replace, xrefs: 00007FF615A25781, 00007FF615A2579D
Py_PreInitialize, xrefs: 00007FF615A251B9, 00007FF615A251D5
PyPreConfig_InitIsolatedConfig, xrefs: 00007FF615A255C9, 00007FF615A255E5
PyImport_ImportModule, xrefs: 00007FF615A25439, 00007FF615A25455
PyConfig_SetWideStringList, xrefs: 00007FF615A252A9, 00007FF615A252C5
GetProcAddress, xrefs: 00007FF615A250E0
PySys_GetObject, xrefs: 00007FF615A25641, 00007FF615A2565D
PyModule_GetDict, xrefs: 00007FF615A254D9, 00007FF615A254F5
PyUnicode_AsUTF8, xrefs: 00007FF615A25691, 00007FF615A256AD
PyUnicode_Decode, xrefs: 00007FF615A256B9, 00007FF615A256D5
PyUnicode_Join, xrefs: 00007FF615A25759, 00007FF615A25775
PyUnicode_DecodeFSDefault, xrefs: 00007FF615A256E1, 00007FF615A256FD
Py_DecodeLocale, xrefs: 00007FF615A250F7, 00007FF615A25113
PyImport_AddModule, xrefs: 00007FF615A253E9, 00007FF615A25405
PyStatus_Exception, xrefs: 00007FF615A25619, 00007FF615A25635
PyErr_Clear, xrefs: 00007FF615A252D1, 00007FF615A252ED
Py_InitializeFromConfig, xrefs: 00007FF615A25169, 00007FF615A25185
PyErr_Fetch, xrefs: 00007FF615A252F9, 00007FF615A25315
PyObject_GetAttrString, xrefs: 00007FF615A25551, 00007FF615A2556D
PyUnicode_FromString, xrefs: 00007FF615A25731, 00007FF615A2574D
PyObject_CallFunctionObjArgs, xrefs: 00007FF615A25529, 00007FF615A25545
PyErr_Occurred, xrefs: 00007FF615A25349, 00007FF615A25365
PyErr_NormalizeException, xrefs: 00007FF615A25321, 00007FF615A2533D

Memory Dump Source

Source File: 00000000.00000002.3254239096.00007FF615A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF615A20000, based on PE: true

Associated: 00000000.00000002.3254190441.00007FF615A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254354992.00007FF615A4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A64000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254592956.00007FF615A66000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff615a20000_Q3pEXxmWAD.jbxd

Similarity

API ID: AddressProc
String ID: Failed to get address for %hs$GetProcAddress$PyConfig_Clear$PyConfig_InitIsolatedConfig$PyConfig_Read$PyConfig_SetBytesString$PyConfig_SetString$PyConfig_SetWideStringList$PyErr_Clear$PyErr_Fetch$PyErr_NormalizeException$PyErr_Occurred$PyErr_Print$PyErr_Restore$PyEval_EvalCode$PyImport_AddModule$PyImport_ExecCodeModule$PyImport_ImportModule$PyList_Append$PyMarshal_ReadObjectFromString$PyMem_RawFree$PyModule_GetDict$PyObject_CallFunction$PyObject_CallFunctionObjArgs$PyObject_GetAttrString$PyObject_SetAttrString$PyObject_Str$PyPreConfig_InitIsolatedConfig$PyRun_SimpleStringFlags$PyStatus_Exception$PySys_GetObject$PySys_SetObject$PyUnicode_AsUTF8$PyUnicode_Decode$PyUnicode_DecodeFSDefault$PyUnicode_FromFormat$PyUnicode_FromString$PyUnicode_Join$PyUnicode_Replace$Py_DecRef$Py_DecodeLocale$Py_ExitStatusException$Py_Finalize$Py_InitializeFromConfig$Py_IsInitialized$Py_PreInitialize
API String ID: 190572456-2007157414
Opcode ID: 3c804ccaf4812c993b4970aca99c844c8aa25bcf6244ab31ff714926eb913965
Instruction ID: de39e87eab7f2b758a82ab68803bc3ea607f68d96156b894192e679a9c71da99
Opcode Fuzzy Hash: 3c804ccaf4812c993b4970aca99c844c8aa25bcf6244ab31ff714926eb913965
Instruction Fuzzy Hash: 3012C460DCEF4391FA159B95E8211B4A3E4BF48F71B981636C84F962B4EF7CBD488241

Function 00007FF615A277D0 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 115COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF615A286B0: MultiByteToWideChar.KERNEL32(?,?,?,00007FF615A23FA4,00000000,00007FF615A21925), ref: 00007FF615A286E9

ExpandEnvironmentStringsW.KERNEL32(?,00007FF615A27C97,?,?,FFFFFFFF,00007FF615A23834), ref: 00007FF615A2782C

Part of subcall function 00007FF615A226C0: MessageBoxW.USER32 ref: 00007FF615A22736

Strings

%.*s, xrefs: 00007FF615A2790C
LOADER: failed to convert runtime-tmpdir to a wide string., xrefs: 00007FF615A27803
CreateDirectory, xrefs: 00007FF615A27974
LOADER: failed to create runtime-tmpdir path %ls!, xrefs: 00007FF615A2796D
LOADER: runtime-tmpdir points to non-existent drive %ls (type: %d)!, xrefs: 00007FF615A2789D
LOADER: failed to obtain the absolute path of the runtime-tmpdir., xrefs: 00007FF615A278D9
LOADER: failed to expand environment variables in the runtime-tmpdir., xrefs: 00007FF615A27840
\, xrefs: 00007FF615A27861

Memory Dump Source

Source File: 00000000.00000002.3254239096.00007FF615A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF615A20000, based on PE: true

Associated: 00000000.00000002.3254190441.00007FF615A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254354992.00007FF615A4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A64000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254592956.00007FF615A66000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff615a20000_Q3pEXxmWAD.jbxd

Similarity

API ID: ByteCharEnvironmentExpandMessageMultiStringsWide
String ID: %.*s$CreateDirectory$LOADER: failed to convert runtime-tmpdir to a wide string.$LOADER: failed to create runtime-tmpdir path %ls!$LOADER: failed to expand environment variables in the runtime-tmpdir.$LOADER: failed to obtain the absolute path of the runtime-tmpdir.$LOADER: runtime-tmpdir points to non-existent drive %ls (type: %d)!$\
API String ID: 1662231829-930877121
Opcode ID: 9eab8ee9825a9fbd44869a095635737d99e10a8ea38952c2113d32bd4c9397e1
Instruction ID: 62b29b4f3b1209a6796cad535cf533c80c74cec93a627f28f8fef3b46327229c
Opcode Fuzzy Hash: 9eab8ee9825a9fbd44869a095635737d99e10a8ea38952c2113d32bd4c9397e1
Instruction Fuzzy Hash: 0241B811B9DE4341FA50EB76D8526BAE751EF84FA4F444231E64EC26B5EF2CED048340

Function 00007FF615A220F0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 00007FF615A2211B
SelectObject.GDI32 ref: 00007FF615A22162
DrawTextW.USER32 ref: 00007FF615A22185
SelectObject.GDI32 ref: 00007FF615A2219B
ReleaseDC.USER32 ref: 00007FF615A221AB
MoveWindow.USER32 ref: 00007FF615A221FB
MoveWindow.USER32 ref: 00007FF615A2223B
MoveWindow.USER32 ref: 00007FF615A2228E
MoveWindow.USER32 ref: 00007FF615A222D6

Strings

P%, xrefs: 00007FF615A2216F

Memory Dump Source

Source File: 00000000.00000002.3254239096.00007FF615A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF615A20000, based on PE: true

Associated: 00000000.00000002.3254190441.00007FF615A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254354992.00007FF615A4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A64000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254592956.00007FF615A66000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff615a20000_Q3pEXxmWAD.jbxd

Similarity

API ID: MoveWindow$ObjectSelect$DrawReleaseText
String ID: P%
API String ID: 2147705588-2959514604
Opcode ID: d5dd136cfe9f7ccbcb0fe4cae99cf14dfe1cc9f89db7d8019ba122c6a34f6d98
Instruction ID: e9c747987b85b0afa0ed168aec6bdbe81edfbb2a4b0122591a0c6c942ab87450
Opcode Fuzzy Hash: d5dd136cfe9f7ccbcb0fe4cae99cf14dfe1cc9f89db7d8019ba122c6a34f6d98
Instruction Fuzzy Hash: 9A51E626614BA186DA349F32A4181BAF7A1FB98F71F044221EBDE83694DF3CD485DB10

Function 00007FF615A355A0 Relevance: 14.5, APIs: 3, Strings: 5, Instructions: 493COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF615A355E3
_invalid_parameter_noinfo.LIBCMT ref: 00007FF615A359D0
_invalid_parameter_noinfo.LIBCMT ref: 00007FF615A35C6C

Strings

-, xrefs: 00007FF615A35679
:, xrefs: 00007FF615A3579C
f, xrefs: 00007FF615A35705
p, xrefs: 00007FF615A35695
p, xrefs: 00007FF615A3570D

Memory Dump Source

Source File: 00000000.00000002.3254239096.00007FF615A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF615A20000, based on PE: true

Associated: 00000000.00000002.3254190441.00007FF615A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254354992.00007FF615A4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A64000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254592956.00007FF615A66000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff615a20000_Q3pEXxmWAD.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: -$:$f$p$p
API String ID: 3215553584-2013873522
Opcode ID: 21cbc72c7e6dc269be11e21f83bf2085e3383c5e1ad4ae35147280bf7774980f
Instruction ID: 10e27c5cb5a6ec71953df4f5f62c186299a0e64deed4c4ef5d7e1a709e1aa7c5
Opcode Fuzzy Hash: 21cbc72c7e6dc269be11e21f83bf2085e3383c5e1ad4ae35147280bf7774980f
Instruction Fuzzy Hash: 81129261E48A4386FBA0DB19E054279E791FF45F78F944236D6C9866E4EF3CED908B00

Function 00007FF615A302E8 Relevance: 14.5, APIs: 3, Strings: 5, Instructions: 475COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF615A30328
_invalid_parameter_noinfo.LIBCMT ref: 00007FF615A306F0
_invalid_parameter_noinfo.LIBCMT ref: 00007FF615A3098F

Strings

p, xrefs: 00007FF615A303CD
f, xrefs: 00007FF615A30575
p, xrefs: 00007FF615A30432
f, xrefs: 00007FF615A3042A
f, xrefs: 00007FF615A303C0

Memory Dump Source

Source File: 00000000.00000002.3254239096.00007FF615A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF615A20000, based on PE: true

Associated: 00000000.00000002.3254190441.00007FF615A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254354992.00007FF615A4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A64000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254592956.00007FF615A66000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff615a20000_Q3pEXxmWAD.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: f$f$p$p$f
API String ID: 3215553584-1325933183
Opcode ID: 1ce7302e2fd45bb0c0c54093c0ec2c5d292275181cf657796836d36714c503ba
Instruction ID: bbe2d5f2da188409fa2d5f76ef4d411c77573e19c64cba7a9d0af14a043690ac
Opcode Fuzzy Hash: 1ce7302e2fd45bb0c0c54093c0ec2c5d292275181cf657796836d36714c503ba
Instruction Fuzzy Hash: BF128321E8C94386FBA4DA15E0547BAF651FF90F68F844231E699866E4DF7CED80CB40

Function 00007FF615A21050 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 111COMMON

Download Yara Rule

Strings

Failed to extract %s: failed to read data chunk!, xrefs: 00007FF615A211D0
malloc, xrefs: 00007FF615A210FC
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF615A210C5
fseek, xrefs: 00007FF615A210CC
Failed to extract %s: failed to allocate data buffer (%u bytes)!, xrefs: 00007FF615A210F5
Failed to extract %s: failed to open archive file!, xrefs: 00007FF615A21097
fread, xrefs: 00007FF615A211D7

Memory Dump Source

Source File: 00000000.00000002.3254239096.00007FF615A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF615A20000, based on PE: true

Associated: 00000000.00000002.3254190441.00007FF615A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254354992.00007FF615A4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A64000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254592956.00007FF615A66000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff615a20000_Q3pEXxmWAD.jbxd

Similarity

API ID: Message
String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
API String ID: 2030045667-3659356012
Opcode ID: 46cb2396e176c515e5b1b379c4cef78a4cdb7727bbd2a54cd4f09649ba9bae94
Instruction ID: 6bdf0ec1ca5633ce4051ee18f72d52e1d1420df51a3c2ef20fbdb4288cb4dd45
Opcode Fuzzy Hash: 46cb2396e176c515e5b1b379c4cef78a4cdb7727bbd2a54cd4f09649ba9bae94
Instruction Fuzzy Hash: 35419E25B88E4642EA149B63A8421BAE791FF44FE4F444235DD1D87BA5EF3CF8058300

Function 00007FF615A21440 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 100COMMON

Download Yara Rule

Strings

Failed to extract %s: failed to read data chunk!, xrefs: 00007FF615A2159A
malloc, xrefs: 00007FF615A214E0
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF615A214A9
fseek, xrefs: 00007FF615A214B0
Failed to extract %s: failed to allocate data buffer (%u bytes)!, xrefs: 00007FF615A214D9
Failed to extract %s: failed to open archive file!, xrefs: 00007FF615A2146F
fread, xrefs: 00007FF615A215A1

Memory Dump Source

Source File: 00000000.00000002.3254239096.00007FF615A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF615A20000, based on PE: true

Associated: 00000000.00000002.3254190441.00007FF615A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254354992.00007FF615A4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A64000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254592956.00007FF615A66000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff615a20000_Q3pEXxmWAD.jbxd

Similarity

API ID: Message
String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
API String ID: 2030045667-3659356012
Opcode ID: df4ad80a251e0c5f0c79bd6923b775d70a5b162c42eaf5c7801165d24b84e2b2
Instruction ID: 774d48396f049f332c83feb58827fe55be9e90209898c78f444261bfd75a46e4
Opcode Fuzzy Hash: df4ad80a251e0c5f0c79bd6923b775d70a5b162c42eaf5c7801165d24b84e2b2
Instruction Fuzzy Hash: D6418225B88A4681EE209B66A9421B6E390FF04FE4F584231DE5D87AB5EF3CFD418700

Function 00007FF615A2DD28 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 310COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00007FF615A2DD85

Part of subcall function 00007FF615A2ECDC: __GetUnwindTryBlock.LIBCMT ref: 00007FF615A2ED1F
Part of subcall function 00007FF615A2ECDC: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00007FF615A2ED44

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FF615A2DE5D
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00007FF615A2E0AB
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF615A2E1B8

Strings

csm, xrefs: 00007FF615A2DE06
csm, xrefs: 00007FF615A2DE80
csm, xrefs: 00007FF615A2DD9F

Memory Dump Source

Source File: 00000000.00000002.3254239096.00007FF615A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF615A20000, based on PE: true

Associated: 00000000.00000002.3254190441.00007FF615A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254354992.00007FF615A4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A64000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254592956.00007FF615A66000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff615a20000_Q3pEXxmWAD.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 9e3578d2910a1de3a92e15cd58e24121979594cfb80c91fc1a566261b89881c5
Instruction ID: 058a0e1005133d21dac8bf5411d9281846fc2607dbf0ac9240cc41dd2c90c26b
Opcode Fuzzy Hash: 9e3578d2910a1de3a92e15cd58e24121979594cfb80c91fc1a566261b89881c5
Instruction Fuzzy Hash: 31D14232A48B418AE7109B76D4423BDB7A0FF55FA8F104235DA4D977A6DF38E881C741

Function 00007FF615A3E020 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,?,00007FF615A3E3BA,?,?,0000011C08C26A08,00007FF615A3A063,?,?,?,00007FF615A39F5A,?,?,?,00007FF615A3524E), ref: 00007FF615A3E19C
GetProcAddress.KERNEL32(?,?,?,00007FF615A3E3BA,?,?,0000011C08C26A08,00007FF615A3A063,?,?,?,00007FF615A39F5A,?,?,?,00007FF615A3524E), ref: 00007FF615A3E1A8

Strings

ext-ms-, xrefs: 00007FF615A3E0F9
api-ms-, xrefs: 00007FF615A3E0E6

Memory Dump Source

Source File: 00000000.00000002.3254239096.00007FF615A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF615A20000, based on PE: true

Associated: 00000000.00000002.3254190441.00007FF615A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254354992.00007FF615A4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A64000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254592956.00007FF615A66000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff615a20000_Q3pEXxmWAD.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: api-ms-$ext-ms-
API String ID: 3013587201-537541572
Opcode ID: 400d167c79677b3a1b331b2dd1a2c4ed1cd7dec94f3cf9f9612a621c3bffedbb
Instruction ID: 13f4663a5949b25a25e1b26a15749e830685449452005753b3b553e94c1e60e1
Opcode Fuzzy Hash: 400d167c79677b3a1b331b2dd1a2c4ed1cd7dec94f3cf9f9612a621c3bffedbb
Instruction Fuzzy Hash: 08419E21B99E0286FA96CB16E804675A2D2BF55FB4F494235DE1DCB7A4EF3CEC458200

Function 00007FF615A2CFE8 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,?,00007FF615A2D29A,?,?,?,00007FF615A2CF8C,?,?,?,00007FF615A2CB89), ref: 00007FF615A2D06D
GetLastError.KERNEL32(?,?,?,00007FF615A2D29A,?,?,?,00007FF615A2CF8C,?,?,?,00007FF615A2CB89), ref: 00007FF615A2D07B
LoadLibraryExW.KERNEL32(?,?,?,00007FF615A2D29A,?,?,?,00007FF615A2CF8C,?,?,?,00007FF615A2CB89), ref: 00007FF615A2D0A5
FreeLibrary.KERNEL32(?,?,?,00007FF615A2D29A,?,?,?,00007FF615A2CF8C,?,?,?,00007FF615A2CB89), ref: 00007FF615A2D113
GetProcAddress.KERNEL32(?,?,?,00007FF615A2D29A,?,?,?,00007FF615A2CF8C,?,?,?,00007FF615A2CB89), ref: 00007FF615A2D11F

Strings

api-ms-, xrefs: 00007FF615A2D08D

Memory Dump Source

Source File: 00000000.00000002.3254239096.00007FF615A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF615A20000, based on PE: true

Associated: 00000000.00000002.3254190441.00007FF615A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254354992.00007FF615A4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A64000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254592956.00007FF615A66000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff615a20000_Q3pEXxmWAD.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: ae36e00ef30d4e956021163d7a0c1bae911f6c658fcf96311cd3d9d96979b27c
Instruction ID: 2a6101546ac909ba165be1f02ae3cfcd1118d283ed3545d3a22813830c7b82e2
Opcode Fuzzy Hash: ae36e00ef30d4e956021163d7a0c1bae911f6c658fcf96311cd3d9d96979b27c
Instruction Fuzzy Hash: 9E31AD21A9EE4280EE119B67A801675A394FF08FB4F990735DD1E873B5EF3CE8428241

Function 00007FF615A3A460 Relevance: 10.6, APIs: 7, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF615A3A46F
FlsGetValue.KERNEL32 ref: 00007FF615A3A484
FlsSetValue.KERNEL32 ref: 00007FF615A3A4A5
FlsSetValue.KERNEL32 ref: 00007FF615A3A4D2
FlsSetValue.KERNEL32 ref: 00007FF615A3A4E3
FlsSetValue.KERNEL32 ref: 00007FF615A3A4F4
SetLastError.KERNEL32 ref: 00007FF615A3A50F

Memory Dump Source

Source File: 00000000.00000002.3254239096.00007FF615A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF615A20000, based on PE: true

Associated: 00000000.00000002.3254190441.00007FF615A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254354992.00007FF615A4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A64000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254592956.00007FF615A66000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff615a20000_Q3pEXxmWAD.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 67217a7fc91f5e25160bb9a3b2c8204a3bd01eab0ccbfeeabb81ecf6e12f005c
Instruction ID: 6c0aa137bb5d92ddd22130b5b5d98c8005348aa071dbc8921563720bad6aca1a
Opcode Fuzzy Hash: 67217a7fc91f5e25160bb9a3b2c8204a3bd01eab0ccbfeeabb81ecf6e12f005c
Instruction Fuzzy Hash: 5E213A20F8CA5246FA94E7215665139E1825F48FB8F144734DA3ECBAF6DF7CAC414701

Function 00007FF615A4707C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 00007FF615A470AD
GetLastError.KERNEL32 ref: 00007FF615A470B9
CloseHandle.KERNEL32 ref: 00007FF615A470D1
CreateFileW.KERNEL32 ref: 00007FF615A470FC
WriteConsoleW.KERNEL32 ref: 00007FF615A4711B

Strings

CONOUT$, xrefs: 00007FF615A470DD

Memory Dump Source

Source File: 00000000.00000002.3254239096.00007FF615A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF615A20000, based on PE: true

Associated: 00000000.00000002.3254190441.00007FF615A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254354992.00007FF615A4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A64000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254592956.00007FF615A66000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff615a20000_Q3pEXxmWAD.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: 274174309ff0e3cf7757a3f5c883333dff1858e51aae267b9afc88cc39a62d3b
Instruction ID: 48fb29378dcf127555f34a71c966ee7ae2e3fd1bca650c9d26dd0c89ae71a2df
Opcode Fuzzy Hash: 274174309ff0e3cf7757a3f5c883333dff1858e51aae267b9afc88cc39a62d3b
Instruction Fuzzy Hash: DD114F21A58E4686E7508B96A854729A6A0BF88FF4F044334EA5DC77A4DF7CDC048740

Function 00007FF615A281F0 Relevance: 9.1, APIs: 6, Instructions: 121COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,00000000,?,00007FF615A239F2), ref: 00007FF615A2821D
K32EnumProcessModules.KERNEL32(?,00000000,?,00007FF615A239F2), ref: 00007FF615A2827A

Part of subcall function 00007FF615A286B0: MultiByteToWideChar.KERNEL32(?,?,?,00007FF615A23FA4,00000000,00007FF615A21925), ref: 00007FF615A286E9

K32GetModuleFileNameExW.KERNEL32(?,00000000,?,00007FF615A239F2), ref: 00007FF615A28305
K32GetModuleFileNameExW.KERNEL32(?,00000000,?,00007FF615A239F2), ref: 00007FF615A28364
FreeLibrary.KERNEL32(?,00000000,?,00007FF615A239F2), ref: 00007FF615A28375
FreeLibrary.KERNEL32(?,00000000,?,00007FF615A239F2), ref: 00007FF615A2838A

Memory Dump Source

Source File: 00000000.00000002.3254239096.00007FF615A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF615A20000, based on PE: true

Associated: 00000000.00000002.3254190441.00007FF615A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254354992.00007FF615A4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A64000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254592956.00007FF615A66000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff615a20000_Q3pEXxmWAD.jbxd

Similarity

API ID: FileFreeLibraryModuleNameProcess$ByteCharCurrentEnumModulesMultiWide
String ID:
API String ID: 3462794448-0
Opcode ID: 639de59220823cace7c77af6f37b7d772b01f3b75ea0781fa3cc2fa807537d27
Instruction ID: c8a6294b68f2ddd2b625f92eb2d8c6da62f2499e67982adbd875a2de4b6ca709
Opcode Fuzzy Hash: 639de59220823cace7c77af6f37b7d772b01f3b75ea0781fa3cc2fa807537d27
Instruction Fuzzy Hash: 4E41B462A59F8641EA709B22A5012BAB394FF84FE4F444235EF5D977A9DF3CE801C700

Function 00007FF615A3A5D8 Relevance: 9.1, APIs: 6, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FF615A343FD,?,?,?,?,00007FF615A3979A,?,?,?,?,00007FF615A3649F), ref: 00007FF615A3A5E7
FlsSetValue.KERNEL32(?,?,?,00007FF615A343FD,?,?,?,?,00007FF615A3979A,?,?,?,?,00007FF615A3649F), ref: 00007FF615A3A61D
FlsSetValue.KERNEL32(?,?,?,00007FF615A343FD,?,?,?,?,00007FF615A3979A,?,?,?,?,00007FF615A3649F), ref: 00007FF615A3A64A
FlsSetValue.KERNEL32(?,?,?,00007FF615A343FD,?,?,?,?,00007FF615A3979A,?,?,?,?,00007FF615A3649F), ref: 00007FF615A3A65B
FlsSetValue.KERNEL32(?,?,?,00007FF615A343FD,?,?,?,?,00007FF615A3979A,?,?,?,?,00007FF615A3649F), ref: 00007FF615A3A66C
SetLastError.KERNEL32(?,?,?,00007FF615A343FD,?,?,?,?,00007FF615A3979A,?,?,?,?,00007FF615A3649F), ref: 00007FF615A3A687

Memory Dump Source

Source File: 00000000.00000002.3254239096.00007FF615A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF615A20000, based on PE: true

Associated: 00000000.00000002.3254190441.00007FF615A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254354992.00007FF615A4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A64000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254592956.00007FF615A66000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff615a20000_Q3pEXxmWAD.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: ef20b32075126869ce53cf62fbcb139ef3f5263cb698c8c2b5617054fce20239
Instruction ID: 517795d1abf381fa0427b58fd4b4c4e2e02d04a8ddd00eab3aae9a3bbec5f86a
Opcode Fuzzy Hash: ef20b32075126869ce53cf62fbcb139ef3f5263cb698c8c2b5617054fce20239
Instruction Fuzzy Hash: 59113820F88E524AFA94E7215661139E2825F88FB8F144734D93ECB6F6DF7CAC414701

Function 00007FF615A22300 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 81windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF615A22338
DialogBoxIndirectParamW.USER32 ref: 00007FF615A223FE
DeleteObject.GDI32 ref: 00007FF615A22431
DestroyIcon.USER32 ref: 00007FF615A22443

Strings

Unhandled exception in script, xrefs: 00007FF615A22368

Memory Dump Source

Source File: 00000000.00000002.3254239096.00007FF615A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF615A20000, based on PE: true

Associated: 00000000.00000002.3254190441.00007FF615A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254354992.00007FF615A4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A64000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254592956.00007FF615A66000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff615a20000_Q3pEXxmWAD.jbxd

Similarity

API ID: DeleteDestroyDialogHandleIconIndirectModuleObjectParam
String ID: Unhandled exception in script
API String ID: 3081866767-2699770090
Opcode ID: 2f02a126994589ece2bf0b221661227d336c2ada993d2ff489732679099e34b6
Instruction ID: 9cd35fc2c7cb98cc7c5b20613a41a7063e9d7d73f3ab6e0221932c97c90f6401
Opcode Fuzzy Hash: 2f02a126994589ece2bf0b221661227d336c2ada993d2ff489732679099e34b6
Instruction Fuzzy Hash: CE316036A58E8689EB60DF61E8552F9A360FF89FA4F440235EA4D87B65DF3CD904C700

Function 00007FF615A22760 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 57windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF615A286B0: MultiByteToWideChar.KERNEL32(?,?,?,00007FF615A23FA4,00000000,00007FF615A21925), ref: 00007FF615A286E9

MessageBoxW.USER32 ref: 00007FF615A2283B
MessageBoxA.USER32 ref: 00007FF615A2284F

Strings

%s%s: %s, xrefs: 00007FF615A227EC
Error/warning (ANSI fallback), xrefs: 00007FF615A22843
Error, xrefs: 00007FF615A2282C

Memory Dump Source

Source File: 00000000.00000002.3254239096.00007FF615A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF615A20000, based on PE: true

Associated: 00000000.00000002.3254190441.00007FF615A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254354992.00007FF615A4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A64000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254592956.00007FF615A66000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff615a20000_Q3pEXxmWAD.jbxd

Similarity

API ID: Message$ByteCharMultiWide
String ID: %s%s: %s$Error$Error/warning (ANSI fallback)
API String ID: 1878133881-640379615
Opcode ID: c7e22cebafa3b4081381e7f20538df90bc3c47857982eb0ae5879fef5a553f49
Instruction ID: 310df8b402aa82528e2a86e6ded866f5d926d4347e1a68295d7909938d244021
Opcode Fuzzy Hash: c7e22cebafa3b4081381e7f20538df90bc3c47857982eb0ae5879fef5a553f49
Instruction Fuzzy Hash: C5218672668F8581EA20DB61F4517EAA364FF84F94F404236EB8C83A69DF3CDA45C740

Function 00007FF615A38DA0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00007FF615A38DC5
GetProcAddress.KERNEL32 ref: 00007FF615A38DDB
FreeLibrary.KERNEL32 ref: 00007FF615A38E02

Strings

CorExitProcess, xrefs: 00007FF615A38DD4
mscoree.dll, xrefs: 00007FF615A38DBC

Memory Dump Source

Source File: 00000000.00000002.3254239096.00007FF615A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF615A20000, based on PE: true

Associated: 00000000.00000002.3254190441.00007FF615A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254354992.00007FF615A4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A64000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254592956.00007FF615A66000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff615a20000_Q3pEXxmWAD.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: f1eb0c22b123c1cdb2873c61f44d146b1d21622817f8dd4d6a21f18b4a6e3d93
Instruction ID: 996a73f0bfe029ec2f1c2ea4fb0f7b05c248e06a2d52a5cee8b65f6d548034d5
Opcode Fuzzy Hash: f1eb0c22b123c1cdb2873c61f44d146b1d21622817f8dd4d6a21f18b4a6e3d93
Instruction Fuzzy Hash: 25F06261A59F0681EF108B64E4487799360AF85FB5F581736D66D861F4CF3CD849C310

Function 00007FF615A48678 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00007FF615A486A0
_set_statfp.LIBCMT ref: 00007FF615A486BB
_set_statfp.LIBCMT ref: 00007FF615A486D7
_set_statfp.LIBCMT ref: 00007FF615A48713

Memory Dump Source

Source File: 00000000.00000002.3254239096.00007FF615A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF615A20000, based on PE: true

Associated: 00000000.00000002.3254190441.00007FF615A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254354992.00007FF615A4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A64000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254592956.00007FF615A66000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff615a20000_Q3pEXxmWAD.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: bce21d2362216a5e504affcf34f2858e363de54600403cac3d1eeb36cb2ab404
Instruction ID: 8c00375e6a3182cfdc9756efab3e7f699c90e7ff99eb073456a55613ac92f26e
Opcode Fuzzy Hash: bce21d2362216a5e504affcf34f2858e363de54600403cac3d1eeb36cb2ab404
Instruction Fuzzy Hash: 3411BF32ED8E0341F79411A9F466376D1406F56FB4F1D4734EA6E966F68F2CAC40C110

Function 00007FF615A3A6A0 Relevance: 7.6, APIs: 5, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,00007FF615A398B3,?,?,00000000,00007FF615A39B4E,?,?,?,?,?,00007FF615A39ADA), ref: 00007FF615A3A6BF
FlsSetValue.KERNEL32(?,?,?,00007FF615A398B3,?,?,00000000,00007FF615A39B4E,?,?,?,?,?,00007FF615A39ADA), ref: 00007FF615A3A6DE
FlsSetValue.KERNEL32(?,?,?,00007FF615A398B3,?,?,00000000,00007FF615A39B4E,?,?,?,?,?,00007FF615A39ADA), ref: 00007FF615A3A706
FlsSetValue.KERNEL32(?,?,?,00007FF615A398B3,?,?,00000000,00007FF615A39B4E,?,?,?,?,?,00007FF615A39ADA), ref: 00007FF615A3A717
FlsSetValue.KERNEL32(?,?,?,00007FF615A398B3,?,?,00000000,00007FF615A39B4E,?,?,?,?,?,00007FF615A39ADA), ref: 00007FF615A3A728

Memory Dump Source

Source File: 00000000.00000002.3254239096.00007FF615A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF615A20000, based on PE: true

Associated: 00000000.00000002.3254190441.00007FF615A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254354992.00007FF615A4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A64000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254592956.00007FF615A66000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff615a20000_Q3pEXxmWAD.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: f2276611a630934bbdb354ef1537d91ff3ed6de03a5f5a99dae5237b5b9f36a7
Instruction ID: a4c539fbde22c590053b2205852199ef3efebd6fe476f67bc90ee02192f06523
Opcode Fuzzy Hash: f2276611a630934bbdb354ef1537d91ff3ed6de03a5f5a99dae5237b5b9f36a7
Instruction Fuzzy Hash: 2F116D20F88A5246FAD8D32556A1579E1926F98FB8E044334E93DCA6F6DF7CAC018700

Function 00007FF615A3A534 Relevance: 7.6, APIs: 5, Instructions: 50COMMON

Download Yara Rule

APIs

FlsGetValue.KERNEL32 ref: 00007FF615A3A545
FlsSetValue.KERNEL32 ref: 00007FF615A3A564
FlsSetValue.KERNEL32 ref: 00007FF615A3A58C
FlsSetValue.KERNEL32 ref: 00007FF615A3A59D
FlsSetValue.KERNEL32 ref: 00007FF615A3A5AE

Memory Dump Source

Source File: 00000000.00000002.3254239096.00007FF615A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF615A20000, based on PE: true

Associated: 00000000.00000002.3254190441.00007FF615A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254354992.00007FF615A4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A64000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254592956.00007FF615A66000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff615a20000_Q3pEXxmWAD.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: a5817a23bb51f76ee1afbfff857c957b5c6e4c237a472a6b6273a3da914e048f
Instruction ID: 92cec531f6d7df790b3d041e0ecf4a81956bde54c74fa1d275987c3bb3f9c725
Opcode Fuzzy Hash: a5817a23bb51f76ee1afbfff857c957b5c6e4c237a472a6b6273a3da914e048f
Instruction Fuzzy Hash: D1112A20F88A074AFAD8E7254461579A2815F59F78E144734DA3ECE2F2EF7CBC414201

Function 00007FF615A352B0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF615A352EC
_invalid_parameter_noinfo.LIBCMT ref: 00007FF615A35416
_invalid_parameter_noinfo.LIBCMT ref: 00007FF615A354CC

Strings

verbose, xrefs: 00007FF615A352C0

Memory Dump Source

Source File: 00000000.00000002.3254239096.00007FF615A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF615A20000, based on PE: true

Associated: 00000000.00000002.3254190441.00007FF615A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254354992.00007FF615A4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A64000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254592956.00007FF615A66000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff615a20000_Q3pEXxmWAD.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: verbose
API String ID: 3215553584-579935070
Opcode ID: f7ed0d29023b39033d3e63b48c2fcebc8df79207a036ffcb4dd83b8b3075c670
Instruction ID: 716eed2af6b506121381e72b2eb31df7cf84a962e4998e1cb70cbc8ce63088f2
Opcode Fuzzy Hash: f7ed0d29023b39033d3e63b48c2fcebc8df79207a036ffcb4dd83b8b3075c670
Instruction Fuzzy Hash: 97919222A48E4645E7A5CE29D45037DB792AF48FA8F844236DADE873E5DF3CEC458340

Function 00007FF615A3EED8 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 219COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF615A3F1B7

Part of subcall function 00007FF615A36D4C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF615A36D69

Strings

ccs, xrefs: 00007FF615A3F0F2
UTF-16LEUNICODE, xrefs: 00007FF615A3F155
UTF-8, xrefs: 00007FF615A3F136

Memory Dump Source

Source File: 00000000.00000002.3254239096.00007FF615A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF615A20000, based on PE: true

Associated: 00000000.00000002.3254190441.00007FF615A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254354992.00007FF615A4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A64000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254592956.00007FF615A66000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff615a20000_Q3pEXxmWAD.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: UTF-16LEUNICODE$UTF-8$ccs
API String ID: 3215553584-1196891531
Opcode ID: f2afffe6052eb22f88312eb2a9052de40cf8af355caad6dfb5a285a3356e609b
Instruction ID: 6a51c174f0d765dd3309aca0a35bd518829f5ebf650714d9449d9b68928a8dd0
Opcode Fuzzy Hash: f2afffe6052eb22f88312eb2a9052de40cf8af355caad6dfb5a285a3356e609b
Instruction Fuzzy Hash: D181DA32DA890385FBE4CF29D110279A6A4AF12F6CF558271CA99D72B5EF2DEC018701

Function 00007FF615A2C968 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 154COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF615A2C993
_IsNonwritableInCurrentImage.LIBCMT ref: 00007FF615A2CA2A
RtlUnwindEx.KERNEL32 ref: 00007FF615A2CA84

Strings

csm, xrefs: 00007FF615A2CA11

Memory Dump Source

Source File: 00000000.00000002.3254239096.00007FF615A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF615A20000, based on PE: true

Associated: 00000000.00000002.3254190441.00007FF615A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254354992.00007FF615A4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A64000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254592956.00007FF615A66000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff615a20000_Q3pEXxmWAD.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm
API String ID: 2395640692-1018135373
Opcode ID: 8b87fa2c553d9157ee5c92b9fa7cd74c02d8a8cd0f0d05c46c7470457ee5a2ed
Instruction ID: a651c28c34c4b3c13c910fe0a2846c46ba34693f71b5ac7f9daa7015bfd619c3
Opcode Fuzzy Hash: 8b87fa2c553d9157ee5c92b9fa7cd74c02d8a8cd0f0d05c46c7470457ee5a2ed
Instruction Fuzzy Hash: 2351A132B59A42AADB14CB66E465A79B792EF44FA4F108230DA4DC37A4DF7DEC41C700

Function 00007FF615A2E5A8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF615A2E5D0
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00007FF615A2E6B8

Strings

csm, xrefs: 00007FF615A2E70A
csm, xrefs: 00007FF615A2E5F2

Memory Dump Source

Source File: 00000000.00000002.3254239096.00007FF615A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF615A20000, based on PE: true

Associated: 00000000.00000002.3254190441.00007FF615A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254354992.00007FF615A4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A64000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254592956.00007FF615A66000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff615a20000_Q3pEXxmWAD.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: 35f1ba398413474562c31f87a28067be7b3dedf2abf1bb91a394967b9293af31
Instruction ID: 4f69219a8bcea51ed3d2f4fbe79b06a84bf405d859bcef183dd9f661a0255bbb
Opcode Fuzzy Hash: 35f1ba398413474562c31f87a28067be7b3dedf2abf1bb91a394967b9293af31
Instruction Fuzzy Hash: 81517132A48A828AEB648B339045278B691EF55FA4F148335DB5D87BE5CF3CE891C741

Function 00007FF615A2E1F8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 00007FF615A2E257
_CallSETranslator.LIBVCRUNTIME ref: 00007FF615A2E2A3

Strings

RCC, xrefs: 00007FF615A2E273
MOC, xrefs: 00007FF615A2E26B

Memory Dump Source

Source File: 00000000.00000002.3254239096.00007FF615A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF615A20000, based on PE: true

Associated: 00000000.00000002.3254190441.00007FF615A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254354992.00007FF615A4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A64000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254592956.00007FF615A66000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff615a20000_Q3pEXxmWAD.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: 7372cc8c5436f01c7c5bf562e068c966f7e5f7c30121bdd0ddd9e56561cf3a97
Instruction ID: fef42459364621923312d35548909ac5f2180daa75eb01cc9eae4747ccb07890
Opcode Fuzzy Hash: 7372cc8c5436f01c7c5bf562e068c966f7e5f7c30121bdd0ddd9e56561cf3a97
Instruction Fuzzy Hash: 59619032908BC585DB219B26E4413AAF7A0FB84FA4F044325EB9D47BA5DF7CE590CB40

Function 00007FF615A225F0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 44windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF615A286B0: MultiByteToWideChar.KERNEL32(?,?,?,00007FF615A23FA4,00000000,00007FF615A21925), ref: 00007FF615A286E9

MessageBoxW.USER32 ref: 00007FF615A22686
MessageBoxA.USER32 ref: 00007FF615A2269A

Strings

Error/warning (ANSI fallback), xrefs: 00007FF615A2268E
Error, xrefs: 00007FF615A22677

Memory Dump Source

Source File: 00000000.00000002.3254239096.00007FF615A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF615A20000, based on PE: true

Associated: 00000000.00000002.3254190441.00007FF615A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254354992.00007FF615A4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A64000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254592956.00007FF615A66000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff615a20000_Q3pEXxmWAD.jbxd

Similarity

API ID: Message$ByteCharMultiWide
String ID: Error$Error/warning (ANSI fallback)
API String ID: 1878133881-653037927
Opcode ID: f4c9aea142df8fc367965a88b37001c6795115f60fce42f8f88369c54fa23369
Instruction ID: 51c11ca983d5a56b14860e8cab357bc89f797b0cc5541e78ba16eef8ea252a50
Opcode Fuzzy Hash: f4c9aea142df8fc367965a88b37001c6795115f60fce42f8f88369c54fa23369
Instruction Fuzzy Hash: 3F116D72668F8581FA208B61F451BA9B364FF48F94F905236EA4D97664DF3CDA09C700

Function 00007FF615A22870 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 44windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF615A286B0: MultiByteToWideChar.KERNEL32(?,?,?,00007FF615A23FA4,00000000,00007FF615A21925), ref: 00007FF615A286E9

MessageBoxW.USER32 ref: 00007FF615A22906
MessageBoxA.USER32 ref: 00007FF615A2291A

Strings

Error/warning (ANSI fallback), xrefs: 00007FF615A2290E
Warning, xrefs: 00007FF615A228F7

Memory Dump Source

Source File: 00000000.00000002.3254239096.00007FF615A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF615A20000, based on PE: true

Associated: 00000000.00000002.3254190441.00007FF615A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254354992.00007FF615A4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A64000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254592956.00007FF615A66000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff615a20000_Q3pEXxmWAD.jbxd

Similarity

API ID: Message$ByteCharMultiWide
String ID: Error/warning (ANSI fallback)$Warning
API String ID: 1878133881-2698358428
Opcode ID: bedc3c020f71ec751042cc21f49bee78fdd2451348ef76e59aa444c99166d18b
Instruction ID: 2a019c74239c2c7fd815faa4ea7f23b616daffb490cce48f75354588fd08c458
Opcode Fuzzy Hash: bedc3c020f71ec751042cc21f49bee78fdd2451348ef76e59aa444c99166d18b
Instruction Fuzzy Hash: 8B119072668F8981FA208B21F451BA9B364FF44F94F905235DA4C87664CF3CDA04C700

Function 00007FF615A3B8B0 Relevance: 6.3, APIs: 4, Instructions: 299fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 00007FF615A3B92F
WriteFile.KERNEL32 ref: 00007FF615A3BBF7
WriteFile.KERNEL32 ref: 00007FF615A3BC3D
GetLastError.KERNEL32 ref: 00007FF615A3BCF3

Memory Dump Source

Source File: 00000000.00000002.3254239096.00007FF615A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF615A20000, based on PE: true

Associated: 00000000.00000002.3254190441.00007FF615A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254354992.00007FF615A4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A64000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254592956.00007FF615A66000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff615a20000_Q3pEXxmWAD.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: ce0c3b3fbf9f468b37350500bd40f597e2424e9246c9b6d769e6af97d5ebe549
Instruction ID: 5bb38ad559e3eb652253f41b8c1ba81e8bfe731770c929ba15db7d6376dec092
Opcode Fuzzy Hash: ce0c3b3fbf9f468b37350500bd40f597e2424e9246c9b6d769e6af97d5ebe549
Instruction Fuzzy Hash: FCD1D172B58A8589E750CF65D4402AC77B2FB48FACB144236CE5E97BA9DF38D916C300

Function 00007FF615A22030 Relevance: 6.1, APIs: 4, Instructions: 52COMMON

Download Yara Rule

APIs

EndDialog.USER32 ref: 00007FF615A22064
SetWindowLongPtrW.USER32 ref: 00007FF615A22086
GetWindowLongPtrW.USER32 ref: 00007FF615A220B0
InvalidateRect.USER32 ref: 00007FF615A220D0

Memory Dump Source

Source File: 00000000.00000002.3254239096.00007FF615A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF615A20000, based on PE: true

Associated: 00000000.00000002.3254190441.00007FF615A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254354992.00007FF615A4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A64000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254592956.00007FF615A66000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff615a20000_Q3pEXxmWAD.jbxd

Similarity

API ID: LongWindow$DialogInvalidateRect
String ID:
API String ID: 1956198572-0
Opcode ID: 4b9e5de1fbcf843bc779a4d54dee57f94c26a540a6e6e96758728fc1cf1e39ca
Instruction ID: c4c1b6c395868e1f116d984bb31bcdaa299b045b6f8bbddcc233d43b07bb6ca4
Opcode Fuzzy Hash: 4b9e5de1fbcf843bc779a4d54dee57f94c26a540a6e6e96758728fc1cf1e39ca
Instruction Fuzzy Hash: 6F11A921E4C94642FA549B7BE5452799291EF88FA0F888231DE4A87BADCF3CDCC18601

Function 00007FF615A44E2C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 121COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF615A40A70: _invalid_parameter_noinfo.LIBCMT ref: 00007FF615A40AA3

_get_daylight.LIBCMT ref: 00007FF615A44F44
_get_daylight.LIBCMT ref: 00007FF615A44F55

Strings

?, xrefs: 00007FF615A44ED5

Memory Dump Source

Source File: 00000000.00000002.3254239096.00007FF615A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF615A20000, based on PE: true

Associated: 00000000.00000002.3254190441.00007FF615A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254354992.00007FF615A4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A64000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254592956.00007FF615A66000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff615a20000_Q3pEXxmWAD.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo
String ID: ?
API String ID: 1286766494-1684325040
Opcode ID: 90ec7c2969ce35aee26a67d6175707cb0f81e8cc9ba484ad9fb4d69d3ee99291
Instruction ID: 51ef4fe3176a14be087320c08a13af8fd0cc335049b326a145b0d73c14eefa6b
Opcode Fuzzy Hash: 90ec7c2969ce35aee26a67d6175707cb0f81e8cc9ba484ad9fb4d69d3ee99291
Instruction Fuzzy Hash: 1941D712A58B8256FB649BA5D4017B9E690EF80FB4F184335EE5D86AF5DF3CD8418700

Function 00007FF615A3832C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 111COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF615A3835E

Part of subcall function 00007FF615A39C58: RtlRestoreThreadPreferredUILanguages.NTDLL(?,?,?,00007FF615A42032,?,?,?,00007FF615A4206F,?,?,00000000,00007FF615A42535,?,?,?,00007FF615A42467), ref: 00007FF615A39C6E
Part of subcall function 00007FF615A39C58: GetLastError.KERNEL32(?,?,?,00007FF615A42032,?,?,?,00007FF615A4206F,?,?,00000000,00007FF615A42535,?,?,?,00007FF615A42467), ref: 00007FF615A39C78

GetModuleFileNameW.KERNEL32(?,?,?,?,?,00007FF615A2BEC5), ref: 00007FF615A3837C

Strings

C:\Users\user\Desktop\Q3pEXxmWAD.exe, xrefs: 00007FF615A3836A

Memory Dump Source

Source File: 00000000.00000002.3254239096.00007FF615A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF615A20000, based on PE: true

Associated: 00000000.00000002.3254190441.00007FF615A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254354992.00007FF615A4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A64000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254592956.00007FF615A66000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff615a20000_Q3pEXxmWAD.jbxd

Similarity

API ID: ErrorFileLanguagesLastModuleNamePreferredRestoreThread_invalid_parameter_noinfo
String ID: C:\Users\user\Desktop\Q3pEXxmWAD.exe
API String ID: 2553983749-3472980803
Opcode ID: ddc46de6380418fe35fca5e4aa859368a8c2113199f78edf785cf6db79d8d493
Instruction ID: 46973c9d3421328560b50cd3990179b3cafe2f49f0f89f031e734359ec9c20b8
Opcode Fuzzy Hash: ddc46de6380418fe35fca5e4aa859368a8c2113199f78edf785cf6db79d8d493
Instruction Fuzzy Hash: 9E418136A49F5789E794DF25A4800BCA395FF45FA8B554235EA4E83BA5DF3CEC818300

Function 00007FF615A3F8E0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 105COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF615A3F916

Part of subcall function 00007FF615A3E8C8: GetCurrentDirectoryW.KERNEL32 ref: 00007FF615A3E908

Strings

., xrefs: 00007FF615A3F967
:, xrefs: 00007FF615A3F956

Memory Dump Source

Source File: 00000000.00000002.3254239096.00007FF615A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF615A20000, based on PE: true

Associated: 00000000.00000002.3254190441.00007FF615A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254354992.00007FF615A4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A64000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254592956.00007FF615A66000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff615a20000_Q3pEXxmWAD.jbxd

Similarity

API ID: CurrentDirectory_invalid_parameter_noinfo
String ID: .$:
API String ID: 2020911589-4202072812
Opcode ID: a7e7ecf8ca197d948e5de4d949c192756b769c590a90378fa45037ccdac380fb
Instruction ID: 585798f5920ed84ab7eba90bfebe955fa87af950d5bf0fb519b50f26ec400e5e
Opcode Fuzzy Hash: a7e7ecf8ca197d948e5de4d949c192756b769c590a90378fa45037ccdac380fb
Instruction Fuzzy Hash: 28417F22F58F5298FB80DBB198511BC6AB86F14F6CF540235DE5DA7A65EF3C98458300

Function 00007FF615A3BF48 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 00007FF615A3C05F
GetLastError.KERNEL32 ref: 00007FF615A3C081

Strings

U, xrefs: 00007FF615A3C00B

Memory Dump Source

Source File: 00000000.00000002.3254239096.00007FF615A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF615A20000, based on PE: true

Associated: 00000000.00000002.3254190441.00007FF615A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254354992.00007FF615A4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A64000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254592956.00007FF615A66000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff615a20000_Q3pEXxmWAD.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 0b7df1583adeec31525a7cba2b12c3ee68d62bc9877546cbea7757f0bce6ed29
Instruction ID: 526d8eadfb0341d3e738e54f2dc30820dd1ef88a8bc7d9c7b6ea4c702761ae22
Opcode Fuzzy Hash: 0b7df1583adeec31525a7cba2b12c3ee68d62bc9877546cbea7757f0bce6ed29
Instruction Fuzzy Hash: 22418322A18B8586DB60CF25E8547A9A761FF98FA4F444131EA4DC7B68DF3CD941CB40

Function 00007FF615A3E8C8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32 ref: 00007FF615A3E908
GetCurrentDirectoryW.KERNEL32 ref: 00007FF615A3E95A

Strings

:, xrefs: 00007FF615A3E91E

Memory Dump Source

Source File: 00000000.00000002.3254239096.00007FF615A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF615A20000, based on PE: true

Associated: 00000000.00000002.3254190441.00007FF615A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254354992.00007FF615A4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A64000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254592956.00007FF615A66000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff615a20000_Q3pEXxmWAD.jbxd

Similarity

API ID: CurrentDirectory
String ID: :
API String ID: 1611563598-336475711
Opcode ID: 07ccd8f192e8e90d69bfd843d23e6c5cb8c086d03a1c4ecf0d47480cab5f9335
Instruction ID: 9c0129e4d225e4650168bcad57af644f6667f2ac263b68769772548d71f63256
Opcode Fuzzy Hash: 07ccd8f192e8e90d69bfd843d23e6c5cb8c086d03a1c4ecf0d47480cab5f9335
Instruction Fuzzy Hash: B121C122B48A8586EFA0DB15D44427EE3A1FF84F98F454235DB8C836A4DF7CED448740

Function 00007FF615A2F068 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32 ref: 00007FF615A2F0B8
RaiseException.KERNEL32 ref: 00007FF615A2F0F9

Strings

csm, xrefs: 00007FF615A2F0E6

Memory Dump Source

Source File: 00000000.00000002.3254239096.00007FF615A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF615A20000, based on PE: true

Associated: 00000000.00000002.3254190441.00007FF615A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254354992.00007FF615A4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A64000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254592956.00007FF615A66000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff615a20000_Q3pEXxmWAD.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 353d784395b77eefcba7ec404c7e4e47dbaba59ece92a9373595b893a828088a
Instruction ID: 315a32233af2962c37bdef8c9b6ab589f4bed42b29f502773b9ab69f260a68ca
Opcode Fuzzy Hash: 353d784395b77eefcba7ec404c7e4e47dbaba59ece92a9373595b893a828088a
Instruction Fuzzy Hash: 20113736619B8482EB218B25E440269B7A4FF88F94F184231DB8D47768EF3CC9518B00

Function 00007FF615A3FA4C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF615A3FA7C
GetDriveTypeW.KERNEL32 ref: 00007FF615A3FABC

Strings

:, xrefs: 00007FF615A3FAA5

Memory Dump Source

Source File: 00000000.00000002.3254239096.00007FF615A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF615A20000, based on PE: true

Associated: 00000000.00000002.3254190441.00007FF615A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254354992.00007FF615A4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254459349.00007FF615A64000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3254592956.00007FF615A66000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff615a20000_Q3pEXxmWAD.jbxd

Similarity

API ID: DriveType_invalid_parameter_noinfo
String ID: :
API String ID: 2595371189-336475711
Opcode ID: 229dc5225c97c31120184e1c5c073253f760aebc87e6502baf4f3d3b6f3e4c47
Instruction ID: a99506371614376a98b8d77fdc0a9f5595e4a634051cc9e809542db78b6d4434
Opcode Fuzzy Hash: 229dc5225c97c31120184e1c5c073253f760aebc87e6502baf4f3d3b6f3e4c47
Instruction Fuzzy Hash: B1018421D6CA4686FBA0DF60A46127EA790EF48F2CF440236D59DC26A1DF3CD904CA14

Analysis Process: Q3pEXxmWAD.exePID: 3144, Parent PID: 5004COMMON

Executed Functions

Function 00007FF8B93C1060 Relevance: 632.7, APIs: 189, Strings: 172, Instructions: 924
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32 ref: 00007FF8B93C10A2
Py_AtExit.PYTHON311 ref: 00007FF8B93C10B7
VerSetConditionMask.KERNEL32 ref: 00007FF8B93C1108
VerSetConditionMask.KERNEL32 ref: 00007FF8B93C1117
VerSetConditionMask.KERNEL32 ref: 00007FF8B93C1127
VerifyVersionInfoW.KERNEL32 ref: 00007FF8B93C114B
PyModule_Create2.PYTHON311 ref: 00007FF8B93C1179
PyModule_AddObject.PYTHON311 ref: 00007FF8B93C11A5
PyErr_NewException.PYTHON311 ref: 00007FF8B93C11BF
PyModule_AddObject.PYTHON311 ref: 00007FF8B93C11E5
PyErr_NewException.PYTHON311 ref: 00007FF8B93C11FF
PyModule_AddObject.PYTHON311 ref: 00007FF8B93C1225
PyModule_AddObjectRef.PYTHON311 ref: 00007FF8B93C123F
PyModule_AddObject.PYTHON311 ref: 00007FF8B93C1260
PyModule_AddObject.PYTHON311 ref: 00007FF8B93C1282
PyModule_AddObject.PYTHON311 ref: 00007FF8B93C12A4
PyMem_Malloc.PYTHON311 ref: 00007FF8B93C12AF
PyCapsule_New.PYTHON311 ref: 00007FF8B93C12FE
PyModule_AddObject.PYTHON311 ref: 00007FF8B93C131D
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B93C1338
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B93C134E
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B93C1364
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B93C137A
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B93C1390
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B93C13A6
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B93C13BC
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B93C13D2
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B93C13E8
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B93C13FE
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B93C1414
PyModule_AddStringConstant.PYTHON311 ref: 00007FF8B93C142B
PyModule_AddStringConstant.PYTHON311 ref: 00007FF8B93C1442
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B93C1455
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B93C146B
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B93C1481
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B93C1497
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B93C14AD
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B93C14C0
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B93C14D6
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B93C14EC
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B93C1502
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B93C1518
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B93C152E
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B93C1544
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B93C155A
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B93C1570
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B93C1586
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B93C159C
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B93C15B2
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B93C15C8
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B93C15DE
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B93C15F4
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B93C160A
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B93C1620
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B93C1636
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B93C164C
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B93C165F
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B93C1675
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B93C168B
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B93C16A1
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B93C16B7
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B93C16CD
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B93C16E3
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B93C16F9
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B93C170F
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B93C1725
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B93C173B
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B93C1751
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B93C1767
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B93C177A
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B93C178D
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B93C17A0
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B93C17B6
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B93C17CC
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B93C17E2
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B93C17F8
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B93C180E
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B93C1824
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B93C183A
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B93C1850
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B93C1866
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B93C187C
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B93C1892
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B93C18A8
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B93C18BE
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B93C18D4
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B93C18EA
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B93C1900
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B93C1916
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B93C192C
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B93C1942
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B93C1958
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B93C196E
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B93C1984
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B93C199A
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B93C19B0
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B93C19C6
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B93C19DC
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B93C19F2
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B93C1A08
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B93C1A1E
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B93C1A34
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B93C1A4A
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B93C1A5D
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B93C1A73
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B93C1A89
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B93C1A9F
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B93C1AB5
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B93C1ACB
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B93C1AE1
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B93C1AF4
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B93C1B0A
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B93C1B20
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B93C1B36
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B93C1B4C
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B93C1B62
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B93C1B78
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B93C1B8E
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B93C1BA4
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B93C1BBA
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B93C1BD0
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B93C1BE6
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B93C1BFC
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B93C1C12
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B93C1C28
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B93C1C3E
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B93C1C54
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B93C1C6A
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B93C1C80
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B93C1C96
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B93C1CAC
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B93C1CBF
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B93C1CD5
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B93C1CEB
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B93C1D01
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B93C1D17
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B93C1D2D
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B93C1D40
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B93C1D56
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B93C1D6C
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B93C1D82
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B93C1D98
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B93C1DAE
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B93C1DC4
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B93C1DDA
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B93C1DF0
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B93C1E06
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B93C1E1C
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B93C1E32
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B93C1E48
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B93C1E5E
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B93C1E74
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B93C1E87
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B93C1E9D
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B93C1EB3
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B93C1EC9
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B93C1EDF
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B93C1EF5
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B93C1F0B
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B93C1F21
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B93C1F37
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B93C1F4A
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B93C1F60
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B93C1F76
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B93C1F8C
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B93C1FA2
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B93C1FB5
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B93C1FC8
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B93C1FDE
PyLong_FromUnsignedLong.PYTHON311 ref: 00007FF8B93C203F
PyModule_AddObject.PYTHON311 ref: 00007FF8B93C2057
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B93C2079
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B93C208C
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B93C20A2
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B93C20B8
PyModule_GetDict.PYTHON311 ref: 00007FF8B93C20C1
VerSetConditionMask.KERNEL32 ref: 00007FF8B93C211D
VerSetConditionMask.KERNEL32 ref: 00007FF8B93C212C
VerSetConditionMask.KERNEL32 ref: 00007FF8B93C213D
VerifyVersionInfoA.KERNEL32 ref: 00007FF8B93C2163
PyErr_Format.PYTHON311 ref: 00007FF8B93C3130

Strings

BDADDR_LOCAL, xrefs: 00007FF8B93C143B
EAI_BADFLAGS, xrefs: 00007FF8B93C1DD0
IPPROTO_ICMPV6, xrefs: 00007FF8B93C18E0
IPV6_HOPLIMIT, xrefs: 00007FF8B93C1CA2
TCP_NODELAY, xrefs: 00007FF8B93C1D36
SIO_LOOPBACK_FAST_PATH, xrefs: 00007FF8B93C2022
SO_DEBUG, xrefs: 00007FF8B93C14B6
AF_UNSPEC, xrefs: 00007FF8B93C132E
NI_MAXSERV, xrefs: 00007FF8B93C1F2D
IPPROTO_FRAGMENT, xrefs: 00007FF8B93C189E
MSG_DONTROUTE, xrefs: 00007FF8B93C1681
NI_NUMERICHOST, xrefs: 00007FF8B93C1F56
MSG_CTRUNC, xrefs: 00007FF8B93C16AD
IPV6_UNICAST_HOPS, xrefs: 00007FF8B93C1C4A
SO_RCVLOWAT, xrefs: 00007FF8B93C15D4
NI_NUMERICSERV, xrefs: 00007FF8B93C1F82
AI_ADDRCONFIG, xrefs: 00007FF8B93C1EEB
has_ipv6, xrefs: 00007FF8B93C1297
SO_REUSEADDR, xrefs: 00007FF8B93C14E2
IPV6_RECVRTHDR, xrefs: 00007FF8B93C1CE1
IPV6_MULTICAST_IF, xrefs: 00007FF8B93C1C1E
IPPROTO_GGP, xrefs: 00007FF8B93C17C2
EAI_SERVICE, xrefs: 00007FF8B93C1E54
IP_TOS, xrefs: 00007FF8B93C1B16
SO_RCVBUF, xrefs: 00007FF8B93C15A8
herror, xrefs: 00007FF8B93C11D8
IPV6_JOIN_GROUP, xrefs: 00007FF8B93C1BDC
SOL_UDP, xrefs: 00007FF8B93C175D
SOCK_SEQPACKET, xrefs: 00007FF8B93C148D
IPPROTO_PIM, xrefs: 00007FF8B93C1922
IPV6_RTHDR, xrefs: 00007FF8B93C1D0D
SO_SNDBUF, xrefs: 00007FF8B93C1592
IPPROTO_IGP, xrefs: 00007FF8B93C19BC
INADDR_UNSPEC_GROUP, xrefs: 00007FF8B93C1A95
IPPORT_RESERVED, xrefs: 00007FF8B93C1A2A
SO_ACCEPTCONN, xrefs: 00007FF8B93C14CC
TCP_KEEPCNT, xrefs: 00007FF8B93C1D8E
IPPROTO_IDP, xrefs: 00007FF8B93C185C
AI_V4MAPPED, xrefs: 00007FF8B93C1F01
NI_NAMEREQD, xrefs: 00007FF8B93C1F6C
SO_SNDLOWAT, xrefs: 00007FF8B93C15BE
INADDR_NONE, xrefs: 00007FF8B93C1AD7
IP_ADD_MEMBERSHIP, xrefs: 00007FF8B93C1BB0
SO_USELOOPBACK, xrefs: 00007FF8B93C1550
RCVALL_ON, xrefs: 00007FF8B93C2082
SO_RCVTIMEO, xrefs: 00007FF8B93C1600
error, xrefs: 00007FF8B93C1192
AF_DECnet, xrefs: 00007FF8B93C139C
IPPROTO_RAW, xrefs: 00007FF8B93C194E
socket.gaierror, xrefs: 00007FF8B93C11F2
SO_ERROR, xrefs: 00007FF8B93C1616
SIO_KEEPALIVE_VALS, xrefs: 00007FF8B93C2003
NI_DGRAM, xrefs: 00007FF8B93C1F98
MSG_MCAST, xrefs: 00007FF8B93C1705
EAI_SOCKTYPE, xrefs: 00007FF8B93C1E6A
IPPROTO_IP, xrefs: 00007FF8B93C1770
WSAStartup failed: error code %d, xrefs: 00007FF8B93C3123
AI_NUMERICSERV, xrefs: 00007FF8B93C1EBF
SOCK_STREAM, xrefs: 00007FF8B93C144B
IPPROTO_HOPOPTS, xrefs: 00007FF8B93C1783
AI_NUMERICHOST, xrefs: 00007FF8B93C1EA9
IPV6_V6ONLY, xrefs: 00007FF8B93C1C60
MSG_PEEK, xrefs: 00007FF8B93C166B
SO_BROADCAST, xrefs: 00007FF8B93C153A
MSG_TRUNC, xrefs: 00007FF8B93C1697
AI_CANONNAME, xrefs: 00007FF8B93C1E93
SOL_TCP, xrefs: 00007FF8B93C1747
00:00:00:00:00:00, xrefs: 00007FF8B93C141A
IPV6_LEAVE_GROUP, xrefs: 00007FF8B93C1BF2
INADDR_BROADCAST, xrefs: 00007FF8B93C1A69
IPPROTO_PGM, xrefs: 00007FF8B93C19E8
TCP_KEEPINTVL, xrefs: 00007FF8B93C1D78
IPV6_HOPOPTS, xrefs: 00007FF8B93C1CB5
RCVALL_OFF, xrefs: 00007FF8B93C206F
WSAStartup failed: network not ready, xrefs: 00007FF8B93C313C
IPPROTO_CBT, xrefs: 00007FF8B93C19A6
INADDR_ANY, xrefs: 00007FF8B93C1A53
MSG_WAITALL, xrefs: 00007FF8B93C16C3
SOL_SOCKET, xrefs: 00007FF8B93C171B
EAI_FAMILY, xrefs: 00007FF8B93C1DFC
IP_MULTICAST_TTL, xrefs: 00007FF8B93C1B84
AF_INET, xrefs: 00007FF8B93C1344
SHUT_RD, xrefs: 00007FF8B93C1FAB
timeout, xrefs: 00007FF8B93C1232
IPPROTO_IPV4, xrefs: 00007FF8B93C17D8
EAI_AGAIN, xrefs: 00007FF8B93C1DBA
IPPROTO_ESP, xrefs: 00007FF8B93C18B4
SHUT_RDWR, xrefs: 00007FF8B93C1FD4
AF_IRDA, xrefs: 00007FF8B93C13DE
IP_RECVDSTADDR, xrefs: 00007FF8B93C1B58
IPPROTO_TCP, xrefs: 00007FF8B93C1804
IPV6_CHECKSUM, xrefs: 00007FF8B93C1C76
IPPROTO_AH, xrefs: 00007FF8B93C18CA
EAI_NODATA, xrefs: 00007FF8B93C1E28
IPPROTO_DSTOPTS, xrefs: 00007FF8B93C190C
AF_APPLETALK, xrefs: 00007FF8B93C1370
CAPI, xrefs: 00007FF8B93C1313
SHUT_WR, xrefs: 00007FF8B93C1FBE
socket.herror, xrefs: 00007FF8B93C11B2
IPPROTO_PUP, xrefs: 00007FF8B93C1830
SIO_RCVALL, xrefs: 00007FF8B93C1FE4
IPPROTO_EGP, xrefs: 00007FF8B93C181A
SO_DONTROUTE, xrefs: 00007FF8B93C1524
INADDR_LOOPBACK, xrefs: 00007FF8B93C1A7F
IPPROTO_SCTP, xrefs: 00007FF8B93C1938, 00007FF8B93C1A14
IPPROTO_UDP, xrefs: 00007FF8B93C1846
gaierror, xrefs: 00007FF8B93C1218
NI_MAXHOST, xrefs: 00007FF8B93C1F17
IPV6_MULTICAST_HOPS, xrefs: 00007FF8B93C1C08
IPPORT_USERRESERVED, xrefs: 00007FF8B93C1A40
BTPROTO_RFCOMM, xrefs: 00007FF8B93C140A
IP_DROP_MEMBERSHIP, xrefs: 00007FF8B93C1BC6
IPV6_MULTICAST_LOOP, xrefs: 00007FF8B93C1C34
AF_IPX, xrefs: 00007FF8B93C135A
RCVALL_MAX, xrefs: 00007FF8B93C20AE
IP_MULTICAST_LOOP, xrefs: 00007FF8B93C1B9A
SOL_IP, xrefs: 00007FF8B93C1731
BDADDR_ANY, xrefs: 00007FF8B93C1424
IPPROTO_MAX, xrefs: 00007FF8B93C1964
TCP_FASTOPEN, xrefs: 00007FF8B93C1DA4
AF_BLUETOOTH, xrefs: 00007FF8B93C13F4
IPPROTO_ND, xrefs: 00007FF8B93C1872
AF_SNA, xrefs: 00007FF8B93C13C8
IPPROTO_ICMP, xrefs: 00007FF8B93C1796
IP_HDRINCL, xrefs: 00007FF8B93C1B00
IPPROTO_IGMP, xrefs: 00007FF8B93C17AC
RCVALL_SOCKETLEVELONLY, xrefs: 00007FF8B93C2098
SO_SNDTIMEO, xrefs: 00007FF8B93C15EA
INADDR_ALLHOSTS_GROUP, xrefs: 00007FF8B93C1AAB
SO_TYPE, xrefs: 00007FF8B93C162C
IPPROTO_ICLFXBM, xrefs: 00007FF8B93C197A
IPPROTO_ROUTING, xrefs: 00007FF8B93C1888
IPV6_DONTFRAG, xrefs: 00007FF8B93C1C8C
_socket.CAPI, xrefs: 00007FF8B93C12D2
MSG_OOB, xrefs: 00007FF8B93C1655
TCP_MAXSEG, xrefs: 00007FF8B93C1D4C
IP_RECVTOS, xrefs: 00007FF8B93C1B42
IPPROTO_L2TP, xrefs: 00007FF8B93C19FE
WSAStartup failed: requested version not supported, xrefs: 00007FF8B93C3145
SO_EXCLUSIVEADDRUSE, xrefs: 00007FF8B93C14F8
IPPROTO_NONE, xrefs: 00007FF8B93C18F6
AI_PASSIVE, xrefs: 00007FF8B93C1E7D
IPV6_RECVTCLASS, xrefs: 00007FF8B93C1CF7
IPPROTO_IPV6, xrefs: 00007FF8B93C17EE
IPV6_PKTINFO, xrefs: 00007FF8B93C1CCB
SO_KEEPALIVE, xrefs: 00007FF8B93C150E
IP_TTL, xrefs: 00007FF8B93C1B2C
EAI_FAIL, xrefs: 00007FF8B93C1DE6
SO_OOBINLINE, xrefs: 00007FF8B93C157C
AF_LINK, xrefs: 00007FF8B93C13B2
SOCK_DGRAM, xrefs: 00007FF8B93C1461
SO_LINGER, xrefs: 00007FF8B93C1566
IPPROTO_ST, xrefs: 00007FF8B93C1990
EAI_NONAME, xrefs: 00007FF8B93C1E3E
TCP_KEEPIDLE, xrefs: 00007FF8B93C1D62
INADDR_MAX_LOCAL_GROUP, xrefs: 00007FF8B93C1AC1
SOMAXCONN, xrefs: 00007FF8B93C1642
socket, xrefs: 00007FF8B93C1275
SocketType, xrefs: 00007FF8B93C1256
IP_OPTIONS, xrefs: 00007FF8B93C1AEA
NI_NOFQDN, xrefs: 00007FF8B93C1F40
IPV6_TCLASS, xrefs: 00007FF8B93C1D23
SOCK_RDM, xrefs: 00007FF8B93C14A3
IP_MULTICAST_IF, xrefs: 00007FF8B93C1B6E
MSG_ERRQUEUE, xrefs: 00007FF8B93C16D9
EAI_MEMORY, xrefs: 00007FF8B93C1E12
MSG_BCAST, xrefs: 00007FF8B93C16EF
00:00:00:FF:FF:FF, xrefs: 00007FF8B93C1431
AF_INET6, xrefs: 00007FF8B93C1386
SOCK_RAW, xrefs: 00007FF8B93C1477
AI_ALL, xrefs: 00007FF8B93C1ED5
IPPROTO_RDP, xrefs: 00007FF8B93C19D2

Memory Dump Source

Source File: 00000002.00000002.3270094699.00007FF8B93C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8B93C0000, based on PE: true

Associated: 00000002.00000002.3269996369.00007FF8B93C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.3270164094.00007FF8B93C8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.3270292182.00007FF8B93D0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.3270351890.00007FF8B93D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b93c0000_Q3pEXxmWAD.jbxd

Similarity

API ID: Module_$Constant$Object$ConditionMask$Err_$ExceptionInfoStringVerifyVersion$Capsule_Create2DictExitFormatFromLongLong_MallocMem_StartupUnsigned
String ID: 00:00:00:00:00:00$00:00:00:FF:FF:FF$AF_APPLETALK$AF_BLUETOOTH$AF_DECnet$AF_INET$AF_INET6$AF_IPX$AF_IRDA$AF_LINK$AF_SNA$AF_UNSPEC$AI_ADDRCONFIG$AI_ALL$AI_CANONNAME$AI_NUMERICHOST$AI_NUMERICSERV$AI_PASSIVE$AI_V4MAPPED$BDADDR_ANY$BDADDR_LOCAL$BTPROTO_RFCOMM$CAPI$EAI_AGAIN$EAI_BADFLAGS$EAI_FAIL$EAI_FAMILY$EAI_MEMORY$EAI_NODATA$EAI_NONAME$EAI_SERVICE$EAI_SOCKTYPE$INADDR_ALLHOSTS_GROUP$INADDR_ANY$INADDR_BROADCAST$INADDR_LOOPBACK$INADDR_MAX_LOCAL_GROUP$INADDR_NONE$INADDR_UNSPEC_GROUP$IPPORT_RESERVED$IPPORT_USERRESERVED$IPPROTO_AH$IPPROTO_CBT$IPPROTO_DSTOPTS$IPPROTO_EGP$IPPROTO_ESP$IPPROTO_FRAGMENT$IPPROTO_GGP$IPPROTO_HOPOPTS$IPPROTO_ICLFXBM$IPPROTO_ICMP$IPPROTO_ICMPV6$IPPROTO_IDP$IPPROTO_IGMP$IPPROTO_IGP$IPPROTO_IP$IPPROTO_IPV4$IPPROTO_IPV6$IPPROTO_L2TP$IPPROTO_MAX$IPPROTO_ND$IPPROTO_NONE$IPPROTO_PGM$IPPROTO_PIM$IPPROTO_PUP$IPPROTO_RAW$IPPROTO_RDP$IPPROTO_ROUTING$IPPROTO_SCTP$IPPROTO_ST$IPPROTO_TCP$IPPROTO_UDP$IPV6_CHECKSUM$IPV6_DONTFRAG$IPV6_HOPLIMIT$IPV6_HOPOPTS$IPV6_JOIN_GROUP$IPV6_LEAVE_GROUP$IPV6_MULTICAST_HOPS$IPV6_MULTICAST_IF$IPV6_MULTICAST_LOOP$IPV6_PKTINFO$IPV6_RECVRTHDR$IPV6_RECVTCLASS$IPV6_RTHDR$IPV6_TCLASS$IPV6_UNICAST_HOPS$IPV6_V6ONLY$IP_ADD_MEMBERSHIP$IP_DROP_MEMBERSHIP$IP_HDRINCL$IP_MULTICAST_IF$IP_MULTICAST_LOOP$IP_MULTICAST_TTL$IP_OPTIONS$IP_RECVDSTADDR$IP_RECVTOS$IP_TOS$IP_TTL$MSG_BCAST$MSG_CTRUNC$MSG_DONTROUTE$MSG_ERRQUEUE$MSG_MCAST$MSG_OOB$MSG_PEEK$MSG_TRUNC$MSG_WAITALL$NI_DGRAM$NI_MAXHOST$NI_MAXSERV$NI_NAMEREQD$NI_NOFQDN$NI_NUMERICHOST$NI_NUMERICSERV$RCVALL_MAX$RCVALL_OFF$RCVALL_ON$RCVALL_SOCKETLEVELONLY$SHUT_RD$SHUT_RDWR$SHUT_WR$SIO_KEEPALIVE_VALS$SIO_LOOPBACK_FAST_PATH$SIO_RCVALL$SOCK_DGRAM$SOCK_RAW$SOCK_RDM$SOCK_SEQPACKET$SOCK_STREAM$SOL_IP$SOL_SOCKET$SOL_TCP$SOL_UDP$SOMAXCONN$SO_ACCEPTCONN$SO_BROADCAST$SO_DEBUG$SO_DONTROUTE$SO_ERROR$SO_EXCLUSIVEADDRUSE$SO_KEEPALIVE$SO_LINGER$SO_OOBINLINE$SO_RCVBUF$SO_RCVLOWAT$SO_RCVTIMEO$SO_REUSEADDR$SO_SNDBUF$SO_SNDLOWAT$SO_SNDTIMEO$SO_TYPE$SO_USELOOPBACK$SocketType$TCP_FASTOPEN$TCP_KEEPCNT$TCP_KEEPIDLE$TCP_KEEPINTVL$TCP_MAXSEG$TCP_NODELAY$WSAStartup failed: error code %d$WSAStartup failed: network not ready$WSAStartup failed: requested version not supported$_socket.CAPI$error$gaierror$has_ipv6$herror$socket$socket.gaierror$socket.herror$timeout
API String ID: 2280847565-1299366327
Opcode ID: 1e3798d66d8f3466d25b29997ac536b7de1a01caa9abcf0d10d40263422c2a14
Instruction ID: ae16f627e19cbc3690c2be264a5052973d12b2cc12dbaa7f90834eee3916fdfd
Opcode Fuzzy Hash: 1e3798d66d8f3466d25b29997ac536b7de1a01caa9abcf0d10d40263422c2a14
Instruction Fuzzy Hash: FAA2B568B18FA2A5EA14DF1AE8546662331BB4EBD1F847035CE0E06764DEBDE34DC701

Function 00007FF8B90618C0 Relevance: 142.0, APIs: 44, Strings: 37, Instructions: 235
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PyModule_Create2.PYTHON3 ref: 00007FF8B90618EB
getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0 ref: 00007FF8B9061904

Part of subcall function 00007FF8B90613D0: PyEval_SaveThread.PYTHON3 ref: 00007FF8B90613DA
Part of subcall function 00007FF8B90613D0: LoadLibraryA.KERNEL32 ref: 00007FF8B90613EA
Part of subcall function 00007FF8B90613D0: PyEval_RestoreThread.PYTHON3 ref: 00007FF8B90613F6
Part of subcall function 00007FF8B90613D0: PyErr_SetFromWindowsErrWithFilename.PYTHON3 ref: 00007FF8B906140A

RtlGetVersion.NTDLL ref: 00007FF8B9061945
GetSystemInfo.KERNEL32 ref: 00007FF8B90619C1
InitializeCriticalSection.KERNEL32 ref: 00007FF8B90619CE
PyModule_GetState.PYTHON3 ref: 00007FF8B90619E8
PyErr_NewException.PYTHON3 ref: 00007FF8B90619FD
_Py_Dealloc.PYTHON3 ref: 00007FF8B9061A1B
PyErr_NewException.PYTHON3 ref: 00007FF8B9061A50
PyModule_AddObject.PYTHON3 ref: 00007FF8B9061A6D
PyErr_NewException.PYTHON3 ref: 00007FF8B9061A7F
PyModule_AddObject.PYTHON3 ref: 00007FF8B9061A9C
PyModule_AddIntConstant.PYTHON3 ref: 00007FF8B9061AB2
PyModule_AddIntConstant.PYTHON3 ref: 00007FF8B9061AC8
PyModule_AddIntConstant.PYTHON3 ref: 00007FF8B9061ADE
PyModule_AddIntConstant.PYTHON3 ref: 00007FF8B9061AF4
PyModule_AddIntConstant.PYTHON3 ref: 00007FF8B9061B0A
PyModule_AddIntConstant.PYTHON3 ref: 00007FF8B9061B20
PyModule_AddIntConstant.PYTHON3 ref: 00007FF8B9061B36
PyModule_AddIntConstant.PYTHON3 ref: 00007FF8B9061B49
PyModule_AddIntConstant.PYTHON3 ref: 00007FF8B9061B5F
PyModule_AddIntConstant.PYTHON3 ref: 00007FF8B9061B75
PyModule_AddIntConstant.PYTHON3 ref: 00007FF8B9061B8B
PyModule_AddIntConstant.PYTHON3 ref: 00007FF8B9061BA1
PyModule_AddIntConstant.PYTHON3 ref: 00007FF8B9061BB7
PyModule_AddIntConstant.PYTHON3 ref: 00007FF8B9061BCD
PyModule_AddIntConstant.PYTHON3 ref: 00007FF8B9061BE3
PyModule_AddIntConstant.PYTHON3 ref: 00007FF8B9061BF9
PyModule_AddIntConstant.PYTHON3 ref: 00007FF8B9061C0F
PyModule_AddIntConstant.PYTHON3 ref: 00007FF8B9061C25
PyModule_AddIntConstant.PYTHON3 ref: 00007FF8B9061C3B
PyModule_AddIntConstant.PYTHON3 ref: 00007FF8B9061C51
PyModule_AddIntConstant.PYTHON3 ref: 00007FF8B9061C67
PyModule_AddIntConstant.PYTHON3 ref: 00007FF8B9061C7D
PyModule_AddIntConstant.PYTHON3 ref: 00007FF8B9061C93
PyModule_AddIntConstant.PYTHON3 ref: 00007FF8B9061CA9
PyModule_AddIntConstant.PYTHON3 ref: 00007FF8B9061CBF
PyModule_AddIntConstant.PYTHON3 ref: 00007FF8B9061CD5
PyModule_AddIntConstant.PYTHON3 ref: 00007FF8B9061CEC
PyModule_AddIntConstant.PYTHON3 ref: 00007FF8B9061D02
PyModule_AddIntConstant.PYTHON3 ref: 00007FF8B9061D18
PyModule_AddIntConstant.PYTHON3 ref: 00007FF8B9061D2E
PyModule_AddIntConstant.PYTHON3 ref: 00007FF8B9061D44
PyModule_AddIntConstant.PYTHON3 ref: 00007FF8B9061D5A

Strings

NORMAL_PRIORITY_CLASS, xrefs: 00007FF8B9061B16
WINDOWS_10, xrefs: 00007FF8B9061D50
TimeoutExpired, xrefs: 00007FF8B9061A56
ERROR_SERVICE_DOES_NOT_EXIST, xrefs: 00007FF8B9061CB5
MIB_TCP_STATE_CLOSED, xrefs: 00007FF8B9061B3F
TimeoutAbandoned, xrefs: 00007FF8B9061A85
WINDOWS_VISTA, xrefs: 00007FF8B9061CF8
HIGH_PRIORITY_CLASS, xrefs: 00007FF8B9061AEA
IDLE_PRIORITY_CLASS, xrefs: 00007FF8B9061B00
_psutil_windows.TimeoutAbandoned, xrefs: 00007FF8B9061A76
MIB_TCP_STATE_LAST_ACK, xrefs: 00007FF8B9061C05
MIB_TCP_STATE_ESTAB, xrefs: 00007FF8B9061B97
_psutil_windows.Error, xrefs: 00007FF8B90619F1
MIB_TCP_STATE_FIN_WAIT2, xrefs: 00007FF8B9061BEF
MIB_TCP_STATE_SYN_RCVD, xrefs: 00007FF8B9061BC3
ERROR_ACCESS_DENIED, xrefs: 00007FF8B9061C89
ERROR_PRIVILEGE_NOT_HELD, xrefs: 00007FF8B9061CCB
ABOVE_NORMAL_PRIORITY_CLASS, xrefs: 00007FF8B9061ABE
MIB_TCP_STATE_FIN_WAIT1, xrefs: 00007FF8B9061BD9
MIB_TCP_STATE_TIME_WAIT, xrefs: 00007FF8B9061C1B, 00007FF8B9061C31
REALTIME_PRIORITY_CLASS, xrefs: 00007FF8B9061B2C
MIB_TCP_STATE_CLOSE_WAIT, xrefs: 00007FF8B9061B6B
PSUTIL_CONN_NONE, xrefs: 00007FF8B9061C5D
WINDOWS_8, xrefs: 00007FF8B9061D24
PSUTIL_DEBUG, xrefs: 00007FF8B90618FD
ERROR_INVALID_NAME, xrefs: 00007FF8B9061C9F
WINDOWS_8_1, xrefs: 00007FF8B9061D3A
MIB_TCP_STATE_CLOSING, xrefs: 00007FF8B9061B55
WINVER, xrefs: 00007FF8B9061CE2
INFINITE, xrefs: 00007FF8B9061C73
WINDOWS_7, xrefs: 00007FF8B9061D0E
MIB_TCP_STATE_LISTEN, xrefs: 00007FF8B9061B81
_psutil_windows.TimeoutExpired, xrefs: 00007FF8B9061A47
BELOW_NORMAL_PRIORITY_CLASS, xrefs: 00007FF8B9061AD4
MIB_TCP_STATE_DELETE_TCB, xrefs: 00007FF8B9061C47
version, xrefs: 00007FF8B9061AA8
MIB_TCP_STATE_SYN_SENT, xrefs: 00007FF8B9061BAD

Memory Dump Source

Source File: 00000002.00000002.3269315418.00007FF8B9061000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF8B9060000, based on PE: true

Associated: 00000002.00000002.3269250127.00007FF8B9060000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.3269445450.00007FF8B906B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.3269525176.00007FF8B9070000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.3269619893.00007FF8B9071000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b9060000_Q3pEXxmWAD.jbxd

Similarity

API ID: Module_$Constant$Err_$Exception$Eval_ObjectThread$Create2CriticalDeallocFilenameFromInfoInitializeLibraryLoadRestoreSaveSectionStateSystemVersionWindowsWithgetenv
String ID: ABOVE_NORMAL_PRIORITY_CLASS$BELOW_NORMAL_PRIORITY_CLASS$ERROR_ACCESS_DENIED$ERROR_INVALID_NAME$ERROR_PRIVILEGE_NOT_HELD$ERROR_SERVICE_DOES_NOT_EXIST$HIGH_PRIORITY_CLASS$IDLE_PRIORITY_CLASS$INFINITE$MIB_TCP_STATE_CLOSED$MIB_TCP_STATE_CLOSE_WAIT$MIB_TCP_STATE_CLOSING$MIB_TCP_STATE_DELETE_TCB$MIB_TCP_STATE_ESTAB$MIB_TCP_STATE_FIN_WAIT1$MIB_TCP_STATE_FIN_WAIT2$MIB_TCP_STATE_LAST_ACK$MIB_TCP_STATE_LISTEN$MIB_TCP_STATE_SYN_RCVD$MIB_TCP_STATE_SYN_SENT$MIB_TCP_STATE_TIME_WAIT$NORMAL_PRIORITY_CLASS$PSUTIL_CONN_NONE$PSUTIL_DEBUG$REALTIME_PRIORITY_CLASS$TimeoutAbandoned$TimeoutExpired$WINDOWS_10$WINDOWS_7$WINDOWS_8$WINDOWS_8_1$WINDOWS_VISTA$WINVER$_psutil_windows.Error$_psutil_windows.TimeoutAbandoned$_psutil_windows.TimeoutExpired$version
API String ID: 887074641-2468274236
Opcode ID: 6efccafb7da625c96c85524e3565947ef2e24866e459a4feb39aadcde8a1da25
Instruction ID: 04dd81408f408a8b8da893315b3c0f5dbe60be50ffa680de9f3aa1e3c5faf83d
Opcode Fuzzy Hash: 6efccafb7da625c96c85524e3565947ef2e24866e459a4feb39aadcde8a1da25
Instruction Fuzzy Hash: 7CC1F8A5B1CA8281FE50DF69E9943782762AF4ABD1F804135CB0E477A4DF6DE14BC701

Function 00007FF8B9061E90 Relevance: 43.9, APIs: 19, Strings: 6, Instructions: 182
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PyList_New.PYTHON3 ref: 00007FF8B9061EA0
PyErr_SetFromWindowsErr.PYTHON3 ref: 00007FF8B9061EF3
_Py_Dealloc.PYTHON3 ref: 00007FF8B9061F03
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF8B9061F11

Strings

psutil/arch/windows\cpu.c, xrefs: 00007FF8B9061F57
GetActiveProcessorCount() not available; using GetSystemInfo(), xrefs: 00007FF8B9061F7B
(ddddd), xrefs: 00007FF8B9062042
psutil-debug [%s:%d]> , xrefs: 00007FF8B9061F61
GetSystemInfo() failed to retrieve CPU count, xrefs: 00007FF8B9061FB4
NtQuerySystemInformation(SystemProcessorPerformanceInformation), xrefs: 00007FF8B906200D

Memory Dump Source

Source File: 00000002.00000002.3269315418.00007FF8B9061000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF8B9060000, based on PE: true

Associated: 00000002.00000002.3269250127.00007FF8B9060000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.3269445450.00007FF8B906B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.3269525176.00007FF8B9070000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.3269619893.00007FF8B9071000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b9060000_Q3pEXxmWAD.jbxd

Similarity

API ID: DeallocErr_FromList_Windowsfree
String ID: (ddddd)$GetActiveProcessorCount() not available; using GetSystemInfo()$GetSystemInfo() failed to retrieve CPU count$NtQuerySystemInformation(SystemProcessorPerformanceInformation)$psutil-debug [%s:%d]> $psutil/arch/windows\cpu.c
API String ID: 2064544276-4027580629
Opcode ID: 3aba73f1beacce3b45a693e18e4e7de515b957251446303ddff290eb5a7b73cd
Instruction ID: 7d04343ec31796014f8d7fd1501bf6ee4410470d3e2b7d92c201aeef599d8df9
Opcode Fuzzy Hash: 3aba73f1beacce3b45a693e18e4e7de515b957251446303ddff290eb5a7b73cd
Instruction Fuzzy Hash: 49717631A18B828AEE56DF3DA450679B3A5AF55BC4B048336EB4F66650EF3CF4478700

Function 00007FF615A21000 Relevance: 40.6, APIs: 5, Strings: 18, Instructions: 338
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Could not load PyInstaller's embedded PKG archive from the executable (%s), xrefs: 00007FF615A2378C
_MEIPASS2, xrefs: 00007FF615A236A2, 00007FF615A236AE, 00007FF615A239AC
Path exceeds PYI_PATH_MAX limit., xrefs: 00007FF615A236FC
WARNING: failed to remove temporary directory: %s, xrefs: 00007FF615A23A31
pyi-contents-directory, xrefs: 00007FF615A235F8
PYINSTALLER_STRICT_UNPACK_MODE, xrefs: 00007FF615A23653
Failed to load Tcl/Tk shared libraries for splash screen!, xrefs: 00007FF615A2391A
Could not create temporary directory!, xrefs: 00007FF615A23838
ERROR: failed to remove temporary directory: %s, xrefs: 00007FF615A23A12
Could not side-load PyInstaller's PKG archive from external file (%s), xrefs: 00007FF615A237EF
pyi-disable-windowed-traceback, xrefs: 00007FF615A2361D
pyi-runtime-tmpdir, xrefs: 00007FF615A235D3
pkg, xrefs: 00007FF615A237CF
Failed to convert DLL search path!, xrefs: 00007FF615A238A3
MEI, xrefs: 00007FF615A2374E
Failed to start splash screen!, xrefs: 00007FF615A23933
Failed to initialize security descriptor for temporary directory!, xrefs: 00007FF615A23820
Failed to unpack splash screen dependencies from PKG archive!, xrefs: 00007FF615A23905

Memory Dump Source

Source File: 00000002.00000002.3259986105.00007FF615A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF615A20000, based on PE: true

Associated: 00000002.00000002.3259944406.00007FF615A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260064010.00007FF615A4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260157531.00007FF615A5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260157531.00007FF615A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260262206.00007FF615A66000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff615a20000_Q3pEXxmWAD.jbxd

Similarity

API ID: FileModuleName
String ID: Could not create temporary directory!$Could not load PyInstaller's embedded PKG archive from the executable (%s)$Could not side-load PyInstaller's PKG archive from external file (%s)$ERROR: failed to remove temporary directory: %s$Failed to convert DLL search path!$Failed to initialize security descriptor for temporary directory!$Failed to load Tcl/Tk shared libraries for splash screen!$Failed to start splash screen!$Failed to unpack splash screen dependencies from PKG archive!$MEI$PYINSTALLER_STRICT_UNPACK_MODE$Path exceeds PYI_PATH_MAX limit.$WARNING: failed to remove temporary directory: %s$_MEIPASS2$pkg$pyi-contents-directory$pyi-disable-windowed-traceback$pyi-runtime-tmpdir
API String ID: 514040917-585287483
Opcode ID: 9842cbd688bc5711a49d4e0ce16b69d9ca5c4bef69e7965de4c15c2abde6ee8e
Instruction ID: 9d1c5aa427aabfb24a793a5885fabce4f7225c3c0af4c8d99338ae2c7c1b221d
Opcode Fuzzy Hash: 9842cbd688bc5711a49d4e0ce16b69d9ca5c4bef69e7965de4c15c2abde6ee8e
Instruction Fuzzy Hash: 56F18221A8CE8291FB18DB72D5562F9A651AF55FA0F844232DA1DC36F6EF2CED54C300

Function 00007FF8B9067E20 Relevance: 38.6, APIs: 16, Strings: 6, Instructions: 128
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF8B9067E57
OpenProcessToken.ADVAPI32 ref: 00007FF8B9067E6B
GetLastError.KERNEL32 ref: 00007FF8B9067E79
ImpersonateSelf.ADVAPI32 ref: 00007FF8B9067E89
OpenProcessToken.ADVAPI32 ref: 00007FF8B9067EB6

Part of subcall function 00007FF8B9061070: GetLastError.KERNEL32 ref: 00007FF8B9061092
Part of subcall function 00007FF8B9061070: PyErr_SetFromWindowsErrWithFilename.PYTHON3 ref: 00007FF8B90610B5

Part of subcall function 00007FF8B9067D80: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF8B9067D92
Part of subcall function 00007FF8B9067D80: fprintf.MSPDB140-MSVCRT ref: 00007FF8B9067DAF
Part of subcall function 00007FF8B9067D80: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF8B9067DB9
Part of subcall function 00007FF8B9067D80: fprintf.MSPDB140-MSVCRT ref: 00007FF8B9067DC9
Part of subcall function 00007FF8B9067D80: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF8B9067DD3
Part of subcall function 00007FF8B9067D80: fprintf.MSPDB140-MSVCRT ref: 00007FF8B9067DE3
Part of subcall function 00007FF8B9067D80: GetLastError.KERNEL32 ref: 00007FF8B9067DE8
Part of subcall function 00007FF8B9067D80: PyErr_WarnEx.PYTHON3 ref: 00007FF8B9067E0A

GetLastError.KERNEL32 ref: 00007FF8B9067ED6
PyErr_SetFromWindowsErrWithFilename.PYTHON3 ref: 00007FF8B9067EFD

Strings

LookupPrivilegeValue, xrefs: 00007FF8B9067F47
AdjustTokenPrivileges, xrefs: 00007FF8B9067FBD, 00007FF8B9068024
ImpersonateSelf, xrefs: 00007FF8B9067E93
(originated from %s), xrefs: 00007FF8B9067EE5, 00007FF8B9067F50, 00007FF8B9067FC6
SeDebugPrivilege, xrefs: 00007FF8B9067F2E
OpenProcessToken, xrefs: 00007FF8B9067EC0, 00007FF8B9067EDC

Memory Dump Source

Source File: 00000002.00000002.3269315418.00007FF8B9061000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF8B9060000, based on PE: true

Associated: 00000002.00000002.3269250127.00007FF8B9060000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.3269445450.00007FF8B906B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.3269525176.00007FF8B9070000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.3269619893.00007FF8B9071000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b9060000_Q3pEXxmWAD.jbxd

Similarity

API ID: ErrorLast$Err_Process__acrt_iob_funcfprintf$FilenameFromOpenTokenWindowsWith$CurrentImpersonateSelfWarn
String ID: (originated from %s)$AdjustTokenPrivileges$ImpersonateSelf$LookupPrivilegeValue$OpenProcessToken$SeDebugPrivilege
API String ID: 2544101647-3705996988
Opcode ID: 7e459fa033e77e746eff1f6157e4fc365d5f228a077588dde54361fef94116c4
Instruction ID: 57b5e1875737c0d28fa502aaca78ec54d3da30ab8711f839417b91837acbcc3a
Opcode Fuzzy Hash: 7e459fa033e77e746eff1f6157e4fc365d5f228a077588dde54361fef94116c4
Instruction Fuzzy Hash: 4F510971A1CBC292EF60DF69E8402A977A4FB447C4F404436EB8E42669DF7CE54AC740

Function 00007FF615A45C74 Relevance: 13.8, APIs: 9, Instructions: 276
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF615A459A8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF615A459E9
Part of subcall function 00007FF615A459A8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF615A45A67
Part of subcall function 00007FF615A459A8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF615A45AB8

CreateFileW.KERNEL32 ref: 00007FF615A45D7A
CreateFileW.KERNEL32 ref: 00007FF615A45DCA
GetLastError.KERNEL32 ref: 00007FF615A45DFA
GetFileType.KERNEL32 ref: 00007FF615A45E0F
GetLastError.KERNEL32 ref: 00007FF615A45E19
CloseHandle.KERNEL32 ref: 00007FF615A45E4C
CloseHandle.KERNEL32 ref: 00007FF615A45FAF
CreateFileW.KERNEL32 ref: 00007FF615A45FE4
GetLastError.KERNEL32 ref: 00007FF615A45FF3

Memory Dump Source

Source File: 00000002.00000002.3259986105.00007FF615A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF615A20000, based on PE: true

Associated: 00000002.00000002.3259944406.00007FF615A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260064010.00007FF615A4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260157531.00007FF615A5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260157531.00007FF615A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260262206.00007FF615A66000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff615a20000_Q3pEXxmWAD.jbxd

Similarity

API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type
String ID:
API String ID: 1617910340-0
Opcode ID: a69f399e4b06a5e248c6b703f60b2f721b94672e004abf856287656fc91ee5b6
Instruction ID: 95feed0c779c36a7a1ba4d80d35574e93c85faadfbfbd27e0ce93f4ff7b6b122
Opcode Fuzzy Hash: a69f399e4b06a5e248c6b703f60b2f721b94672e004abf856287656fc91ee5b6
Instruction Fuzzy Hash: D8C1BF36B28E4586EB50CFA8C4816AC7761FB89FA8B055335DE6E977A4CF38D851C300

Function 00007FF8B93C45E4 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 48threadnetworkCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF8B93C3588: PyErr_Format.PYTHON311 ref: 00007FF8B93C37DC

PySys_Audit.PYTHON311 ref: 00007FF8B93C463C
PyEval_SaveThread.PYTHON311 ref: 00007FF8B93C464E
bind.WS2_32 ref: 00007FF8B93C4665
PyEval_RestoreThread.PYTHON311 ref: 00007FF8B93C4670

Strings

bind, xrefs: 00007FF8B93C4603
socket.bind, xrefs: 00007FF8B93C4635

Memory Dump Source

Source File: 00000002.00000002.3270094699.00007FF8B93C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8B93C0000, based on PE: true

Associated: 00000002.00000002.3269996369.00007FF8B93C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.3270164094.00007FF8B93C8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.3270292182.00007FF8B93D0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.3270351890.00007FF8B93D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b93c0000_Q3pEXxmWAD.jbxd

Similarity

API ID: Eval_Thread$AuditErr_FormatRestoreSaveSys_bind
String ID: bind$socket.bind
API String ID: 1695574521-187351271
Opcode ID: d95e10c574bb9151cc7cac422ff355062cc574c072084da3d5b3e385af4c240c
Instruction ID: a6c77f7e4d2e2f364d67009a22c86c9f9d44ee88ef83a4baf3e8ee5f0fe42157
Opcode Fuzzy Hash: d95e10c574bb9151cc7cac422ff355062cc574c072084da3d5b3e385af4c240c
Instruction Fuzzy Hash: BF110322A08FC292E6609F59E8443ABA374FB8CBC0F042532DB8D47B58DF7CE5598740

Function 00007FF615A285A0 Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32 ref: 00007FF615A285D3
FindClose.KERNEL32 ref: 00007FF615A285E2

Memory Dump Source

Source File: 00000002.00000002.3259986105.00007FF615A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF615A20000, based on PE: true

Associated: 00000002.00000002.3259944406.00007FF615A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260064010.00007FF615A4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260157531.00007FF615A5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260157531.00007FF615A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260262206.00007FF615A66000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff615a20000_Q3pEXxmWAD.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: ca66ee6ee850f25a53d0c9653a43f1313d0231bc46844eb151e3c2d0b1a3e355
Instruction ID: c9cafafdc66f99a65d3c69a8019079e40aeb429c65858f50282e42242ab94f87
Opcode Fuzzy Hash: ca66ee6ee850f25a53d0c9653a43f1313d0231bc46844eb151e3c2d0b1a3e355
Instruction Fuzzy Hash: 64F0C822A5CB4686F7608F64B449766B390BF44F38F044335EA6D42AE4CF3CD4588A00

Function 00007FF8B8B01660 Relevance: 179.6, APIs: 101, Strings: 1, Instructions: 1106COMMON

Download Yara Rule

APIs

PyImport_Import.PYTHON311(?,?,?,?,?,?,00000000,?,?,00000000,00007FF8B8AF8A49), ref: 00007FF8B8B01680
_Py_Dealloc.PYTHON311(?,?,?,?,?,?,00000000,?,?,00000000,00007FF8B8AF8A49), ref: 00007FF8B8B016A9
_Py_Dealloc.PYTHON311(?,?,?,?,?,?,00000000,?,?,00000000,00007FF8B8AF8A49), ref: 00007FF8B8B016EF

Strings

<module>, xrefs: 00007FF8B8B018AF, 00007FF8B8B01A49, 00007FF8B8B01BC4, 00007FF8B8B01D3F, 00007FF8B8B01EC1, 00007FF8B8B02043, 00007FF8B8B0220D, 00007FF8B8B02388, 00007FF8B8B0253A, 00007FF8B8B026B5, 00007FF8B8B027E9, 00007FF8B8B0291B, 00007FF8B8B0299D

Memory Dump Source

Source File: 00000002.00000002.3267090500.00007FF8B8AF1000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FF8B8AF0000, based on PE: true

Associated: 00000002.00000002.3267030615.00007FF8B8AF0000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 00000002.00000002.3267162979.00007FF8B8B04000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 00000002.00000002.3267222840.00007FF8B8B0A000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 00000002.00000002.3267280567.00007FF8B8B0E000.00000002.00000001.01000000.00000015.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b8af0000_Q3pEXxmWAD.jbxd

Similarity

API ID: Dealloc$ImportImport_
String ID: <module>
API String ID: 2397823689-217463007
Opcode ID: 31361185dd40eca64a4d0713cd9bf962043c8a4a799bfca1e9d897335efbc7c7
Instruction ID: aae5d4cc9f2cc87d0cc1109ae73ab6f3c16fb3dbdc618f1a7a342ebfae0398c6
Opcode Fuzzy Hash: 31361185dd40eca64a4d0713cd9bf962043c8a4a799bfca1e9d897335efbc7c7
Instruction Fuzzy Hash: 0FC21665E09B0781EA1AAB7DE88017833A5BF45BC4F485235CB0DA73B5EF3CA4479349

Function 00007FF8B90613D0 Relevance: 89.5, APIs: 27, Strings: 24, Instructions: 229
libraryloaderthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PyEval_SaveThread.PYTHON3 ref: 00007FF8B90613DA
LoadLibraryA.KERNEL32 ref: 00007FF8B90613EA
PyEval_RestoreThread.PYTHON3 ref: 00007FF8B90613F6
PyErr_SetFromWindowsErrWithFilename.PYTHON3 ref: 00007FF8B906140A
GetProcAddress.KERNEL32 ref: 00007FF8B906141C
PyErr_SetFromWindowsErrWithFilename.PYTHON3 ref: 00007FF8B9061430
FreeLibrary.KERNEL32 ref: 00007FF8B9061439
GetModuleHandleA.KERNEL32 ref: 00007FF8B9061466
GetProcAddress.KERNEL32 ref: 00007FF8B9061484
PyErr_SetFromWindowsErrWithFilename.PYTHON3 ref: 00007FF8B9061498
GetModuleHandleA.KERNEL32 ref: 00007FF8B90614C5
GetProcAddress.KERNEL32 ref: 00007FF8B90614E3
PyErr_SetFromWindowsErrWithFilename.PYTHON3 ref: 00007FF8B90614F7
PyEval_SaveThread.PYTHON3 ref: 00007FF8B906151D
LoadLibraryA.KERNEL32 ref: 00007FF8B906152D
PyEval_RestoreThread.PYTHON3 ref: 00007FF8B9061539
PyErr_SetFromWindowsErrWithFilename.PYTHON3 ref: 00007FF8B906154D
GetProcAddress.KERNEL32 ref: 00007FF8B9061574
PyErr_SetFromWindowsErrWithFilename.PYTHON3 ref: 00007FF8B9061588
FreeLibrary.KERNEL32 ref: 00007FF8B9061591

Strings

RtlNtStatusToDosErrorNoTeb, xrefs: 00007FF8B90616AC
wtsapi32.dll, xrefs: 00007FF8B90617BA, 00007FF8B90617D4, 00007FF8B90617EE
NtQueryInformationProcess, xrefs: 00007FF8B906147A, 00007FF8B906148F
WTSQuerySessionInformationW, xrefs: 00007FF8B90617C6
RtlIpv6AddressToStringA, xrefs: 00007FF8B9061727
NtSetInformationProcess, xrefs: 00007FF8B90614D9, 00007FF8B90614EE
NtQuerySystemInformation, xrefs: 00007FF8B9061412, 00007FF8B9061427
RtlGetVersion, xrefs: 00007FF8B9061620
ntdll.dll, xrefs: 00007FF8B90613E0, 00007FF8B9061401, 00007FF8B9061458, 00007FF8B9061471, 00007FF8B90614B7, 00007FF8B90614D0, 00007FF8B9061523, 00007FF8B9061544, 00007FF8B90615BE, 00007FF8B9061627, 00007FF8B9061735
WTSEnumerateSessionsW, xrefs: 00007FF8B90617AC
NtSuspendProcess, xrefs: 00007FF8B9061643
NtResumeProcess, xrefs: 00007FF8B9061666
GetExtendedUdpTable, xrefs: 00007FF8B90615FD
iphlpapi.dll, xrefs: 00007FF8B90615E1, 00007FF8B9061604
GetActiveProcessorCount, xrefs: 00007FF8B906176C, 00007FF8B9061781
WTSFreeMemory, xrefs: 00007FF8B90617E0
NtQueryVirtualMemory, xrefs: 00007FF8B9061689
GetExtendedTcpTable, xrefs: 00007FF8B90615DA
RtlIpv4AddressToStringA, xrefs: 00007FF8B90615B0
GetTickCount64, xrefs: 00007FF8B90616EA, 00007FF8B90616FF
NtQueryObject, xrefs: 00007FF8B906156A, 00007FF8B906157F
ntdll, xrefs: 00007FF8B906164A, 00007FF8B906166D, 00007FF8B9061690, 00007FF8B90616B3
kernel32, xrefs: 00007FF8B90616CF, 00007FF8B90616E1, 00007FF8B9061751, 00007FF8B9061763, 00007FF8B90617A0
GetLogicalProcessorInformationEx, xrefs: 00007FF8B9061792

Memory Dump Source

Source File: 00000002.00000002.3269315418.00007FF8B9061000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF8B9060000, based on PE: true

Associated: 00000002.00000002.3269250127.00007FF8B9060000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.3269445450.00007FF8B906B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.3269525176.00007FF8B9070000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.3269619893.00007FF8B9071000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b9060000_Q3pEXxmWAD.jbxd

Similarity

API ID: Err_FilenameFromWindowsWith$AddressEval_LibraryProcThread$FreeHandleLoadModuleRestoreSave
String ID: GetActiveProcessorCount$GetExtendedTcpTable$GetExtendedUdpTable$GetLogicalProcessorInformationEx$GetTickCount64$NtQueryInformationProcess$NtQueryObject$NtQuerySystemInformation$NtQueryVirtualMemory$NtResumeProcess$NtSetInformationProcess$NtSuspendProcess$RtlGetVersion$RtlIpv4AddressToStringA$RtlIpv6AddressToStringA$RtlNtStatusToDosErrorNoTeb$WTSEnumerateSessionsW$WTSFreeMemory$WTSQuerySessionInformationW$iphlpapi.dll$kernel32$ntdll$ntdll.dll$wtsapi32.dll
API String ID: 3787047288-761253638
Opcode ID: 6b7c78cd98652e75907c508de1284e9f0e804c7fc3037098929c04c6a191e3dd
Instruction ID: 211165d999b4e0a84c6b5053004ab9c55a53a722ad7f971c2acf0aa61abc833f
Opcode Fuzzy Hash: 6b7c78cd98652e75907c508de1284e9f0e804c7fc3037098929c04c6a191e3dd
Instruction Fuzzy Hash: 43C1D2A1A0DB8780EE84DFACF89017933E1AF597D4F849535C60D862A4EF2CE19BC340

Function 00007FF8B93C5008 Relevance: 42.2, APIs: 20, Strings: 4, Instructions: 244
threadnetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PySys_Audit.PYTHON311 ref: 00007FF8B93C506D
PyErr_Format.PYTHON311 ref: 00007FF8B93C50C5
PySys_Audit.PYTHON311 ref: 00007FF8B93C51C1
PyEval_SaveThread.PYTHON311 ref: 00007FF8B93C51CF
WSASocketW.WS2_32 ref: 00007FF8B93C51F8
PyEval_RestoreThread.PYTHON311 ref: 00007FF8B93C5204
PyLong_AsLongLong.PYTHON311 ref: 00007FF8B93C5277
PyErr_Occurred.PYTHON311 ref: 00007FF8B93C5286
PyErr_SetString.PYTHON311 ref: 00007FF8B93C52A6
memset.VCRUNTIME140 ref: 00007FF8B93C52C6
getsockname.WS2_32 ref: 00007FF8B93C52D8
WSAGetLastError.WS2_32 ref: 00007FF8B93C52F7
getsockopt.WS2_32 ref: 00007FF8B93C5333
PyEval_SaveThread.PYTHON311 ref: 00007FF8B93C5373
WSASocketW.WS2_32 ref: 00007FF8B93C539A
socket.WS2_32 ref: 00007FF8B93C53B6
PyEval_RestoreThread.PYTHON311 ref: 00007FF8B93C53C2
SetHandleInformation.KERNEL32 ref: 00007FF8B93C53EC
PyErr_SetFromWindowsErr.PYTHON311 ref: 00007FF8B93C53FC
closesocket.WS2_32 ref: 00007FF8B93C5405

Strings

socket descriptor string has wrong size, should be %zu bytes., xrefs: 00007FF8B93C50B5
negative file descriptor, xrefs: 00007FF8B93C529C
socket.__new__, xrefs: 00007FF8B93C5066, 00007FF8B93C519C
Oiii, xrefs: 00007FF8B93C5055, 00007FF8B93C515C

Memory Dump Source

Source File: 00000002.00000002.3270094699.00007FF8B93C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8B93C0000, based on PE: true

Associated: 00000002.00000002.3269996369.00007FF8B93C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.3270164094.00007FF8B93C8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.3270292182.00007FF8B93D0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.3270351890.00007FF8B93D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b93c0000_Q3pEXxmWAD.jbxd

Similarity

API ID: Err_Eval_Thread$AuditLongRestoreSaveSocketSys_$ErrorFormatFromHandleInformationLastLong_OccurredStringWindowsclosesocketgetsocknamegetsockoptmemsetsocket
String ID: Oiii$negative file descriptor$socket descriptor string has wrong size, should be %zu bytes.$socket.__new__
API String ID: 3118441216-2881308447
Opcode ID: 50bb1b7be01f2dc67f8305606acf70d1fd44bd1c34773e67d9b9e366ba2ac7f7
Instruction ID: fab48116999f07edbba9b718073102fe8633cbf064b2a33ecfce598cb94bbed9
Opcode Fuzzy Hash: 50bb1b7be01f2dc67f8305606acf70d1fd44bd1c34773e67d9b9e366ba2ac7f7
Instruction Fuzzy Hash: 30C15022A08FD582E6608F2DD94427A73B0FB99BE4F146335DB5D436A1EF3CE5898740

Function 00007FF8B8AF8970 Relevance: 29.9, APIs: 16, Strings: 1, Instructions: 144
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PyModule_Create2.PYTHON311 ref: 00007FF8B8AF89A4
PyObject_GetAttrString.PYTHON311 ref: 00007FF8B8AF89C4
PyModule_GetDict.PYTHON311 ref: 00007FF8B8AF89D4
_Py_Dealloc.PYTHON311 ref: 00007FF8B8AF8A56

Strings

__name__, xrefs: 00007FF8B8AF89BA

Memory Dump Source

Source File: 00000002.00000002.3267090500.00007FF8B8AF1000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FF8B8AF0000, based on PE: true

Associated: 00000002.00000002.3267030615.00007FF8B8AF0000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 00000002.00000002.3267162979.00007FF8B8B04000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 00000002.00000002.3267222840.00007FF8B8B0A000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 00000002.00000002.3267280567.00007FF8B8B0E000.00000002.00000001.01000000.00000015.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b8af0000_Q3pEXxmWAD.jbxd

Similarity

API ID: Module_$AttrCreate2DeallocDictObject_String
String ID: __name__
API String ID: 2272293537-3954359393
Opcode ID: 4f397e03f3fee52b4d0ecdc321c4dbf54df67c5ae79e314d5e53c94f376fe017
Instruction ID: dfb8f2f823dfcd781feb8611b6e5bc03778df8b788519d204f5e6e0f60ff7a65
Opcode Fuzzy Hash: 4f397e03f3fee52b4d0ecdc321c4dbf54df67c5ae79e314d5e53c94f376fe017
Instruction Fuzzy Hash: C671F670E0AB0682FE599B7CA89513873A4BF45BD4F195634CB4E922B0CF3CA453C30A

Function 00007FF8B8AF44D0 Relevance: 29.9, APIs: 15, Strings: 2, Instructions: 118
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PyImport_ImportModuleLevelObject.PYTHON311 ref: 00007FF8B8AF4501
PyObject_GetAttr.PYTHON311 ref: 00007FF8B8AF454D
PyUnicode_FromFormat.PYTHON311 ref: 00007FF8B8AF456D
PyObject_GetItem.PYTHON311 ref: 00007FF8B8AF4585
_Py_Dealloc.PYTHON311 ref: 00007FF8B8AF4597
PyDict_SetItem.PYTHON311 ref: 00007FF8B8AF45B8
PyObject_SetItem.PYTHON311 ref: 00007FF8B8AF45C0
_Py_Dealloc.PYTHON311 ref: 00007FF8B8AF45D1
PyErr_Clear.PYTHON311 ref: 00007FF8B8AF4601
PyModule_GetFilenameObject.PYTHON311 ref: 00007FF8B8AF460A
PyUnicode_FromFormat.PYTHON311 ref: 00007FF8B8AF4628
PyErr_SetImportError.PYTHON311 ref: 00007FF8B8AF463F
_Py_Dealloc.PYTHON311 ref: 00007FF8B8AF464E
_Py_Dealloc.PYTHON311 ref: 00007FF8B8AF465D
_Py_Dealloc.PYTHON311 ref: 00007FF8B8AF466C

Strings

cannot import name %R from %R (%S), xrefs: 00007FF8B8AF4618
%U.%U, xrefs: 00007FF8B8AF4563

Memory Dump Source

Source File: 00000002.00000002.3267090500.00007FF8B8AF1000.00000020.00000001.01000000.00000015.sdmp, Offset: 00007FF8B8AF0000, based on PE: true

Associated: 00000002.00000002.3267030615.00007FF8B8AF0000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 00000002.00000002.3267162979.00007FF8B8B04000.00000002.00000001.01000000.00000015.sdmpDownload File
Associated: 00000002.00000002.3267222840.00007FF8B8B0A000.00000004.00000001.01000000.00000015.sdmpDownload File
Associated: 00000002.00000002.3267280567.00007FF8B8B0E000.00000002.00000001.01000000.00000015.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b8af0000_Q3pEXxmWAD.jbxd

Similarity

API ID: Dealloc$ItemObject_$Err_FormatFromImportObjectUnicode_$AttrClearDict_ErrorFilenameImport_LevelModuleModule_
String ID: %U.%U$cannot import name %R from %R (%S)
API String ID: 3630264407-438398067
Opcode ID: e640b3e46d7a37767e1cf98e302e0e9caccce58bf8976f823c6c11df13f9ec8d
Instruction ID: f1edb45f4c41130e16c6fc287bb96f5aa01b370d5921574521eab0f64a06b7d4
Opcode Fuzzy Hash: e640b3e46d7a37767e1cf98e302e0e9caccce58bf8976f823c6c11df13f9ec8d
Instruction Fuzzy Hash: 7C41B372A1AA4282EA589F2AA88427D73A4FF55FC8F045034CF4E57764DF3CE4478309

Function 00007FF615A218F0 Relevance: 22.9, APIs: 2, Strings: 11, Instructions: 172
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF615A276A0: _fread_nolock.LIBCMT ref: 00007FF615A2774A

_fread_nolock.LIBCMT ref: 00007FF615A219B4

Part of subcall function 00007FF615A22760: MessageBoxW.USER32 ref: 00007FF615A2283B

Strings

calloc, xrefs: 00007FF615A219F5
Failed to read cookie!, xrefs: 00007FF615A219BF
Could not read full TOC!, xrefs: 00007FF615A21AD4
Could not allocate memory for archive structure!, xrefs: 00007FF615A219EE
malloc, xrefs: 00007FF615A21AA8
fseek, xrefs: 00007FF615A21990
Failed to seek to cookie position!, xrefs: 00007FF615A21989
MEI, xrefs: 00007FF615A21931
Could not allocate buffer for TOC!, xrefs: 00007FF615A21AA1
Error on file., xrefs: 00007FF615A21B0A
fread, xrefs: 00007FF615A219C6, 00007FF615A21ADB

Memory Dump Source

Source File: 00000002.00000002.3259986105.00007FF615A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF615A20000, based on PE: true

Associated: 00000002.00000002.3259944406.00007FF615A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260064010.00007FF615A4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260157531.00007FF615A5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260157531.00007FF615A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260262206.00007FF615A66000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff615a20000_Q3pEXxmWAD.jbxd

Similarity

API ID: _fread_nolock$Message
String ID: Could not allocate buffer for TOC!$Could not allocate memory for archive structure!$Could not read full TOC!$Error on file.$Failed to read cookie!$Failed to seek to cookie position!$MEI$calloc$fread$fseek$malloc
API String ID: 677216364-3497178890
Opcode ID: 35ecb335ea51856d2c4ba3a5b8941be69d2e3f44d34773facc26e79b75a298fb
Instruction ID: f7a4a0deadb81fe3a89be8279d37a16d76d36532af825da770577c4b51b9e83c
Opcode Fuzzy Hash: 35ecb335ea51856d2c4ba3a5b8941be69d2e3f44d34773facc26e79b75a298fb
Instruction Fuzzy Hash: 5971C635A48E8685EB20CB36E4422B9A3A1FF84FA4F444235D98DC7769EF3CED448700

Function 00007FF615A21440 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 100
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF615A214A9
Failed to extract %s: failed to allocate data buffer (%u bytes)!, xrefs: 00007FF615A214D9
malloc, xrefs: 00007FF615A214E0
Failed to extract %s: failed to open archive file!, xrefs: 00007FF615A2146F
fseek, xrefs: 00007FF615A214B0
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF615A2159A
fread, xrefs: 00007FF615A215A1

Memory Dump Source

Source File: 00000002.00000002.3259986105.00007FF615A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF615A20000, based on PE: true

Associated: 00000002.00000002.3259944406.00007FF615A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260064010.00007FF615A4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260157531.00007FF615A5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260157531.00007FF615A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260262206.00007FF615A66000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff615a20000_Q3pEXxmWAD.jbxd

Similarity

API ID: Message
String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
API String ID: 2030045667-3659356012
Opcode ID: 6f52e494031d5ca2484d2f9d573e2a1dcf24fa62387402d5cbc9e3bb6a366fed
Instruction ID: 774d48396f049f332c83feb58827fe55be9e90209898c78f444261bfd75a46e4
Opcode Fuzzy Hash: 6f52e494031d5ca2484d2f9d573e2a1dcf24fa62387402d5cbc9e3bb6a366fed
Instruction Fuzzy Hash: D6418225B88A4681EE209B66A9421B6E390FF04FE4F584231DE5D87AB5EF3CFD418700

Function 00007FF615A211F0 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 154
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Failed to extract %s: decompression resulted in return code %d!, xrefs: 00007FF615A213EE
malloc, xrefs: 00007FF615A2129C, 00007FF615A212CA
Failed to extract %s: failed to allocate temporary input buffer!, xrefs: 00007FF615A21295
1.3.1, xrefs: 00007FF615A21229
Failed to extract %s: inflateInit() failed with return code %d!, xrefs: 00007FF615A21256
Failed to extract %s: failed to allocate temporary output buffer!, xrefs: 00007FF615A212C3

Memory Dump Source

Source File: 00000002.00000002.3259986105.00007FF615A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF615A20000, based on PE: true

Associated: 00000002.00000002.3259944406.00007FF615A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260064010.00007FF615A4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260157531.00007FF615A5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260157531.00007FF615A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260262206.00007FF615A66000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff615a20000_Q3pEXxmWAD.jbxd

Similarity

API ID: Message
String ID: 1.3.1$Failed to extract %s: decompression resulted in return code %d!$Failed to extract %s: failed to allocate temporary input buffer!$Failed to extract %s: failed to allocate temporary output buffer!$Failed to extract %s: inflateInit() failed with return code %d!$malloc
API String ID: 2030045667-2813020118
Opcode ID: e496b0bcba3729b97d06f0e46ecf728c80844e1a155ab2c5c02d584ccd3a7d05
Instruction ID: a22e92a38c2824d56ef444bfd9ff73625bc3ae78b804c4956e9f44256b7a2129
Opcode Fuzzy Hash: e496b0bcba3729b97d06f0e46ecf728c80844e1a155ab2c5c02d584ccd3a7d05
Instruction Fuzzy Hash: B451D462A48E4241EA649B66A4413BAA291BF44FA4F484335EE4DC7BE5EF3CED01C700

Function 00007FF615A3AD6C Relevance: 10.8, APIs: 7, Instructions: 290COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF615A3B199

Memory Dump Source

Source File: 00000002.00000002.3259986105.00007FF615A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF615A20000, based on PE: true

Associated: 00000002.00000002.3259944406.00007FF615A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260064010.00007FF615A4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260157531.00007FF615A5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260157531.00007FF615A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260262206.00007FF615A66000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff615a20000_Q3pEXxmWAD.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 61b7c791dd7b4870e419cd94b23561cebff66563b6152af2ba6a1b175460b8f9
Instruction ID: 33264224313a5734f1e0c87458eb5b21de11d44e87ae9996d1b21e6b0ff3bd42
Opcode Fuzzy Hash: 61b7c791dd7b4870e419cd94b23561cebff66563b6152af2ba6a1b175460b8f9
Instruction Fuzzy Hash: 09C1D122A4CF8A91EAA0DB1594442BDB791EF91FA8F154331DA4E837B1CFBCEC558300

Function 00007FF8B93C4EA8 Relevance: 10.6, APIs: 7, Instructions: 103COMMON

Download Yara Rule

APIs

_PyArg_UnpackKeywords.PYTHON311 ref: 00007FF8B93C4F38
_PyLong_AsInt.PYTHON311 ref: 00007FF8B93C4F57
PyErr_Occurred.PYTHON311 ref: 00007FF8B93C4F64
_PyLong_AsInt.PYTHON311 ref: 00007FF8B93C4F7E
PyErr_Occurred.PYTHON311 ref: 00007FF8B93C4F8B
_PyLong_AsInt.PYTHON311 ref: 00007FF8B93C4FA5
PyErr_Occurred.PYTHON311 ref: 00007FF8B93C4FB3

Memory Dump Source

Source File: 00000002.00000002.3270094699.00007FF8B93C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8B93C0000, based on PE: true

Associated: 00000002.00000002.3269996369.00007FF8B93C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.3270164094.00007FF8B93C8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.3270292182.00007FF8B93D0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.3270351890.00007FF8B93D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b93c0000_Q3pEXxmWAD.jbxd

Similarity

API ID: Err_Long_Occurred$Arg_KeywordsUnpack
String ID:
API String ID: 591546834-0
Opcode ID: 20742500c124c423266bfdab1c304cd984d45cdb87b6458035995fc094c063de
Instruction ID: 3bdd5a8d9ebf56a21ccc82ee740718628e8eb5c6ffa18433f6827496ce9cdee8
Opcode Fuzzy Hash: 20742500c124c423266bfdab1c304cd984d45cdb87b6458035995fc094c063de
Instruction Fuzzy Hash: 97415926A09FC252FAA59F29A45877A62B0FF48BE5F142634DF1E42790DF3CE4498300

Function 00007FF615A233E0 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 59COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,00007FF615A23534), ref: 00007FF615A23411

Part of subcall function 00007FF615A229E0: GetLastError.KERNEL32(?,?,?,00007FF615A2342E,?,00007FF615A23534), ref: 00007FF615A22A14
Part of subcall function 00007FF615A229E0: FormatMessageW.KERNEL32(?,?,?,00007FF615A2342E), ref: 00007FF615A22A7D
Part of subcall function 00007FF615A229E0: MessageBoxW.USER32 ref: 00007FF615A22ACF

Strings

Failed to convert executable path to UTF-8., xrefs: 00007FF615A234B8
Failed to obtain executable path., xrefs: 00007FF615A2341B
GetModuleFileNameW, xrefs: 00007FF615A23422
Failed to resolve full path to executable %ls., xrefs: 00007FF615A23461
\\?\, xrefs: 00007FF615A23482

Memory Dump Source

Source File: 00000002.00000002.3259986105.00007FF615A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF615A20000, based on PE: true

Associated: 00000002.00000002.3259944406.00007FF615A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260064010.00007FF615A4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260157531.00007FF615A5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260157531.00007FF615A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260262206.00007FF615A66000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff615a20000_Q3pEXxmWAD.jbxd

Similarity

API ID: Message$ErrorFileFormatLastModuleName
String ID: Failed to convert executable path to UTF-8.$Failed to obtain executable path.$Failed to resolve full path to executable %ls.$GetModuleFileNameW$\\?\
API String ID: 517058245-2863816727
Opcode ID: 4333ea13b7f7892cb13c7834fe0fbc8b7cb0659b0560af6bfa7ef98de9a8054c
Instruction ID: 434bb14bfbe818b65a19d164a90e83b2f6ab42f9d93d1c9a3e9892e9ca8fe901
Opcode Fuzzy Hash: 4333ea13b7f7892cb13c7834fe0fbc8b7cb0659b0560af6bfa7ef98de9a8054c
Instruction Fuzzy Hash: FF219511B58E4291FA219B36E8163B9E290BF49FA5F804337E65DC65F5EF2CDD048700

Function 00007FF8B90612C0 Relevance: 10.5, APIs: 7, Instructions: 37librarythreadloaderCOMMON

Download Yara Rule

APIs

PyEval_SaveThread.PYTHON3 ref: 00007FF8B90612DA
LoadLibraryA.KERNEL32 ref: 00007FF8B90612E6
PyEval_RestoreThread.PYTHON3 ref: 00007FF8B90612F2
PyErr_SetFromWindowsErrWithFilename.PYTHON3 ref: 00007FF8B9061302
GetProcAddress.KERNEL32 ref: 00007FF8B9061310
PyErr_SetFromWindowsErrWithFilename.PYTHON3 ref: 00007FF8B9061320
FreeLibrary.KERNEL32 ref: 00007FF8B9061329

Memory Dump Source

Source File: 00000002.00000002.3269315418.00007FF8B9061000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF8B9060000, based on PE: true

Associated: 00000002.00000002.3269250127.00007FF8B9060000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.3269445450.00007FF8B906B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.3269525176.00007FF8B9070000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.3269619893.00007FF8B9071000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b9060000_Q3pEXxmWAD.jbxd

Similarity

API ID: Err_Eval_FilenameFromLibraryThreadWindowsWith$AddressFreeLoadProcRestoreSave
String ID:
API String ID: 568911590-0
Opcode ID: e2200b3415209b6f4be3470a672ca2eac9ae6c36c8dafb9bbec9a9066c3d2c4c
Instruction ID: 6d2caef7de90f54d3cadbc956b80b6f41a0e4c7ca7f7b050969c49241ef1c7b3
Opcode Fuzzy Hash: e2200b3415209b6f4be3470a672ca2eac9ae6c36c8dafb9bbec9a9066c3d2c4c
Instruction Fuzzy Hash: 28012C61B1DA8681EE54DF66B90813E63A1BF48FC1B448034DE4E07B58DF3CD0428300

Function 00007FF8B8CE3A90 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

PyFrozenSet_New.PYTHON311 ref: 00007FF8B8CE3A9B
EVP_MD_do_all_provided.LIBCRYPTO-3 ref: 00007FF8B8CE3AC1
PyModule_AddObject.PYTHON311 ref: 00007FF8B8CE3AE1
_Py_Dealloc.PYTHON311 ref: 00007FF8B8CE5399

Strings

openssl_md_meth_names, xrefs: 00007FF8B8CE3AD7

Memory Dump Source

Source File: 00000002.00000002.3268470633.00007FF8B8CE1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF8B8CE0000, based on PE: true

Associated: 00000002.00000002.3268399588.00007FF8B8CE0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.3268531245.00007FF8B8CE7000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.3268588757.00007FF8B8CEC000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.3268675265.00007FF8B8CEE000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b8ce0000_Q3pEXxmWAD.jbxd

Similarity

API ID: D_do_all_providedDeallocFrozenModule_ObjectSet_
String ID: openssl_md_meth_names
API String ID: 4100423519-1600430994
Opcode ID: c7570a8fd0a96cd5cb6b92ca885935ccddc4592bf0b1fee869571e27cecb3355
Instruction ID: 355b0a75d8bad24c7fce22dd532cdde9883122b2db41d1741b4aef869c0f023a
Opcode Fuzzy Hash: c7570a8fd0a96cd5cb6b92ca885935ccddc4592bf0b1fee869571e27cecb3355
Instruction Fuzzy Hash: 1E014FB1A08642C3EBB44B78AC2D2796390BB487D6F144535DB6E42594CF7DF546C708

Function 00007FF8B8CC1000 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 19COMMON

Download Yara Rule

APIs

PyImport_ImportModule.PYTHON311 ref: 00007FF8B8CC100B
_Py_Dealloc.PYTHON311 ref: 00007FF8B8CC101F
PyCapsule_Import.PYTHON311 ref: 00007FF8B8CC102E

Strings

charset_normalizer.md__mypyc, xrefs: 00007FF8B8CC1004
charset_normalizer.md__mypyc.init_charset_normalizer___md, xrefs: 00007FF8B8CC1027

Memory Dump Source

Source File: 00000002.00000002.3267779046.00007FF8B8CC1000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FF8B8CC0000, based on PE: true

Associated: 00000002.00000002.3267713988.00007FF8B8CC0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3267887097.00007FF8B8CC2000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3267975575.00007FF8B8CC4000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b8cc0000_Q3pEXxmWAD.jbxd

Similarity

API ID: Import$Capsule_DeallocImport_Module
String ID: charset_normalizer.md__mypyc$charset_normalizer.md__mypyc.init_charset_normalizer___md
API String ID: 1394619730-824592145
Opcode ID: 4dbea5a90385b545af12b2b3c19e32250d97452fe296dfd027e4427eacffc248
Instruction ID: eac13d9fe312367e39179017df4435230525c799afa7cfe5f860a67710c52502
Opcode Fuzzy Hash: 4dbea5a90385b545af12b2b3c19e32250d97452fe296dfd027e4427eacffc248
Instruction Fuzzy Hash: CBE01AA5E0A60381EB989F2EBC6C1B022A07F547C0F884436C30D02254EF2CA94F8B98

Function 00007FF8B9061DC0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 49timeCOMMON

Download Yara Rule

APIs

GetSystemTimes.KERNEL32 ref: 00007FF8B9061DD3
PyErr_SetFromWindowsErr.PYTHON3 ref: 00007FF8B9061DDF
Py_BuildValue.PYTHON3 ref: 00007FF8B9061E82

Strings

(ddd), xrefs: 00007FF8B9061DF4

Memory Dump Source

Source File: 00000002.00000002.3269315418.00007FF8B9061000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF8B9060000, based on PE: true

Associated: 00000002.00000002.3269250127.00007FF8B9060000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.3269445450.00007FF8B906B000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.3269525176.00007FF8B9070000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.3269619893.00007FF8B9071000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b9060000_Q3pEXxmWAD.jbxd

Similarity

API ID: BuildErr_FromSystemTimesValueWindows
String ID: (ddd)
API String ID: 2325294781-2401937087
Opcode ID: ba0bdbf672466f0367906313a703a410643c45962e3f53d94245850bb14888e0
Instruction ID: 041493ac7001e1b410b2efb9756859def533889a811a8f2ec867c6dbf50a3f27
Opcode Fuzzy Hash: ba0bdbf672466f0367906313a703a410643c45962e3f53d94245850bb14888e0
Instruction Fuzzy Hash: 89119631A29E814FC953DB799940526E3A5AFAA7D0B448322F50FB1E10EB2CE0978B00

Function 00007FF615A34938 Relevance: 6.1, APIs: 4, Instructions: 90fileCOMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF615A34965
CreateFileW.KERNEL32 ref: 00007FF615A349A4
CloseHandle.KERNEL32 ref: 00007FF615A349D9

Memory Dump Source

Source File: 00000002.00000002.3259986105.00007FF615A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF615A20000, based on PE: true

Associated: 00000002.00000002.3259944406.00007FF615A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260064010.00007FF615A4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260157531.00007FF615A5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260157531.00007FF615A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260262206.00007FF615A66000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff615a20000_Q3pEXxmWAD.jbxd

Similarity

API ID: CloseCreateFileHandle_invalid_parameter_noinfo
String ID:
API String ID: 1279662727-0
Opcode ID: ebea2a15e315379b7438f17c06ac6f564ef77e5ce815d722b4931623952d3bd6
Instruction ID: ec32103ba5c952ee524e886234061cf783d406dd014e49015af9a18ca01c7717
Opcode Fuzzy Hash: ebea2a15e315379b7438f17c06ac6f564ef77e5ce815d722b4931623952d3bd6
Instruction Fuzzy Hash: 4A41A422D58B8243F790CB609504379A260FF94F78F109335E69C83AE5EF7CA9E08700

Function 00007FF8B93C4860 Relevance: 6.0, APIs: 4, Instructions: 30threadCOMMON

Download Yara Rule

APIs

PyEval_SaveThread.PYTHON311 ref: 00007FF8B93C4884
closesocket.WS2_32 ref: 00007FF8B93C4890
PyEval_RestoreThread.PYTHON311 ref: 00007FF8B93C489B
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8B93C48AA

Memory Dump Source

Source File: 00000002.00000002.3270094699.00007FF8B93C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8B93C0000, based on PE: true

Associated: 00000002.00000002.3269996369.00007FF8B93C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.3270164094.00007FF8B93C8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.3270292182.00007FF8B93D0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.3270351890.00007FF8B93D2000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b93c0000_Q3pEXxmWAD.jbxd

Similarity

API ID: Eval_Thread$RestoreSave_errnoclosesocket
String ID:
API String ID: 1624953543-0
Opcode ID: 4126259241acdad7b25acebef5f1c11f1c1da3f86697e3691b0e3be26900da62
Instruction ID: bf59571a8c0bd51e14b0d3d212802934602b47656722bb80a43b107d34cad838
Opcode Fuzzy Hash: 4126259241acdad7b25acebef5f1c11f1c1da3f86697e3691b0e3be26900da62
Instruction Fuzzy Hash: F2F0FF21A18FD182E6545F59A84806A7371EB4CBF0B146730DB7A037E4CF7DE94A8300

Function 00007FF615A2BF5C Relevance: 4.6, APIs: 3, Instructions: 94COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF615A2C12C: __scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF615A2C140

__scrt_acquire_startup_lock.LIBCMT ref: 00007FF615A2BF80
__scrt_release_startup_lock.LIBCMT ref: 00007FF615A2BFEE
__scrt_get_show_window_mode.LIBCMT ref: 00007FF615A2C041

Memory Dump Source

Source File: 00000002.00000002.3259986105.00007FF615A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF615A20000, based on PE: true

Associated: 00000002.00000002.3259944406.00007FF615A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260064010.00007FF615A4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260157531.00007FF615A5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260157531.00007FF615A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260262206.00007FF615A66000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff615a20000_Q3pEXxmWAD.jbxd

Similarity

API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_release_startup_lock
String ID:
API String ID: 3251591375-0
Opcode ID: 51e2e4cc4e0defacebf1dac919e01b91b6d5e84f1fe25dd37a2b49ce45fe95ab
Instruction ID: 7aa536c079c6f0e12130e188430d06e86234429065cb3d558fe177d76107df69
Opcode Fuzzy Hash: 51e2e4cc4e0defacebf1dac919e01b91b6d5e84f1fe25dd37a2b49ce45fe95ab
Instruction Fuzzy Hash: 8B315E11ACDE4751FA54A7B6D4633B9A281AF41FA8F440235EA0EC72F3DF6DAD048601

Function 00007FF615A2F45C Relevance: 3.2, APIs: 2, Instructions: 177COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF615A2F4A0
_invalid_parameter_noinfo.LIBCMT ref: 00007FF615A2F597

Memory Dump Source

Source File: 00000002.00000002.3259986105.00007FF615A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF615A20000, based on PE: true

Associated: 00000002.00000002.3259944406.00007FF615A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260064010.00007FF615A4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260157531.00007FF615A5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260157531.00007FF615A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260262206.00007FF615A66000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff615a20000_Q3pEXxmWAD.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 8760811a46c694da2ce7fcb713cb8132a6e7826c56b7b9f56bdeeaa18c726bba
Instruction ID: 95063829c713752744a865e34dc590758fa16b86c60a14ed7552f7d9f83d2a1c
Opcode Fuzzy Hash: 8760811a46c694da2ce7fcb713cb8132a6e7826c56b7b9f56bdeeaa18c726bba
Instruction Fuzzy Hash: 1251D321B49A8246EA689E37940367AA285EF44FB8F148735DE7D837F5CF3CDC408600

Function 00007FF615A39E68 Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNEL32(?,?,?,00007FF615A39CE5,?,?,00000000,00007FF615A39D9A), ref: 00007FF615A39ED6
GetLastError.KERNEL32(?,?,?,00007FF615A39CE5,?,?,00000000,00007FF615A39D9A), ref: 00007FF615A39EE0

Memory Dump Source

Source File: 00000002.00000002.3259986105.00007FF615A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF615A20000, based on PE: true

Associated: 00000002.00000002.3259944406.00007FF615A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260064010.00007FF615A4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260157531.00007FF615A5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260157531.00007FF615A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260262206.00007FF615A66000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff615a20000_Q3pEXxmWAD.jbxd

Similarity

API ID: ChangeCloseErrorFindLastNotification
String ID:
API String ID: 1687624791-0
Opcode ID: 65da2f67be20623dd6870cbeabcb199f1b77c363b63baf0d8a802715797da709
Instruction ID: 1a56008033fd5afdcc743bf0c955a081b0f05bb2f6b41150f8e002ed8d30fcfb
Opcode Fuzzy Hash: 65da2f67be20623dd6870cbeabcb199f1b77c363b63baf0d8a802715797da709
Instruction Fuzzy Hash: 73218E21F5CE8241EED0DB64B480279A6929F84FB8F184335DA2E872E1CF6CAD448201

Function 00007FF615A3B444 Relevance: 3.0, APIs: 2, Instructions: 46COMMONLIBRARYCODE

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32(?,?,?,?,?,00007FF615A3B5DD), ref: 00007FF615A3B490
GetLastError.KERNEL32(?,?,?,?,?,00007FF615A3B5DD), ref: 00007FF615A3B49A

Memory Dump Source

Source File: 00000002.00000002.3259986105.00007FF615A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF615A20000, based on PE: true

Associated: 00000002.00000002.3259944406.00007FF615A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260064010.00007FF615A4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260157531.00007FF615A5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260157531.00007FF615A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260262206.00007FF615A66000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff615a20000_Q3pEXxmWAD.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: cd3a9f3ea8ef265e1697b25d2233ff7099ae2ab5e22e5ab4fa41e006c1c379b1
Instruction ID: d75f48e1f7902ad65a18d41382531fdee14edc3b262ce96aea4a314e825f12d2
Opcode Fuzzy Hash: cd3a9f3ea8ef265e1697b25d2233ff7099ae2ab5e22e5ab4fa41e006c1c379b1
Instruction Fuzzy Hash: E911BF61A08F8581DA50CB29B844169A362AF44FF8F584331EE7D87BFACF3CD8508704

Function 00007FF615A3B1BC Relevance: 1.6, APIs: 1, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF615A3B1E4

Memory Dump Source

Source File: 00000002.00000002.3259986105.00007FF615A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF615A20000, based on PE: true

Associated: 00000002.00000002.3259944406.00007FF615A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260064010.00007FF615A4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260157531.00007FF615A5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260157531.00007FF615A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260262206.00007FF615A66000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff615a20000_Q3pEXxmWAD.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: aa739a885bc1dd54b6575df94a709b393c0322d321e92581108345db9e2bb901
Instruction ID: 590876a32080199f335b1121d6d3b23d611ecf3c7b0230dd48f52509e0b43458
Opcode Fuzzy Hash: aa739a885bc1dd54b6575df94a709b393c0322d321e92581108345db9e2bb901
Instruction Fuzzy Hash: EC41B132948A0987EAA4DE55E54127DF7A1EF55FA8F140331D69AC36E0CF3CE802C751

Function 00007FF615A276A0 Relevance: 1.6, APIs: 1, Instructions: 85COMMON

Download Yara Rule

APIs

_fread_nolock.LIBCMT ref: 00007FF615A2774A

Memory Dump Source

Source File: 00000002.00000002.3259986105.00007FF615A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF615A20000, based on PE: true

Associated: 00000002.00000002.3259944406.00007FF615A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260064010.00007FF615A4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260157531.00007FF615A5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260157531.00007FF615A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260262206.00007FF615A66000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff615a20000_Q3pEXxmWAD.jbxd

Similarity

API ID: _fread_nolock
String ID:
API String ID: 840049012-0
Opcode ID: a0f762802b007f79df3f5188bfeabeb6c0338d12f38915015ea771c39cfbc038
Instruction ID: 6d78ea185521d3de9b6094c55ddecfc632c8d717a6c536fe264105539e34bcc4
Opcode Fuzzy Hash: a0f762802b007f79df3f5188bfeabeb6c0338d12f38915015ea771c39cfbc038
Instruction Fuzzy Hash: 7621B721B88A5145FA149B27A9063FAEA41BF45FE4F8C4530DD0D877A6DF7DE941C700

Function 00007FF615A3AC4C Relevance: 1.6, APIs: 1, Instructions: 79COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF615A3ACD2

Memory Dump Source

Source File: 00000002.00000002.3259986105.00007FF615A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF615A20000, based on PE: true

Associated: 00000002.00000002.3259944406.00007FF615A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260064010.00007FF615A4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260157531.00007FF615A5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260157531.00007FF615A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260262206.00007FF615A66000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff615a20000_Q3pEXxmWAD.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 41d876f7d863186cb99ffae5cfc70294694b7844598519de76c307bd1dc1648a
Instruction ID: f4842ebe826b19fa881ab012a480bb4b0e587af7cf3f103574c9b0215dc8fdd4
Opcode Fuzzy Hash: 41d876f7d863186cb99ffae5cfc70294694b7844598519de76c307bd1dc1648a
Instruction Fuzzy Hash: ED319C22E58E6286E691DB5598513BDAA50AF50FB8F450336DA1D833F2CFBCEC518320

Function 00007FF615A352A4 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF615A35209

Memory Dump Source

Source File: 00000002.00000002.3259986105.00007FF615A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF615A20000, based on PE: true

Associated: 00000002.00000002.3259944406.00007FF615A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260064010.00007FF615A4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260157531.00007FF615A5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260157531.00007FF615A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260262206.00007FF615A66000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff615a20000_Q3pEXxmWAD.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: c73ce0dbb369862aa70d4e112b5ce78fdf9595fecbc559d5a15d5b25d9b89295
Instruction ID: 13c8e6eff1e1b81120e819abe5e936ae5ce112c6d51b3cc13fb72018a46336a2
Opcode Fuzzy Hash: c73ce0dbb369862aa70d4e112b5ce78fdf9595fecbc559d5a15d5b25d9b89295
Instruction Fuzzy Hash: C9119621A5DE8145EAE0DF95D40117EE3A4AF59FA8F444231EA8CD76A6DF3CDC408740

Function 00007FF615A45664 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF615A45687

Memory Dump Source

Source File: 00000002.00000002.3259986105.00007FF615A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF615A20000, based on PE: true

Associated: 00000002.00000002.3259944406.00007FF615A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260064010.00007FF615A4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260157531.00007FF615A5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260157531.00007FF615A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260262206.00007FF615A66000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff615a20000_Q3pEXxmWAD.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: eb818cef5f83307f6059fb404af21ab2d8804f19963bc1c1518551d96bb4d1ba
Instruction ID: 6a3373f6ade36e011149639d26d829bd8690b74f46a64ba711cd3a427cb0b0b7
Opcode Fuzzy Hash: eb818cef5f83307f6059fb404af21ab2d8804f19963bc1c1518551d96bb4d1ba
Instruction Fuzzy Hash: 3B215632658E8186DB618F58D480379F661EF98FA4F184334D69D87AE5DF3CD8008B00

Function 00007FF615A2F6DC Relevance: 1.5, APIs: 1, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF615A2F730

Memory Dump Source

Source File: 00000002.00000002.3259986105.00007FF615A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF615A20000, based on PE: true

Associated: 00000002.00000002.3259944406.00007FF615A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260064010.00007FF615A4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260157531.00007FF615A5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260157531.00007FF615A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260262206.00007FF615A66000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff615a20000_Q3pEXxmWAD.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 1d48df8ff45913ef4d2fe20e3a196162e4d6dc571d0fb1b63797b01b1d6529e7
Instruction ID: 37e1d5030f1a1c2f31f273b8de2d0b2b7f78af5a3279489abf0a7cd75e2731a8
Opcode Fuzzy Hash: 1d48df8ff45913ef4d2fe20e3a196162e4d6dc571d0fb1b63797b01b1d6529e7
Instruction Fuzzy Hash: 5501A525A48F4241E944DF675902069E699AF55FF0F484731DE6C93BE6DF3CD9028300

Function 00007FF615A3DEA8 Relevance: 1.5, APIs: 1, Instructions: 36memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,?,00000000,00007FF615A3A63A,?,?,?,00007FF615A343FD,?,?,?,?,00007FF615A3979A), ref: 00007FF615A3DEFD

Memory Dump Source

Source File: 00000002.00000002.3259986105.00007FF615A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF615A20000, based on PE: true

Associated: 00000002.00000002.3259944406.00007FF615A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260064010.00007FF615A4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260157531.00007FF615A5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260157531.00007FF615A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260262206.00007FF615A66000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff615a20000_Q3pEXxmWAD.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: a50505f3dedbf875c6adc223253d20fad35851e197ada73c0c4444ee90b671f1
Instruction ID: 4c87eefaad83f9fad80927af22213462643e1d2995d10e718f516db8f66a134d
Opcode Fuzzy Hash: a50505f3dedbf875c6adc223253d20fad35851e197ada73c0c4444ee90b671f1
Instruction Fuzzy Hash: 91F04944B89A47C0FE94D7A658512B5D2906F98FA8F5C4330D90EC62A1DF2CAC898250

Function 00007FF615A3C90C Relevance: 1.5, APIs: 1, Instructions: 29memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,?,?,00007FF615A2FFB0,?,?,?,00007FF615A3161A,?,?,?,?,?,00007FF615A32E09), ref: 00007FF615A3C94A

Memory Dump Source

Source File: 00000002.00000002.3259986105.00007FF615A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF615A20000, based on PE: true

Associated: 00000002.00000002.3259944406.00007FF615A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260064010.00007FF615A4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260157531.00007FF615A5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260157531.00007FF615A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260262206.00007FF615A66000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff615a20000_Q3pEXxmWAD.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: b18cfb789f6bc806f768d700ed4d2a41d5d7e56d76a43a128583cd408f8141a4
Instruction ID: 25e08d64fb14db1bbbc15e59e6bbd9c34330ef52f37b16d57ede266a0008b8b5
Opcode Fuzzy Hash: b18cfb789f6bc806f768d700ed4d2a41d5d7e56d76a43a128583cd408f8141a4
Instruction Fuzzy Hash: AFF05E00B98A4784FE94D7B29C2127992805F48F78F094330D92EC62E1EF2CAC408110

Function 00007FF615A281A0 Relevance: 1.5, APIs: 1, Instructions: 19libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF615A286B0: MultiByteToWideChar.KERNEL32(?,?,?,00007FF615A23FA4,00000000,00007FF615A21925), ref: 00007FF615A286E9

LoadLibraryW.KERNEL32(?,00007FF615A25C06,?,00007FF615A2308E), ref: 00007FF615A281C2

Memory Dump Source

Source File: 00000002.00000002.3259986105.00007FF615A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF615A20000, based on PE: true

Associated: 00000002.00000002.3259944406.00007FF615A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260064010.00007FF615A4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260157531.00007FF615A5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260157531.00007FF615A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260262206.00007FF615A66000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff615a20000_Q3pEXxmWAD.jbxd

Similarity

API ID: ByteCharLibraryLoadMultiWide
String ID:
API String ID: 2592636585-0
Opcode ID: 637d93bcaba6b3ef3808867d80487fbb7a80e425bc13fea3da321eb74d5281f1
Instruction ID: a8c52203fcdf8dfcb23a3bd49efef91830774016038e32e81289fc52b86c789e
Opcode Fuzzy Hash: 637d93bcaba6b3ef3808867d80487fbb7a80e425bc13fea3da321eb74d5281f1
Instruction Fuzzy Hash: A8D0C201F24A4681FF84EBBBBA46579A192AF89FD0F48C134EE1C43B66DE3CC4800B00

Non-executed Functions

Function 00007FF8B8B28324 Relevance: 107.0, APIs: 50, Strings: 11, Instructions: 276COMMON

Download Yara Rule

APIs

PyDict_New.PYTHON311 ref: 00007FF8B8B28343
SSL_CTX_ctrl.LIBSSL-3 ref: 00007FF8B8B28363
PyLong_FromLong.PYTHON311 ref: 00007FF8B8B2836B
PyDict_SetItemString.PYTHON311 ref: 00007FF8B8B2838A
_Py_Dealloc.PYTHON311 ref: 00007FF8B8B2839B
SSL_CTX_ctrl.LIBSSL-3 ref: 00007FF8B8B283B7
PyLong_FromLong.PYTHON311 ref: 00007FF8B8B283BF
PyDict_SetItemString.PYTHON311 ref: 00007FF8B8B283DE
_Py_Dealloc.PYTHON311 ref: 00007FF8B8B283EF
SSL_CTX_ctrl.LIBSSL-3 ref: 00007FF8B8B2840B
PyLong_FromLong.PYTHON311 ref: 00007FF8B8B28413
PyDict_SetItemString.PYTHON311 ref: 00007FF8B8B28432
_Py_Dealloc.PYTHON311 ref: 00007FF8B8B28443
SSL_CTX_ctrl.LIBSSL-3 ref: 00007FF8B8B2845F
PyLong_FromLong.PYTHON311 ref: 00007FF8B8B28467
PyDict_SetItemString.PYTHON311 ref: 00007FF8B8B28486
_Py_Dealloc.PYTHON311 ref: 00007FF8B8B28497
SSL_CTX_ctrl.LIBSSL-3 ref: 00007FF8B8B284B3
PyLong_FromLong.PYTHON311 ref: 00007FF8B8B284BB
PyDict_SetItemString.PYTHON311 ref: 00007FF8B8B284DA
_Py_Dealloc.PYTHON311 ref: 00007FF8B8B284EB
SSL_CTX_ctrl.LIBSSL-3 ref: 00007FF8B8B28507
PyLong_FromLong.PYTHON311 ref: 00007FF8B8B2850F
PyDict_SetItemString.PYTHON311 ref: 00007FF8B8B2852E
_Py_Dealloc.PYTHON311 ref: 00007FF8B8B2853F
SSL_CTX_ctrl.LIBSSL-3 ref: 00007FF8B8B2855B
PyLong_FromLong.PYTHON311 ref: 00007FF8B8B28563
PyDict_SetItemString.PYTHON311 ref: 00007FF8B8B28582
_Py_Dealloc.PYTHON311 ref: 00007FF8B8B28593
SSL_CTX_ctrl.LIBSSL-3 ref: 00007FF8B8B285AF
PyLong_FromLong.PYTHON311 ref: 00007FF8B8B285B7
PyDict_SetItemString.PYTHON311 ref: 00007FF8B8B285D6
_Py_Dealloc.PYTHON311 ref: 00007FF8B8B285E7
SSL_CTX_ctrl.LIBSSL-3 ref: 00007FF8B8B28603
PyLong_FromLong.PYTHON311 ref: 00007FF8B8B2860B
PyDict_SetItemString.PYTHON311 ref: 00007FF8B8B2862A
_Py_Dealloc.PYTHON311 ref: 00007FF8B8B2863B
SSL_CTX_ctrl.LIBSSL-3 ref: 00007FF8B8B28657
PyLong_FromLong.PYTHON311 ref: 00007FF8B8B2865F
PyDict_SetItemString.PYTHON311 ref: 00007FF8B8B2867E
_Py_Dealloc.PYTHON311 ref: 00007FF8B8B2868F
SSL_CTX_ctrl.LIBSSL-3 ref: 00007FF8B8B286AB
PyLong_FromLong.PYTHON311 ref: 00007FF8B8B286B3
PyDict_SetItemString.PYTHON311 ref: 00007FF8B8B286CE
_Py_Dealloc.PYTHON311 ref: 00007FF8B8B286DF
SSL_CTX_ctrl.LIBSSL-3 ref: 00007FF8B8B286F7
PyLong_FromLong.PYTHON311 ref: 00007FF8B8B286FF
PyDict_SetItemString.PYTHON311 ref: 00007FF8B8B2871A
_Py_Dealloc.PYTHON311 ref: 00007FF8B8B2872B
_Py_Dealloc.PYTHON311 ref: 00007FF8B8B28743

Strings

number, xrefs: 00007FF8B8B28380
connect_renegotiate, xrefs: 00007FF8B8B2847C
accept_good, xrefs: 00007FF8B8B28524
accept_renegotiate, xrefs: 00007FF8B8B28578
connect_good, xrefs: 00007FF8B8B28428
misses, xrefs: 00007FF8B8B28674
accept, xrefs: 00007FF8B8B284D0, 00007FF8B8B285CC
connect, xrefs: 00007FF8B8B283D4
cache_full, xrefs: 00007FF8B8B28710
hits, xrefs: 00007FF8B8B28620
timeouts, xrefs: 00007FF8B8B286C4

Memory Dump Source

Source File: 00000002.00000002.3267386125.00007FF8B8B21000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF8B8B20000, based on PE: true

Associated: 00000002.00000002.3267342079.00007FF8B8B20000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267454200.00007FF8B8B2D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267519342.00007FF8B8B40000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267586768.00007FF8B8B41000.00000008.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267643901.00007FF8B8B49000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b8b20000_Q3pEXxmWAD.jbxd

Similarity

API ID: DeallocDict_$FromItemLongLong_StringX_ctrl
String ID: accept$accept_good$accept_renegotiate$cache_full$connect$connect_good$connect_renegotiate$hits$misses$number$timeouts
API String ID: 3804526530-4076585280
Opcode ID: 9bb32dfcd675d2c24069937e8235e7c69130e9df25574439dcdacdb0d8f7f3d6
Instruction ID: 92e5abfa46d0221e8423f87ce979d9f4a750e7f8690fc05a1b00236284c10784
Opcode Fuzzy Hash: 9bb32dfcd675d2c24069937e8235e7c69130e9df25574439dcdacdb0d8f7f3d6
Instruction Fuzzy Hash: FCC13175A08B0A86EA156F79E56867D3BA0FF45BC5F884434CF0E06B64EF2CF41A8305

Function 00007FF8B8B2576C Relevance: 94.9, APIs: 41, Strings: 13, Instructions: 356stringCOMMON

Download Yara Rule

APIs

BIO_s_mem.LIBCRYPTO-3 ref: 00007FF8B8B257B2
BIO_new.LIBCRYPTO-3 ref: 00007FF8B8B257BB
PyErr_SetString.PYTHON311 ref: 00007FF8B8B257D4
X509_get_ext_d2i.LIBCRYPTO-3 ref: 00007FF8B8B257EE
PyList_New.PYTHON311 ref: 00007FF8B8B2580B
OPENSSL_sk_num.LIBCRYPTO-3 ref: 00007FF8B8B25826
OPENSSL_sk_value.LIBCRYPTO-3 ref: 00007FF8B8B25842
PyErr_WarnFormat.PYTHON311 ref: 00007FF8B8B258B0
BIO_ctrl.LIBCRYPTO-3 ref: 00007FF8B8B258CC
GENERAL_NAME_print.LIBCRYPTO-3 ref: 00007FF8B8B258D8
BIO_gets.LIBCRYPTO-3 ref: 00007FF8B8B258EC
strchr.VCRUNTIME140 ref: 00007FF8B8B25907
PyTuple_New.PYTHON311 ref: 00007FF8B8B2591C
PyUnicode_FromStringAndSize.PYTHON311 ref: 00007FF8B8B2593E
PyUnicode_FromStringAndSize.PYTHON311 ref: 00007FF8B8B25BB5

Strings

DirName, xrefs: 00007FF8B8B25B19
Registered ID, xrefs: 00007FF8B8B2597A
email, xrefs: 00007FF8B8B25B79
%d.%d.%d.%d, xrefs: 00007FF8B8B25A3A
Unknown general name type %d, xrefs: 00007FF8B8B2589F
DNS, xrefs: 00007FF8B8B25B70
<INVALID>, xrefs: 00007FF8B8B259B7
<invalid>, xrefs: 00007FF8B8B25AF8
IP Address, xrefs: 00007FF8B8B259FE
failed to allocate BIO, xrefs: 00007FF8B8B257CD
Invalid value %.200s, xrefs: 00007FF8B8B25C67
%X:%X:%X:%X:%X:%X:%X:%X, xrefs: 00007FF8B8B25ACE
URI, xrefs: 00007FF8B8B25B67

Memory Dump Source

Source File: 00000002.00000002.3267386125.00007FF8B8B21000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF8B8B20000, based on PE: true

Associated: 00000002.00000002.3267342079.00007FF8B8B20000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267454200.00007FF8B8B2D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267519342.00007FF8B8B40000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267586768.00007FF8B8B41000.00000008.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267643901.00007FF8B8B49000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b8b20000_Q3pEXxmWAD.jbxd

Similarity

API ID: String$Err_FromSizeUnicode_$E_printFormatL_sk_numL_sk_valueList_O_ctrlO_getsO_newO_s_memTuple_WarnX509_get_ext_d2istrchr
String ID: %X:%X:%X:%X:%X:%X:%X:%X$%d.%d.%d.%d$<INVALID>$<invalid>$DNS$DirName$IP Address$Invalid value %.200s$Registered ID$URI$Unknown general name type %d$email$failed to allocate BIO
API String ID: 359532264-4109427827
Opcode ID: 4bcc3934c0b1a15c61bc44874913e03d2a3a1538fa544ffd736aea6974b17af1
Instruction ID: 2227b4e15342cf9afe1844b0d9ec46cabe62c9d6b4370c085aa3054f768d4f4e
Opcode Fuzzy Hash: 4bcc3934c0b1a15c61bc44874913e03d2a3a1538fa544ffd736aea6974b17af1
Instruction Fuzzy Hash: 1CF19221A0DA4786EA959F3DA85893D6BA1BF85BC1F984031CF4E02754EF3CF44AC708

Function 00007FF8B8B2B6D0 Relevance: 54.5, APIs: 29, Strings: 2, Instructions: 206threadCOMMON

Download Yara Rule

APIs

_PyObject_GC_New.PYTHON311(?,?,?,?,00007FF8A8D8BCC8,?,00000000,00007FF8B8B27095), ref: 00007FF8B8B2B76E
ERR_clear_error.LIBCRYPTO-3(?,?,?,?,00007FF8A8D8BCC8,?,00000000,00007FF8B8B27095), ref: 00007FF8B8B2B7B1
PyEval_SaveThread.PYTHON311(?,?,?,?,00007FF8A8D8BCC8,?,00000000,00007FF8B8B27095), ref: 00007FF8B8B2B7B7
SSL_new.LIBSSL-3(?,?,?,?,00007FF8A8D8BCC8,?,00000000,00007FF8B8B27095), ref: 00007FF8B8B2B7C3
PyEval_RestoreThread.PYTHON311(?,?,?,?,00007FF8A8D8BCC8,?,00000000,00007FF8B8B27095), ref: 00007FF8B8B2B7D0
_Py_Dealloc.PYTHON311(?,?,?,?,00007FF8A8D8BCC8,?,00000000,00007FF8B8B27095), ref: 00007FF8B8B2B7E8
SSL_get0_param.LIBSSL-3(?,?,?,?,00007FF8A8D8BCC8,?,00000000,00007FF8B8B27095), ref: 00007FF8B8B2B804
X509_VERIFY_PARAM_set_hostflags.LIBCRYPTO-3(?,?,?,?,00007FF8A8D8BCC8,?,00000000,00007FF8B8B27095), ref: 00007FF8B8B2B810
SSL_set_ex_data.LIBSSL-3(?,?,?,?,00007FF8A8D8BCC8,?,00000000,00007FF8B8B27095), ref: 00007FF8B8B2B81F
SSL_set_fd.LIBSSL-3(?,?,?,?,00007FF8A8D8BCC8,?,00000000,00007FF8B8B27095), ref: 00007FF8B8B2B832
BIO_up_ref.LIBCRYPTO-3(?,?,?,?,00007FF8A8D8BCC8,?,00000000,00007FF8B8B27095), ref: 00007FF8B8B2B846
BIO_up_ref.LIBCRYPTO-3(?,?,?,?,00007FF8A8D8BCC8,?,00000000,00007FF8B8B27095), ref: 00007FF8B8B2B858
SSL_set_bio.LIBSSL-3(?,?,?,?,00007FF8A8D8BCC8,?,00000000,00007FF8B8B27095), ref: 00007FF8B8B2B86A
SSL_ctrl.LIBSSL-3(?,?,?,?,00007FF8A8D8BCC8,?,00000000,00007FF8B8B27095), ref: 00007FF8B8B2B87F
SSL_get_verify_mode.LIBSSL-3(?,?,?,?,00007FF8A8D8BCC8,?,00000000,00007FF8B8B27095), ref: 00007FF8B8B2B898
SSL_get_verify_callback.LIBSSL-3(?,?,?,?,00007FF8A8D8BCC8,?,00000000,00007FF8B8B27095), ref: 00007FF8B8B2B8A9
SSL_set_verify.LIBSSL-3(?,?,?,?,00007FF8A8D8BCC8,?,00000000,00007FF8B8B27095), ref: 00007FF8B8B2B8BB
SSL_set_post_handshake_auth.LIBSSL-3(?,?,?,?,00007FF8A8D8BCC8,?,00000000,00007FF8B8B27095), ref: 00007FF8B8B2B8C5
SSL_get_rbio.LIBSSL-3(?,?,?,?,00007FF8A8D8BCC8,?,00000000,00007FF8B8B27095), ref: 00007FF8B8B2B8F3
BIO_ctrl.LIBCRYPTO-3(?,?,?,?,00007FF8A8D8BCC8,?,00000000,00007FF8B8B27095), ref: 00007FF8B8B2B908
SSL_get_wbio.LIBSSL-3(?,?,?,?,00007FF8A8D8BCC8,?,00000000,00007FF8B8B27095), ref: 00007FF8B8B2B912
BIO_ctrl.LIBCRYPTO-3(?,?,?,?,00007FF8A8D8BCC8,?,00000000,00007FF8B8B27095), ref: 00007FF8B8B2B923
PyEval_SaveThread.PYTHON311(?,?,?,?,00007FF8A8D8BCC8,?,00000000,00007FF8B8B27095), ref: 00007FF8B8B2B929
SSL_set_connect_state.LIBSSL-3(?,?,?,?,00007FF8A8D8BCC8,?,00000000,00007FF8B8B27095), ref: 00007FF8B8B2B93B
SSL_set_accept_state.LIBSSL-3(?,?,?,?,00007FF8A8D8BCC8,?,00000000,00007FF8B8B27095), ref: 00007FF8B8B2B943
PyEval_RestoreThread.PYTHON311(?,?,?,?,00007FF8A8D8BCC8,?,00000000,00007FF8B8B27095), ref: 00007FF8B8B2B94C
PyWeakref_NewRef.PYTHON311(?,?,?,?,00007FF8A8D8BCC8,?,00000000,00007FF8B8B27095), ref: 00007FF8B8B2B960
_Py_Dealloc.PYTHON311(?,?,?,?,00007FF8A8D8BCC8,?,00000000,00007FF8B8B27095), ref: 00007FF8B8B2B9A4
PyObject_GC_Track.PYTHON311(?,?,?,?,00007FF8A8D8BCC8,?,00000000,00007FF8B8B27095), ref: 00007FF8B8B2B9DB

Strings

Cannot create a client socket with a PROTOCOL_TLS_SERVER context, xrefs: 00007FF8B8B2B75D
Cannot create a server socket with a PROTOCOL_TLS_CLIENT context, xrefs: 00007FF8B8B2B716

Memory Dump Source

Source File: 00000002.00000002.3267386125.00007FF8B8B21000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF8B8B20000, based on PE: true

Associated: 00000002.00000002.3267342079.00007FF8B8B20000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267454200.00007FF8B8B2D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267519342.00007FF8B8B40000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267586768.00007FF8B8B41000.00000008.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267643901.00007FF8B8B49000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b8b20000_Q3pEXxmWAD.jbxd

Similarity

API ID: Eval_Thread$DeallocO_ctrlO_up_refObject_RestoreSave$L_ctrlL_get0_paramL_get_rbioL_get_verify_callbackL_get_verify_modeL_get_wbioL_newL_set_accept_stateL_set_bioL_set_connect_stateL_set_ex_dataL_set_fdL_set_post_handshake_authL_set_verifyM_set_hostflagsR_clear_errorTrackWeakref_X509_
String ID: Cannot create a client socket with a PROTOCOL_TLS_SERVER context$Cannot create a server socket with a PROTOCOL_TLS_CLIENT context
API String ID: 4263894999-1683031804
Opcode ID: 0031bbf280b373c30cfbe2cbbd0a71c1935be5ad4a206d99c4ca01a24e5316e2
Instruction ID: c18e87e7b727711af9a87ba2da35c8c41c6c0e51cd40f0a0cd90ad19289cc2e2
Opcode Fuzzy Hash: 0031bbf280b373c30cfbe2cbbd0a71c1935be5ad4a206d99c4ca01a24e5316e2
Instruction Fuzzy Hash: B8913E75A08B46C6EA649F3AE44423D6BA0FF89BD0F945139CB4E47765CF3CE44A8708

Function 00007FF8B8B29ABC Relevance: 35.2, APIs: 15, Strings: 5, Instructions: 177threadCOMMON

Download Yara Rule

APIs

PyWeakref_GetObject.PYTHON311 ref: 00007FF8B8B29AEE
SSL_get_rbio.LIBSSL-3 ref: 00007FF8B8B29B46
BIO_ctrl.LIBCRYPTO-3 ref: 00007FF8B8B29B5B
SSL_get_wbio.LIBSSL-3 ref: 00007FF8B8B29B65
BIO_ctrl.LIBCRYPTO-3 ref: 00007FF8B8B29B76
_PyDeadline_Init.PYTHON311 ref: 00007FF8B8B29B8E

Part of subcall function 00007FF8B8B261C8: ERR_peek_last_error.LIBCRYPTO-3 ref: 00007FF8B8B261E0
Part of subcall function 00007FF8B8B261C8: ERR_clear_error.LIBCRYPTO-3 ref: 00007FF8B8B26209

PyErr_SetString.PYTHON311 ref: 00007FF8B8B29BC8
_Py_Dealloc.PYTHON311 ref: 00007FF8B8B29BDB
PyEval_SaveThread.PYTHON311 ref: 00007FF8B8B29C24
SSL_write_ex.LIBSSL-3 ref: 00007FF8B8B29C48
PyEval_RestoreThread.PYTHON311 ref: 00007FF8B8B29C86
PyErr_CheckSignals.PYTHON311 ref: 00007FF8B8B29C9D
_PyDeadline_Get.PYTHON311 ref: 00007FF8B8B29CB3
_Py_Dealloc.PYTHON311 ref: 00007FF8B8B29D11
PyLong_FromSize_t.PYTHON311 ref: 00007FF8B8B29D4B

Strings

The write operation timed out, xrefs: 00007FF8B8B29BBE
3, xrefs: 00007FF8B8B29B1E
Underlying socket connection gone, xrefs: 00007FF8B8B29B17
Underlying socket too large for select()., xrefs: 00007FF8B8B29C1B
Underlying socket has been closed., xrefs: 00007FF8B8B29C01

Memory Dump Source

Source File: 00000002.00000002.3267386125.00007FF8B8B21000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF8B8B20000, based on PE: true

Associated: 00000002.00000002.3267342079.00007FF8B8B20000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267454200.00007FF8B8B2D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267519342.00007FF8B8B40000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267586768.00007FF8B8B41000.00000008.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267643901.00007FF8B8B49000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b8b20000_Q3pEXxmWAD.jbxd

Similarity

API ID: Deadline_DeallocErr_Eval_O_ctrlThread$CheckFromInitL_get_rbioL_get_wbioL_write_exLong_ObjectR_clear_errorR_peek_last_errorRestoreSaveSignalsSize_tStringWeakref_
String ID: 3$The write operation timed out$Underlying socket connection gone$Underlying socket has been closed.$Underlying socket too large for select().
API String ID: 919700936-2917282068
Opcode ID: bf6b3c890ac77d66f34ece76bee8f8e568b33e21db145761fff3f3cb08034e98
Instruction ID: 8a7bbdff32601b60852db7c2726923dd5a479975748c95e0dd5f55726e77a4e6
Opcode Fuzzy Hash: bf6b3c890ac77d66f34ece76bee8f8e568b33e21db145761fff3f3cb08034e98
Instruction Fuzzy Hash: 98716226A08A4A85EB649F3A9854A7D6BA0FF89BD4F944131DF0E43754DF3CE44BC309

Function 00007FF8B8B2A0FC Relevance: 34.7, APIs: 23, Instructions: 173encryptionCOMMON

Download Yara Rule

APIs

PySet_New.PYTHON311 ref: 00007FF8B8B2A11E

Part of subcall function 00007FF8B8B2C0F4: CertOpenStore.CRYPT32 ref: 00007FF8B8B2C11F

_Py_Dealloc.PYTHON311 ref: 00007FF8B8B2A149
GetLastError.KERNEL32 ref: 00007FF8B8B2A14F
PyErr_SetFromWindowsErr.PYTHON311 ref: 00007FF8B8B2A157
PyBytes_FromStringAndSize.PYTHON311 ref: 00007FF8B8B2A171
_Py_Dealloc.PYTHON311 ref: 00007FF8B8B2A1B9
PyTuple_New.PYTHON311 ref: 00007FF8B8B2A1DD
PySet_Add.PYTHON311 ref: 00007FF8B8B2A204
_Py_Dealloc.PYTHON311 ref: 00007FF8B8B2A218
CertEnumCertificatesInStore.CRYPT32 ref: 00007FF8B8B2A224
_Py_Dealloc.PYTHON311 ref: 00007FF8B8B2A281

Part of subcall function 00007FF8B8B2B9EC: CertGetEnhancedKeyUsage.CRYPT32 ref: 00007FF8B8B2BA0B
Part of subcall function 00007FF8B8B2B9EC: GetLastError.KERNEL32(?,00007FF8B8B2A1A4), ref: 00007FF8B8B2BA15

_Py_Dealloc.PYTHON311 ref: 00007FF8B8B2A246
_Py_Dealloc.PYTHON311 ref: 00007FF8B8B2A25B
_Py_Dealloc.PYTHON311 ref: 00007FF8B8B2A26E
_Py_Dealloc.PYTHON311 ref: 00007FF8B8B2A296
CertFreeCertificateContext.CRYPT32 ref: 00007FF8B8B2A2A5
_Py_Dealloc.PYTHON311 ref: 00007FF8B8B2A2B9
_Py_Dealloc.PYTHON311 ref: 00007FF8B8B2A2CE
_Py_Dealloc.PYTHON311 ref: 00007FF8B8B2A2E2
_Py_Dealloc.PYTHON311 ref: 00007FF8B8B2A2F6
CertCloseStore.CRYPT32 ref: 00007FF8B8B2A304
PySequence_List.PYTHON311 ref: 00007FF8B8B2A324
_Py_Dealloc.PYTHON311 ref: 00007FF8B8B2A336

Part of subcall function 00007FF8B8B2AA80: PyUnicode_InternFromString.PYTHON311(?,?,00000000,00007FF8B8B2A18B), ref: 00007FF8B8B2AA9B
Part of subcall function 00007FF8B8B2AA80: PyUnicode_InternFromString.PYTHON311(?,?,00000000,00007FF8B8B2A18B), ref: 00007FF8B8B2AAC0

Memory Dump Source

Source File: 00000002.00000002.3267386125.00007FF8B8B21000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF8B8B20000, based on PE: true

Associated: 00000002.00000002.3267342079.00007FF8B8B20000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267454200.00007FF8B8B2D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267519342.00007FF8B8B40000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267586768.00007FF8B8B41000.00000008.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267643901.00007FF8B8B49000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b8b20000_Q3pEXxmWAD.jbxd

Similarity

API ID: Dealloc$Cert$From$StoreString$ErrorInternLastSet_Unicode_$Bytes_CertificateCertificatesCloseContextEnhancedEnumErr_FreeListOpenSequence_SizeTuple_UsageWindows
String ID:
API String ID: 2957225168-0
Opcode ID: 00cfbd82ab356ececa8d0fd7a9a76f3f1247062863f5d9192ddc75cfd238cd04
Instruction ID: dc2dedddff1dcd89af0cb527c619315e828c966f1f2aa788b081cfbd2c701d0a
Opcode Fuzzy Hash: 00cfbd82ab356ececa8d0fd7a9a76f3f1247062863f5d9192ddc75cfd238cd04
Instruction Fuzzy Hash: B0616C31E0DA0686FA599F79995463D6BA4BF45FE0F985434CB0E06B90DF3DE84B8308

Function 00007FF8B8B296C4 Relevance: 33.4, APIs: 14, Strings: 5, Instructions: 178threadCOMMON

Download Yara Rule

APIs

PyWeakref_GetObject.PYTHON311 ref: 00007FF8B8B296F0
SSL_get_rbio.LIBSSL-3 ref: 00007FF8B8B2972A
BIO_ctrl.LIBCRYPTO-3 ref: 00007FF8B8B29740
SSL_get_wbio.LIBSSL-3 ref: 00007FF8B8B2974A
BIO_ctrl.LIBCRYPTO-3 ref: 00007FF8B8B2975B
_PyDeadline_Init.PYTHON311 ref: 00007FF8B8B2977C
PyEval_SaveThread.PYTHON311 ref: 00007FF8B8B297CF
SSL_set_read_ahead.LIBSSL-3 ref: 00007FF8B8B297E8
SSL_shutdown.LIBSSL-3 ref: 00007FF8B8B297F5
PyEval_RestoreThread.PYTHON311 ref: 00007FF8B8B29831
_PyDeadline_Get.PYTHON311 ref: 00007FF8B8B2987E
_Py_Dealloc.PYTHON311 ref: 00007FF8B8B298C8
PyErr_SetString.PYTHON311 ref: 00007FF8B8B29915
_Py_Dealloc.PYTHON311 ref: 00007FF8B8B29932

Strings

The write operation timed out, xrefs: 00007FF8B8B2990E
Underlying socket connection gone, xrefs: 00007FF8B8B2978B
Underlying socket too large for select()., xrefs: 00007FF8B8B298E7
B, xrefs: 00007FF8B8B29798
The read operation timed out, xrefs: 00007FF8B8B298FF

Memory Dump Source

Source File: 00000002.00000002.3267386125.00007FF8B8B21000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF8B8B20000, based on PE: true

Associated: 00000002.00000002.3267342079.00007FF8B8B20000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267454200.00007FF8B8B2D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267519342.00007FF8B8B40000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267586768.00007FF8B8B41000.00000008.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267643901.00007FF8B8B49000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b8b20000_Q3pEXxmWAD.jbxd

Similarity

API ID: Deadline_DeallocEval_O_ctrlThread$Err_InitL_get_rbioL_get_wbioL_set_read_aheadL_shutdownObjectRestoreSaveStringWeakref_
String ID: B$The read operation timed out$The write operation timed out$Underlying socket connection gone$Underlying socket too large for select().
API String ID: 1084328889-1139084988
Opcode ID: 786450713eaa2fccca575bb657458fb339c0d4207d5a8d7b04ee1e30d4079a13
Instruction ID: fc2c390fea5b91ec106f46f729fa8523cf09170d7325b27b4a94ec9a270f0766
Opcode Fuzzy Hash: 786450713eaa2fccca575bb657458fb339c0d4207d5a8d7b04ee1e30d4079a13
Instruction Fuzzy Hash: AE719221A08A4A85EB619F39E454A7E6B61FF85BD0F940131CF4E076A5DF3CE447C309

Function 00007FF8B8B289E0 Relevance: 31.7, APIs: 14, Strings: 4, Instructions: 162threadCOMMON

Download Yara Rule

APIs

PyWeakref_GetObject.PYTHON311 ref: 00007FF8B8B28A0C
SSL_get_rbio.LIBSSL-3 ref: 00007FF8B8B28A65
BIO_ctrl.LIBCRYPTO-3 ref: 00007FF8B8B28A7A
SSL_get_wbio.LIBSSL-3 ref: 00007FF8B8B28A84
BIO_ctrl.LIBCRYPTO-3 ref: 00007FF8B8B28A95
_PyDeadline_Init.PYTHON311 ref: 00007FF8B8B28AB0

Part of subcall function 00007FF8B8B261C8: ERR_peek_last_error.LIBCRYPTO-3 ref: 00007FF8B8B261E0
Part of subcall function 00007FF8B8B261C8: ERR_clear_error.LIBCRYPTO-3 ref: 00007FF8B8B26209

PyEval_SaveThread.PYTHON311 ref: 00007FF8B8B28AC6
SSL_do_handshake.LIBSSL-3 ref: 00007FF8B8B28AD3
PyEval_RestoreThread.PYTHON311 ref: 00007FF8B8B28B12
PyErr_CheckSignals.PYTHON311 ref: 00007FF8B8B28B29
_PyDeadline_Get.PYTHON311 ref: 00007FF8B8B28B3F
_Py_Dealloc.PYTHON311 ref: 00007FF8B8B28B9B
PyErr_SetString.PYTHON311 ref: 00007FF8B8B28BEC
_Py_Dealloc.PYTHON311 ref: 00007FF8B8B28C00

Strings

_ssl.c:997: Underlying socket too large for select()., xrefs: 00007FF8B8B28BBD
_ssl.c:989: The handshake operation timed out, xrefs: 00007FF8B8B28BE2
Underlying socket connection gone, xrefs: 00007FF8B8B28A36
_ssl.c:993: Underlying socket has been closed., xrefs: 00007FF8B8B28BC6

Memory Dump Source

Source File: 00000002.00000002.3267386125.00007FF8B8B21000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF8B8B20000, based on PE: true

Associated: 00000002.00000002.3267342079.00007FF8B8B20000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267454200.00007FF8B8B2D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267519342.00007FF8B8B40000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267586768.00007FF8B8B41000.00000008.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267643901.00007FF8B8B49000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b8b20000_Q3pEXxmWAD.jbxd

Similarity

API ID: Deadline_DeallocErr_Eval_O_ctrlThread$CheckInitL_do_handshakeL_get_rbioL_get_wbioObjectR_clear_errorR_peek_last_errorRestoreSaveSignalsStringWeakref_
String ID: Underlying socket connection gone$_ssl.c:989: The handshake operation timed out$_ssl.c:993: Underlying socket has been closed.$_ssl.c:997: Underlying socket too large for select().
API String ID: 3614085790-581767418
Opcode ID: fb66ee667b99c74b2d02b9e66a64809caaccb1e6aa0245eb93b8f93ad39b7a38
Instruction ID: f0c9c480cdc378fc863229195943e09aec2e6e53ab26a5236585dc5e30fc204a
Opcode Fuzzy Hash: fb66ee667b99c74b2d02b9e66a64809caaccb1e6aa0245eb93b8f93ad39b7a38
Instruction Fuzzy Hash: CA619F22A08A4A85EB609F39989457D2B60FF89BD4F984135DF0E47764DF3DE487C348

Function 00007FF8B8B2A448 Relevance: 30.1, APIs: 20, Instructions: 138encryptionCOMMON

Download Yara Rule

APIs

PySet_New.PYTHON311 ref: 00007FF8B8B2A465

Part of subcall function 00007FF8B8B2C0F4: CertOpenStore.CRYPT32 ref: 00007FF8B8B2C11F

_Py_Dealloc.PYTHON311 ref: 00007FF8B8B2A490
GetLastError.KERNEL32 ref: 00007FF8B8B2A496
PyErr_SetFromWindowsErr.PYTHON311 ref: 00007FF8B8B2A49E
PyBytes_FromStringAndSize.PYTHON311 ref: 00007FF8B8B2A4B5
PyTuple_New.PYTHON311 ref: 00007FF8B8B2A4E0
PySet_Add.PYTHON311 ref: 00007FF8B8B2A500
_Py_Dealloc.PYTHON311 ref: 00007FF8B8B2A514
CertEnumCRLsInStore.CRYPT32 ref: 00007FF8B8B2A520
_Py_Dealloc.PYTHON311 ref: 00007FF8B8B2A542
_Py_Dealloc.PYTHON311 ref: 00007FF8B8B2A557
_Py_Dealloc.PYTHON311 ref: 00007FF8B8B2A56A
_Py_Dealloc.PYTHON311 ref: 00007FF8B8B2A57D
CertFreeCRLContext.CRYPT32 ref: 00007FF8B8B2A58A
_Py_Dealloc.PYTHON311 ref: 00007FF8B8B2A59F
_Py_Dealloc.PYTHON311 ref: 00007FF8B8B2A5B3
_Py_Dealloc.PYTHON311 ref: 00007FF8B8B2A5C7
CertCloseStore.CRYPT32 ref: 00007FF8B8B2A5D5
PySequence_List.PYTHON311 ref: 00007FF8B8B2A5F5
_Py_Dealloc.PYTHON311 ref: 00007FF8B8B2A607

Part of subcall function 00007FF8B8B2AA80: PyUnicode_InternFromString.PYTHON311(?,?,00000000,00007FF8B8B2A18B), ref: 00007FF8B8B2AA9B
Part of subcall function 00007FF8B8B2AA80: PyUnicode_InternFromString.PYTHON311(?,?,00000000,00007FF8B8B2A18B), ref: 00007FF8B8B2AAC0

Memory Dump Source

Source File: 00000002.00000002.3267386125.00007FF8B8B21000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF8B8B20000, based on PE: true

Associated: 00000002.00000002.3267342079.00007FF8B8B20000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267454200.00007FF8B8B2D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267519342.00007FF8B8B40000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267586768.00007FF8B8B41000.00000008.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267643901.00007FF8B8B49000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b8b20000_Q3pEXxmWAD.jbxd

Similarity

API ID: Dealloc$CertFrom$StoreString$InternSet_Unicode_$Bytes_CloseContextEnumErr_ErrorFreeLastListOpenSequence_SizeTuple_Windows
String ID:
API String ID: 1063190953-0
Opcode ID: eb047e3373abf0ec0b41bb6c844c8189c5dd6aff23c62de071c86eaad8799ed7
Instruction ID: dafe8ef2c5b613c408b4dedd432824df0858c21ccb13136590db1b192f0bf0ea
Opcode Fuzzy Hash: eb047e3373abf0ec0b41bb6c844c8189c5dd6aff23c62de071c86eaad8799ed7
Instruction Fuzzy Hash: D5514D31E0DA0686FA559F7D995853E7B92AF45BE0F985834CB0E06B90DF2CF44B8308

Function 00007FF8B8B24EC4 Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 66COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF8B8B21558: OBJ_obj2txt.LIBCRYPTO-3 ref: 00007FF8B8B2159D
Part of subcall function 00007FF8B8B21558: PyUnicode_FromStringAndSize.PYTHON311 ref: 00007FF8B8B215C3

ASN1_STRING_type.LIBCRYPTO-3(?,?,?,?,00000000,00007FF8B8B24DC3), ref: 00007FF8B8B24F08
ASN1_STRING_length.LIBCRYPTO-3(?,?,?,?,00000000,00007FF8B8B24DC3), ref: 00007FF8B8B24F16
ASN1_STRING_get0_data.LIBCRYPTO-3(?,?,?,?,00000000,00007FF8B8B24DC3), ref: 00007FF8B8B24F22
_Py_BuildValue_SizeT.PYTHON311(?,?,?,?,00000000,00007FF8B8B24DC3), ref: 00007FF8B8B24F38

Part of subcall function 00007FF8B8B261C8: ERR_peek_last_error.LIBCRYPTO-3 ref: 00007FF8B8B261E0
Part of subcall function 00007FF8B8B261C8: ERR_clear_error.LIBCRYPTO-3 ref: 00007FF8B8B26209

Strings

Ns#, xrefs: 00007FF8B8B24F8C
D:\a\1\s\Modules\_ssl.c, xrefs: 00007FF8B8B24FA1
Ny#, xrefs: 00007FF8B8B24F2B

Memory Dump Source

Source File: 00000002.00000002.3267386125.00007FF8B8B21000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF8B8B20000, based on PE: true

Associated: 00000002.00000002.3267342079.00007FF8B8B20000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267454200.00007FF8B8B2D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267519342.00007FF8B8B40000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267586768.00007FF8B8B41000.00000008.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267643901.00007FF8B8B49000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b8b20000_Q3pEXxmWAD.jbxd

Similarity

API ID: Size$BuildFromG_get0_dataG_lengthG_typeJ_obj2txtR_clear_errorR_peek_last_errorStringUnicode_Value_
String ID: D:\a\1\s\Modules\_ssl.c$Ns#$Ny#
API String ID: 264388756-3706530764
Opcode ID: 1db0223c09ea266e2185b0babf05a6766941df6c9eba47953027eeb8ca545ffa
Instruction ID: baf09af6e8332fbf61d980e2b6436cc14cac477e5b9e6b57d9193db91407d3f5
Opcode Fuzzy Hash: 1db0223c09ea266e2185b0babf05a6766941df6c9eba47953027eeb8ca545ffa
Instruction Fuzzy Hash: E2218225A0CA9781FB549F3EA44427DAB50AF8ABD4F945030DF0E47B55DF2CE14B8708

Function 00007FF8B7DE18A0 Relevance: 13.9, APIs: 9, Instructions: 425COMMON

Download Yara Rule

APIs

PyMem_Malloc.PYTHON311 ref: 00007FF8B7DE190B
PyType_IsSubtype.PYTHON311 ref: 00007FF8B7DE19F5
PyType_IsSubtype.PYTHON311 ref: 00007FF8B7DE1A52
PyUnicode_FromKindAndData.PYTHON311 ref: 00007FF8B7DE1B2D
PyMem_Free.PYTHON311 ref: 00007FF8B7DE1B3E
PyMem_Realloc.PYTHON311 ref: 00007FF8B7DE1CF8

Memory Dump Source

Source File: 00000002.00000002.3266207103.00007FF8B7DE1000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF8B7DE0000, based on PE: true

Associated: 00000002.00000002.3266148560.00007FF8B7DE0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7DE5000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7E42000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7E8E000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7E91000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7E96000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7EF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266902753.00007FF8B7EF3000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266961919.00007FF8B7EF5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b7de0000_Q3pEXxmWAD.jbxd

Similarity

API ID: Mem_$SubtypeType_$DataFreeFromKindMallocReallocUnicode_
String ID:
API String ID: 1742244024-0
Opcode ID: 5c1050c68e97de161cd6d8c48e9085a3eef7c228c5941944440c3b79a23d7220
Instruction ID: f67055fcff68ead51afb635147617d205bfff68fe241acadd866793296a6374a
Opcode Fuzzy Hash: 5c1050c68e97de161cd6d8c48e9085a3eef7c228c5941944440c3b79a23d7220
Instruction Fuzzy Hash: 8B02FF72B0879282EF668B1DD54467D76A1EB457C4F5C4335DBAE867B8EE2EE840C300

Function 00007FF8B8B22FF8 Relevance: 13.6, APIs: 9, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF8B8B23014
memset.VCRUNTIME140 ref: 00007FF8B8B23038
RtlCaptureContext.KERNEL32 ref: 00007FF8B8B23041
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF8B8B2305B
RtlVirtualUnwind.KERNEL32 ref: 00007FF8B8B2309C
memset.VCRUNTIME140 ref: 00007FF8B8B230CF
IsDebuggerPresent.KERNEL32 ref: 00007FF8B8B230F0
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF8B8B23111
UnhandledExceptionFilter.KERNEL32 ref: 00007FF8B8B2311C

Memory Dump Source

Source File: 00000002.00000002.3267386125.00007FF8B8B21000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF8B8B20000, based on PE: true

Associated: 00000002.00000002.3267342079.00007FF8B8B20000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267454200.00007FF8B8B2D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267519342.00007FF8B8B40000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267586768.00007FF8B8B41000.00000008.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267643901.00007FF8B8B49000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b8b20000_Q3pEXxmWAD.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandledmemset$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 313767242-0
Opcode ID: 95a6715441451f332765c81f1ec3e8738af08fa5e0456622ef6d16990be337b9
Instruction ID: 492b3d9449a690cda96927afa7c5cf6fa6136fa73be39909679f0d42c261660f
Opcode Fuzzy Hash: 95a6715441451f332765c81f1ec3e8738af08fa5e0456622ef6d16990be337b9
Instruction Fuzzy Hash: 8D318F72609A8185EB608F74E8503EE7760FB88394F84443ADB4D47AA8DF3CD14AC708

Function 00007FF8B7DE3058 Relevance: 13.6, APIs: 9, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF8B7DE3074
memset.VCRUNTIME140 ref: 00007FF8B7DE3098
RtlCaptureContext.KERNEL32 ref: 00007FF8B7DE30A1
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF8B7DE30BB
RtlVirtualUnwind.KERNEL32 ref: 00007FF8B7DE30FC
memset.VCRUNTIME140 ref: 00007FF8B7DE312F
IsDebuggerPresent.KERNEL32 ref: 00007FF8B7DE3150
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF8B7DE3171
UnhandledExceptionFilter.KERNEL32 ref: 00007FF8B7DE317C

Memory Dump Source

Source File: 00000002.00000002.3266207103.00007FF8B7DE1000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF8B7DE0000, based on PE: true

Associated: 00000002.00000002.3266148560.00007FF8B7DE0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7DE5000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7E42000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7E8E000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7E91000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7E96000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7EF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266902753.00007FF8B7EF3000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266961919.00007FF8B7EF5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b7de0000_Q3pEXxmWAD.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandledmemset$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 313767242-0
Opcode ID: d5821aaf4936ad9aa18e348792a4e6496cc638c229f42c96d8f2983ca85ed40f
Instruction ID: fcb052c189b66f679058dd11cead065dfd6e49cd1c3ddd2beeaf0f62f714e77e
Opcode Fuzzy Hash: d5821aaf4936ad9aa18e348792a4e6496cc638c229f42c96d8f2983ca85ed40f
Instruction Fuzzy Hash: C2316C72609B8186EB618F64E8503FD3364FB847C4F48413ADB5E57AA8EF38D648C710

Function 00007FF615A44F10 Relevance: 9.3, APIs: 6, Instructions: 334timeCOMMON

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FF615A44F55

Part of subcall function 00007FF615A448A8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF615A448BC

Part of subcall function 00007FF615A39C58: HeapFree.KERNEL32(?,?,?,00007FF615A42032,?,?,?,00007FF615A4206F,?,?,00000000,00007FF615A42535,?,?,?,00007FF615A42467), ref: 00007FF615A39C6E
Part of subcall function 00007FF615A39C58: GetLastError.KERNEL32(?,?,?,00007FF615A42032,?,?,?,00007FF615A4206F,?,?,00000000,00007FF615A42535,?,?,?,00007FF615A42467), ref: 00007FF615A39C78

Part of subcall function 00007FF615A39C10: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FF615A39BEF,?,?,?,?,?,00007FF615A39ADA), ref: 00007FF615A39C19
Part of subcall function 00007FF615A39C10: GetCurrentProcess.KERNEL32(?,?,?,?,00007FF615A39BEF,?,?,?,?,?,00007FF615A39ADA), ref: 00007FF615A39C3E

_get_daylight.LIBCMT ref: 00007FF615A44F44

Part of subcall function 00007FF615A44908: _invalid_parameter_noinfo.LIBCMT ref: 00007FF615A4491C

_get_daylight.LIBCMT ref: 00007FF615A451BA
_get_daylight.LIBCMT ref: 00007FF615A451CB
_get_daylight.LIBCMT ref: 00007FF615A451DC
GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00007FF615A4541C), ref: 00007FF615A45203

Memory Dump Source

Source File: 00000002.00000002.3259986105.00007FF615A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF615A20000, based on PE: true

Associated: 00000002.00000002.3259944406.00007FF615A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260064010.00007FF615A4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260157531.00007FF615A5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260157531.00007FF615A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260262206.00007FF615A66000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff615a20000_Q3pEXxmWAD.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo$CurrentErrorFeatureFreeHeapInformationLastPresentProcessProcessorTimeZone
String ID:
API String ID: 4070488512-0
Opcode ID: 1e88bcb5f495bb70dc88d60703a9f776145871d29d9eb43ad6078281b4d73a6f
Instruction ID: d898e1631a2a89432eea7d3e42ac775ccf009769dcaf6f6c091879ddfa03a7c9
Opcode Fuzzy Hash: 1e88bcb5f495bb70dc88d60703a9f776145871d29d9eb43ad6078281b4d73a6f
Instruction Fuzzy Hash: 3DD1C426E48A424AE720EF66D4511B9A791FF88FA4F484235EA4DC7AA5DF3CEC41C740

Function 00007FF615A39924 Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF615A3999D
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF615A399B5
RtlVirtualUnwind.KERNEL32 ref: 00007FF615A399F0
IsDebuggerPresent.KERNEL32 ref: 00007FF615A39A29
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF615A39A33
UnhandledExceptionFilter.KERNEL32 ref: 00007FF615A39A3E

Memory Dump Source

Source File: 00000002.00000002.3259986105.00007FF615A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF615A20000, based on PE: true

Associated: 00000002.00000002.3259944406.00007FF615A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260064010.00007FF615A4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260157531.00007FF615A5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260157531.00007FF615A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260262206.00007FF615A66000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff615a20000_Q3pEXxmWAD.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: f336cc4ee628281f12481126c86b188c106f14650002c00baa1860decbda2c10
Instruction ID: aba8df26f76246d542c0a4a1590807c708f0ba641064d68484cb93579808676d
Opcode Fuzzy Hash: f336cc4ee628281f12481126c86b188c106f14650002c00baa1860decbda2c10
Instruction Fuzzy Hash: E0315332658F8586DB60CF65E8402AEB3A4FF88F64F540235EA9D83B65DF38C555C700

Function 00007FF8B8B24C40 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

i2d_X509.LIBCRYPTO-3 ref: 00007FF8B8B24C5A
PyBytes_FromStringAndSize.PYTHON311 ref: 00007FF8B8B24C85
CRYPTO_free.LIBCRYPTO-3 ref: 00007FF8B8B24CA0

Part of subcall function 00007FF8B8B261C8: ERR_peek_last_error.LIBCRYPTO-3 ref: 00007FF8B8B261E0
Part of subcall function 00007FF8B8B261C8: ERR_clear_error.LIBCRYPTO-3 ref: 00007FF8B8B26209

Strings

D:\a\1\s\Modules\_ssl.c, xrefs: 00007FF8B8B24C90

Memory Dump Source

Source File: 00000002.00000002.3267386125.00007FF8B8B21000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF8B8B20000, based on PE: true

Associated: 00000002.00000002.3267342079.00007FF8B8B20000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267454200.00007FF8B8B2D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267519342.00007FF8B8B40000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267586768.00007FF8B8B41000.00000008.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267643901.00007FF8B8B49000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b8b20000_Q3pEXxmWAD.jbxd

Similarity

API ID: Bytes_FromO_freeR_clear_errorR_peek_last_errorSizeStringX509i2d_
String ID: D:\a\1\s\Modules\_ssl.c
API String ID: 2720122973-132925792
Opcode ID: 9af05a4043ec2e85ce9df03048124a835a201c5827042fc1ec5692019a40c01c
Instruction ID: 7ab7b87ab608a12df2c71bda2f35d274c4fdf905d03808de418dc84208c56fe6
Opcode Fuzzy Hash: 9af05a4043ec2e85ce9df03048124a835a201c5827042fc1ec5692019a40c01c
Instruction Fuzzy Hash: 47F06D51B18A4682EF008F7AE44436EA751EB89BD5F844535DE4E46B54EFBCE00E8704

Function 00007FF8B8B21610 Relevance: 334.6, APIs: 95, Strings: 96, Instructions: 397COMMON

Download Yara Rule

APIs

PyModule_AddStringConstant.PYTHON311 ref: 00007FF8B8B21627
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8B2163D
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8B21653
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8B21669
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8B2167F
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8B21695
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8B216AB
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8B216C1
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8B216D7
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8B216ED
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8B21700
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8B21716
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8B2172C
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8B2173F
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8B21755
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8B2176B
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8B21781
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8B21797
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8B217AD
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8B217C3
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8B217D6
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8B217EC
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8B21802
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8B21818
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8B2182E
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8B21844
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8B2185A
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8B21870
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8B21886
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8B2189C
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8B218B2
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8B218C8
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8B218DE
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8B218F4
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8B2190A
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8B21920
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8B21936
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8B2194C
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8B21962
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8B21978
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8B2198E
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8B219A4
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8B219BA
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8B219D0
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8B219E6
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8B219FC
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8B21A12
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8B21A28
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8B21A3E
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8B21A54
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8B21A6A
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8B21A80
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8B21A96
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8B21AAC
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8B21AC2
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8B21AD5
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8B21AEB
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8B21B01
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8B21B17
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8B21B2D
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8B21B43
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8B21B59
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8B21B6C
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8B21B82
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8B21B95
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8B21BAB
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8B21BC1
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8B21BD7
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8B21BED
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8B21C03
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8B21C19
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8B21C2F
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8B21C45
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8B21C5B
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8B21C71
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8B21C87
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8B21C9D
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8B21CB3
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8B21CC9
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8B21CDF
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8B21CF5
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8B21D0B
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8B21D21
PyModule_AddIntConstant.PYTHON311 ref: 00007FF8B8B21D37
PyModule_AddObject.PYTHON311 ref: 00007FF8B8B21D51
PyModule_AddObject.PYTHON311 ref: 00007FF8B8B21D6B
PyModule_AddObject.PYTHON311 ref: 00007FF8B8B21D85
PyModule_AddObject.PYTHON311 ref: 00007FF8B8B21D9F
PyModule_AddObject.PYTHON311 ref: 00007FF8B8B21DB9
PyModule_AddObject.PYTHON311 ref: 00007FF8B8B21DD3
PyModule_AddObject.PYTHON311 ref: 00007FF8B8B21DED
PyModule_AddObject.PYTHON311 ref: 00007FF8B8B21E07
PyModule_AddObject.PYTHON311 ref: 00007FF8B8B21E21
PyModule_AddObject.PYTHON311 ref: 00007FF8B8B21E3B
PyModule_AddObject.PYTHON311 ref: 00007FF8B8B21E55

Strings

HAS_SNI, xrefs: 00007FF8B8B21D44
HAS_NPN, xrefs: 00007FF8B8B21D92
CERT_REQUIRED, xrefs: 00007FF8B8B21722
OP_NO_TLSv1_1, xrefs: 00007FF8B8B21B0D
ENCODING_DER, xrefs: 00007FF8B8B21C93
OP_SINGLE_DH_USE, xrefs: 00007FF8B8B21B62
HAS_SSLv2, xrefs: 00007FF8B8B21DC6
ALERT_DESCRIPTION_UNSUPPORTED_CERTIFICATE, xrefs: 00007FF8B8B21866
ALERT_DESCRIPTION_UNKNOWN_PSK_IDENTITY, xrefs: 00007FF8B8B21A08
OP_NO_SSLv2, xrefs: 00007FF8B8B21ACB
HAS_ALPN, xrefs: 00007FF8B8B21DAC
HAS_TLSv1_1, xrefs: 00007FF8B8B21E14
SSL_ERROR_SYSCALL, xrefs: 00007FF8B8B2168B
ALERT_DESCRIPTION_UNSUPPORTED_EXTENSION, xrefs: 00007FF8B8B2199A
HAS_TLSv1_2, xrefs: 00007FF8B8B21E2E
OP_NO_COMPRESSION, xrefs: 00007FF8B8B21BA1
ALERT_DESCRIPTION_RECORD_OVERFLOW, xrefs: 00007FF8B8B2180E
OP_NO_TLSv1_3, xrefs: 00007FF8B8B21B39
CERT_OPTIONAL, xrefs: 00007FF8B8B2170C
ALERT_DESCRIPTION_DECOMPRESSION_FAILURE, xrefs: 00007FF8B8B21824
OP_SINGLE_ECDH_USE, xrefs: 00007FF8B8B21B8B
HAS_SSLv3, xrefs: 00007FF8B8B21DE0
CERT_NONE, xrefs: 00007FF8B8B216F6
PROTO_MAXIMUM_SUPPORTED, xrefs: 00007FF8B8B21CBF
@SECLEVEL=2:ECDH+AESGCM:ECDH+CHACHA20:ECDH+AES:DHE+AES:!aNULL:!eNULL:!aDSS:!SHA1:!AESCCM, xrefs: 00007FF8B8B21616
SSL_ERROR_WANT_WRITE, xrefs: 00007FF8B8B2165F
ALERT_DESCRIPTION_DECODE_ERROR, xrefs: 00007FF8B8B21900
ALERT_DESCRIPTION_CERTIFICATE_EXPIRED, xrefs: 00007FF8B8B21892
ALERT_DESCRIPTION_UNRECOGNIZED_NAME, xrefs: 00007FF8B8B219C6
SSL_ERROR_EOF, xrefs: 00007FF8B8B216CD
OP_CIPHER_SERVER_PREFERENCE, xrefs: 00007FF8B8B21B4F
PROTO_TLSv1_3, xrefs: 00007FF8B8B21D2D
ALERT_DESCRIPTION_CERTIFICATE_UNKNOWN, xrefs: 00007FF8B8B218A8
HOSTFLAG_NO_WILDCARDS, xrefs: 00007FF8B8B21C25
HAS_TLSv1, xrefs: 00007FF8B8B21DFA
ALERT_DESCRIPTION_BAD_RECORD_MAC, xrefs: 00007FF8B8B217F8
OP_NO_SSLv3, xrefs: 00007FF8B8B21AE1
PROTOCOL_TLSv1, xrefs: 00007FF8B8B21A76
PROTOCOL_TLS_SERVER, xrefs: 00007FF8B8B21A60
PROTO_SSLv3, xrefs: 00007FF8B8B21CD5
ALERT_DESCRIPTION_ILLEGAL_PARAMETER, xrefs: 00007FF8B8B218BE
ALERT_DESCRIPTION_UNKNOWN_CA, xrefs: 00007FF8B8B218D4
SSL_ERROR_SSL, xrefs: 00007FF8B8B216A1
SSL_ERROR_WANT_CONNECT, xrefs: 00007FF8B8B216B7
ENCODING_PEM, xrefs: 00007FF8B8B21C7D
ALERT_DESCRIPTION_DECRYPT_ERROR, xrefs: 00007FF8B8B21916
ALERT_DESCRIPTION_BAD_CERTIFICATE_STATUS_RESPONSE, xrefs: 00007FF8B8B219DC
SSL_ERROR_WANT_READ, xrefs: 00007FF8B8B21649
ALERT_DESCRIPTION_USER_CANCELLED, xrefs: 00007FF8B8B2196E
HOSTFLAG_NEVER_CHECK_SUBJECT, xrefs: 00007FF8B8B21C0F
VERIFY_ALLOW_PROXY_CERTS, xrefs: 00007FF8B8B2178D
ALERT_DESCRIPTION_HANDSHAKE_FAILURE, xrefs: 00007FF8B8B2183A
ALERT_DESCRIPTION_ACCESS_DENIED, xrefs: 00007FF8B8B218EA
PROTO_TLSv1, xrefs: 00007FF8B8B21CEB
PROTOCOL_TLSv1_2, xrefs: 00007FF8B8B21AA2
VERIFY_X509_PARTIAL_CHAIN, xrefs: 00007FF8B8B217B9
OP_ENABLE_MIDDLEBOX_COMPAT, xrefs: 00007FF8B8B21BB7
ALERT_DESCRIPTION_CERTIFICATE_REVOKED, xrefs: 00007FF8B8B2187C
OP_NO_TICKET, xrefs: 00007FF8B8B21B78
SSL_ERROR_WANT_X509_LOOKUP, xrefs: 00007FF8B8B21675
OP_IGNORE_UNEXPECTED_EOF, xrefs: 00007FF8B8B21BE3
HOSTFLAG_SINGLE_LABEL_SUBDOMAINS, xrefs: 00007FF8B8B21C67
SSL_ERROR_ZERO_RETURN, xrefs: 00007FF8B8B21633
VERIFY_X509_STRICT, xrefs: 00007FF8B8B21777
ALERT_DESCRIPTION_CLOSE_NOTIFY, xrefs: 00007FF8B8B217CC
ALERT_DESCRIPTION_CERTIFICATE_UNOBTAINABLE, xrefs: 00007FF8B8B219B0
ALERT_DESCRIPTION_BAD_CERTIFICATE_HASH_VALUE, xrefs: 00007FF8B8B219F2
PROTOCOL_TLS, xrefs: 00007FF8B8B21A34
OP_NO_TLSv1_2, xrefs: 00007FF8B8B21B23
ALERT_DESCRIPTION_INTERNAL_ERROR, xrefs: 00007FF8B8B21958
VERIFY_DEFAULT, xrefs: 00007FF8B8B21735
OP_NO_RENEGOTIATION, xrefs: 00007FF8B8B21BCD
PROTO_MINIMUM_SUPPORTED, xrefs: 00007FF8B8B21CA9
_DEFAULT_CIPHERS, xrefs: 00007FF8B8B21620
VERIFY_X509_TRUSTED_FIRST, xrefs: 00007FF8B8B217A3
VERIFY_CRL_CHECK_CHAIN, xrefs: 00007FF8B8B21761
HOSTFLAG_ALWAYS_CHECK_SUBJECT, xrefs: 00007FF8B8B21BF9
OP_ALL, xrefs: 00007FF8B8B21AB8
ALERT_DESCRIPTION_PROTOCOL_VERSION, xrefs: 00007FF8B8B2192C
PROTOCOL_TLS_CLIENT, xrefs: 00007FF8B8B21A4A
ALERT_DESCRIPTION_INSUFFICIENT_SECURITY, xrefs: 00007FF8B8B21942
ALERT_DESCRIPTION_NO_RENEGOTIATION, xrefs: 00007FF8B8B21984
OP_NO_TLSv1, xrefs: 00007FF8B8B21AF7
PROTO_TLSv1_1, xrefs: 00007FF8B8B21D01
SSL_ERROR_INVALID_ERROR_CODE, xrefs: 00007FF8B8B216E3
HOSTFLAG_MULTI_LABEL_WILDCARDS, xrefs: 00007FF8B8B21C51
VERIFY_CRL_CHECK_LEAF, xrefs: 00007FF8B8B2174B
PROTO_TLSv1_2, xrefs: 00007FF8B8B21D17
PROTOCOL_SSLv23, xrefs: 00007FF8B8B21A1E
HAS_TLSv1_3, xrefs: 00007FF8B8B21E48
HOSTFLAG_NO_PARTIAL_WILDCARDS, xrefs: 00007FF8B8B21C3B
HAS_TLS_UNIQUE, xrefs: 00007FF8B8B21D5E
ALERT_DESCRIPTION_BAD_CERTIFICATE, xrefs: 00007FF8B8B21850
HAS_ECDH, xrefs: 00007FF8B8B21D78
PROTOCOL_TLSv1_1, xrefs: 00007FF8B8B21A8C
ALERT_DESCRIPTION_UNEXPECTED_MESSAGE, xrefs: 00007FF8B8B217E2

Memory Dump Source

Source File: 00000002.00000002.3267386125.00007FF8B8B21000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF8B8B20000, based on PE: true

Associated: 00000002.00000002.3267342079.00007FF8B8B20000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267454200.00007FF8B8B2D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267519342.00007FF8B8B40000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267586768.00007FF8B8B41000.00000008.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267643901.00007FF8B8B49000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b8b20000_Q3pEXxmWAD.jbxd

Similarity

API ID: Module_$Constant$Object$String
String ID: @SECLEVEL=2:ECDH+AESGCM:ECDH+CHACHA20:ECDH+AES:DHE+AES:!aNULL:!eNULL:!aDSS:!SHA1:!AESCCM$ALERT_DESCRIPTION_ACCESS_DENIED$ALERT_DESCRIPTION_BAD_CERTIFICATE$ALERT_DESCRIPTION_BAD_CERTIFICATE_HASH_VALUE$ALERT_DESCRIPTION_BAD_CERTIFICATE_STATUS_RESPONSE$ALERT_DESCRIPTION_BAD_RECORD_MAC$ALERT_DESCRIPTION_CERTIFICATE_EXPIRED$ALERT_DESCRIPTION_CERTIFICATE_REVOKED$ALERT_DESCRIPTION_CERTIFICATE_UNKNOWN$ALERT_DESCRIPTION_CERTIFICATE_UNOBTAINABLE$ALERT_DESCRIPTION_CLOSE_NOTIFY$ALERT_DESCRIPTION_DECODE_ERROR$ALERT_DESCRIPTION_DECOMPRESSION_FAILURE$ALERT_DESCRIPTION_DECRYPT_ERROR$ALERT_DESCRIPTION_HANDSHAKE_FAILURE$ALERT_DESCRIPTION_ILLEGAL_PARAMETER$ALERT_DESCRIPTION_INSUFFICIENT_SECURITY$ALERT_DESCRIPTION_INTERNAL_ERROR$ALERT_DESCRIPTION_NO_RENEGOTIATION$ALERT_DESCRIPTION_PROTOCOL_VERSION$ALERT_DESCRIPTION_RECORD_OVERFLOW$ALERT_DESCRIPTION_UNEXPECTED_MESSAGE$ALERT_DESCRIPTION_UNKNOWN_CA$ALERT_DESCRIPTION_UNKNOWN_PSK_IDENTITY$ALERT_DESCRIPTION_UNRECOGNIZED_NAME$ALERT_DESCRIPTION_UNSUPPORTED_CERTIFICATE$ALERT_DESCRIPTION_UNSUPPORTED_EXTENSION$ALERT_DESCRIPTION_USER_CANCELLED$CERT_NONE$CERT_OPTIONAL$CERT_REQUIRED$ENCODING_DER$ENCODING_PEM$HAS_ALPN$HAS_ECDH$HAS_NPN$HAS_SNI$HAS_SSLv2$HAS_SSLv3$HAS_TLS_UNIQUE$HAS_TLSv1$HAS_TLSv1_1$HAS_TLSv1_2$HAS_TLSv1_3$HOSTFLAG_ALWAYS_CHECK_SUBJECT$HOSTFLAG_MULTI_LABEL_WILDCARDS$HOSTFLAG_NEVER_CHECK_SUBJECT$HOSTFLAG_NO_PARTIAL_WILDCARDS$HOSTFLAG_NO_WILDCARDS$HOSTFLAG_SINGLE_LABEL_SUBDOMAINS$OP_ALL$OP_CIPHER_SERVER_PREFERENCE$OP_ENABLE_MIDDLEBOX_COMPAT$OP_IGNORE_UNEXPECTED_EOF$OP_NO_COMPRESSION$OP_NO_RENEGOTIATION$OP_NO_SSLv2$OP_NO_SSLv3$OP_NO_TICKET$OP_NO_TLSv1$OP_NO_TLSv1_1$OP_NO_TLSv1_2$OP_NO_TLSv1_3$OP_SINGLE_DH_USE$OP_SINGLE_ECDH_USE$PROTOCOL_SSLv23$PROTOCOL_TLS$PROTOCOL_TLS_CLIENT$PROTOCOL_TLS_SERVER$PROTOCOL_TLSv1$PROTOCOL_TLSv1_1$PROTOCOL_TLSv1_2$PROTO_MAXIMUM_SUPPORTED$PROTO_MINIMUM_SUPPORTED$PROTO_SSLv3$PROTO_TLSv1$PROTO_TLSv1_1$PROTO_TLSv1_2$PROTO_TLSv1_3$SSL_ERROR_EOF$SSL_ERROR_INVALID_ERROR_CODE$SSL_ERROR_SSL$SSL_ERROR_SYSCALL$SSL_ERROR_WANT_CONNECT$SSL_ERROR_WANT_READ$SSL_ERROR_WANT_WRITE$SSL_ERROR_WANT_X509_LOOKUP$SSL_ERROR_ZERO_RETURN$VERIFY_ALLOW_PROXY_CERTS$VERIFY_CRL_CHECK_CHAIN$VERIFY_CRL_CHECK_LEAF$VERIFY_DEFAULT$VERIFY_X509_PARTIAL_CHAIN$VERIFY_X509_STRICT$VERIFY_X509_TRUSTED_FIRST$_DEFAULT_CIPHERS
API String ID: 435332665-200463448
Opcode ID: 4246fcb37aba479664cf045844ad5de7c1de426b030fb40a8b8529086aa4eac4
Instruction ID: c22ace9204561fea32ef1a5d4926d7604f7c6539651c68501772e653d7ea7d26
Opcode Fuzzy Hash: 4246fcb37aba479664cf045844ad5de7c1de426b030fb40a8b8529086aa4eac4
Instruction Fuzzy Hash: 2822FEA4B18B1681FA049F3AE85466C2B21BF4ABD1FD85431CE1E16764DFBCE14EC718

Function 00007FF615A26EA0 Relevance: 119.3, APIs: 33, Strings: 35, Instructions: 280libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 00007FF615A26EB7
GetProcAddress.KERNEL32 ref: 00007FF615A26EFD
GetProcAddress.KERNEL32 ref: 00007FF615A26F22
GetProcAddress.KERNEL32 ref: 00007FF615A26F47
GetProcAddress.KERNEL32 ref: 00007FF615A26F6F
GetProcAddress.KERNEL32 ref: 00007FF615A26F97
GetProcAddress.KERNEL32 ref: 00007FF615A26FBF
GetProcAddress.KERNEL32 ref: 00007FF615A26FE7
GetProcAddress.KERNEL32 ref: 00007FF615A2700F

Strings

Tcl_SetVar2Ex, xrefs: 00007FF615A27285, 00007FF615A272A1
Tcl_GetCurrentThread, xrefs: 00007FF615A27005, 00007FF615A27021
Tcl_DeleteInterp, xrefs: 00007FF615A26FB5, 00007FF615A26FD1
Tcl_Free, xrefs: 00007FF615A27375, 00007FF615A27391
Tcl_CreateObjCommand, xrefs: 00007FF615A271E5, 00007FF615A27201
Tcl_ConditionNotify, xrefs: 00007FF615A270F5, 00007FF615A27111
Tcl_SetVar2, xrefs: 00007FF615A271BD, 00007FF615A271D9
Tcl_FinalizeThread, xrefs: 00007FF615A26F8D, 00007FF615A26FA9
Tcl_ConditionFinalize, xrefs: 00007FF615A270CD, 00007FF615A270E9
Tcl_FindExecutable, xrefs: 00007FF615A26F18, 00007FF615A26F34
Tk_Init, xrefs: 00007FF615A2739D, 00007FF615A273B9
Tcl_MutexUnlock, xrefs: 00007FF615A2707D, 00007FF615A27099
Tcl_Alloc, xrefs: 00007FF615A2734D, 00007FF615A27369
GetProcAddress, xrefs: 00007FF615A26ED7
Tcl_MutexLock, xrefs: 00007FF615A27055, 00007FF615A27071
Tcl_DoOneEvent, xrefs: 00007FF615A26F3D, 00007FF615A26F59
Failed to get address for %hs, xrefs: 00007FF615A26ED0
Tcl_NewStringObj, xrefs: 00007FF615A27235, 00007FF615A27251
Tcl_JoinThread, xrefs: 00007FF615A2702D, 00007FF615A27049
Tcl_Init, xrefs: 00007FF615A26EB0, 00007FF615A26EC9
Tcl_GetVar2, xrefs: 00007FF615A27195, 00007FF615A271B1
Tcl_EvalFile, xrefs: 00007FF615A272D5, 00007FF615A272F1
Tcl_Finalize, xrefs: 00007FF615A26F65, 00007FF615A26F81
Tcl_GetObjResult, xrefs: 00007FF615A272AD, 00007FF615A272C9
Tcl_CreateInterp, xrefs: 00007FF615A26EF3, 00007FF615A26F0F
Tcl_EvalEx, xrefs: 00007FF615A272FD, 00007FF615A27319
Tcl_MutexFinalize, xrefs: 00007FF615A270A5, 00007FF615A270C1
Tk_GetNumMainWindows, xrefs: 00007FF615A273C5, 00007FF615A273E1
Tcl_ThreadAlert, xrefs: 00007FF615A2716D, 00007FF615A27189
Tcl_CreateThread, xrefs: 00007FF615A26FDD, 00007FF615A26FF9
Tcl_NewByteArrayObj, xrefs: 00007FF615A2725D, 00007FF615A27279
Tcl_EvalObjv, xrefs: 00007FF615A27325, 00007FF615A27341
Tcl_GetString, xrefs: 00007FF615A2720D, 00007FF615A27229
Tcl_ThreadQueueEvent, xrefs: 00007FF615A27145, 00007FF615A27161
Tcl_ConditionWait, xrefs: 00007FF615A2711D, 00007FF615A27139

Memory Dump Source

Source File: 00000002.00000002.3259986105.00007FF615A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF615A20000, based on PE: true

Associated: 00000002.00000002.3259944406.00007FF615A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260064010.00007FF615A4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260157531.00007FF615A5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260157531.00007FF615A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260262206.00007FF615A66000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff615a20000_Q3pEXxmWAD.jbxd

Similarity

API ID: AddressProc
String ID: Failed to get address for %hs$GetProcAddress$Tcl_Alloc$Tcl_ConditionFinalize$Tcl_ConditionNotify$Tcl_ConditionWait$Tcl_CreateInterp$Tcl_CreateObjCommand$Tcl_CreateThread$Tcl_DeleteInterp$Tcl_DoOneEvent$Tcl_EvalEx$Tcl_EvalFile$Tcl_EvalObjv$Tcl_Finalize$Tcl_FinalizeThread$Tcl_FindExecutable$Tcl_Free$Tcl_GetCurrentThread$Tcl_GetObjResult$Tcl_GetString$Tcl_GetVar2$Tcl_Init$Tcl_JoinThread$Tcl_MutexFinalize$Tcl_MutexLock$Tcl_MutexUnlock$Tcl_NewByteArrayObj$Tcl_NewStringObj$Tcl_SetVar2$Tcl_SetVar2Ex$Tcl_ThreadAlert$Tcl_ThreadQueueEvent$Tk_GetNumMainWindows$Tk_Init
API String ID: 190572456-3427451314
Opcode ID: ea7dfca1e90abb6d4d8c6eb1b798acaf406610e772db9aaa2d8df727af0780f5
Instruction ID: e9dd703e04d9b1959287dffc76a7792dfa3f628e931c7d2c72949f25a48c2eb6
Opcode Fuzzy Hash: ea7dfca1e90abb6d4d8c6eb1b798acaf406610e772db9aaa2d8df727af0780f5
Instruction Fuzzy Hash: 6EE1A864A8EF4391FA55DB95A8511B4A3A9AF44F71F881336C81E863B4EF7CFD48C240

Function 00007FF8B8B24FCC Relevance: 103.6, APIs: 48, Strings: 11, Instructions: 310COMMON

Download Yara Rule

APIs

PyDict_New.PYTHON311 ref: 00007FF8B8B24FF9
X509_get_subject_name.LIBCRYPTO-3 ref: 00007FF8B8B2500E

Part of subcall function 00007FF8B8B24CB0: X509_NAME_entry_count.LIBCRYPTO-3 ref: 00007FF8B8B24CD4
Part of subcall function 00007FF8B8B24CB0: PyList_New.PYTHON311 ref: 00007FF8B8B24CE3
Part of subcall function 00007FF8B8B24CB0: PyList_New.PYTHON311 ref: 00007FF8B8B24CF7
Part of subcall function 00007FF8B8B24CB0: X509_NAME_get_entry.LIBCRYPTO-3 ref: 00007FF8B8B24D19
Part of subcall function 00007FF8B8B24CB0: X509_NAME_ENTRY_set.LIBCRYPTO-3 ref: 00007FF8B8B24D2A
Part of subcall function 00007FF8B8B24CB0: PyList_AsTuple.PYTHON311 ref: 00007FF8B8B24D38
Part of subcall function 00007FF8B8B24CB0: _Py_Dealloc.PYTHON311 ref: 00007FF8B8B24D4A
Part of subcall function 00007FF8B8B24CB0: PyList_Append.PYTHON311 ref: 00007FF8B8B24D5F
Part of subcall function 00007FF8B8B24CB0: _Py_Dealloc.PYTHON311 ref: 00007FF8B8B24D70
Part of subcall function 00007FF8B8B24CB0: PyList_New.PYTHON311 ref: 00007FF8B8B24D80
Part of subcall function 00007FF8B8B24CB0: X509_NAME_ENTRY_set.LIBCRYPTO-3 ref: 00007FF8B8B24D95
Part of subcall function 00007FF8B8B24CB0: X509_NAME_ENTRY_get_object.LIBCRYPTO-3 ref: 00007FF8B8B24DA1
Part of subcall function 00007FF8B8B24CB0: X509_NAME_ENTRY_get_data.LIBCRYPTO-3 ref: 00007FF8B8B24DAD
Part of subcall function 00007FF8B8B24CB0: PyList_Append.PYTHON311 ref: 00007FF8B8B24DD5
Part of subcall function 00007FF8B8B24CB0: _Py_Dealloc.PYTHON311 ref: 00007FF8B8B24DE7
Part of subcall function 00007FF8B8B24CB0: PyList_AsTuple.PYTHON311 ref: 00007FF8B8B24E19

PyDict_SetItemString.PYTHON311 ref: 00007FF8B8B25038
_Py_Dealloc.PYTHON311 ref: 00007FF8B8B25057
_Py_Dealloc.PYTHON311 ref: 00007FF8B8B2506A
X509_get_issuer_name.LIBCRYPTO-3 ref: 00007FF8B8B25073
PyDict_SetItemString.PYTHON311 ref: 00007FF8B8B2509D
_Py_Dealloc.PYTHON311 ref: 00007FF8B8B250B8
X509_get_version.LIBCRYPTO-3 ref: 00007FF8B8B250C1
PyLong_FromLong.PYTHON311 ref: 00007FF8B8B250CA
PyDict_SetItemString.PYTHON311 ref: 00007FF8B8B250E9
_Py_Dealloc.PYTHON311 ref: 00007FF8B8B25108
BIO_s_mem.LIBCRYPTO-3 ref: 00007FF8B8B2510E
BIO_new.LIBCRYPTO-3 ref: 00007FF8B8B25117
PyErr_SetString.PYTHON311 ref: 00007FF8B8B25130
BIO_free.LIBCRYPTO-3 ref: 00007FF8B8B25190
_Py_Dealloc.PYTHON311 ref: 00007FF8B8B2519F
PyUnicode_FromStringAndSize.PYTHON311 ref: 00007FF8B8B251D7
PyDict_SetItemString.PYTHON311 ref: 00007FF8B8B251F2
_Py_Dealloc.PYTHON311 ref: 00007FF8B8B2520D
_Py_Dealloc.PYTHON311 ref: 00007FF8B8B25220
BIO_ctrl.LIBCRYPTO-3 ref: 00007FF8B8B25233
X509_get0_notBefore.LIBCRYPTO-3 ref: 00007FF8B8B2523C
ASN1_TIME_print.LIBCRYPTO-3 ref: 00007FF8B8B25248
BIO_gets.LIBCRYPTO-3 ref: 00007FF8B8B2525C
PyUnicode_FromStringAndSize.PYTHON311 ref: 00007FF8B8B2527B
PyDict_SetItemString.PYTHON311 ref: 00007FF8B8B2529A
_Py_Dealloc.PYTHON311 ref: 00007FF8B8B252B9
BIO_ctrl.LIBCRYPTO-3 ref: 00007FF8B8B252CC
X509_get0_notAfter.LIBCRYPTO-3 ref: 00007FF8B8B252D5
ASN1_TIME_print.LIBCRYPTO-3 ref: 00007FF8B8B252E1
BIO_gets.LIBCRYPTO-3 ref: 00007FF8B8B252F5
PyUnicode_FromStringAndSize.PYTHON311 ref: 00007FF8B8B25314
PyDict_SetItemString.PYTHON311 ref: 00007FF8B8B25333
_Py_Dealloc.PYTHON311 ref: 00007FF8B8B25352
PyDict_SetItemString.PYTHON311 ref: 00007FF8B8B25385
_Py_Dealloc.PYTHON311 ref: 00007FF8B8B253A4
PyDict_SetItemString.PYTHON311 ref: 00007FF8B8B253D9
_Py_Dealloc.PYTHON311 ref: 00007FF8B8B253EA
PyDict_SetItemString.PYTHON311 ref: 00007FF8B8B25427
_Py_Dealloc.PYTHON311 ref: 00007FF8B8B25438
PyDict_SetItemString.PYTHON311 ref: 00007FF8B8B25470
_Py_Dealloc.PYTHON311 ref: 00007FF8B8B25481
BIO_free.LIBCRYPTO-3 ref: 00007FF8B8B25492

Strings

notAfter, xrefs: 00007FF8B8B25329
OCSP, xrefs: 00007FF8B8B253CF
caIssuers, xrefs: 00007FF8B8B2541D
failed to allocate BIO, xrefs: 00007FF8B8B25129
crlDistributionPoints, xrefs: 00007FF8B8B25466
subject, xrefs: 00007FF8B8B2502E
notBefore, xrefs: 00007FF8B8B25290
serialNumber, xrefs: 00007FF8B8B251E8
version, xrefs: 00007FF8B8B250DF
subjectAltName, xrefs: 00007FF8B8B2537B
issuer, xrefs: 00007FF8B8B25093

Memory Dump Source

Source File: 00000002.00000002.3267386125.00007FF8B8B21000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF8B8B20000, based on PE: true

Associated: 00000002.00000002.3267342079.00007FF8B8B20000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267454200.00007FF8B8B2D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267519342.00007FF8B8B40000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267586768.00007FF8B8B41000.00000008.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267643901.00007FF8B8B49000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b8b20000_Q3pEXxmWAD.jbxd

Similarity

API ID: Dealloc$String$Dict_$Item$List_$X509_$From$SizeUnicode_$AppendE_printO_ctrlO_freeO_getsTupleX509_get0_notY_set$AfterBeforeE_entry_countE_get_entryErr_LongLong_O_newO_s_memX509_get_issuer_nameX509_get_subject_nameX509_get_versionY_get_dataY_get_object
String ID: OCSP$caIssuers$crlDistributionPoints$failed to allocate BIO$issuer$notAfter$notBefore$serialNumber$subject$subjectAltName$version
API String ID: 558561668-857226466
Opcode ID: 9563e2034df4959f2f5ac61751c6a667d57e7973ca6279a7b1bfc31a68fb857e
Instruction ID: c02963637144a02c8e487ccac123e9d1e7329c4a8d37e6c27192f4ebba48d483
Opcode Fuzzy Hash: 9563e2034df4959f2f5ac61751c6a667d57e7973ca6279a7b1bfc31a68fb857e
Instruction Fuzzy Hash: 02D15D65A0DB0785FE949F39E968A7D6BA1AF45BD1F884430CF0E46754EF3CE40A8308

Function 00007FF8B8B276B0 Relevance: 80.7, APIs: 35, Strings: 11, Instructions: 215threadCOMMON

Download Yara Rule

APIs

PyType_GetModuleByDef.PYTHON311(?,?,?,?,00000000,00007FF8B8B26CD0), ref: 00007FF8B8B276D4
PyErr_SetString.PYTHON311(?,?,?,?,00000000,00007FF8B8B26CD0), ref: 00007FF8B8B276F3
TLS_server_method.LIBSSL-3(?,?,?,?,00000000,00007FF8B8B26CD0), ref: 00007FF8B8B27744
TLS_client_method.LIBSSL-3(?,?,?,?,00000000,00007FF8B8B26CD0), ref: 00007FF8B8B2774F
PyErr_WarnEx.PYTHON311(?,?,?,?,00000000,00007FF8B8B26CD0), ref: 00007FF8B8B2776E
TLSv1_2_method.LIBSSL-3(?,?,?,?,00000000,00007FF8B8B26CD0), ref: 00007FF8B8B27779
PyErr_WarnEx.PYTHON311(?,?,?,?,00000000,00007FF8B8B26CD0), ref: 00007FF8B8B27795
TLSv1_1_method.LIBSSL-3(?,?,?,?,00000000,00007FF8B8B26CD0), ref: 00007FF8B8B277A4
PyErr_WarnEx.PYTHON311(?,?,?,?,00000000,00007FF8B8B26CD0), ref: 00007FF8B8B277C0
TLSv1_method.LIBSSL-3(?,?,?,?,00000000,00007FF8B8B26CD0), ref: 00007FF8B8B277CF
PyErr_WarnEx.PYTHON311(?,?,?,?,00000000,00007FF8B8B26CD0), ref: 00007FF8B8B277EB
TLS_method.LIBSSL-3(?,?,?,?,00000000,00007FF8B8B26CD0), ref: 00007FF8B8B277FA
PyErr_Format.PYTHON311(?,?,?,?,00000000,00007FF8B8B26CD0), ref: 00007FF8B8B2781C
PyEval_SaveThread.PYTHON311(?,?,?,?,00000000,00007FF8B8B26CD0), ref: 00007FF8B8B27827
SSL_CTX_new.LIBSSL-3(?,?,?,?,00000000,00007FF8B8B26CD0), ref: 00007FF8B8B27833
PyEval_RestoreThread.PYTHON311(?,?,?,?,00000000,00007FF8B8B26CD0), ref: 00007FF8B8B2783F
PyModule_GetState.PYTHON311(?,?,?,?,00000000,00007FF8B8B26CD0), ref: 00007FF8B8B2784D
SSL_CTX_free.LIBSSL-3(?,?,?,?,00000000,00007FF8B8B26CD0), ref: 00007FF8B8B27884
PyModule_GetState.PYTHON311 ref: 00007FF8B8B278B9
_Py_Dealloc.PYTHON311 ref: 00007FF8B8B278EC
SSL_CTX_set_options.LIBSSL-3 ref: 00007FF8B8B27918
SSL_CTX_set_cipher_list.LIBSSL-3 ref: 00007FF8B8B27933
_Py_Dealloc.PYTHON311 ref: 00007FF8B8B27946
ERR_clear_error.LIBCRYPTO-3 ref: 00007FF8B8B2794C
PyErr_SetString.PYTHON311 ref: 00007FF8B8B27961
SSL_CTX_ctrl.LIBSSL-3 ref: 00007FF8B8B2798A
PyErr_Format.PYTHON311 ref: 00007FF8B8B279A8
_Py_Dealloc.PYTHON311 ref: 00007FF8B8B279B7
ERR_clear_error.LIBCRYPTO-3 ref: 00007FF8B8B279BD
SSL_CTX_ctrl.LIBSSL-3 ref: 00007FF8B8B279D7
SSL_CTX_set_session_id_context.LIBSSL-3 ref: 00007FF8B8B279EE
SSL_CTX_get0_param.LIBSSL-3 ref: 00007FF8B8B279F8
X509_VERIFY_PARAM_set_flags.LIBCRYPTO-3 ref: 00007FF8B8B27A09
X509_VERIFY_PARAM_set_hostflags.LIBCRYPTO-3 ref: 00007FF8B8B27A15
SSL_CTX_set_post_handshake_auth.LIBSSL-3 ref: 00007FF8B8B27A25

Strings

ssl.PROTOCOL_TLSv1_1 is deprecated, xrefs: 00007FF8B8B27788
ssl.PROTOCOL_TLS is deprecated, xrefs: 00007FF8B8B277DE
ssl.PROTOCOL_TLSv1 is deprecated, xrefs: 00007FF8B8B277B3
Python, xrefs: 00007FF8B8B279E1
Cannot find internal module state, xrefs: 00007FF8B8B276E9
HIGH:!aNULL:!eNULL, xrefs: 00007FF8B8B2792C
ssl.PROTOCOL_TLSv1_2 is deprecated, xrefs: 00007FF8B8B27761
@SECLEVEL=2:ECDH+AESGCM:ECDH+CHACHA20:ECDH+AES:DHE+AES:!aNULL:!eNULL:!aDSS:!SHA1:!AESCCM, xrefs: 00007FF8B8B2791E
Failed to set minimum protocol 0x%x, xrefs: 00007FF8B8B2799B
invalid or unsupported protocol version %i, xrefs: 00007FF8B8B2780F
No cipher can be selected., xrefs: 00007FF8B8B27956

Memory Dump Source

Source File: 00000002.00000002.3267386125.00007FF8B8B21000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF8B8B20000, based on PE: true

Associated: 00000002.00000002.3267342079.00007FF8B8B20000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267454200.00007FF8B8B2D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267519342.00007FF8B8B40000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267586768.00007FF8B8B41000.00000008.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267643901.00007FF8B8B49000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b8b20000_Q3pEXxmWAD.jbxd

Similarity

API ID: Err_$Warn$Dealloc$Eval_FormatModule_R_clear_errorStateStringThreadX509_X_ctrl$M_set_flagsM_set_hostflagsModuleRestoreS_client_methodS_methodS_server_methodSaveSv1_1_methodSv1_2_methodSv1_methodType_X_freeX_get0_paramX_newX_set_cipher_listX_set_optionsX_set_post_handshake_authX_set_session_id_context
String ID: @SECLEVEL=2:ECDH+AESGCM:ECDH+CHACHA20:ECDH+AES:DHE+AES:!aNULL:!eNULL:!aDSS:!SHA1:!AESCCM$Cannot find internal module state$Failed to set minimum protocol 0x%x$HIGH:!aNULL:!eNULL$No cipher can be selected.$Python$invalid or unsupported protocol version %i$ssl.PROTOCOL_TLS is deprecated$ssl.PROTOCOL_TLSv1 is deprecated$ssl.PROTOCOL_TLSv1_1 is deprecated$ssl.PROTOCOL_TLSv1_2 is deprecated
API String ID: 2039472478-3748777976
Opcode ID: bcdf6bf99e92d8e5cd5db16b7adcdd828c2cfe9f291e85aef186543906fec9a1
Instruction ID: 4e9714268afb9665e2a163abfbc3a5019fea09a8d7eda3de5a8381c158c2be47
Opcode Fuzzy Hash: bcdf6bf99e92d8e5cd5db16b7adcdd828c2cfe9f291e85aef186543906fec9a1
Instruction Fuzzy Hash: 94A13C21A09A07C6EA549F3ED95463C2BA0BF85BD4F984535CB0E47AA0DF3CE44AC74C

Function 00007FF8B8B27B18 Relevance: 68.4, APIs: 36, Strings: 3, Instructions: 198threadCOMMON

Download Yara Rule

APIs

SSL_CTX_get_default_passwd_cb.LIBSSL-3 ref: 00007FF8B8B27B4A
SSL_CTX_get_default_passwd_cb_userdata.LIBSSL-3 ref: 00007FF8B8B27B57
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8B8B27B70
ERR_clear_error.LIBCRYPTO-3 ref: 00007FF8B8B27B79
PyUnicode_FSConverter.PYTHON311 ref: 00007FF8B8B27B91
PyErr_ExceptionMatches.PYTHON311 ref: 00007FF8B8B27BA5
PyErr_SetString.PYTHON311 ref: 00007FF8B8B27BC0

Part of subcall function 00007FF8B8B25E08: PyUnicode_AsUTF8String.PYTHON311(?,?,?,00007FF8B8B25D7C), ref: 00007FF8B8B25E3F
Part of subcall function 00007FF8B8B25E08: PyErr_Format.PYTHON311(?,?,?,00007FF8B8B25D7C), ref: 00007FF8B8B25EB4
Part of subcall function 00007FF8B8B25E08: _Py_Dealloc.PYTHON311(?,?,?,00007FF8B8B25D7C), ref: 00007FF8B8B25EFD

Part of subcall function 00007FF8B8B261C8: ERR_peek_last_error.LIBCRYPTO-3 ref: 00007FF8B8B261E0
Part of subcall function 00007FF8B8B261C8: ERR_clear_error.LIBCRYPTO-3 ref: 00007FF8B8B26209

PyUnicode_FSConverter.PYTHON311 ref: 00007FF8B8B27BD9
PyErr_ExceptionMatches.PYTHON311 ref: 00007FF8B8B27BED
PyErr_SetString.PYTHON311 ref: 00007FF8B8B27C0C
PyCallable_Check.PYTHON311 ref: 00007FF8B8B27C23
SSL_CTX_set_default_passwd_cb.LIBSSL-3 ref: 00007FF8B8B27C59
SSL_CTX_set_default_passwd_cb_userdata.LIBSSL-3 ref: 00007FF8B8B27C67
PyEval_SaveThread.PYTHON311 ref: 00007FF8B8B27C6D
SSL_CTX_use_certificate_chain_file.LIBSSL-3 ref: 00007FF8B8B27C83
PyEval_RestoreThread.PYTHON311 ref: 00007FF8B8B27C8F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8B8B27CA0
PyErr_SetFromErrno.PYTHON311 ref: 00007FF8B8B27CB5
ERR_clear_error.LIBCRYPTO-3 ref: 00007FF8B8B27CBB
SSL_CTX_set_default_passwd_cb.LIBSSL-3(?,?,?,?,?,?,00007FF8A8D8BCC8,00007FF8B8B27AFA), ref: 00007FF8B8B27DA5
SSL_CTX_set_default_passwd_cb_userdata.LIBSSL-3(?,?,?,?,?,?,00007FF8A8D8BCC8,00007FF8B8B27AFA), ref: 00007FF8B8B27DB2
PyMem_Free.PYTHON311(?,?,?,?,?,?,00007FF8A8D8BCC8,00007FF8B8B27AFA), ref: 00007FF8B8B27DBC
_Py_Dealloc.PYTHON311(?,?,?,?,?,?,00007FF8A8D8BCC8,00007FF8B8B27AFA), ref: 00007FF8B8B27DD1
_Py_Dealloc.PYTHON311(?,?,?,?,?,?,00007FF8A8D8BCC8,00007FF8B8B27AFA), ref: 00007FF8B8B27DEE
SSL_CTX_set_default_passwd_cb.LIBSSL-3 ref: 00007FF8B8B27E00
SSL_CTX_set_default_passwd_cb_userdata.LIBSSL-3 ref: 00007FF8B8B27E0D
PyMem_Free.PYTHON311 ref: 00007FF8B8B27E17

Strings

password should be a string or callable, xrefs: 00007FF8B8B27C33
certfile should be a valid filesystem path, xrefs: 00007FF8B8B27BB6
keyfile should be a valid filesystem path, xrefs: 00007FF8B8B27C02

Memory Dump Source

Source File: 00000002.00000002.3267386125.00007FF8B8B21000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF8B8B20000, based on PE: true

Associated: 00000002.00000002.3267342079.00007FF8B8B20000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267454200.00007FF8B8B2D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267519342.00007FF8B8B40000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267586768.00007FF8B8B41000.00000008.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267643901.00007FF8B8B49000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b8b20000_Q3pEXxmWAD.jbxd

Similarity

API ID: Err_$DeallocR_clear_errorStringUnicode_X_set_default_passwd_cbX_set_default_passwd_cb_userdata$ConverterEval_ExceptionFreeMatchesMem_Thread_errno$Callable_CheckErrnoFormatFromR_peek_last_errorRestoreSaveX_get_default_passwd_cbX_get_default_passwd_cb_userdataX_use_certificate_chain_file
String ID: certfile should be a valid filesystem path$keyfile should be a valid filesystem path$password should be a string or callable
API String ID: 1360066414-998072137
Opcode ID: fedce28bcc2cea23c3164a51e9c2050cc0d8cdd099b30353a80f813e5023d4e4
Instruction ID: ba7769ff7d7244f98ed5fee2afb447c9c8176b2ac842390f48fd77df5ac2fa10
Opcode Fuzzy Hash: fedce28bcc2cea23c3164a51e9c2050cc0d8cdd099b30353a80f813e5023d4e4
Instruction Fuzzy Hash: 59A1E376A08A06C6EB149F79E85817D2B60BF88BD9F944531DF0E43A54CF3CE45A870C

Function 00007FF8B8B22084 Relevance: 64.9, APIs: 18, Strings: 19, Instructions: 120COMMON

Download Yara Rule

APIs

PyModule_GetState.PYTHON311 ref: 00007FF8B8B22096
PyType_FromSpecWithBases.PYTHON311 ref: 00007FF8B8B220B0
PyModule_AddObjectRef.PYTHON311 ref: 00007FF8B8B220D0
PyTuple_Pack.PYTHON311 ref: 00007FF8B8B220F1
PyErr_NewExceptionWithDoc.PYTHON311 ref: 00007FF8B8B22117
PyModule_AddObjectRef.PYTHON311 ref: 00007FF8B8B2212E
PyErr_NewExceptionWithDoc.PYTHON311 ref: 00007FF8B8B2215B
PyModule_AddObjectRef.PYTHON311 ref: 00007FF8B8B22172
PyErr_NewExceptionWithDoc.PYTHON311 ref: 00007FF8B8B22195
PyModule_AddObjectRef.PYTHON311 ref: 00007FF8B8B221AC
PyErr_NewExceptionWithDoc.PYTHON311 ref: 00007FF8B8B221CF
PyModule_AddObjectRef.PYTHON311 ref: 00007FF8B8B221E6
PyErr_NewExceptionWithDoc.PYTHON311 ref: 00007FF8B8B22205
PyModule_AddObjectRef.PYTHON311 ref: 00007FF8B8B2221C
PyErr_NewExceptionWithDoc.PYTHON311 ref: 00007FF8B8B2223B
PyModule_AddObjectRef.PYTHON311 ref: 00007FF8B8B22252
_Py_Dealloc.PYTHON311 ref: 00007FF8B8B23797
_Py_Dealloc.PYTHON311 ref: 00007FF8B8B237B0

Strings

Non-blocking SSL socket needs to read more databefore the requested operation can be completed., xrefs: 00007FF8B8B221BE
ssl.SSLCertVerificationError, xrefs: 00007FF8B8B22110
ssl.SSLZeroReturnError, xrefs: 00007FF8B8B22154
ssl.SSLSyscallError, xrefs: 00007FF8B8B221FE
SSLZeroReturnError, xrefs: 00007FF8B8B22161
SSLSyscallError, xrefs: 00007FF8B8B2220B
SSLError, xrefs: 00007FF8B8B220C6
A certificate could not be verified., xrefs: 00007FF8B8B22106
SSLWantWriteError, xrefs: 00007FF8B8B2219B
SSLWantReadError, xrefs: 00007FF8B8B221D5
ssl.SSLWantReadError, xrefs: 00007FF8B8B221C8
SSL/TLS connection terminated abruptly., xrefs: 00007FF8B8B2222A
ssl.SSLWantWriteError, xrefs: 00007FF8B8B2218E
SSLEOFError, xrefs: 00007FF8B8B22241
SSLCertVerificationError, xrefs: 00007FF8B8B2211D
System error when attempting SSL operation., xrefs: 00007FF8B8B221F4
SSL/TLS session closed cleanly., xrefs: 00007FF8B8B2214A
Non-blocking SSL socket needs to write more databefore the requested operation can be completed., xrefs: 00007FF8B8B22184
ssl.SSLEOFError, xrefs: 00007FF8B8B22234

Memory Dump Source

Source File: 00000002.00000002.3267386125.00007FF8B8B21000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF8B8B20000, based on PE: true

Associated: 00000002.00000002.3267342079.00007FF8B8B20000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267454200.00007FF8B8B2D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267519342.00007FF8B8B40000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267586768.00007FF8B8B41000.00000008.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267643901.00007FF8B8B49000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b8b20000_Q3pEXxmWAD.jbxd

Similarity

API ID: Module_$ObjectWith$Err_Exception$Dealloc$BasesFromPackSpecStateTuple_Type_
String ID: A certificate could not be verified.$Non-blocking SSL socket needs to read more databefore the requested operation can be completed.$Non-blocking SSL socket needs to write more databefore the requested operation can be completed.$SSL/TLS connection terminated abruptly.$SSL/TLS session closed cleanly.$SSLCertVerificationError$SSLEOFError$SSLError$SSLSyscallError$SSLWantReadError$SSLWantWriteError$SSLZeroReturnError$System error when attempting SSL operation.$ssl.SSLCertVerificationError$ssl.SSLEOFError$ssl.SSLSyscallError$ssl.SSLWantReadError$ssl.SSLWantWriteError$ssl.SSLZeroReturnError
API String ID: 2091157252-1330971811
Opcode ID: eba41b414b14a5d19da5a92ffb59b808ac36444e6d063591d0875ad1b0e209c8
Instruction ID: 7d7dad10c4b8152d565baee5d2973cb1af047034b66b384574095d1b2faa574f
Opcode Fuzzy Hash: eba41b414b14a5d19da5a92ffb59b808ac36444e6d063591d0875ad1b0e209c8
Instruction Fuzzy Hash: F951E661A09B4791FA109F7AE9445AC2FA0BF4ABD4F845036CB0D57A65EF3CE15BC308

Function 00007FF8B8B2B10C Relevance: 63.2, APIs: 29, Strings: 7, Instructions: 236COMMON

Download Yara Rule

APIs

_Py_BuildValue_SizeT.PYTHON311(?,?,00000000,00000000,00000000,00007FF8B8B26209), ref: 00007FF8B8B2B17A
PyDict_GetItemWithError.PYTHON311(?,?,00000000,00000000,00000000,00007FF8B8B26209), ref: 00007FF8B8B2B193
_Py_Dealloc.PYTHON311(?,?,00000000,00000000,00000000,00007FF8B8B26209), ref: 00007FF8B8B2B1A5
PyErr_Occurred.PYTHON311(?,?,00000000,00000000,00000000,00007FF8B8B26209), ref: 00007FF8B8B2B1B0
PyLong_FromLong.PYTHON311(?,?,00000000,00000000,00000000,00007FF8B8B26209), ref: 00007FF8B8B2B1C1
PyDict_GetItemWithError.PYTHON311(?,?,00000000,00000000,00000000,00007FF8B8B26209), ref: 00007FF8B8B2B1DA
_Py_Dealloc.PYTHON311(?,?,00000000,00000000,00000000,00007FF8B8B26209), ref: 00007FF8B8B2B1EC
PyErr_Occurred.PYTHON311(?,?,00000000,00000000,00000000,00007FF8B8B26209), ref: 00007FF8B8B2B1F7
ERR_reason_error_string.LIBCRYPTO-3(?,?,00000000,00000000,00000000,00007FF8B8B26209), ref: 00007FF8B8B2B216
SSL_get_verify_result.LIBSSL-3(?,?,00000000,00000000,00000000,00007FF8B8B26209), ref: 00007FF8B8B2B258
PyLong_FromLong.PYTHON311(?,?,00000000,00000000,00000000,00007FF8B8B26209), ref: 00007FF8B8B2B262
X509_verify_cert_error_string.LIBCRYPTO-3(?,?,00000000,00000000,00000000,00007FF8B8B26209), ref: 00007FF8B8B2B280
PyUnicode_FromString.PYTHON311(?,?,00000000,00000000,00000000,00007FF8B8B26209), ref: 00007FF8B8B2B28E
PyUnicode_FromFormat.PYTHON311(?,?,00000000,00000000,00000000,00007FF8B8B26209), ref: 00007FF8B8B2B2B6
PyUnicode_FromFormat.PYTHON311(?,?,00000000,00000000,00000000,00007FF8B8B26209), ref: 00007FF8B8B2B2F2
PyUnicode_FromFormat.PYTHON311(?,?,00000000,00000000,00000000,00007FF8B8B26209), ref: 00007FF8B8B2B31F
PyUnicode_FromFormat.PYTHON311(?,?,00000000,00000000,00000000,00007FF8B8B26209), ref: 00007FF8B8B2B341
PyUnicode_FromFormat.PYTHON311(?,?,00000000,00000000,00000000,00007FF8B8B26209), ref: 00007FF8B8B2B35B
_Py_BuildValue_SizeT.PYTHON311(?,?,00000000,00000000,00000000,00007FF8B8B26209), ref: 00007FF8B8B2B391
PyObject_CallObject.PYTHON311(?,?,00000000,00000000,00000000,00007FF8B8B26209), ref: 00007FF8B8B2B3AE
_Py_Dealloc.PYTHON311(?,?,00000000,00000000,00000000,00007FF8B8B26209), ref: 00007FF8B8B2B3C1
PyObject_SetAttr.PYTHON311(?,?,00000000,00000000,00000000,00007FF8B8B26209), ref: 00007FF8B8B2B3E8
PyObject_SetAttr.PYTHON311(?,?,00000000,00000000,00000000,00007FF8B8B26209), ref: 00007FF8B8B2B40A
PyObject_SetAttr.PYTHON311(?,?,00000000,00000000,00000000,00007FF8B8B26209), ref: 00007FF8B8B2B434
PyObject_SetAttr.PYTHON311(?,?,00000000,00000000,00000000,00007FF8B8B26209), ref: 00007FF8B8B2B44B
PyErr_SetObject.PYTHON311(?,?,00000000,00000000,00000000,00007FF8B8B26209), ref: 00007FF8B8B2B45B
_Py_Dealloc.PYTHON311(?,?,00000000,00000000,00000000,00007FF8B8B26209), ref: 00007FF8B8B2B46A
_Py_Dealloc.PYTHON311(?,?,00000000,00000000,00000000,00007FF8B8B26209), ref: 00007FF8B8B2B47F
_Py_Dealloc.PYTHON311(?,?,00000000,00000000,00000000,00007FF8B8B26209), ref: 00007FF8B8B2B493

Strings

unknown error, xrefs: 00007FF8B8B2B229
[%S: %S] %s (_ssl.c:%d), xrefs: 00007FF8B8B2B30B
%s (_ssl.c:%d), xrefs: 00007FF8B8B2B351
[%S] %s (_ssl.c:%d), xrefs: 00007FF8B8B2B334
[%S: %S] %s: %S (_ssl.c:%d), xrefs: 00007FF8B8B2B2D9
IP address mismatch, certificate is not valid for '%S'., xrefs: 00007FF8B8B2B2A2
Hostname mismatch, certificate is not valid for '%S'., xrefs: 00007FF8B8B2B2AB

Memory Dump Source

Source File: 00000002.00000002.3267386125.00007FF8B8B21000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF8B8B20000, based on PE: true

Associated: 00000002.00000002.3267342079.00007FF8B8B20000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267454200.00007FF8B8B2D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267519342.00007FF8B8B40000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267586768.00007FF8B8B41000.00000008.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267643901.00007FF8B8B49000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b8b20000_Q3pEXxmWAD.jbxd

Similarity

API ID: From$DeallocUnicode_$FormatObject_$Attr$Err_$BuildDict_ErrorItemLongLong_ObjectOccurredSizeValue_With$CallL_get_verify_resultR_reason_error_stringStringX509_verify_cert_error_string
String ID: %s (_ssl.c:%d)$Hostname mismatch, certificate is not valid for '%S'.$IP address mismatch, certificate is not valid for '%S'.$[%S: %S] %s (_ssl.c:%d)$[%S: %S] %s: %S (_ssl.c:%d)$[%S] %s (_ssl.c:%d)$unknown error
API String ID: 628883730-2914327905
Opcode ID: a0b87949c90fd48871732554e521aaeb53ffe58006c26eb17f4af4b8f6972cf2
Instruction ID: a79cb4ba884bc99977f69f03139d9600828faff91f4c777c18da6995a027c331
Opcode Fuzzy Hash: a0b87949c90fd48871732554e521aaeb53ffe58006c26eb17f4af4b8f6972cf2
Instruction Fuzzy Hash: 23A14F61A09A57C5EA659F3AA89467D2BA0BF45FC0F884439CF0E47754DF3CE84B8308

Function 00007FF8BA2494B8 Relevance: 58.1, APIs: 4, Strings: 29, Instructions: 382COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FF8BA249A29
DName::operator+.LIBVCRUNTIME ref: 00007FF8BA249A5E
DName::operator+.LIBVCRUNTIME ref: 00007FF8BA249A97

Strings

double, xrefs: 00007FF8BA2495DE
volatile, xrefs: 00007FF8BA2498A2
int, xrefs: 00007FF8BA249564
long, xrefs: 00007FF8BA249552
__int16, xrefs: 00007FF8BA2496C0
char32_t, xrefs: 00007FF8BA2499AB
this , xrefs: 00007FF8BA249971
char16_t, xrefs: 00007FF8BA2497B8
char8_t, xrefs: 00007FF8BA2497D9
long , xrefs: 00007FF8BA2495C7
volatile, xrefs: 00007FF8BA2498CF
const, xrefs: 00007FF8BA249887
signed , xrefs: 00007FF8BA2499F6
auto, xrefs: 00007FF8BA2497EB
__int128, xrefs: 00007FF8BA249750
void, xrefs: 00007FF8BA24961C
UNKNOWN, xrefs: 00007FF8BA24992C
__int32, xrefs: 00007FF8BA24976E
char, xrefs: 00007FF8BA249588
<unknown>, xrefs: 00007FF8BA2497CA
decltype(auto), xrefs: 00007FF8BA249900
short, xrefs: 00007FF8BA249576
__int8, xrefs: 00007FF8BA2496D2
bool, xrefs: 00007FF8BA249780
float, xrefs: 00007FF8BA24960A
__int64, xrefs: 00007FF8BA24975F
__w64 , xrefs: 00007FF8BA2496FC
unsigned , xrefs: 00007FF8BA2499E6
wchar_t, xrefs: 00007FF8BA24994A

Memory Dump Source

Source File: 00000002.00000002.3271320577.00007FF8BA241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8BA240000, based on PE: true

Associated: 00000002.00000002.3271278440.00007FF8BA240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3271565433.00007FF8BA253000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3271649077.00007FF8BA258000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3271708065.00007FF8BA259000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8ba240000_Q3pEXxmWAD.jbxd

Similarity

API ID: Name::operator+
String ID: volatile$<unknown>$UNKNOWN$__int128$__int16$__int32$__int64$__int8$__w64 $auto$bool$char$char16_t$char32_t$char8_t$const$decltype(auto)$double$float$int$long$long $short$signed $this $unsigned $void$volatile$wchar_t
API String ID: 2943138195-1482988683
Opcode ID: 9af3000e46094686c92b09a1ab6ba282d3ea35f814097fcec630d6e6c72122d6
Instruction ID: ea1c00fc3c20ecc463a63ece1f02b3df58dc26c57316edeeabe37f8dde8ef467
Opcode Fuzzy Hash: 9af3000e46094686c92b09a1ab6ba282d3ea35f814097fcec630d6e6c72122d6
Instruction Fuzzy Hash: 35027E72E1861388FB289B6DD9D61BC27B1BB05BC4F9041B9CF0D16A98DF3DA644E340

Function 00007FF8B8B2804C Relevance: 47.4, APIs: 22, Strings: 5, Instructions: 192threadCOMMON

Download Yara Rule

APIs

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8B8B28086
PyErr_SetString.PYTHON311 ref: 00007FF8B8B280D0
PyUnicode_FSConverter.PYTHON311 ref: 00007FF8B8B280E2
PyErr_ExceptionMatches.PYTHON311 ref: 00007FF8B8B280F6
PyUnicode_FSConverter.PYTHON311 ref: 00007FF8B8B28119
PyErr_ExceptionMatches.PYTHON311 ref: 00007FF8B8B2812D
PyUnicode_AsASCIIString.PYTHON311 ref: 00007FF8B8B2815C
PyErr_ExceptionMatches.PYTHON311 ref: 00007FF8B8B28174
_Py_Dealloc.PYTHON311 ref: 00007FF8B8B281AC
PyObject_CheckBuffer.PYTHON311 ref: 00007FF8B8B281D6
PyObject_GetBuffer.PYTHON311 ref: 00007FF8B8B281EA
PyBuffer_IsContiguous.PYTHON311 ref: 00007FF8B8B281FE
PyBuffer_Release.PYTHON311 ref: 00007FF8B8B2822A
PyBuffer_Release.PYTHON311 ref: 00007FF8B8B2823F
PyEval_SaveThread.PYTHON311 ref: 00007FF8B8B28266
SSL_CTX_load_verify_locations.LIBSSL-3 ref: 00007FF8B8B28279
PyEval_RestoreThread.PYTHON311 ref: 00007FF8B8B28284
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8B8B2828F
PyErr_SetFromErrno.PYTHON311 ref: 00007FF8B8B282A4
ERR_clear_error.LIBCRYPTO-3 ref: 00007FF8B8B282AA
_Py_Dealloc.PYTHON311(?,?,?,?,?,?,?,00007FF8A8D8BCC8,?,?,00007FF8A8D8BCC8,?,00007FF8A8D8BCC8,00007FF8B8B2802C), ref: 00007FF8B8B282DA
_Py_Dealloc.PYTHON311 ref: 00007FF8B8B282EF

Strings

cafile should be a valid filesystem path, xrefs: 00007FF8B8B28104
cadata should be an ASCII string or a bytes-like object, xrefs: 00007FF8B8B28182
cadata should be a contiguous buffer with a single dimension, xrefs: 00007FF8B8B28245
capath should be a valid filesystem path, xrefs: 00007FF8B8B2813B
cafile, capath and cadata cannot be all omitted, xrefs: 00007FF8B8B280BF

Memory Dump Source

Source File: 00000002.00000002.3267386125.00007FF8B8B21000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF8B8B20000, based on PE: true

Associated: 00000002.00000002.3267342079.00007FF8B8B20000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267454200.00007FF8B8B2D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267519342.00007FF8B8B40000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267586768.00007FF8B8B41000.00000008.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267643901.00007FF8B8B49000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b8b20000_Q3pEXxmWAD.jbxd

Similarity

API ID: Err_$Buffer_DeallocExceptionMatchesUnicode_$BufferConverterEval_Object_ReleaseStringThread_errno$CheckContiguousErrnoFromR_clear_errorRestoreSaveX_load_verify_locations
String ID: cadata should be a contiguous buffer with a single dimension$cadata should be an ASCII string or a bytes-like object$cafile should be a valid filesystem path$cafile, capath and cadata cannot be all omitted$capath should be a valid filesystem path
API String ID: 3554890122-3904065072
Opcode ID: e4b71f0bbde4b4683a129aa3c3d95ea4b1edc63ab98b778c1f4c94719d88b988
Instruction ID: 73253ba4553678e89c40540434011a2163075ccf6e67d6f586276d49c3c5ccc3
Opcode Fuzzy Hash: e4b71f0bbde4b4683a129aa3c3d95ea4b1edc63ab98b778c1f4c94719d88b988
Instruction Fuzzy Hash: FC814A21A08A4685FB549F7EE95427D2BA1BF44BD9F984531CF0E47A94DF3CE44AC308

Function 00007FF8B8B2AC7C Relevance: 47.4, APIs: 16, Strings: 11, Instructions: 143COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FF8B8B2ACC1
SSL_CIPHER_get_name.LIBSSL-3 ref: 00007FF8B8B2ACC9
SSL_CIPHER_get_version.LIBSSL-3 ref: 00007FF8B8B2ACD5
SSL_CIPHER_get_id.LIBSSL-3 ref: 00007FF8B8B2ACE1
SSL_CIPHER_description.LIBSSL-3 ref: 00007FF8B8B2ACFD
SSL_CIPHER_get_bits.LIBSSL-3 ref: 00007FF8B8B2AD45
SSL_CIPHER_is_aead.LIBSSL-3 ref: 00007FF8B8B2AD51
SSL_CIPHER_get_cipher_nid.LIBSSL-3 ref: 00007FF8B8B2AD5D
OBJ_nid2ln.LIBCRYPTO-3 ref: 00007FF8B8B2AD69
SSL_CIPHER_get_digest_nid.LIBSSL-3 ref: 00007FF8B8B2AD7F
OBJ_nid2ln.LIBCRYPTO-3 ref: 00007FF8B8B2AD8B
SSL_CIPHER_get_kx_nid.LIBSSL-3 ref: 00007FF8B8B2AD9B
OBJ_nid2ln.LIBCRYPTO-3 ref: 00007FF8B8B2ADA7
SSL_CIPHER_get_auth_nid.LIBSSL-3 ref: 00007FF8B8B2ADB7
OBJ_nid2ln.LIBCRYPTO-3 ref: 00007FF8B8B2ADC3
_Py_BuildValue_SizeT.PYTHON311 ref: 00007FF8B8B2AEC0

Strings

alg_bits, xrefs: 00007FF8B8B2AE74
protocol, xrefs: 00007FF8B8B2AEAA
strength_bits, xrefs: 00007FF8B8B2AE80
digest, xrefs: 00007FF8B8B2AE26
description, xrefs: 00007FF8B8B2AE9E
aead, xrefs: 00007FF8B8B2AE5D
{sksssssssisisOssssssss}, xrefs: 00007FF8B8B2AE51
symmetric, xrefs: 00007FF8B8B2AE3D
name, xrefs: 00007FF8B8B2ADD7
auth, xrefs: 00007FF8B8B2ADF8
kea, xrefs: 00007FF8B8B2AE0F

Memory Dump Source

Source File: 00000002.00000002.3267386125.00007FF8B8B21000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF8B8B20000, based on PE: true

Associated: 00000002.00000002.3267342079.00007FF8B8B20000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267454200.00007FF8B8B2D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267519342.00007FF8B8B40000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267586768.00007FF8B8B41000.00000008.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267643901.00007FF8B8B49000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b8b20000_Q3pEXxmWAD.jbxd

Similarity

API ID: J_nid2ln$BuildR_descriptionR_get_auth_nidR_get_bitsR_get_cipher_nidR_get_digest_nidR_get_idR_get_kx_nidR_get_nameR_get_versionR_is_aeadSizeValue_memset
String ID: aead$alg_bits$auth$description$digest$kea$name$protocol$strength_bits$symmetric${sksssssssisisOssssssss}
API String ID: 2466739568-4085912083
Opcode ID: e2b56106839455ab27443c62e70ce10964873e32936ab5f7d357bcbb4e1ab241
Instruction ID: cc0f81c07d250c4a14e39523814ecefcb281a74e419e86877dddb5e81fd3f9a0
Opcode Fuzzy Hash: e2b56106839455ab27443c62e70ce10964873e32936ab5f7d357bcbb4e1ab241
Instruction Fuzzy Hash: BA613E35A09B8685EB209F39F8442AD77A4FB887D0F941635DA9E437A4DF3CE44AC704

Function 00007FF8B8B2922C Relevance: 44.0, APIs: 21, Strings: 4, Instructions: 228threadCOMMON

Download Yara Rule

APIs

PyWeakref_GetObject.PYTHON311(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,00007FF8B8B291FA), ref: 00007FF8B8B29265
PyErr_SetString.PYTHON311(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,00007FF8B8B291FA), ref: 00007FF8B8B29292
PyBytes_FromStringAndSize.PYTHON311(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,00007FF8B8B291FA), ref: 00007FF8B8B292DE
_Py_Dealloc.PYTHON311(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,00007FF8B8B291FA), ref: 00007FF8B8B29304
PyErr_SetString.PYTHON311(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,00007FF8B8B291FA), ref: 00007FF8B8B2934A
SSL_get_rbio.LIBSSL-3(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,00007FF8B8B291FA), ref: 00007FF8B8B29372
BIO_ctrl.LIBCRYPTO-3(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,00007FF8B8B291FA), ref: 00007FF8B8B29387
SSL_get_wbio.LIBSSL-3(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,00007FF8B8B291FA), ref: 00007FF8B8B29391
BIO_ctrl.LIBCRYPTO-3(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,00007FF8B8B291FA), ref: 00007FF8B8B293A2
_PyDeadline_Init.PYTHON311 ref: 00007FF8B8B293BE
PyEval_SaveThread.PYTHON311(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,00007FF8B8B291FA), ref: 00007FF8B8B293D1
SSL_read_ex.LIBSSL-3(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,00007FF8B8B291FA), ref: 00007FF8B8B293E9
PyEval_RestoreThread.PYTHON311(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,00007FF8B8B291FA), ref: 00007FF8B8B2941D
PyErr_CheckSignals.PYTHON311(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,00007FF8B8B291FA), ref: 00007FF8B8B29432
_PyDeadline_Get.PYTHON311(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,00007FF8B8B291FA), ref: 00007FF8B8B2944C
_Py_Dealloc.PYTHON311(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,00007FF8B8B291FA), ref: 00007FF8B8B2951B

Part of subcall function 00007FF8B8B261C8: ERR_peek_last_error.LIBCRYPTO-3 ref: 00007FF8B8B261E0
Part of subcall function 00007FF8B8B261C8: ERR_clear_error.LIBCRYPTO-3 ref: 00007FF8B8B26209

SSL_get_shutdown.LIBSSL-3(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,00007FF8B8B291FA), ref: 00007FF8B8B2949D
_Py_Dealloc.PYTHON311(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,00007FF8B8B291FA), ref: 00007FF8B8B294E1
_PyBytes_Resize.PYTHON311(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,00007FF8B8B291FA), ref: 00007FF8B8B294F4
_Py_Dealloc.PYTHON311(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,00007FF8B8B291FA), ref: 00007FF8B8B29541
PyLong_FromSize_t.PYTHON311(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,00007FF8B8B291FA), ref: 00007FF8B8B29550

Strings

maximum length can't fit in a C 'int', xrefs: 00007FF8B8B29340
size should not be negative, xrefs: 00007FF8B8B29288
Underlying socket connection gone, xrefs: 00007FF8B8B292B1
The read operation timed out, xrefs: 00007FF8B8B294C3

Memory Dump Source

Source File: 00000002.00000002.3267386125.00007FF8B8B21000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF8B8B20000, based on PE: true

Associated: 00000002.00000002.3267342079.00007FF8B8B20000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267454200.00007FF8B8B2D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267519342.00007FF8B8B40000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267586768.00007FF8B8B41000.00000008.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267643901.00007FF8B8B49000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b8b20000_Q3pEXxmWAD.jbxd

Similarity

API ID: Dealloc$Err_String$Bytes_Deadline_Eval_FromO_ctrlThread$CheckInitL_get_rbioL_get_shutdownL_get_wbioL_read_exLong_ObjectR_clear_errorR_peek_last_errorResizeRestoreSaveSignalsSizeSize_tWeakref_
String ID: The read operation timed out$Underlying socket connection gone$maximum length can't fit in a C 'int'$size should not be negative
API String ID: 2735577670-665203206
Opcode ID: bbfc66f33c353f3cbd66036fd6e58892e68d209f93e304ae213a7cedccde276c
Instruction ID: b536e1708321523540595d85ab5702545e105e8ee44fc8a3c1e5e9815ecab04e
Opcode Fuzzy Hash: bbfc66f33c353f3cbd66036fd6e58892e68d209f93e304ae213a7cedccde276c
Instruction Fuzzy Hash: 6FA16D32E09A1A85FB649F7AD844A7D6BA0BF49BD4F950135CF1E46A94CF3CE4478308

Function 00007FF8B8B25FD4 Relevance: 42.1, APIs: 23, Strings: 1, Instructions: 133COMMON

Download Yara Rule

APIs

SSL_get_servername.LIBSSL-3 ref: 00007FF8B8B25FFC
PyGILState_Ensure.PYTHON311 ref: 00007FF8B8B26005
PyGILState_Release.PYTHON311 ref: 00007FF8B8B26018
SSL_get_ex_data.LIBSSL-3 ref: 00007FF8B8B2602A
PyWeakref_GetObject.PYTHON311 ref: 00007FF8B8B26045
PyObject_CallFunctionObjArgs.PYTHON311 ref: 00007FF8B8B26071
_Py_Dealloc.PYTHON311 ref: 00007FF8B8B260A2
PyGILState_Release.PYTHON311 ref: 00007FF8B8B260B2
PyUnicode_FromEncodedObject.PYTHON311 ref: 00007FF8B8B260E9
PyErr_WriteUnraisable.PYTHON311 ref: 00007FF8B8B260FA
_Py_Dealloc.PYTHON311 ref: 00007FF8B8B26109
_Py_Dealloc.PYTHON311 ref: 00007FF8B8B2611A
PyObject_CallFunctionObjArgs.PYTHON311 ref: 00007FF8B8B26132
_Py_Dealloc.PYTHON311 ref: 00007FF8B8B26144
_Py_Dealloc.PYTHON311 ref: 00007FF8B8B26153
PyErr_WriteUnraisable.PYTHON311 ref: 00007FF8B8B26162
PyLong_AsLong.PYTHON311 ref: 00007FF8B8B26180
PyErr_Occurred.PYTHON311 ref: 00007FF8B8B26189
PyErr_WriteUnraisable.PYTHON311 ref: 00007FF8B8B26197
_Py_Dealloc.PYTHON311 ref: 00007FF8B8B261B2
PyGILState_Release.PYTHON311 ref: 00007FF8B8B261BB

Strings

ascii, xrefs: 00007FF8B8B260DF

Memory Dump Source

Source File: 00000002.00000002.3267386125.00007FF8B8B21000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF8B8B20000, based on PE: true

Associated: 00000002.00000002.3267342079.00007FF8B8B20000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267454200.00007FF8B8B2D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267519342.00007FF8B8B40000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267586768.00007FF8B8B41000.00000008.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267643901.00007FF8B8B49000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b8b20000_Q3pEXxmWAD.jbxd

Similarity

API ID: Dealloc$Err_State_$ReleaseUnraisableWrite$ArgsCallFunctionObjectObject_$EncodedEnsureFromL_get_ex_dataL_get_servernameLongLong_OccurredUnicode_Weakref_
String ID: ascii
API String ID: 3188396730-3510295289
Opcode ID: 8795be1f2294d8245a4fd3ccf2d918e87ebce44b637d9288a9166bcd00813fa7
Instruction ID: 659868635167a1640b726ca2e2547c0f1a986eec3ef60aa8e6cdb64656655074
Opcode Fuzzy Hash: 8795be1f2294d8245a4fd3ccf2d918e87ebce44b637d9288a9166bcd00813fa7
Instruction Fuzzy Hash: 39510125A09A5686FA149F7AD95813D6BA0BF46FD1F884438CF0E07B54DF3CA44B8308

Function 00007FF8B8B21170 Relevance: 40.4, APIs: 20, Strings: 3, Instructions: 139COMMON

Download Yara Rule

APIs

PyModule_GetState.PYTHON311 ref: 00007FF8B8B2118B
PyDict_New.PYTHON311 ref: 00007FF8B8B21194
PyDict_New.PYTHON311 ref: 00007FF8B8B211A7
PyDict_New.PYTHON311 ref: 00007FF8B8B211BA
PyUnicode_FromString.PYTHON311 ref: 00007FF8B8B211E7
_Py_BuildValue_SizeT.PYTHON311 ref: 00007FF8B8B21206
PyDict_SetItem.PYTHON311 ref: 00007FF8B8B21222
PyDict_SetItem.PYTHON311 ref: 00007FF8B8B2123A
PyLong_FromLong.PYTHON311 ref: 00007FF8B8B21283
PyUnicode_FromString.PYTHON311 ref: 00007FF8B8B2128F
PyDict_SetItem.PYTHON311 ref: 00007FF8B8B212B4
PyModule_AddObjectRef.PYTHON311 ref: 00007FF8B8B212EE
PyModule_AddObjectRef.PYTHON311 ref: 00007FF8B8B21306
PyModule_AddObjectRef.PYTHON311 ref: 00007FF8B8B2131E
_Py_Dealloc.PYTHON311 ref: 00007FF8B8B2353B
_Py_Dealloc.PYTHON311 ref: 00007FF8B8B2354A
_Py_Dealloc.PYTHON311 ref: 00007FF8B8B2355F
_Py_Dealloc.PYTHON311 ref: 00007FF8B8B23572
_Py_Dealloc.PYTHON311 ref: 00007FF8B8B23581

Strings

lib_codes_to_names, xrefs: 00007FF8B8B21314
err_names_to_codes, xrefs: 00007FF8B8B212FC
err_codes_to_names, xrefs: 00007FF8B8B212E4

Memory Dump Source

Source File: 00000002.00000002.3267386125.00007FF8B8B21000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF8B8B20000, based on PE: true

Associated: 00000002.00000002.3267342079.00007FF8B8B20000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267454200.00007FF8B8B2D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267519342.00007FF8B8B40000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267586768.00007FF8B8B41000.00000008.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267643901.00007FF8B8B49000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b8b20000_Q3pEXxmWAD.jbxd

Similarity

API ID: Dict_$Dealloc$Module_$FromItemObject$StringUnicode_$BuildLongLong_SizeStateValue_
String ID: err_codes_to_names$err_names_to_codes$lib_codes_to_names
API String ID: 311900024-3898622116
Opcode ID: c6e60629ece7d000aa113861ff06567cd8a9fb5c02c61e9550bf6cae00e17cd4
Instruction ID: 5b84a5faa8e4a10b4ee01d2a7f0783c39f47132748c21e07f0e12b44bc860466
Opcode Fuzzy Hash: c6e60629ece7d000aa113861ff06567cd8a9fb5c02c61e9550bf6cae00e17cd4
Instruction Fuzzy Hash: 3751E561A4DB0B91FA549F3AA81463C2BA4AF4ABD1F884435CF0D56760EF2CF45B8348

Function 00007FF8B8B24CB0 Relevance: 36.2, APIs: 24, Instructions: 150COMMON

Download Yara Rule

APIs

X509_NAME_entry_count.LIBCRYPTO-3 ref: 00007FF8B8B24CD4
PyList_New.PYTHON311 ref: 00007FF8B8B24CE3
PyList_New.PYTHON311 ref: 00007FF8B8B24CF7
X509_NAME_get_entry.LIBCRYPTO-3 ref: 00007FF8B8B24D19
X509_NAME_ENTRY_set.LIBCRYPTO-3 ref: 00007FF8B8B24D2A
PyList_AsTuple.PYTHON311 ref: 00007FF8B8B24D38
_Py_Dealloc.PYTHON311 ref: 00007FF8B8B24D4A
PyList_Append.PYTHON311 ref: 00007FF8B8B24D5F
_Py_Dealloc.PYTHON311 ref: 00007FF8B8B24D70
PyList_New.PYTHON311 ref: 00007FF8B8B24D80
X509_NAME_ENTRY_set.LIBCRYPTO-3 ref: 00007FF8B8B24D95
X509_NAME_ENTRY_get_object.LIBCRYPTO-3 ref: 00007FF8B8B24DA1
X509_NAME_ENTRY_get_data.LIBCRYPTO-3 ref: 00007FF8B8B24DAD
PyList_Append.PYTHON311 ref: 00007FF8B8B24DD5
_Py_Dealloc.PYTHON311 ref: 00007FF8B8B24DE7
PyList_AsTuple.PYTHON311 ref: 00007FF8B8B24E19
_Py_Dealloc.PYTHON311 ref: 00007FF8B8B24E2B
PyList_Append.PYTHON311 ref: 00007FF8B8B24E3C
_Py_Dealloc.PYTHON311 ref: 00007FF8B8B24E4D
_Py_Dealloc.PYTHON311 ref: 00007FF8B8B24E60
_Py_Dealloc.PYTHON311 ref: 00007FF8B8B24E8B
_Py_Dealloc.PYTHON311 ref: 00007FF8B8B24E9C
PyList_AsTuple.PYTHON311 ref: 00007FF8B8B24EA5
_Py_Dealloc.PYTHON311 ref: 00007FF8B8B24EB7

Memory Dump Source

Source File: 00000002.00000002.3267386125.00007FF8B8B21000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF8B8B20000, based on PE: true

Associated: 00000002.00000002.3267342079.00007FF8B8B20000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267454200.00007FF8B8B2D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267519342.00007FF8B8B40000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267586768.00007FF8B8B41000.00000008.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267643901.00007FF8B8B49000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b8b20000_Q3pEXxmWAD.jbxd

Similarity

API ID: DeallocList_$X509_$AppendTuple$Y_set$E_entry_countE_get_entryY_get_dataY_get_object
String ID:
API String ID: 3918441104-0
Opcode ID: 3f51801bdaaa6c7ce1aa21ada3a2f565099f7a717c4a6f2c9063da612d9c2b03
Instruction ID: ad1a9bea2505784a0e384d5d321f738bb255a7dafe38cba134cb90290078c940
Opcode Fuzzy Hash: 3f51801bdaaa6c7ce1aa21ada3a2f565099f7a717c4a6f2c9063da612d9c2b03
Instruction Fuzzy Hash: C0511361A0DA0641FE5D6F3AA91463D6A91BF45FD5F9C0434CF2E06B54EF3CA49B8308

Function 00007FF8B8B24A44 Relevance: 33.4, APIs: 14, Strings: 5, Instructions: 141COMMON

Download Yara Rule

APIs

PyErr_SetString.PYTHON311 ref: 00007FF8B8B24A84
BIO_new_mem_buf.LIBCRYPTO-3 ref: 00007FF8B8B24AB1
SSL_CTX_get_cert_store.LIBSSL-3 ref: 00007FF8B8B24AE0
d2i_X509_bio.LIBCRYPTO-3 ref: 00007FF8B8B24AF3
SSL_CTX_get_default_passwd_cb_userdata.LIBSSL-3 ref: 00007FF8B8B24AFF
SSL_CTX_get_default_passwd_cb.LIBSSL-3 ref: 00007FF8B8B24B0C
PEM_read_bio_X509.LIBCRYPTO-3 ref: 00007FF8B8B24B1D
X509_STORE_add_cert.LIBCRYPTO-3 ref: 00007FF8B8B24B31
X509_free.LIBCRYPTO-3 ref: 00007FF8B8B24B3C
ERR_peek_last_error.LIBCRYPTO-3 ref: 00007FF8B8B24B46
ERR_clear_error.LIBCRYPTO-3 ref: 00007FF8B8B24B74
ERR_peek_last_error.LIBCRYPTO-3 ref: 00007FF8B8B24B82
ERR_clear_error.LIBCRYPTO-3 ref: 00007FF8B8B24BF0
BIO_free.LIBCRYPTO-3 ref: 00007FF8B8B24C18

Part of subcall function 00007FF8B8B261C8: ERR_peek_last_error.LIBCRYPTO-3 ref: 00007FF8B8B261E0
Part of subcall function 00007FF8B8B261C8: ERR_clear_error.LIBCRYPTO-3 ref: 00007FF8B8B26209

Strings

Certificate data is too long., xrefs: 00007FF8B8B24AA2
no start line: cadata does not contain a certificate, xrefs: 00007FF8B8B24BA1
Can't allocate buffer, xrefs: 00007FF8B8B24AC3
not enough data: cadata does not contain a certificate, xrefs: 00007FF8B8B24B9A
Empty certificate data, xrefs: 00007FF8B8B24A7A

Memory Dump Source

Source File: 00000002.00000002.3267386125.00007FF8B8B21000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF8B8B20000, based on PE: true

Associated: 00000002.00000002.3267342079.00007FF8B8B20000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267454200.00007FF8B8B2D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267519342.00007FF8B8B40000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267586768.00007FF8B8B41000.00000008.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267643901.00007FF8B8B49000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b8b20000_Q3pEXxmWAD.jbxd

Similarity

API ID: R_clear_errorR_peek_last_error$E_add_certErr_M_read_bio_O_freeO_new_mem_bufStringX509X509_X509_bioX509_freeX_get_cert_storeX_get_default_passwd_cbX_get_default_passwd_cb_userdatad2i_
String ID: Can't allocate buffer$Certificate data is too long.$Empty certificate data$no start line: cadata does not contain a certificate$not enough data: cadata does not contain a certificate
API String ID: 3308083359-3246380861
Opcode ID: 8ee09712cb90b3e5a5708cb3cba6a3a3db4649c59bd02f395c1fe461052aa58d
Instruction ID: 2688073858fcb33bbd02497491e5ea9002255214e54343422c2f8491d62973c5
Opcode Fuzzy Hash: 8ee09712cb90b3e5a5708cb3cba6a3a3db4649c59bd02f395c1fe461052aa58d
Instruction Fuzzy Hash: 38517361E0CA0741FB68AF3EA84423D6A91BF457D5FA44535DB2E86A94DF3CE44B8208

Function 00007FF8B8B21E64 Relevance: 31.7, APIs: 21, Instructions: 181COMMON

Download Yara Rule

APIs

PyModule_GetState.PYTHON311 ref: 00007FF8B8B21E7A
_Py_Dealloc.PYTHON311 ref: 00007FF8B8B21FAA
_Py_Dealloc.PYTHON311 ref: 00007FF8B8B21FC3
_Py_Dealloc.PYTHON311 ref: 00007FF8B8B21FDC
_Py_Dealloc.PYTHON311 ref: 00007FF8B8B22048
_Py_Dealloc.PYTHON311 ref: 00007FF8B8B22067
_Py_Dealloc.PYTHON311 ref: 00007FF8B8B2207A
_Py_Dealloc.PYTHON311 ref: 00007FF8B8B236EC

Memory Dump Source

Source File: 00000002.00000002.3267386125.00007FF8B8B21000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF8B8B20000, based on PE: true

Associated: 00000002.00000002.3267342079.00007FF8B8B20000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267454200.00007FF8B8B2D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267519342.00007FF8B8B40000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267586768.00007FF8B8B41000.00000008.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267643901.00007FF8B8B49000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b8b20000_Q3pEXxmWAD.jbxd

Similarity

API ID: Dealloc$Module_State
String ID:
API String ID: 3434497292-0
Opcode ID: f1da567e134593277256ef6c3e95c8f78a145cb8c4559d5b4235226dbf4ce70b
Instruction ID: e2fdcf0ef1c89a88b65352dcf7c12891c54cf168a2b2eab91ea30724e86b214e
Opcode Fuzzy Hash: f1da567e134593277256ef6c3e95c8f78a145cb8c4559d5b4235226dbf4ce70b
Instruction Fuzzy Hash: A7812D32A0EA4685FF599F7C985453C3BA8EF46FD5F988534CB1E06964CF2DA446C308

Function 00007FF8B8B2A630 Relevance: 31.6, APIs: 17, Strings: 1, Instructions: 121COMMON

Download Yara Rule

APIs

X509_get_default_cert_file_env.LIBCRYPTO-3 ref: 00007FF8B8B2A655
PyUnicode_DecodeFSDefault.PYTHON311 ref: 00007FF8B8B2A679
PyBytes_FromString.PYTHON311 ref: 00007FF8B8B2A68A
X509_get_default_cert_file.LIBCRYPTO-3 ref: 00007FF8B8B2A69C
PyUnicode_DecodeFSDefault.PYTHON311 ref: 00007FF8B8B2A6C0
PyBytes_FromString.PYTHON311 ref: 00007FF8B8B2A6D1
X509_get_default_cert_dir_env.LIBCRYPTO-3 ref: 00007FF8B8B2A6E3
PyUnicode_DecodeFSDefault.PYTHON311 ref: 00007FF8B8B2A707
PyBytes_FromString.PYTHON311 ref: 00007FF8B8B2A718
X509_get_default_cert_dir.LIBCRYPTO-3 ref: 00007FF8B8B2A726
PyUnicode_DecodeFSDefault.PYTHON311 ref: 00007FF8B8B2A74A
PyBytes_FromString.PYTHON311 ref: 00007FF8B8B2A75B
_Py_Dealloc.PYTHON311 ref: 00007FF8B8B2A778
_Py_Dealloc.PYTHON311 ref: 00007FF8B8B2A78C
_Py_Dealloc.PYTHON311 ref: 00007FF8B8B2A7A0
_Py_Dealloc.PYTHON311 ref: 00007FF8B8B2A7B4
_Py_BuildValue_SizeT.PYTHON311 ref: 00007FF8B8B2A7D3

Strings

NNNN, xrefs: 00007FF8B8B2A7C9

Memory Dump Source

Source File: 00000002.00000002.3267386125.00007FF8B8B21000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF8B8B20000, based on PE: true

Associated: 00000002.00000002.3267342079.00007FF8B8B20000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267454200.00007FF8B8B2D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267519342.00007FF8B8B40000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267586768.00007FF8B8B41000.00000008.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267643901.00007FF8B8B49000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b8b20000_Q3pEXxmWAD.jbxd

Similarity

API ID: Bytes_DeallocDecodeDefaultFromStringUnicode_$BuildSizeValue_X509_get_default_cert_dirX509_get_default_cert_dir_envX509_get_default_cert_fileX509_get_default_cert_file_env
String ID: NNNN
API String ID: 3186749377-3742719684
Opcode ID: 8356f06c798a757c3ae6a2c784ba46f9e0f81ad03e883303a032361db505d8fd
Instruction ID: 1a21e8e7ae726714ac2e5a778f4ef384019ab3ab1eb5830abb40a01a467871de
Opcode Fuzzy Hash: 8356f06c798a757c3ae6a2c784ba46f9e0f81ad03e883303a032361db505d8fd
Instruction Fuzzy Hash: BB51B929A09B5785FA56AF39A95413C6BA0AF59FD0F8C5431CF0E07764EF3CA44B9308

Function 00007FF8B8B24788 Relevance: 31.6, APIs: 16, Strings: 2, Instructions: 78threadCOMMON

Download Yara Rule

APIs

PyGILState_Ensure.PYTHON311 ref: 00007FF8B8B247A7
SSL_get_ex_data.LIBSSL-3 ref: 00007FF8B8B247B4
PyThread_allocate_lock.PYTHON311 ref: 00007FF8B8B247D6
PyErr_SetString.PYTHON311 ref: 00007FF8B8B247F9
PyErr_Fetch.PYTHON311 ref: 00007FF8B8B2480B
PyEval_SaveThread.PYTHON311 ref: 00007FF8B8B24816
PyThread_acquire_lock.PYTHON311 ref: 00007FF8B8B2482B
BIO_printf.LIBCRYPTO-3 ref: 00007FF8B8B24843
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8B8B2484B
BIO_ctrl.LIBCRYPTO-3 ref: 00007FF8B8B24866
PyThread_release_lock.PYTHON311 ref: 00007FF8B8B24873
PyEval_RestoreThread.PYTHON311 ref: 00007FF8B8B2487C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8B8B24887
PyErr_SetFromErrnoWithFilenameObject.PYTHON311 ref: 00007FF8B8B248A2
PyErr_Fetch.PYTHON311 ref: 00007FF8B8B248B4
PyGILState_Release.PYTHON311 ref: 00007FF8B8B248BC

Strings

Unable to allocate lock, xrefs: 00007FF8B8B247EF
%s, xrefs: 00007FF8B8B24835

Memory Dump Source

Source File: 00000002.00000002.3267386125.00007FF8B8B21000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF8B8B20000, based on PE: true

Associated: 00000002.00000002.3267342079.00007FF8B8B20000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267454200.00007FF8B8B2D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267519342.00007FF8B8B40000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267586768.00007FF8B8B41000.00000008.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267643901.00007FF8B8B49000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b8b20000_Q3pEXxmWAD.jbxd

Similarity

API ID: Err_$Eval_FetchState_Thread_errno$EnsureErrnoFilenameFromL_get_ex_dataO_ctrlO_printfObjectReleaseRestoreSaveStringThread_acquire_lockThread_allocate_lockThread_release_lockWith
String ID: %s$Unable to allocate lock
API String ID: 2873158514-852672932
Opcode ID: 61231d2e0c73577bd5982210dc0ea3a08a0334a548aedaf7350db9a4fc950299
Instruction ID: aefe9658214e78f8f6757497c8b64c492b01d8ab6c6c3e249205a66cf1ba0666
Opcode Fuzzy Hash: 61231d2e0c73577bd5982210dc0ea3a08a0334a548aedaf7350db9a4fc950299
Instruction Fuzzy Hash: 9741DB35A18E4A82EB109F39E85426D7B60FB88BD5F984131CB4E47764DF3CE44AC304

Function 00007FF8BA24CDBC Relevance: 28.3, APIs: 15, Strings: 1, Instructions: 290COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FF8BA24CE4D
DName::operator+.LIBVCRUNTIME ref: 00007FF8BA24CE86
DName::operator+.LIBVCRUNTIME ref: 00007FF8BA24CF5A
DName::operator+.LIBVCRUNTIME ref: 00007FF8BA24CF6B
DName::operator+.LIBVCRUNTIME ref: 00007FF8BA24CFCE
DName::operator+.LIBVCRUNTIME ref: 00007FF8BA24CFDE
DName::operator+.LIBVCRUNTIME ref: 00007FF8BA24D02A
DName::operator+.LIBVCRUNTIME ref: 00007FF8BA24D03C
DName::operator+.LIBVCRUNTIME ref: 00007FF8BA24D1B1

Part of subcall function 00007FF8BA24ED94: Replicator::operator[].LIBVCRUNTIME ref: 00007FF8BA24EDEE

DName::operator+.LIBVCRUNTIME ref: 00007FF8BA24D233
DName::operator+.LIBVCRUNTIME ref: 00007FF8BA24D242

Strings

`anonymous namespace', xrefs: 00007FF8BA24D10E

Memory Dump Source

Source File: 00000002.00000002.3271320577.00007FF8BA241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8BA240000, based on PE: true

Associated: 00000002.00000002.3271278440.00007FF8BA240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3271565433.00007FF8BA253000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3271649077.00007FF8BA258000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3271708065.00007FF8BA259000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8ba240000_Q3pEXxmWAD.jbxd

Similarity

API ID: Name::operator+$Replicator::operator[]
String ID: `anonymous namespace'
API String ID: 3863519203-3062148218
Opcode ID: c2c563be3abc2cd025459880134dd91d33137c93c5547e13454a58e5101b2a40
Instruction ID: c5c9a28b1aa811a121b8ef759972524413877138e49fe5691b3e401863d1190e
Opcode Fuzzy Hash: c2c563be3abc2cd025459880134dd91d33137c93c5547e13454a58e5101b2a40
Instruction Fuzzy Hash: 42E14A72A08B8399EB10CF28E8801AD77A1FB45B84F8051B6EF8D17B59DF78E555E700

Function 00007FF8B8B23BAC Relevance: 28.2, APIs: 7, Strings: 9, Instructions: 160COMMON

Download Yara Rule

APIs

ERR_peek_last_error.LIBCRYPTO-3 ref: 00007FF8B8B23BE1
PyWeakref_GetObject.PYTHON311 ref: 00007FF8B8B23C82
ERR_clear_error.LIBCRYPTO-3 ref: 00007FF8B8B23CAE
PyErr_SetFromWindowsErr.PYTHON311 ref: 00007FF8B8B23CBA
ERR_clear_error.LIBCRYPTO-3 ref: 00007FF8B8B23DEC

Strings

A failure in the SSL library occurred, xrefs: 00007FF8B8B23D6E
EOF occurred in violation of protocol, xrefs: 00007FF8B8B23DBB
The operation did not complete (connect), xrefs: 00007FF8B8B23C4F
Invalid error code, xrefs: 00007FF8B8B23C3E
Some I/O error occurred, xrefs: 00007FF8B8B23CF2
TLS/SSL connection has been closed (EOF), xrefs: 00007FF8B8B23C5F
The operation did not complete (read), xrefs: 00007FF8B8B23D5D
The operation did not complete (X509 lookup), xrefs: 00007FF8B8B23D3B
The operation did not complete (write), xrefs: 00007FF8B8B23D4B

Memory Dump Source

Source File: 00000002.00000002.3267386125.00007FF8B8B21000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF8B8B20000, based on PE: true

Associated: 00000002.00000002.3267342079.00007FF8B8B20000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267454200.00007FF8B8B2D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267519342.00007FF8B8B40000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267586768.00007FF8B8B41000.00000008.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267643901.00007FF8B8B49000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b8b20000_Q3pEXxmWAD.jbxd

Similarity

API ID: R_clear_error$Err_FromObjectR_peek_last_errorWeakref_Windows
String ID: A failure in the SSL library occurred$EOF occurred in violation of protocol$Invalid error code$Some I/O error occurred$TLS/SSL connection has been closed (EOF)$The operation did not complete (X509 lookup)$The operation did not complete (connect)$The operation did not complete (read)$The operation did not complete (write)
API String ID: 2320205569-3413158800
Opcode ID: 03120102754c70c1179e95157d1f2e8f2f3180142823207d431965c5264e08cc
Instruction ID: ce2de9de0b9e84e77feae1c6c9e8a140ccae6ae7942009fd94189b9245f38a2b
Opcode Fuzzy Hash: 03120102754c70c1179e95157d1f2e8f2f3180142823207d431965c5264e08cc
Instruction Fuzzy Hash: FE615127A1894685E7618F39D84467DAB61BB48BD4FAC1A31DB0D137B4CF3DE84B8308

Function 00007FF8B8B243D4 Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 78threadCOMMON

Download Yara Rule

APIs

SSL_CTX_set_keylog_callback.LIBSSL-3 ref: 00007FF8B8B243F4
_Py_Dealloc.PYTHON311 ref: 00007FF8B8B2440E
PyEval_SaveThread.PYTHON311 ref: 00007FF8B8B24422
BIO_free_all.LIBCRYPTO-3 ref: 00007FF8B8B2442E
PyEval_RestoreThread.PYTHON311 ref: 00007FF8B8B24437
_Py_fopen_obj.PYTHON311 ref: 00007FF8B8B24454
BIO_new_fp.LIBCRYPTO-3 ref: 00007FF8B8B2446F
PyErr_SetString.PYTHON311 ref: 00007FF8B8B2448D
PyEval_SaveThread.PYTHON311 ref: 00007FF8B8B2449C
BIO_ctrl.LIBCRYPTO-3 ref: 00007FF8B8B244B4
BIO_puts.LIBCRYPTO-3 ref: 00007FF8B8B244C9
BIO_ctrl.LIBCRYPTO-3 ref: 00007FF8B8B244DD
PyEval_RestoreThread.PYTHON311 ref: 00007FF8B8B244E6
SSL_CTX_set_keylog_callback.LIBSSL-3 ref: 00007FF8B8B244F7

Strings

Can't malloc memory for keylog file, xrefs: 00007FF8B8B24482
# TLS secrets log file, generated by OpenSSL / Python, xrefs: 00007FF8B8B244C2

Memory Dump Source

Source File: 00000002.00000002.3267386125.00007FF8B8B21000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF8B8B20000, based on PE: true

Associated: 00000002.00000002.3267342079.00007FF8B8B20000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267454200.00007FF8B8B2D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267519342.00007FF8B8B40000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267586768.00007FF8B8B41000.00000008.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267643901.00007FF8B8B49000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b8b20000_Q3pEXxmWAD.jbxd

Similarity

API ID: Eval_Thread$O_ctrlRestoreSaveX_set_keylog_callback$DeallocErr_O_free_allO_new_fpO_putsPy_fopen_objString
String ID: # TLS secrets log file, generated by OpenSSL / Python$Can't malloc memory for keylog file
API String ID: 2661017659-2802485923
Opcode ID: 01f7d66f5430effe2a9e48e71a99762d840eb617121cb764a624358be77c7dca
Instruction ID: 1d92249e6ed2d490009a0cbbac515e6d55fac4e816bf133b02f0735f75563901
Opcode Fuzzy Hash: 01f7d66f5430effe2a9e48e71a99762d840eb617121cb764a624358be77c7dca
Instruction Fuzzy Hash: 8D313035A08B0686EB589F39E95467D2B60FF89BD4F985131CB1E07A64DF3CE45A8308

Function 00007FF8B8B254A0 Relevance: 27.1, APIs: 18, Instructions: 103COMMON

Download Yara Rule

APIs

X509_get_ext_d2i.LIBCRYPTO-3(?,00000000,00000000,00007FF8B8B253B7), ref: 00007FF8B8B254C6
OPENSSL_sk_num.LIBCRYPTO-3(?,00000000,00000000,00007FF8B8B253B7), ref: 00007FF8B8B254D7
AUTHORITY_INFO_ACCESS_free.LIBCRYPTO-3(?,00000000,00000000,00007FF8B8B253B7), ref: 00007FF8B8B254E4
PyList_New.PYTHON311(?,00000000,00000000,00007FF8B8B253B7), ref: 00007FF8B8B2550C
OPENSSL_sk_num.LIBCRYPTO-3(?,00000000,00000000,00007FF8B8B253B7), ref: 00007FF8B8B25523
OPENSSL_sk_value.LIBCRYPTO-3(?,00000000,00000000,00007FF8B8B253B7), ref: 00007FF8B8B25532
OBJ_obj2nid.LIBCRYPTO-3(?,00000000,00000000,00007FF8B8B253B7), ref: 00007FF8B8B2553E
PyUnicode_FromStringAndSize.PYTHON311(?,00000000,00000000,00007FF8B8B253B7), ref: 00007FF8B8B2555D
PyList_Append.PYTHON311(?,00000000,00000000,00007FF8B8B253B7), ref: 00007FF8B8B25575
_Py_Dealloc.PYTHON311(?,00000000,00000000,00007FF8B8B253B7), ref: 00007FF8B8B25587
OPENSSL_sk_num.LIBCRYPTO-3(?,00000000,00000000,00007FF8B8B253B7), ref: 00007FF8B8B25597
AUTHORITY_INFO_ACCESS_free.LIBCRYPTO-3(?,00000000,00000000,00007FF8B8B253B7), ref: 00007FF8B8B255A4
PyList_Size.PYTHON311(?,00000000,00000000,00007FF8B8B253B7), ref: 00007FF8B8B255AD
_Py_Dealloc.PYTHON311(?,00000000,00000000,00007FF8B8B253B7), ref: 00007FF8B8B255C5
PyList_AsTuple.PYTHON311(?,00000000,00000000,00007FF8B8B253B7), ref: 00007FF8B8B255D3
_Py_Dealloc.PYTHON311(?,00000000,00000000,00007FF8B8B253B7), ref: 00007FF8B8B255E5
AUTHORITY_INFO_ACCESS_free.LIBCRYPTO-3(?,00000000,00000000,00007FF8B8B253B7), ref: 00007FF8B8B255F6
_Py_Dealloc.PYTHON311(?,00000000,00000000,00007FF8B8B253B7), ref: 00007FF8B8B2560A

Memory Dump Source

Source File: 00000002.00000002.3267386125.00007FF8B8B21000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF8B8B20000, based on PE: true

Associated: 00000002.00000002.3267342079.00007FF8B8B20000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267454200.00007FF8B8B2D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267519342.00007FF8B8B40000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267586768.00007FF8B8B41000.00000008.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267643901.00007FF8B8B49000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b8b20000_Q3pEXxmWAD.jbxd

Similarity

API ID: DeallocList_$L_sk_numS_free$Size$AppendFromJ_obj2nidL_sk_valueStringTupleUnicode_X509_get_ext_d2i
String ID:
API String ID: 230305477-0
Opcode ID: 29fcde23e55329bb86f16b93f2084938bc948afdd21aa33df4e747b0059ff261
Instruction ID: 2e195b3974be32c0589379d915f724ffdc7a63a7c7571c60c47645ebbd287fb7
Opcode Fuzzy Hash: 29fcde23e55329bb86f16b93f2084938bc948afdd21aa33df4e747b0059ff261
Instruction Fuzzy Hash: 1941FB21A09A4785FA949F3EA95463D6BA1AF45FD1F984434CF0E46754EF3CF44B8308

Function 00007FF8B8B2636C Relevance: 26.3, APIs: 11, Strings: 4, Instructions: 73COMMON

Download Yara Rule

APIs

PyType_GetModuleState.PYTHON311 ref: 00007FF8B8B26389
BIO_s_mem.LIBCRYPTO-3 ref: 00007FF8B8B26392
BIO_new.LIBCRYPTO-3 ref: 00007FF8B8B2639B
PyErr_SetString.PYTHON311 ref: 00007FF8B8B263B4
PyErr_SetString.PYTHON311 ref: 00007FF8B8B263E6
BIO_free.LIBCRYPTO-3 ref: 00007FF8B8B263EF
PEM_write_bio_X509_AUX.LIBCRYPTO-3 ref: 00007FF8B8B263FE
i2d_X509_bio.LIBCRYPTO-3 ref: 00007FF8B8B2640D

Part of subcall function 00007FF8B8B246CC: BIO_ctrl.LIBCRYPTO-3 ref: 00007FF8B8B246EE
Part of subcall function 00007FF8B8B246CC: PyUnicode_DecodeUTF8.PYTHON311 ref: 00007FF8B8B24708

BIO_free.LIBCRYPTO-3 ref: 00007FF8B8B2642A

Part of subcall function 00007FF8B8B261C8: ERR_peek_last_error.LIBCRYPTO-3 ref: 00007FF8B8B261E0
Part of subcall function 00007FF8B8B261C8: ERR_clear_error.LIBCRYPTO-3 ref: 00007FF8B8B26209

BIO_free.LIBCRYPTO-3 ref: 00007FF8B8B2646B

Strings

error, xrefs: 00007FF8B8B26459
failed to allocate BIO, xrefs: 00007FF8B8B263AD
i, xrefs: 00007FF8B8B26433
Unsupported format, xrefs: 00007FF8B8B263DC

Memory Dump Source

Source File: 00000002.00000002.3267386125.00007FF8B8B21000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF8B8B20000, based on PE: true

Associated: 00000002.00000002.3267342079.00007FF8B8B20000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267454200.00007FF8B8B2D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267519342.00007FF8B8B40000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267586768.00007FF8B8B41000.00000008.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267643901.00007FF8B8B49000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b8b20000_Q3pEXxmWAD.jbxd

Similarity

API ID: O_free$Err_String$DecodeM_write_bio_ModuleO_ctrlO_newO_s_memR_clear_errorR_peek_last_errorStateType_Unicode_X509_X509_bioi2d_
String ID: Unsupported format$error$failed to allocate BIO$i
API String ID: 629801032-3389475273
Opcode ID: 10f795596972dec6004a6f7c6a7b628bf82453e923b73c936a9f6edfda24e7e6
Instruction ID: 60a8115abf2bace9b81a977851a2880055ed16e75661f340e2be9841f90d52a7
Opcode Fuzzy Hash: 10f795596972dec6004a6f7c6a7b628bf82453e923b73c936a9f6edfda24e7e6
Instruction Fuzzy Hash: 1E312C61A48A4786EA189F3DE85403D6B61FF86BC4FA85135DB5E07B64CF3CE45B8308

Function 00007FF8B8B22388 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 67COMMON

Download Yara Rule

APIs

OpenSSL_version_num.LIBCRYPTO-3 ref: 00007FF8B8B2239A
PyLong_FromUnsignedLong.PYTHON311 ref: 00007FF8B8B223A4
_PyModule_Add.PYTHON311 ref: 00007FF8B8B223B7
_Py_BuildValue_SizeT.PYTHON311 ref: 00007FF8B8B223F5
_PyModule_Add.PYTHON311 ref: 00007FF8B8B22408
OpenSSL_version.LIBCRYPTO-3 ref: 00007FF8B8B22414
PyUnicode_FromString.PYTHON311 ref: 00007FF8B8B2241D
_PyModule_Add.PYTHON311 ref: 00007FF8B8B22430
_Py_BuildValue_SizeT.PYTHON311 ref: 00007FF8B8B22456
_PyModule_Add.PYTHON311 ref: 00007FF8B8B22469

Strings

OPENSSL_VERSION_INFO, xrefs: 00007FF8B8B223FB
OPENSSL_VERSION, xrefs: 00007FF8B8B22423
_OPENSSL_API_VERSION, xrefs: 00007FF8B8B2245C
IIIII, xrefs: 00007FF8B8B223DE, 00007FF8B8B2244F
OPENSSL_VERSION_NUMBER, xrefs: 00007FF8B8B223AA

Memory Dump Source

Source File: 00000002.00000002.3267386125.00007FF8B8B21000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF8B8B20000, based on PE: true

Associated: 00000002.00000002.3267342079.00007FF8B8B20000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267454200.00007FF8B8B2D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267519342.00007FF8B8B40000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267586768.00007FF8B8B41000.00000008.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267643901.00007FF8B8B49000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b8b20000_Q3pEXxmWAD.jbxd

Similarity

API ID: Module_$BuildFromOpenSizeValue_$L_versionL_version_numLongLong_StringUnicode_Unsigned
String ID: IIIII$OPENSSL_VERSION$OPENSSL_VERSION_INFO$OPENSSL_VERSION_NUMBER$_OPENSSL_API_VERSION
API String ID: 1934562181-595941748
Opcode ID: e5135edff734d026e112ece5f23fa964709397683e749bdd5e8e8a98e7c83fa8
Instruction ID: f7e6c952d1f356adb652e56af630f6bbed238e90dc4402f1d866211ca5502385
Opcode Fuzzy Hash: e5135edff734d026e112ece5f23fa964709397683e749bdd5e8e8a98e7c83fa8
Instruction Fuzzy Hash: BE218D61B1875782EB108F7AEC4886D7BA0AF85BD4FC40635CB4E47AA5DF3CE14A8704

Function 00007FF8B8B29E90 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 103COMMON

Download Yara Rule

APIs

a2i_IPADDRESS.LIBCRYPTO-3(?,?,?,?,00000000,00007FF8B8B2B8DB,?,?,?,?,00007FF8A8D8BCC8,?,00000000,00007FF8B8B27095), ref: 00007FF8B8B29ED5
ERR_clear_error.LIBCRYPTO-3(?,?,?,?,00000000,00007FF8B8B2B8DB,?,?,?,?,00007FF8A8D8BCC8,?,00000000,00007FF8B8B27095), ref: 00007FF8B8B29EE3
PyUnicode_Decode.PYTHON311(?,?,?,?,00000000,00007FF8B8B2B8DB,?,?,?,?,00007FF8A8D8BCC8,?,00000000,00007FF8B8B27095), ref: 00007FF8B8B29EFD
SSL_ctrl.LIBSSL-3(?,?,?,?,00000000,00007FF8B8B2B8DB,?,?,?,?,00007FF8A8D8BCC8,?,00000000,00007FF8B8B27095), ref: 00007FF8B8B29F22
SSL_get0_param.LIBSSL-3(?,?,?,?,00000000,00007FF8B8B2B8DB,?,?,?,?,00007FF8A8D8BCC8,?,00000000,00007FF8B8B27095), ref: 00007FF8B8B29F59
X509_VERIFY_PARAM_set1_host.LIBCRYPTO-3(?,?,?,?,00000000,00007FF8B8B2B8DB,?,?,?,?,00007FF8A8D8BCC8,?,00000000,00007FF8B8B27095), ref: 00007FF8B8B29F7A
ASN1_STRING_length.LIBCRYPTO-3(?,?,?,?,00000000,00007FF8B8B2B8DB,?,?,?,?,00007FF8A8D8BCC8,?,00000000,00007FF8B8B27095), ref: 00007FF8B8B29F91
ASN1_STRING_get0_data.LIBCRYPTO-3(?,?,?,?,00000000,00007FF8B8B2B8DB,?,?,?,?,00007FF8A8D8BCC8,?,00000000,00007FF8B8B27095), ref: 00007FF8B8B29F9D
X509_VERIFY_PARAM_set1_ip.LIBCRYPTO-3(?,?,?,?,00000000,00007FF8B8B2B8DB,?,?,?,?,00007FF8A8D8BCC8,?,00000000,00007FF8B8B27095), ref: 00007FF8B8B29FAC
ASN1_OCTET_STRING_free.LIBCRYPTO-3(?,?,?,?,00000000,00007FF8B8B2B8DB,?,?,?,?,00007FF8A8D8BCC8,?,00000000,00007FF8B8B27095), ref: 00007FF8B8B29FDC
PyErr_SetString.PYTHON311(?,?,?,?,00000000,00007FF8B8B2B8DB,?,?,?,?,00007FF8A8D8BCC8,?,00000000,00007FF8B8B27095), ref: 00007FF8B8B29FF5

Strings

server_hostname cannot be an empty string or start with a leading dot., xrefs: 00007FF8B8B29FEB
strict, xrefs: 00007FF8B8B29EE9
ascii, xrefs: 00007FF8B8B29EF3

Memory Dump Source

Source File: 00000002.00000002.3267386125.00007FF8B8B21000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF8B8B20000, based on PE: true

Associated: 00000002.00000002.3267342079.00007FF8B8B20000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267454200.00007FF8B8B2D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267519342.00007FF8B8B40000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267586768.00007FF8B8B41000.00000008.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267643901.00007FF8B8B49000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b8b20000_Q3pEXxmWAD.jbxd

Similarity

API ID: X509_$DecodeErr_G_freeG_get0_dataG_lengthL_ctrlL_get0_paramM_set1_hostM_set1_ipR_clear_errorStringUnicode_a2i_
String ID: ascii$server_hostname cannot be an empty string or start with a leading dot.$strict
API String ID: 2286705765-138613600
Opcode ID: d84ef8a0fa407523388efa142ee414c47e2369c5b5be485f5edd9f9ea5bfbf19
Instruction ID: 4e51a2694c850f35bf3c4e3bdde0e5886913dca675354320000d77bf41692e80
Opcode Fuzzy Hash: d84ef8a0fa407523388efa142ee414c47e2369c5b5be485f5edd9f9ea5bfbf19
Instruction Fuzzy Hash: B9414F21A08A9A81EB648F2AD45463D7B60BB45FD4F984135DB4E47794DF3CF44A8708

Function 00007FF8BA24DC24 Relevance: 23.1, APIs: 7, Strings: 6, Instructions: 359COMMONLIBRARYCODE

Download Yara Rule

APIs

atol.API-MS-WIN-CRT-CONVERT-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,00007FF8BA2490F4), ref: 00007FF8BA24E08A
DName::DName.LIBVCRUNTIME ref: 00007FF8BA24E0C9
swprintf_s.PGOCR ref: 00007FF8BA24E0E9
DName::DName.LIBVCRUNTIME ref: 00007FF8BA24E0F9
DName::operator+.LIBVCRUNTIME ref: 00007FF8BA24E149

Strings

NULL, xrefs: 00007FF8BA24DCF1
`template-type-parameter-, xrefs: 00007FF8BA24E16A
nullptr, xrefs: 00007FF8BA24DE0D
`generic-class-parameter-, xrefs: 00007FF8BA24E15A
lambda, xrefs: 00007FF8BA24DFE8
`generic-method-parameter-, xrefs: 00007FF8BA24E116

Memory Dump Source

Source File: 00000002.00000002.3271320577.00007FF8BA241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8BA240000, based on PE: true

Associated: 00000002.00000002.3271278440.00007FF8BA240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3271565433.00007FF8BA253000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3271649077.00007FF8BA258000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3271708065.00007FF8BA259000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8ba240000_Q3pEXxmWAD.jbxd

Similarity

API ID: NameName::$Name::operator+atolswprintf_s
String ID: NULL$`generic-class-parameter-$`generic-method-parameter-$`template-type-parameter-$lambda$nullptr
API String ID: 2331677841-2441609178
Opcode ID: 04052d8e5626c1f24672c52f4d573e3506f88365006a7f318b5907256fbad706
Instruction ID: 3bffa83c9f78911365f1bdce3df4d2bcb5eda92a190c16cecfc470fa9c183200
Opcode Fuzzy Hash: 04052d8e5626c1f24672c52f4d573e3506f88365006a7f318b5907256fbad706
Instruction Fuzzy Hash: EDF18D32E0C61384FB249B6CD9941FC2BA1BF55FC4F5505B6CF0E2AA95DE3DAA44A340

Function 00007FF615A215C0 Relevance: 22.9, APIs: 1, Strings: 12, Instructions: 137COMMON

Download Yara Rule

Strings

Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF615A2168E
Failed to create symbolic link %s!, xrefs: 00007FF615A215E2
Failed to extract %s: failed to allocate temporary buffer!, xrefs: 00007FF615A216EF
malloc, xrefs: 00007FF615A216F6
fopen, xrefs: 00007FF615A2161E
Failed to extract %s: failed to write data chunk!, xrefs: 00007FF615A21775
Failed to extract %s: failed to open archive file!, xrefs: 00007FF615A2165B
fseek, xrefs: 00007FF615A21695
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF615A21785
fwrite, xrefs: 00007FF615A2177C
Failed to extract %s: failed to open target file!, xrefs: 00007FF615A21617
fread, xrefs: 00007FF615A2178C

Memory Dump Source

Source File: 00000002.00000002.3259986105.00007FF615A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF615A20000, based on PE: true

Associated: 00000002.00000002.3259944406.00007FF615A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260064010.00007FF615A4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260157531.00007FF615A5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260157531.00007FF615A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260262206.00007FF615A66000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff615a20000_Q3pEXxmWAD.jbxd

Similarity

API ID: Message
String ID: Failed to create symbolic link %s!$Failed to extract %s: failed to allocate temporary buffer!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to open target file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$Failed to extract %s: failed to write data chunk!$fopen$fread$fseek$fwrite$malloc
API String ID: 2030045667-1550345328
Opcode ID: 255b8301470d2c09814697fd1abaf8d0a44c74aa93bf6ce883ab7e72569204a6
Instruction ID: 8044ba69abeedbc48344e310307dd9983709b5ff3c1d05428fdda127b8b2418c
Opcode Fuzzy Hash: 255b8301470d2c09814697fd1abaf8d0a44c74aa93bf6ce883ab7e72569204a6
Instruction Fuzzy Hash: 82519E65B88E4792EA109B26E9421B9A3A1BF44FB4F444331ED1C877B6EF3CF9558700

Function 00007FF8B7DE48C4 Relevance: 22.8, APIs: 8, Strings: 5, Instructions: 94COMMON

Download Yara Rule

APIs

_PyUnicode_Ready.PYTHON311 ref: 00007FF8B7DE48F1
PyUnicode_CompareWithASCIIString.PYTHON311 ref: 00007FF8B7DE4923
PyUnicode_Compare.PYTHON311 ref: 00007FF8B7DE4986
_Py_Dealloc.PYTHON311 ref: 00007FF8B7DE4997
PyUnicode_CompareWithASCIIString.PYTHON311 ref: 00007FF8B7DE49AB
PyUnicode_CompareWithASCIIString.PYTHON311 ref: 00007FF8B7DE49CB
PyUnicode_CompareWithASCIIString.PYTHON311 ref: 00007FF8B7DE49E3
PyErr_SetString.PYTHON311 ref: 00007FF8B7DE4A06

Strings

NFKD, xrefs: 00007FF8B7DE49D9
NFD, xrefs: 00007FF8B7DE49C1
NFC, xrefs: 00007FF8B7DE4913
invalid normalization form, xrefs: 00007FF8B7DE49FC
NFKC, xrefs: 00007FF8B7DE49A1

Memory Dump Source

Source File: 00000002.00000002.3266207103.00007FF8B7DE1000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF8B7DE0000, based on PE: true

Associated: 00000002.00000002.3266148560.00007FF8B7DE0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7DE5000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7E42000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7E8E000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7E91000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7E96000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7EF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266902753.00007FF8B7EF3000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266961919.00007FF8B7EF5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b7de0000_Q3pEXxmWAD.jbxd

Similarity

API ID: Unicode_$CompareString$With$DeallocErr_Ready
String ID: NFC$NFD$NFKC$NFKD$invalid normalization form
API String ID: 1067165228-3528878251
Opcode ID: 84b6ee6fd32b1749266b3b3277a0080e416e3c06d1c571da1b6b520214c44c91
Instruction ID: a2152db0b0e4ccf31917a7f4a7372af6ec6d69cc078b9e571ea6dfd9fce93447
Opcode Fuzzy Hash: 84b6ee6fd32b1749266b3b3277a0080e416e3c06d1c571da1b6b520214c44c91
Instruction Fuzzy Hash: 67412B25A0CB4285EE568B19AD5423D63A0BF45BD4F8C0639DF6E876BCDF6CE0049310

Function 00007FF8B8B2692C Relevance: 22.8, APIs: 10, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FF8B8B2695D
_PyArg_CheckPositional.PYTHON311 ref: 00007FF8B8B26978
PyUnicode_AsUTF8AndSize.PYTHON311 ref: 00007FF8B8B269A1
PyBuffer_FillInfo.PYTHON311 ref: 00007FF8B8B269CF
PyObject_GetBuffer.PYTHON311 ref: 00007FF8B8B269F5
PyBuffer_IsContiguous.PYTHON311 ref: 00007FF8B8B26A06
_PyArg_BadArgument.PYTHON311 ref: 00007FF8B8B26A28
PyFloat_AsDouble.PYTHON311 ref: 00007FF8B8B26A30
PyErr_Occurred.PYTHON311 ref: 00007FF8B8B26A45
PyBuffer_Release.PYTHON311 ref: 00007FF8B8B26A6D

Strings

contiguous buffer, xrefs: 00007FF8B8B26A13
argument 1, xrefs: 00007FF8B8B26A1A
RAND_add, xrefs: 00007FF8B8B2696E, 00007FF8B8B26A21

Memory Dump Source

Source File: 00000002.00000002.3267386125.00007FF8B8B21000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF8B8B20000, based on PE: true

Associated: 00000002.00000002.3267342079.00007FF8B8B20000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267454200.00007FF8B8B2D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267519342.00007FF8B8B40000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267586768.00007FF8B8B41000.00000008.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267643901.00007FF8B8B49000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b8b20000_Q3pEXxmWAD.jbxd

Similarity

API ID: Buffer_$Arg_$ArgumentBufferCheckContiguousDoubleErr_FillFloat_InfoObject_OccurredPositionalReleaseSizeUnicode_memset
String ID: RAND_add$argument 1$contiguous buffer
API String ID: 2392993315-868614225
Opcode ID: 1b9e2eecc4020f2fc2e0eb2b79d1017b2ffb9fab5bf3a18d0856b06a322a387f
Instruction ID: 561f39b0eae13b51e454463ff9831a8be9c516651038f0895c4966003b1184ff
Opcode Fuzzy Hash: 1b9e2eecc4020f2fc2e0eb2b79d1017b2ffb9fab5bf3a18d0856b06a322a387f
Instruction Fuzzy Hash: B9418E22A18A8A81EB509F39D4553BE67A0FF56BC4F949035DB4E03664DF3CE94BC704

Function 00007FF8B8B23A9C Relevance: 22.8, APIs: 11, Strings: 2, Instructions: 72COMMON

Download Yara Rule

APIs

PyErr_SetString.PYTHON311 ref: 00007FF8B8B23ACE
PyBytes_FromStringAndSize.PYTHON311 ref: 00007FF8B8B23ADE
RAND_bytes.LIBCRYPTO-3 ref: 00007FF8B8B23AF6
_Py_BuildValue_SizeT.PYTHON311 ref: 00007FF8B8B23B23

Strings

(ks), xrefs: 00007FF8B8B23B56
num must be positive, xrefs: 00007FF8B8B23AC4

Memory Dump Source

Source File: 00000002.00000002.3267386125.00007FF8B8B21000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF8B8B20000, based on PE: true

Associated: 00000002.00000002.3267342079.00007FF8B8B20000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267454200.00007FF8B8B2D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267519342.00007FF8B8B40000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267586768.00007FF8B8B41000.00000008.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267643901.00007FF8B8B49000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b8b20000_Q3pEXxmWAD.jbxd

Similarity

API ID: SizeString$BuildBytes_D_bytesErr_FromValue_
String ID: (ks)$num must be positive
API String ID: 413208185-3708576348
Opcode ID: 5413d4b00cf62b1f91e158371b34f37916e9ebd3c6ab2f0718aebc8591ef1ccf
Instruction ID: 4a78921891e1ed9840e24353ced2d0006004d89bddb7e12ed607b9a0abe4a01c
Opcode Fuzzy Hash: 5413d4b00cf62b1f91e158371b34f37916e9ebd3c6ab2f0718aebc8591ef1ccf
Instruction Fuzzy Hash: E6312F62E0CE4685EB549F7DE85817DABA0AF49BD0F984435CB0E47764DF2CE44A8708

Function 00007FF8B8B29D9C Relevance: 22.8, APIs: 10, Strings: 3, Instructions: 64COMMON

Download Yara Rule

APIs

PyModule_GetState.PYTHON311(?,?,?,00007FF8B8B29D89), ref: 00007FF8B8B29DBB
BIO_s_file.LIBCRYPTO-3(?,?,?,00007FF8B8B29D89), ref: 00007FF8B8B29DC4
BIO_new.LIBCRYPTO-3(?,?,?,00007FF8B8B29D89), ref: 00007FF8B8B29DCD
PyErr_SetString.PYTHON311(?,?,?,00007FF8B8B29D89), ref: 00007FF8B8B29DE6
PyBytes_AsString.PYTHON311(?,?,?,00007FF8B8B29D89), ref: 00007FF8B8B29DF1
BIO_ctrl.LIBCRYPTO-3(?,?,?,00007FF8B8B29D89), ref: 00007FF8B8B29E06
PEM_read_bio_X509.LIBCRYPTO-3(?,?,?,00007FF8B8B29D89), ref: 00007FF8B8B29E24
X509_free.LIBCRYPTO-3(?,?,?,00007FF8B8B29D89), ref: 00007FF8B8B29E4C
_Py_Dealloc.PYTHON311(?,?,?,00007FF8B8B29D89), ref: 00007FF8B8B29E5B
BIO_free.LIBCRYPTO-3(?,?,?,00007FF8B8B29D89), ref: 00007FF8B8B29E69

Strings

Error decoding PEM-encoded file, xrefs: 00007FF8B8B29E32
Can't malloc memory to read file, xrefs: 00007FF8B8B29DDB
Can't open file, xrefs: 00007FF8B8B29E10

Memory Dump Source

Source File: 00000002.00000002.3267386125.00007FF8B8B21000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF8B8B20000, based on PE: true

Associated: 00000002.00000002.3267342079.00007FF8B8B20000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267454200.00007FF8B8B2D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267519342.00007FF8B8B40000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267586768.00007FF8B8B41000.00000008.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267643901.00007FF8B8B49000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b8b20000_Q3pEXxmWAD.jbxd

Similarity

API ID: String$Bytes_DeallocErr_M_read_bio_Module_O_ctrlO_freeO_newO_s_fileStateX509X509_free
String ID: Can't malloc memory to read file$Can't open file$Error decoding PEM-encoded file
API String ID: 2561677103-2145957498
Opcode ID: 52107ff9255e82979f43b8cebe6df2cb6512fb21aaf01be6787176c6d9fadd33
Instruction ID: a77920eebef33f48abcea8c0c0b37c5598acbaa8601f8d97643efa05139e62fd
Opcode Fuzzy Hash: 52107ff9255e82979f43b8cebe6df2cb6512fb21aaf01be6787176c6d9fadd33
Instruction Fuzzy Hash: 9921EA21A09A5685FA149F3AE85457D6B61AF45FC0F985130DF4E07B54DF3CE45A8308

Function 00007FF8B8B272EC Relevance: 22.8, APIs: 9, Strings: 4, Instructions: 63COMMON

Download Yara Rule

APIs

SSL_CTX_get_cert_store.LIBSSL-3 ref: 00007FF8B8B27316
X509_STORE_get0_objects.LIBCRYPTO-3 ref: 00007FF8B8B2731F
OPENSSL_sk_num.LIBCRYPTO-3 ref: 00007FF8B8B2732D
OPENSSL_sk_value.LIBCRYPTO-3 ref: 00007FF8B8B2733C
X509_OBJECT_get_type.LIBCRYPTO-3 ref: 00007FF8B8B27348
X509_OBJECT_get0_X509.LIBCRYPTO-3 ref: 00007FF8B8B27361
X509_check_ca.LIBCRYPTO-3 ref: 00007FF8B8B2736A
OPENSSL_sk_num.LIBCRYPTO-3 ref: 00007FF8B8B2737B
_Py_BuildValue_SizeT.PYTHON311 ref: 00007FF8B8B273B1

Strings

x509, xrefs: 00007FF8B8B273A3
x509_ca, xrefs: 00007FF8B8B27385
{sisisi}, xrefs: 00007FF8B8B273AA
crl, xrefs: 00007FF8B8B27395

Memory Dump Source

Source File: 00000002.00000002.3267386125.00007FF8B8B21000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF8B8B20000, based on PE: true

Associated: 00000002.00000002.3267342079.00007FF8B8B20000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267454200.00007FF8B8B2D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267519342.00007FF8B8B40000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267586768.00007FF8B8B41000.00000008.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267643901.00007FF8B8B49000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b8b20000_Q3pEXxmWAD.jbxd

Similarity

API ID: X509_$L_sk_num$BuildE_get0_objectsL_sk_valueSizeT_get0_T_get_typeValue_X509X509_check_caX_get_cert_store
String ID: crl$x509$x509_ca${sisisi}
API String ID: 3289807285-1814362494
Opcode ID: 404e7197c22f9077ed36b148ac0e437149edac24c068f9a4f9e8e3821c03d761
Instruction ID: e2534cda26f9b1f99fe586ee81b46138b028f2d47b7f2e14019dd6469625f30d
Opcode Fuzzy Hash: 404e7197c22f9077ed36b148ac0e437149edac24c068f9a4f9e8e3821c03d761
Instruction Fuzzy Hash: 16211A21A48B46C6EA109F7EA85407D6AA0FF88BC0F948535DE5E43324DF3CE55B874C

Function 00007FF8B8B25618 Relevance: 21.1, APIs: 14, Instructions: 97COMMON

Download Yara Rule

APIs

X509_get_ext_d2i.LIBCRYPTO-3(?,?,00000000,00007FF8B8B2544E), ref: 00007FF8B8B2563F
PyList_New.PYTHON311(?,?,00000000,00007FF8B8B2544E), ref: 00007FF8B8B2565B
OPENSSL_sk_num.LIBCRYPTO-3(?,?,00000000,00007FF8B8B2544E), ref: 00007FF8B8B25672
OPENSSL_sk_value.LIBCRYPTO-3(?,?,00000000,00007FF8B8B2544E), ref: 00007FF8B8B25685
OPENSSL_sk_num.LIBCRYPTO-3(?,?,00000000,00007FF8B8B2544E), ref: 00007FF8B8B2569D
OPENSSL_sk_value.LIBCRYPTO-3(?,?,00000000,00007FF8B8B2544E), ref: 00007FF8B8B256AD
PyUnicode_FromStringAndSize.PYTHON311(?,?,00000000,00007FF8B8B2544E), ref: 00007FF8B8B256C3
PyList_Append.PYTHON311(?,?,00000000,00007FF8B8B2544E), ref: 00007FF8B8B256D7
_Py_Dealloc.PYTHON311(?,?,00000000,00007FF8B8B2544E), ref: 00007FF8B8B256E9
OPENSSL_sk_num.LIBCRYPTO-3(?,?,00000000,00007FF8B8B2544E), ref: 00007FF8B8B256FA
OPENSSL_sk_num.LIBCRYPTO-3(?,?,00000000,00007FF8B8B2544E), ref: 00007FF8B8B2570A
PyList_AsTuple.PYTHON311(?,?,00000000,00007FF8B8B2544E), ref: 00007FF8B8B25721
_Py_Dealloc.PYTHON311(?,?,00000000,00007FF8B8B2544E), ref: 00007FF8B8B2573C
CRL_DIST_POINTS_free.LIBCRYPTO-3(?,?,00000000,00007FF8B8B2544E), ref: 00007FF8B8B25745

Memory Dump Source

Source File: 00000002.00000002.3267386125.00007FF8B8B21000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF8B8B20000, based on PE: true

Associated: 00000002.00000002.3267342079.00007FF8B8B20000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267454200.00007FF8B8B2D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267519342.00007FF8B8B40000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267586768.00007FF8B8B41000.00000008.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267643901.00007FF8B8B49000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b8b20000_Q3pEXxmWAD.jbxd

Similarity

API ID: L_sk_num$List_$DeallocL_sk_value$AppendFromS_freeSizeStringTupleUnicode_X509_get_ext_d2i
String ID:
API String ID: 3668485020-0
Opcode ID: b71e57b5ad67c96256b7acb5803adcfac9a686cfff3ca5a2e366171d0d2f525f
Instruction ID: 8a7536ed0b1d589655ca2cb5230470a635575e5a10589c8c350b82112fbd852a
Opcode Fuzzy Hash: b71e57b5ad67c96256b7acb5803adcfac9a686cfff3ca5a2e366171d0d2f525f
Instruction Fuzzy Hash: F2312A25A09A4A85EA559F3AA85493D6BA0BF84FD5F984434DF0E47760DF3CE44BC308

Function 00007FF8B7DE24D0 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 73COMMON

Download Yara Rule

APIs

PyModule_AddStringConstant.PYTHON311 ref: 00007FF8B7DE24F0
PyType_FromSpec.PYTHON311 ref: 00007FF8B7DE2505
PyModule_AddType.PYTHON311 ref: 00007FF8B7DE251D
_Py_Dealloc.PYTHON311 ref: 00007FF8B7DE3EBB

Part of subcall function 00007FF8B7DE25B0: _PyObject_GC_New.PYTHON311(?,?,00000000,00007FF8B7DE2533), ref: 00007FF8B7DE25B6
Part of subcall function 00007FF8B7DE25B0: PyObject_GC_Track.PYTHON311(?,?,00000000,00007FF8B7DE2533), ref: 00007FF8B7DE25E8

PyModule_AddObject.PYTHON311 ref: 00007FF8B7DE2552
PyModule_AddObjectRef.PYTHON311 ref: 00007FF8B7DE257A
_Py_Dealloc.PYTHON311 ref: 00007FF8B7DE3ECA
_Py_Dealloc.PYTHON311 ref: 00007FF8B7DE3EE8

Part of subcall function 00007FF8B7DE2620: PyMem_Malloc.PYTHON311(?,?,00000000,00007FF8B7DE2565), ref: 00007FF8B7DE262B
Part of subcall function 00007FF8B7DE2620: PyCapsule_New.PYTHON311(?,?,00000000,00007FF8B7DE2565), ref: 00007FF8B7DE2668

Strings

unidata_version, xrefs: 00007FF8B7DE24E9
ucd_3_2_0, xrefs: 00007FF8B7DE2548
_ucnhash_CAPI, xrefs: 00007FF8B7DE2570
14.0.0, xrefs: 00007FF8B7DE24DF

Memory Dump Source

Source File: 00000002.00000002.3266207103.00007FF8B7DE1000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF8B7DE0000, based on PE: true

Associated: 00000002.00000002.3266148560.00007FF8B7DE0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7DE5000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7E42000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7E8E000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7E91000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7E96000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7EF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266902753.00007FF8B7EF3000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266961919.00007FF8B7EF5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b7de0000_Q3pEXxmWAD.jbxd

Similarity

API ID: Module_$Dealloc$ObjectObject_$Capsule_ConstantFromMallocMem_SpecStringTrackTypeType_
String ID: 14.0.0$_ucnhash_CAPI$ucd_3_2_0$unidata_version
API String ID: 288921926-1430584071
Opcode ID: 093a6e99f6c7ac6b9da6a92ec34a7c46fe80505c17f2a94d6c5583e06f8421e3
Instruction ID: 19412c92ef86898f99d3e8092dff9825ba1b20f8d77848ba09436d68f10abbcd
Opcode Fuzzy Hash: 093a6e99f6c7ac6b9da6a92ec34a7c46fe80505c17f2a94d6c5583e06f8421e3
Instruction Fuzzy Hash: D621F561E1DF4381FE169B2AAD1017D22A4AF8DBD0B4C5334CB2E4A6BCDE2CF5018310

Function 00007FF8B8B2A8D8 Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 60COMMON

Download Yara Rule

APIs

i2d_SSL_SESSION.LIBSSL-3(?,?,?,00007FF8B8B23FA5), ref: 00007FF8B8B2A8FD
PyMem_Malloc.PYTHON311(?,?,?,00007FF8B8B23FA5), ref: 00007FF8B8B2A91D
PyErr_NoMemory.PYTHON311(?,?,?,00007FF8B8B23FA5), ref: 00007FF8B8B2A92B
PyErr_SetString.PYTHON311(?,?,?,00007FF8B8B23FA5), ref: 00007FF8B8B2A9B4

Strings

i2d() failed, xrefs: 00007FF8B8B2A94D, 00007FF8B8B2A9A3
d2i() failed, xrefs: 00007FF8B8B2A973
Invalid session, xrefs: 00007FF8B8B2A8EF

Memory Dump Source

Source File: 00000002.00000002.3267386125.00007FF8B8B21000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF8B8B20000, based on PE: true

Associated: 00000002.00000002.3267342079.00007FF8B8B20000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267454200.00007FF8B8B2D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267519342.00007FF8B8B40000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267586768.00007FF8B8B41000.00000008.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267643901.00007FF8B8B49000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b8b20000_Q3pEXxmWAD.jbxd

Similarity

API ID: Err_$MallocMem_MemoryStringi2d_
String ID: Invalid session$d2i() failed$i2d() failed
API String ID: 982646903-2456513230
Opcode ID: a52d5c8c10833e6d11a4b322a8e2a53254da9a2d396a4afef34a8e83ca8ddf6d
Instruction ID: 3c8c6577c4340457aebecad75627b1e3abdeb0312751ae9fe9f72ab9a50c531b
Opcode Fuzzy Hash: a52d5c8c10833e6d11a4b322a8e2a53254da9a2d396a4afef34a8e83ca8ddf6d
Instruction Fuzzy Hash: 0D211020A0DB0681EB549F3EE85413D2BA1BF89BD0FD96435DB4E46A59DF3CE44B8308

Function 00007FF8BA24B280 Relevance: 19.9, APIs: 13, Instructions: 361COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FF8BA24B2D1
DName::operator+.LIBVCRUNTIME ref: 00007FF8BA24B39A
DName::operator+.LIBVCRUNTIME ref: 00007FF8BA24B3E3
DName::operator+.LIBVCRUNTIME ref: 00007FF8BA24B3F4

Memory Dump Source

Source File: 00000002.00000002.3271320577.00007FF8BA241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8BA240000, based on PE: true

Associated: 00000002.00000002.3271278440.00007FF8BA240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3271565433.00007FF8BA253000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3271649077.00007FF8BA258000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3271708065.00007FF8BA259000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8ba240000_Q3pEXxmWAD.jbxd

Similarity

API ID: Name::operator+
String ID:
API String ID: 2943138195-0
Opcode ID: 9a3856515ab70ac0cbef49cb78169d28014df4ca819d0bec0dbbb0bc7461e156
Instruction ID: e4d68d96e8ab085582df12d27f60b4cd173005ffa3b5da80338e12494fd96c2f
Opcode Fuzzy Hash: 9a3856515ab70ac0cbef49cb78169d28014df4ca819d0bec0dbbb0bc7461e156
Instruction Fuzzy Hash: 1AF13A7AE08A829DE710DF68D4901FC37B1AB04B8CB4444B6EF4D57A99DE38E559E340

Function 00007FF8B8B27484 Relevance: 19.6, APIs: 13, Instructions: 86COMMON

Download Yara Rule

APIs

PyList_New.PYTHON311 ref: 00007FF8B8B274A4
SSL_CTX_get_cert_store.LIBSSL-3 ref: 00007FF8B8B274BD
X509_STORE_get0_objects.LIBCRYPTO-3 ref: 00007FF8B8B274C6
OPENSSL_sk_num.LIBCRYPTO-3 ref: 00007FF8B8B274D4
OPENSSL_sk_value.LIBCRYPTO-3 ref: 00007FF8B8B274E7
X509_OBJECT_get_type.LIBCRYPTO-3 ref: 00007FF8B8B274F3
X509_OBJECT_get0_X509.LIBCRYPTO-3 ref: 00007FF8B8B27501
X509_check_ca.LIBCRYPTO-3 ref: 00007FF8B8B2750D
PyList_Append.PYTHON311 ref: 00007FF8B8B2753D
_Py_Dealloc.PYTHON311 ref: 00007FF8B8B2755A
OPENSSL_sk_num.LIBCRYPTO-3 ref: 00007FF8B8B27565
_Py_Dealloc.PYTHON311 ref: 00007FF8B8B27597
_Py_Dealloc.PYTHON311 ref: 00007FF8B8B275AA

Memory Dump Source

Source File: 00000002.00000002.3267386125.00007FF8B8B21000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF8B8B20000, based on PE: true

Associated: 00000002.00000002.3267342079.00007FF8B8B20000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267454200.00007FF8B8B2D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267519342.00007FF8B8B40000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267586768.00007FF8B8B41000.00000008.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267643901.00007FF8B8B49000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b8b20000_Q3pEXxmWAD.jbxd

Similarity

API ID: DeallocX509_$L_sk_numList_$AppendE_get0_objectsL_sk_valueT_get0_T_get_typeX509X509_check_caX_get_cert_store
String ID:
API String ID: 2012148854-0
Opcode ID: f57d79bb14f8e671029073d346d9bfae40111dd56b8c4aa204131e60685af141
Instruction ID: 7c30a5a96d9599709ebc2abf4992242469d2e5f359ae9680e59dc950049b8cc2
Opcode Fuzzy Hash: f57d79bb14f8e671029073d346d9bfae40111dd56b8c4aa204131e60685af141
Instruction Fuzzy Hash: 98315621A09A0785EA549F3EA90413D6AA0EF89FD0F980834DF1E47794EF3CF44A870C

Function 00007FF8B8B2B9EC Relevance: 19.6, APIs: 13, Instructions: 84encryptionCOMMON

Download Yara Rule

APIs

CertGetEnhancedKeyUsage.CRYPT32 ref: 00007FF8B8B2BA0B
GetLastError.KERNEL32(?,00007FF8B8B2A1A4), ref: 00007FF8B8B2BA15
PyErr_SetFromWindowsErr.PYTHON311(?,00007FF8B8B2A1A4), ref: 00007FF8B8B2BA33
PyMem_Malloc.PYTHON311(?,00007FF8B8B2A1A4), ref: 00007FF8B8B2BA42
PyErr_NoMemory.PYTHON311(?,00007FF8B8B2A1A4), ref: 00007FF8B8B2BA50

Memory Dump Source

Source File: 00000002.00000002.3267386125.00007FF8B8B21000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF8B8B20000, based on PE: true

Associated: 00000002.00000002.3267342079.00007FF8B8B20000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267454200.00007FF8B8B2D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267519342.00007FF8B8B40000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267586768.00007FF8B8B41000.00000008.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267643901.00007FF8B8B49000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b8b20000_Q3pEXxmWAD.jbxd

Similarity

API ID: Err_$CertEnhancedErrorFromLastMallocMem_MemoryUsageWindows
String ID:
API String ID: 2062549779-0
Opcode ID: 0b91f4c22a7cffdb9fa4e0110e972a0f24063810307807cd17735cf55b87cf8e
Instruction ID: 5b2c65676b56d48047f16e58fba7a4cdb3fab539300c01dbc7733f13af5c93e3
Opcode Fuzzy Hash: 0b91f4c22a7cffdb9fa4e0110e972a0f24063810307807cd17735cf55b87cf8e
Instruction Fuzzy Hash: F6314021A0DA46C6FA559F7E985457D7BA0BF46BD0F984078DB0E027A0DF3CE44B8308

Function 00007FF8B7DE1090 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

PyUnicode_CompareWithASCIIString.PYTHON311 ref: 00007FF8B7DE10BD
PyUnicode_CompareWithASCIIString.PYTHON311 ref: 00007FF8B7DE10D5
PyType_IsSubtype.PYTHON311 ref: 00007FF8B7DE10FD

Part of subcall function 00007FF8B7DE11D0: PyMem_Malloc.PYTHON311 ref: 00007FF8B7DE1252
Part of subcall function 00007FF8B7DE11D0: PyMem_Free.PYTHON311 ref: 00007FF8B7DE136E

PyUnicode_CompareWithASCIIString.PYTHON311 ref: 00007FF8B7DE366E

Strings

NFKD, xrefs: 00007FF8B7DE36A6
NFD, xrefs: 00007FF8B7DE3664
NFC, xrefs: 00007FF8B7DE10B3
invalid normalization form, xrefs: 00007FF8B7DE36F6
NFKC, xrefs: 00007FF8B7DE10CB

Memory Dump Source

Source File: 00000002.00000002.3266207103.00007FF8B7DE1000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF8B7DE0000, based on PE: true

Associated: 00000002.00000002.3266148560.00007FF8B7DE0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7DE5000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7E42000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7E8E000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7E91000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7E96000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7EF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266902753.00007FF8B7EF3000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266961919.00007FF8B7EF5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b7de0000_Q3pEXxmWAD.jbxd

Similarity

API ID: CompareStringUnicode_With$Mem_$FreeMallocSubtypeType_
String ID: NFC$NFD$NFKC$NFKD$invalid normalization form
API String ID: 1723213316-3528878251
Opcode ID: 810bdfc32914a6b9f3e7d28e4da211caf2deacae3ab60a26b15fea2458299ecb
Instruction ID: b97b82abc4af6a9fab3a5ed6725859ff1bb1e03bb92ee73a9dd49184430057bc
Opcode Fuzzy Hash: 810bdfc32914a6b9f3e7d28e4da211caf2deacae3ab60a26b15fea2458299ecb
Instruction Fuzzy Hash: B2519F61B0C75381FE668B2AA81467D6394AF42BC4F4C5235DF6E47BADCE6EE4018720

Function 00007FF8B8B2BBC0 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 94COMMON

Download Yara Rule

APIs

_PyArg_Parse_SizeT.PYTHON311 ref: 00007FF8B8B2BBEE
PyErr_SetString.PYTHON311 ref: 00007FF8B8B2BC1F
PyErr_Format.PYTHON311 ref: 00007FF8B8B2BC8A
PyErr_WarnEx.PYTHON311 ref: 00007FF8B8B2BCB8
SSL_CTX_ctrl.LIBSSL-3 ref: 00007FF8B8B2BD1B

Strings

ssl.TLSVersion.SSLv3 is deprecated, xrefs: 00007FF8B8B2BCA4
ssl.TLSVersion.TLSv1 is deprecated, xrefs: 00007FF8B8B2BC9B
Unsupported protocol version 0x%x, xrefs: 00007FF8B8B2BD2A
ssl.TLSVersion.TLSv1_1 is deprecated, xrefs: 00007FF8B8B2BC92
Unsupported TLS/SSL version 0x%x, xrefs: 00007FF8B8B2BC79
The context's protocol doesn't support modification of highest and lowest version., xrefs: 00007FF8B8B2BC15

Memory Dump Source

Source File: 00000002.00000002.3267386125.00007FF8B8B21000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF8B8B20000, based on PE: true

Associated: 00000002.00000002.3267342079.00007FF8B8B20000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267454200.00007FF8B8B2D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267519342.00007FF8B8B40000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267586768.00007FF8B8B41000.00000008.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267643901.00007FF8B8B49000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b8b20000_Q3pEXxmWAD.jbxd

Similarity

API ID: Err_$Arg_FormatParse_SizeStringWarnX_ctrl
String ID: The context's protocol doesn't support modification of highest and lowest version.$Unsupported TLS/SSL version 0x%x$Unsupported protocol version 0x%x$ssl.TLSVersion.SSLv3 is deprecated$ssl.TLSVersion.TLSv1 is deprecated$ssl.TLSVersion.TLSv1_1 is deprecated
API String ID: 1675272777-3879554506
Opcode ID: 03ffc9000f624844aef7fc2d1d66e61de32b0c60db77b69c1caa9f973f8f666f
Instruction ID: c04703abe0c1ce98e842b3ace4668853b02097e224fcd1634928b76eac4498ac
Opcode Fuzzy Hash: 03ffc9000f624844aef7fc2d1d66e61de32b0c60db77b69c1caa9f973f8f666f
Instruction Fuzzy Hash: 9C416F21B1C912C5FA704F3DD85467D2A60AF817E0FE45639CB1D42AE4CF6DE98B8B09

Function 00007FF8B8B25E08 Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 90COMMON

Download Yara Rule

APIs

PyUnicode_AsUTF8String.PYTHON311(?,?,?,00007FF8B8B25D7C), ref: 00007FF8B8B25E3F
PyErr_Format.PYTHON311(?,?,?,00007FF8B8B25D7C), ref: 00007FF8B8B25EB4
PyMem_Free.PYTHON311(?,?,?,00007FF8B8B25D7C), ref: 00007FF8B8B25EC0
PyMem_Malloc.PYTHON311(?,?,?,00007FF8B8B25D7C), ref: 00007FF8B8B25EC9
PyErr_SetString.PYTHON311(?,?,?,00007FF8B8B25D7C), ref: 00007FF8B8B25EE9
_Py_Dealloc.PYTHON311(?,?,?,00007FF8B8B25D7C), ref: 00007FF8B8B25EFD
memcpy.VCRUNTIME140(?,?,?,00007FF8B8B25D7C), ref: 00007FF8B8B25F0E
_Py_Dealloc.PYTHON311(?,?,?,00007FF8B8B25D7C), ref: 00007FF8B8B25F25
PyErr_SetString.PYTHON311(?,?,?,00007FF8B8B25D7C), ref: 00007FF8B8B25F3F

Strings

unable to allocate password buffer, xrefs: 00007FF8B8B25EDF
password cannot be longer than %d bytes, xrefs: 00007FF8B8B25EAA

Memory Dump Source

Source File: 00000002.00000002.3267386125.00007FF8B8B21000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF8B8B20000, based on PE: true

Associated: 00000002.00000002.3267342079.00007FF8B8B20000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267454200.00007FF8B8B2D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267519342.00007FF8B8B40000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267586768.00007FF8B8B41000.00000008.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267643901.00007FF8B8B49000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b8b20000_Q3pEXxmWAD.jbxd

Similarity

API ID: Err_String$DeallocMem_$FormatFreeMallocUnicode_memcpy
String ID: password cannot be longer than %d bytes$unable to allocate password buffer
API String ID: 1570515377-2395793021
Opcode ID: 7a039f6debe8f3d6dd0c9d685eaea68fe0459fb8b2a8274287c728e286edeecf
Instruction ID: 5d86f447e78254cc2ac851f578f3bf0cd005e5e0f381863eb5137e5864609daf
Opcode Fuzzy Hash: 7a039f6debe8f3d6dd0c9d685eaea68fe0459fb8b2a8274287c728e286edeecf
Instruction Fuzzy Hash: 5E411D32A08A5685EA649F3AE44497C6BA4BF89FD0F984171DF5E47B54CF3CE4478308

Function 00007FF8B8B2648C Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 70COMMON

Download Yara Rule

APIs

PyType_GetModuleByDef.PYTHON311 ref: 00007FF8B8B264B7
PyModule_GetState.PYTHON311 ref: 00007FF8B8B264C0
PyType_GetModuleByDef.PYTHON311 ref: 00007FF8B8B264D6
PyModule_GetState.PYTHON311 ref: 00007FF8B8B264DF
_PyArg_NoPositional.PYTHON311 ref: 00007FF8B8B26514
PyType_GetModuleByDef.PYTHON311 ref: 00007FF8B8B26528
PyModule_GetState.PYTHON311 ref: 00007FF8B8B26531
PyType_GetModuleByDef.PYTHON311 ref: 00007FF8B8B26547
PyModule_GetState.PYTHON311 ref: 00007FF8B8B26550
_PyArg_NoKeywords.PYTHON311 ref: 00007FF8B8B26575

Strings

MemoryBIO, xrefs: 00007FF8B8B2650D, 00007FF8B8B2656E

Memory Dump Source

Source File: 00000002.00000002.3267386125.00007FF8B8B21000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF8B8B20000, based on PE: true

Associated: 00000002.00000002.3267342079.00007FF8B8B20000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267454200.00007FF8B8B2D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267519342.00007FF8B8B40000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267586768.00007FF8B8B41000.00000008.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267643901.00007FF8B8B49000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b8b20000_Q3pEXxmWAD.jbxd

Similarity

API ID: ModuleModule_StateType_$Arg_$KeywordsPositional
String ID: MemoryBIO
API String ID: 1528309267-1677681617
Opcode ID: e8a2bea2c804dcb7256b373421a9b772333c64ad152529ccc489dce4d6474577
Instruction ID: 828a253c1357bfd0d0bdbaba9c1d418919d1250d70a7c7af0c691fe27ff72549
Opcode Fuzzy Hash: e8a2bea2c804dcb7256b373421a9b772333c64ad152529ccc489dce4d6474577
Instruction Fuzzy Hash: 92313625A09A0A92EA54DF3AE95417C6B61FB89FC0F881075DF5E53728DF3CE45A8308

Function 00007FF8B8B27E40 Relevance: 18.1, APIs: 12, Instructions: 72threadCOMMON

Download Yara Rule

APIs

_Py_fopen_obj.PYTHON311 ref: 00007FF8B8B27E69
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8B8B27E77
PyEval_SaveThread.PYTHON311 ref: 00007FF8B8B27E80
PEM_read_DHparams.LIBCRYPTO-3 ref: 00007FF8B8B27E94
fclose.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF8B8B27EA0
PyEval_RestoreThread.PYTHON311 ref: 00007FF8B8B27EA9
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8B8B27EB4
PyErr_SetFromErrnoWithFilenameObject.PYTHON311 ref: 00007FF8B8B27ECB
ERR_clear_error.LIBCRYPTO-3 ref: 00007FF8B8B27ED1
SSL_CTX_ctrl.LIBSSL-3 ref: 00007FF8B8B27F1A
DH_free.LIBCRYPTO-3 ref: 00007FF8B8B27F27
DH_free.LIBCRYPTO-3 ref: 00007FF8B8B27F45

Memory Dump Source

Source File: 00000002.00000002.3267386125.00007FF8B8B21000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF8B8B20000, based on PE: true

Associated: 00000002.00000002.3267342079.00007FF8B8B20000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267454200.00007FF8B8B2D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267519342.00007FF8B8B40000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267586768.00007FF8B8B41000.00000008.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267643901.00007FF8B8B49000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b8b20000_Q3pEXxmWAD.jbxd

Similarity

API ID: Eval_H_freeThread_errno$Err_ErrnoFilenameFromHparamsM_read_ObjectPy_fopen_objR_clear_errorRestoreSaveWithX_ctrlfclose
String ID:
API String ID: 1346594628-0
Opcode ID: 4afbd7a0d5713feadd50593f44757e85e3356b1a02a1e59b0b00d6403a5012b7
Instruction ID: 84f4176a18153c9784d1851c38bf74f6ebd82255a395ff9e037d18a5db01fb1f
Opcode Fuzzy Hash: 4afbd7a0d5713feadd50593f44757e85e3356b1a02a1e59b0b00d6403a5012b7
Instruction Fuzzy Hash: 86310B25A18A9682E7509F7AE85452D6BA4FF88BC1F984130DF4E43B64DF3CE44AC718

Function 00007FF8BA243334 Relevance: 17.8, APIs: 7, Strings: 3, Instructions: 309COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00007FF8BA243390

Part of subcall function 00007FF8BA245768: __GetUnwindTryBlock.LIBCMT ref: 00007FF8BA2457AB
Part of subcall function 00007FF8BA245768: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00007FF8BA2457D0

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FF8BA243468
terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BA243475
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00007FF8BA2436B9
terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BA2436E7

Part of subcall function 00007FF8BA246E48: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FF8BA2429EE), ref: 00007FF8BA246E56

abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BA2437AD
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF8BA2437E2

Strings

csm, xrefs: 00007FF8BA243411
csm, xrefs: 00007FF8BA2433AA
csm, xrefs: 00007FF8BA24348D

Memory Dump Source

Source File: 00000002.00000002.3271320577.00007FF8BA241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8BA240000, based on PE: true

Associated: 00000002.00000002.3271278440.00007FF8BA240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3271565433.00007FF8BA253000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3271649077.00007FF8BA258000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3271708065.00007FF8BA259000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8ba240000_Q3pEXxmWAD.jbxd

Similarity

API ID: BlockFrameHandler3::Unwindabortterminate$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 4223619315-393685449
Opcode ID: dcb3548c504605ccad87c1df068e82445ce8bfed626f824eb2c4e809fdb80efd
Instruction ID: 52258cefde020b94d2549cce7fc375e86b14277ee76ae0645d1922b17c57c3c3
Opcode Fuzzy Hash: dcb3548c504605ccad87c1df068e82445ce8bfed626f824eb2c4e809fdb80efd
Instruction Fuzzy Hash: 55D18E72A08B428AEB209F69D4402AD77A0FB49FD8F500275EF8D57B95DF38E591D700

Function 00007FF8BA24ED94 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 192COMMONLIBRARYCODE

Download Yara Rule

APIs

Replicator::operator[].LIBVCRUNTIME ref: 00007FF8BA24EDEE

Strings

template-parameter-, xrefs: 00007FF8BA24EE50
`template-parameter-, xrefs: 00007FF8BA24EE83
generic-type-, xrefs: 00007FF8BA24EE97
`generic-type-, xrefs: 00007FF8BA24EECA

Memory Dump Source

Source File: 00000002.00000002.3271320577.00007FF8BA241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8BA240000, based on PE: true

Associated: 00000002.00000002.3271278440.00007FF8BA240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3271565433.00007FF8BA253000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3271649077.00007FF8BA258000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3271708065.00007FF8BA259000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8ba240000_Q3pEXxmWAD.jbxd

Similarity

API ID: Replicator::operator[]
String ID: `generic-type-$`template-parameter-$generic-type-$template-parameter-
API String ID: 3676697650-3207858774
Opcode ID: 73310b6c18e80224c33410df5d9c8b136be81ee7f088e8962b8740eac16092a6
Instruction ID: 65cbaff8fa1d9bdfe5fbced3f11813883d359bb8affa4622627cf013577596ff
Opcode Fuzzy Hash: 73310b6c18e80224c33410df5d9c8b136be81ee7f088e8962b8740eac16092a6
Instruction Fuzzy Hash: 0E916B72B08A8799FB209F28D4502F837A1AB94BC8F8541B2EF4D03695DF7DE645E740

Function 00007FF615A220F0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 00007FF615A2211B
SelectObject.GDI32 ref: 00007FF615A22162
DrawTextW.USER32 ref: 00007FF615A22185
SelectObject.GDI32 ref: 00007FF615A2219B
ReleaseDC.USER32 ref: 00007FF615A221AB
MoveWindow.USER32 ref: 00007FF615A221FB
MoveWindow.USER32 ref: 00007FF615A2223B
MoveWindow.USER32 ref: 00007FF615A2228E
MoveWindow.USER32 ref: 00007FF615A222D6

Strings

P%, xrefs: 00007FF615A2216F

Memory Dump Source

Source File: 00000002.00000002.3259986105.00007FF615A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF615A20000, based on PE: true

Associated: 00000002.00000002.3259944406.00007FF615A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260064010.00007FF615A4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260157531.00007FF615A5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260157531.00007FF615A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260262206.00007FF615A66000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff615a20000_Q3pEXxmWAD.jbxd

Similarity

API ID: MoveWindow$ObjectSelect$DrawReleaseText
String ID: P%
API String ID: 2147705588-2959514604
Opcode ID: 028f263e58f42d33d872b22938efc015f71aa7b4c996476cfe5add7d8b08dd36
Instruction ID: e9c747987b85b0afa0ed168aec6bdbe81edfbb2a4b0122591a0c6c942ab87450
Opcode Fuzzy Hash: 028f263e58f42d33d872b22938efc015f71aa7b4c996476cfe5add7d8b08dd36
Instruction Fuzzy Hash: 9A51E626614BA186DA349F32A4181BAF7A1FB98F71F044221EBDE83694DF3CD485DB10

Function 00007FF8B8B248E0 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 96COMMON

Download Yara Rule

APIs

PyGILState_Ensure.PYTHON311 ref: 00007FF8B8B24908
SSL_get_ex_data.LIBSSL-3 ref: 00007FF8B8B2491B
PyWeakref_GetObject.PYTHON311 ref: 00007FF8B8B24945
_PyObject_CallFunction_SizeT.PYTHON311 ref: 00007FF8B8B249DD
PyErr_Fetch.PYTHON311 ref: 00007FF8B8B249F4
_Py_Dealloc.PYTHON311 ref: 00007FF8B8B24A05
_Py_Dealloc.PYTHON311 ref: 00007FF8B8B24A14

Strings

read, xrefs: 00007FF8B8B2499B
Osiiiy#, xrefs: 00007FF8B8B249CD
write, xrefs: 00007FF8B8B249A5

Memory Dump Source

Source File: 00000002.00000002.3267386125.00007FF8B8B21000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF8B8B20000, based on PE: true

Associated: 00000002.00000002.3267342079.00007FF8B8B20000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267454200.00007FF8B8B2D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267519342.00007FF8B8B40000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267586768.00007FF8B8B41000.00000008.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267643901.00007FF8B8B49000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b8b20000_Q3pEXxmWAD.jbxd

Similarity

API ID: Dealloc$CallEnsureErr_FetchFunction_L_get_ex_dataObjectObject_SizeState_Weakref_
String ID: Osiiiy#$read$write
API String ID: 671906545-708132800
Opcode ID: 4dedae0a1523f256da8ed8f48c6fc58330b6e0995d94e8687b53d423bc5f3eee
Instruction ID: 729fe526d6799db086284abad88445f205891600ce564cdcae53e02eaf6e057b
Opcode Fuzzy Hash: 4dedae0a1523f256da8ed8f48c6fc58330b6e0995d94e8687b53d423bc5f3eee
Instruction Fuzzy Hash: 6B418332A08A8685EB688F39A85427D7FA0FB89BD0F484575CB5E13B54DF3CE446C708

Function 00007FF8B7DE45FC Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 62COMMON

Download Yara Rule

APIs

_PyArg_CheckPositional.PYTHON311 ref: 00007FF8B7DE462F
_PyArg_BadArgument.PYTHON311 ref: 00007FF8B7DE4664
_PyUnicode_Ready.PYTHON311 ref: 00007FF8B7DE4674
_PyUnicode_ToDigit.PYTHON311 ref: 00007FF8B7DE4699
PyErr_SetString.PYTHON311 ref: 00007FF8B7DE46B9

Strings

argument 1, xrefs: 00007FF8B7DE465D
not a digit, xrefs: 00007FF8B7DE46AF
a unicode character, xrefs: 00007FF8B7DE464F
digit, xrefs: 00007FF8B7DE4628, 00007FF8B7DE4656

Memory Dump Source

Source File: 00000002.00000002.3266207103.00007FF8B7DE1000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF8B7DE0000, based on PE: true

Associated: 00000002.00000002.3266148560.00007FF8B7DE0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7DE5000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7E42000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7E8E000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7E91000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7E96000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7EF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266902753.00007FF8B7EF3000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266961919.00007FF8B7EF5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b7de0000_Q3pEXxmWAD.jbxd

Similarity

API ID: Arg_Unicode_$ArgumentCheckDigitErr_PositionalReadyString
String ID: a unicode character$argument 1$digit$not a digit
API String ID: 3305933226-4278345224
Opcode ID: 3217a924504a57fe459749e66487c061ed53d5ecb5f468087b61bf9f04998d2c
Instruction ID: b7a862267bb2bf9f65cf8584baeebf7ab426cd671ade0d685d604ed2802ea5c9
Opcode Fuzzy Hash: 3217a924504a57fe459749e66487c061ed53d5ecb5f468087b61bf9f04998d2c
Instruction Fuzzy Hash: E5212B61A08B4791EF129B29E8445BD2360EF44FC8F984635DB2E8767CDF2CE455C310

Function 00007FF8B8B25D28 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 59threadCOMMON

Download Yara Rule

APIs

PyEval_RestoreThread.PYTHON311 ref: 00007FF8B8B25D47
PyObject_CallNoArgs.PYTHON311 ref: 00007FF8B8B25D5C

Part of subcall function 00007FF8B8B25E08: PyUnicode_AsUTF8String.PYTHON311(?,?,?,00007FF8B8B25D7C), ref: 00007FF8B8B25E3F
Part of subcall function 00007FF8B8B25E08: PyErr_Format.PYTHON311(?,?,?,00007FF8B8B25D7C), ref: 00007FF8B8B25EB4
Part of subcall function 00007FF8B8B25E08: _Py_Dealloc.PYTHON311(?,?,?,00007FF8B8B25D7C), ref: 00007FF8B8B25EFD

_Py_Dealloc.PYTHON311 ref: 00007FF8B8B25D89
PyErr_Format.PYTHON311 ref: 00007FF8B8B25DA8
PyEval_SaveThread.PYTHON311 ref: 00007FF8B8B25DAE
_Py_Dealloc.PYTHON311 ref: 00007FF8B8B25DDF
PyEval_SaveThread.PYTHON311 ref: 00007FF8B8B25DE7
memcpy.VCRUNTIME140 ref: 00007FF8B8B25DFB

Strings

password callback must return a string, xrefs: 00007FF8B8B25D6A
password cannot be longer than %d bytes, xrefs: 00007FF8B8B25D9B

Memory Dump Source

Source File: 00000002.00000002.3267386125.00007FF8B8B21000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF8B8B20000, based on PE: true

Associated: 00000002.00000002.3267342079.00007FF8B8B20000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267454200.00007FF8B8B2D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267519342.00007FF8B8B40000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267586768.00007FF8B8B41000.00000008.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267643901.00007FF8B8B49000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b8b20000_Q3pEXxmWAD.jbxd

Similarity

API ID: DeallocEval_Thread$Err_FormatSave$ArgsCallObject_RestoreStringUnicode_memcpy
String ID: password callback must return a string$password cannot be longer than %d bytes
API String ID: 1551476282-1265974473
Opcode ID: b9ad5b883f70c21d53e302c230b13f6c4ffb0a1d091fcce54eaa940bff9ffee8
Instruction ID: 37c7336ec47f1dc2e85f2a3b644bddc33dc7f7559a5eef80110c6baa812d0e32
Opcode Fuzzy Hash: b9ad5b883f70c21d53e302c230b13f6c4ffb0a1d091fcce54eaa940bff9ffee8
Instruction Fuzzy Hash: AB217C35A08A4685EBA49F39E85897C3BA0EB45BD4F884131DB1E02B98CF3CE456C784

Function 00007FF8B8B28760 Relevance: 17.5, APIs: 5, Strings: 5, Instructions: 48COMMON

Download Yara Rule

APIs

_PyArg_BadArgument.PYTHON311 ref: 00007FF8B8B2879A
PyUnicode_AsUTF8AndSize.PYTHON311 ref: 00007FF8B8B287AA
PyErr_SetString.PYTHON311 ref: 00007FF8B8B287DC

Strings

set_ciphers, xrefs: 00007FF8B8B28793
str, xrefs: 00007FF8B8B28785
argument, xrefs: 00007FF8B8B2878C
embedded null character, xrefs: 00007FF8B8B287D2
No cipher can be selected., xrefs: 00007FF8B8B287FC

Memory Dump Source

Source File: 00000002.00000002.3267386125.00007FF8B8B21000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF8B8B20000, based on PE: true

Associated: 00000002.00000002.3267342079.00007FF8B8B20000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267454200.00007FF8B8B2D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267519342.00007FF8B8B40000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267586768.00007FF8B8B41000.00000008.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267643901.00007FF8B8B49000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b8b20000_Q3pEXxmWAD.jbxd

Similarity

API ID: Arg_ArgumentErr_SizeStringUnicode_
String ID: No cipher can be selected.$argument$embedded null character$set_ciphers$str
API String ID: 4155279725-2765033273
Opcode ID: cbc34ef1a02719620d127c326886b9fe1fcc69ff5d4ca4366160a565347b9524
Instruction ID: 8a3a194e7155ee5cb49432f7c8d6d4c5d1a62db2f93b37be12db3289788ecb6c
Opcode Fuzzy Hash: cbc34ef1a02719620d127c326886b9fe1fcc69ff5d4ca4366160a565347b9524
Instruction Fuzzy Hash: 28212E65A08A4691EE508F39E89017D2B60FF84BD4F985131DB2E476A4DF6CE49BC308

Function 00007FF8B8B2284C Relevance: 16.7, APIs: 11, Instructions: 230COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF8B8B22874
__scrt_initialize_crt.LIBCMT ref: 00007FF8B8B228B9
__scrt_acquire_startup_lock.LIBCMT ref: 00007FF8B8B228C6
_RTC_Initialize.LIBCMT ref: 00007FF8B8B228F4
__scrt_dllmain_after_initialize_c.LIBCMT ref: 00007FF8B8B2291A
__scrt_release_startup_lock.LIBCMT ref: 00007FF8B8B22945

Memory Dump Source

Source File: 00000002.00000002.3267386125.00007FF8B8B21000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF8B8B20000, based on PE: true

Associated: 00000002.00000002.3267342079.00007FF8B8B20000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267454200.00007FF8B8B2D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267519342.00007FF8B8B40000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267586768.00007FF8B8B41000.00000008.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267643901.00007FF8B8B49000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b8b20000_Q3pEXxmWAD.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_initialize_crt__scrt_release_startup_lock
String ID:
API String ID: 349153199-0
Opcode ID: 8bc07dac1d2a15841653c24e65cbf90d53687740eca8f36c6e0f4d9ec23f2963
Instruction ID: 4f00322f59e667c285259c5da04062c1f04f1bf7f12921d837472e2ae1118990
Opcode Fuzzy Hash: 8bc07dac1d2a15841653c24e65cbf90d53687740eca8f36c6e0f4d9ec23f2963
Instruction Fuzzy Hash: 23819A21E1C64386FA54AF7E94412BDBA90AF897C0FD84535EB0C87796DF3CE9478608

Function 00007FF8B7DE2730 Relevance: 16.7, APIs: 11, Instructions: 230COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF8B7DE2758
__scrt_initialize_crt.LIBCMT ref: 00007FF8B7DE279D
__scrt_acquire_startup_lock.LIBCMT ref: 00007FF8B7DE27AA
_RTC_Initialize.LIBCMT ref: 00007FF8B7DE27D8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 00007FF8B7DE27FE
__scrt_release_startup_lock.LIBCMT ref: 00007FF8B7DE2829

Memory Dump Source

Source File: 00000002.00000002.3266207103.00007FF8B7DE1000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF8B7DE0000, based on PE: true

Associated: 00000002.00000002.3266148560.00007FF8B7DE0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7DE5000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7E42000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7E8E000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7E91000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7E96000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7EF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266902753.00007FF8B7EF3000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266961919.00007FF8B7EF5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b7de0000_Q3pEXxmWAD.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_initialize_crt__scrt_release_startup_lock
String ID:
API String ID: 349153199-0
Opcode ID: 5ae4ae1fad975d5487a8dd9099fd26104a61e4c8513e68d9fc499fd676c40ec1
Instruction ID: 0af64d35c462a26704f3911a49c3b3935d4b568d034bbfa949a079977f58ed9d
Opcode Fuzzy Hash: 5ae4ae1fad975d5487a8dd9099fd26104a61e4c8513e68d9fc499fd676c40ec1
Instruction Fuzzy Hash: 8F81A021E08B4745FE56AB6D984127D2290AF49BC0F5C4235DB6D877BEDE3CFA458200

Function 00007FF8BA249164 Relevance: 16.7, APIs: 11, Instructions: 158COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FF8BA2491CC
DName::operator+.LIBVCRUNTIME ref: 00007FF8BA2492C9
DName::operator+.LIBVCRUNTIME ref: 00007FF8BA249322
DName::operator+.LIBVCRUNTIME ref: 00007FF8BA24934E
DName::operator+.LIBVCRUNTIME ref: 00007FF8BA249360
DName::operator+.LIBVCRUNTIME ref: 00007FF8BA24938F

Memory Dump Source

Source File: 00000002.00000002.3271320577.00007FF8BA241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8BA240000, based on PE: true

Associated: 00000002.00000002.3271278440.00007FF8BA240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3271565433.00007FF8BA253000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3271649077.00007FF8BA258000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3271708065.00007FF8BA259000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8ba240000_Q3pEXxmWAD.jbxd

Similarity

API ID: Name::operator+
String ID:
API String ID: 2943138195-0
Opcode ID: 3cac31fbce2037cca8b65a6457a1f6e1f72e09754060cc87a73fdfbcf94b07ef
Instruction ID: df7ebd3fe1f5275230f1c6a7f82641149e5efcbab67909d516bf4097f7e8f458
Opcode Fuzzy Hash: 3cac31fbce2037cca8b65a6457a1f6e1f72e09754060cc87a73fdfbcf94b07ef
Instruction Fuzzy Hash: 6D712A72B18A46ADEB10DF68D4911EC33B1AB44BCCB804872DF1D67A99DF38D619D390

Function 00007FF8B8B22274 Relevance: 16.6, APIs: 11, Instructions: 72COMMON

Download Yara Rule

APIs

PyModule_GetState.PYTHON311 ref: 00007FF8B8B22281
PyType_FromModuleAndSpec.PYTHON311 ref: 00007FF8B8B22297
PyType_FromModuleAndSpec.PYTHON311 ref: 00007FF8B8B222B6
PyType_FromModuleAndSpec.PYTHON311 ref: 00007FF8B8B222D6
PyType_FromModuleAndSpec.PYTHON311 ref: 00007FF8B8B222F6
PyType_FromModuleAndSpec.PYTHON311 ref: 00007FF8B8B22312
PyModule_AddType.PYTHON311 ref: 00007FF8B8B22327
PyModule_AddType.PYTHON311 ref: 00007FF8B8B22338
PyModule_AddType.PYTHON311 ref: 00007FF8B8B22349
PyModule_AddType.PYTHON311 ref: 00007FF8B8B2235A
PyModule_AddType.PYTHON311 ref: 00007FF8B8B2236B

Memory Dump Source

Source File: 00000002.00000002.3267386125.00007FF8B8B21000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF8B8B20000, based on PE: true

Associated: 00000002.00000002.3267342079.00007FF8B8B20000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267454200.00007FF8B8B2D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267519342.00007FF8B8B40000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267586768.00007FF8B8B41000.00000008.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267643901.00007FF8B8B49000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b8b20000_Q3pEXxmWAD.jbxd

Similarity

API ID: Module_$FromModuleSpecTypeType_$State
String ID:
API String ID: 1138651315-0
Opcode ID: 47cdc940ff4b91a51c86818dd6ced2d78f07b15e551b4ece380ee1e2cec1c294
Instruction ID: 91c1594dd3a3115e97d344d03bbe4ce4645366aaea8a4d511306d15d14642b96
Opcode Fuzzy Hash: 47cdc940ff4b91a51c86818dd6ced2d78f07b15e551b4ece380ee1e2cec1c294
Instruction Fuzzy Hash: BF310A25B59B4796EF549F3DA95152D26A0BF0ABC0F985A30CB0E47754EF3CE0268248

Function 00007FF8BA24AAC8 Relevance: 15.9, APIs: 2, Strings: 7, Instructions: 126COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FF8BA24AB22
DName::operator+.LIBVCRUNTIME ref: 00007FF8BA24AC58

Strings

`unknown ecsu', xrefs: 00007FF8BA24AAEE
class , xrefs: 00007FF8BA24AC6D
coclass , xrefs: 00007FF8BA24AC11
struct , xrefs: 00007FF8BA24AC7C
enum , xrefs: 00007FF8BA24AC35
cointerface , xrefs: 00007FF8BA24ABFF
union , xrefs: 00007FF8BA24AC85

Memory Dump Source

Source File: 00000002.00000002.3271320577.00007FF8BA241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8BA240000, based on PE: true

Associated: 00000002.00000002.3271278440.00007FF8BA240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3271565433.00007FF8BA253000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3271649077.00007FF8BA258000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3271708065.00007FF8BA259000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8ba240000_Q3pEXxmWAD.jbxd

Similarity

API ID: Name::operator+
String ID: `unknown ecsu'$class $coclass $cointerface $enum $struct $union
API String ID: 2943138195-1464470183
Opcode ID: 50e8110e92645124a6d82ffc9330fdaa6dc52167fa44e73d911cd3f80f86a47a
Instruction ID: 192f0ea64de39892614b19ff632c7d0c9d8ba57bc134f08d81acd4e55f60497f
Opcode Fuzzy Hash: 50e8110e92645124a6d82ffc9330fdaa6dc52167fa44e73d911cd3f80f86a47a
Instruction Fuzzy Hash: 5F515832E09A5399FB10CB6AE8805BC37B2BB14BC8F9040B5DF4D17A99DF39A544E700

Function 00007FF8B8B21350 Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 88COMMON

Download Yara Rule

APIs

_PyArg_UnpackKeywords.PYTHON311 ref: 00007FF8B8B213B2
PyUnicode_AsUTF8AndSize.PYTHON311 ref: 00007FF8B8B213EE
PyObject_IsTrue.PYTHON311 ref: 00007FF8B8B21423

Strings

txt2obj, xrefs: 00007FF8B8B235CF
str, xrefs: 00007FF8B8B235C8
argument 'txt', xrefs: 00007FF8B8B235C1
embedded null character, xrefs: 00007FF8B8B235E9

Memory Dump Source

Source File: 00000002.00000002.3267386125.00007FF8B8B21000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF8B8B20000, based on PE: true

Associated: 00000002.00000002.3267342079.00007FF8B8B20000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267454200.00007FF8B8B2D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267519342.00007FF8B8B40000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267586768.00007FF8B8B41000.00000008.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267643901.00007FF8B8B49000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b8b20000_Q3pEXxmWAD.jbxd

Similarity

API ID: Arg_KeywordsObject_SizeTrueUnicode_Unpack
String ID: argument 'txt'$embedded null character$str$txt2obj
API String ID: 3371007025-2001486153
Opcode ID: 959f5737da16641b00553c8e7d233da7cdfdf94c9ae612db7a25b7a40e44e655
Instruction ID: c7dd318d380db3a0371677011e4310be8d02ac6c4d824b405a1761e55608b536
Opcode Fuzzy Hash: 959f5737da16641b00553c8e7d233da7cdfdf94c9ae612db7a25b7a40e44e655
Instruction Fuzzy Hash: 4B319222A0CA4395EA608F29E4502BD6B60FB95BD4F984131DB6E47694DF3CE44BC708

Function 00007FF8B8B28C40 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 73COMMON

Download Yara Rule

APIs

_PyArg_UnpackKeywords.PYTHON311 ref: 00007FF8B8B28CAC
_PyArg_BadArgument.PYTHON311 ref: 00007FF8B8B28CEE
PyUnicode_AsUTF8AndSize.PYTHON311 ref: 00007FF8B8B28CFB
PyErr_SetString.PYTHON311 ref: 00007FF8B8B28D2D

Part of subcall function 00007FF8B8B28D54: strcmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF8B8B28D83
Part of subcall function 00007FF8B8B28D54: SSL_session_reused.LIBSSL-3 ref: 00007FF8B8B28D93
Part of subcall function 00007FF8B8B28D54: SSL_get_finished.LIBSSL-3 ref: 00007FF8B8B28DB3

Strings

str, xrefs: 00007FF8B8B28CD9
get_channel_binding, xrefs: 00007FF8B8B28CE0
argument 'cb_type', xrefs: 00007FF8B8B28CE7
embedded null character, xrefs: 00007FF8B8B28D23
tls-unique, xrefs: 00007FF8B8B28C4E

Memory Dump Source

Source File: 00000002.00000002.3267386125.00007FF8B8B21000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF8B8B20000, based on PE: true

Associated: 00000002.00000002.3267342079.00007FF8B8B20000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267454200.00007FF8B8B2D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267519342.00007FF8B8B40000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267586768.00007FF8B8B41000.00000008.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267643901.00007FF8B8B49000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b8b20000_Q3pEXxmWAD.jbxd

Similarity

API ID: Arg_$ArgumentErr_KeywordsL_get_finishedL_session_reusedSizeStringUnicode_Unpackstrcmp
String ID: argument 'cb_type'$embedded null character$get_channel_binding$str$tls-unique
API String ID: 2734880604-851902044
Opcode ID: 1f7a693b08fb8d66b148374fa4710b4b7c030c21cb8cd7b43a613a48802ec21d
Instruction ID: ae84c2ba013ad66d7d5fb1c3d0b9c158597ea310a6a958280d4c1b04d408d30d
Opcode Fuzzy Hash: 1f7a693b08fb8d66b148374fa4710b4b7c030c21cb8cd7b43a613a48802ec21d
Instruction Fuzzy Hash: C731AF21A08A5286EA608F3DE4405B86B60FF55BD0F984235DF1D07BA4DF3CE84BC708

Function 00007FF8B7DE1000 Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 61COMMON

Download Yara Rule

APIs

_PyArg_CheckPositional.PYTHON311 ref: 00007FF8B7DE359B
_PyArg_BadArgument.PYTHON311 ref: 00007FF8B7DE35C2
_PyUnicode_Ready.PYTHON311 ref: 00007FF8B7DE35CF
_PyArg_BadArgument.PYTHON311 ref: 00007FF8B7DE35F7
_PyUnicode_Ready.PYTHON311 ref: 00007FF8B7DE3604

Part of subcall function 00007FF8B7DE1090: PyUnicode_CompareWithASCIIString.PYTHON311 ref: 00007FF8B7DE10BD
Part of subcall function 00007FF8B7DE1090: PyUnicode_CompareWithASCIIString.PYTHON311 ref: 00007FF8B7DE10D5
Part of subcall function 00007FF8B7DE1090: PyType_IsSubtype.PYTHON311 ref: 00007FF8B7DE10FD

Strings

argument 1, xrefs: 00007FF8B7DE35BB
normalize, xrefs: 00007FF8B7DE358E, 00007FF8B7DE35B4, 00007FF8B7DE35E9
str, xrefs: 00007FF8B7DE35AD, 00007FF8B7DE35E2
argument 2, xrefs: 00007FF8B7DE35F0

Memory Dump Source

Source File: 00000002.00000002.3266207103.00007FF8B7DE1000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF8B7DE0000, based on PE: true

Associated: 00000002.00000002.3266148560.00007FF8B7DE0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7DE5000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7E42000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7E8E000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7E91000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7E96000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7EF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266902753.00007FF8B7EF3000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266961919.00007FF8B7EF5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b7de0000_Q3pEXxmWAD.jbxd

Similarity

API ID: Unicode_$Arg_$ArgumentCompareReadyStringWith$CheckPositionalSubtypeType_
String ID: argument 1$argument 2$normalize$str
API String ID: 3621440800-1320425463
Opcode ID: 94348148c340fa5468beab9ef1746397c69e42e894d14843631ab3fa4ea44381
Instruction ID: 5e13afef2bcb961bac91ce23a6c014cabe9c73927e3886c6dfa478e9eeb20d19
Opcode Fuzzy Hash: 94348148c340fa5468beab9ef1746397c69e42e894d14843631ab3fa4ea44381
Instruction Fuzzy Hash: 64212F61A18B8691EA528B1DA84467D2750AF45BD8FAC4331DB6E567FCCF2CE446C310

Function 00007FF8B8B26C08 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 59COMMON

Download Yara Rule

APIs

PyType_GetModuleByDef.PYTHON311 ref: 00007FF8B8B26C2E
PyModule_GetState.PYTHON311 ref: 00007FF8B8B26C37
PyType_GetModuleByDef.PYTHON311 ref: 00007FF8B8B26C4C
PyModule_GetState.PYTHON311 ref: 00007FF8B8B26C55
_PyArg_NoKeywords.PYTHON311 ref: 00007FF8B8B26C7D
_PyArg_CheckPositional.PYTHON311 ref: 00007FF8B8B26CA0
_PyLong_AsInt.PYTHON311 ref: 00007FF8B8B26CAE
PyErr_Occurred.PYTHON311 ref: 00007FF8B8B26CBB

Strings

_SSLContext, xrefs: 00007FF8B8B26C76, 00007FF8B8B26C99

Memory Dump Source

Source File: 00000002.00000002.3267386125.00007FF8B8B21000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF8B8B20000, based on PE: true

Associated: 00000002.00000002.3267342079.00007FF8B8B20000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267454200.00007FF8B8B2D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267519342.00007FF8B8B40000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267586768.00007FF8B8B41000.00000008.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267643901.00007FF8B8B49000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b8b20000_Q3pEXxmWAD.jbxd

Similarity

API ID: Arg_ModuleModule_StateType_$CheckErr_KeywordsLong_OccurredPositional
String ID: _SSLContext
API String ID: 2062694701-1468230856
Opcode ID: a7d274fb358438f1be0fb2a29868ff8fe6ad0857d5f4556286ed11194ea03964
Instruction ID: 2106ff9a79e47c0bc36b72c9133a2060bbec6d45de899667dfac29e5e628f7c8
Opcode Fuzzy Hash: a7d274fb358438f1be0fb2a29868ff8fe6ad0857d5f4556286ed11194ea03964
Instruction Fuzzy Hash: 34216D61B09A1685EA50AF3AE8442BD6B60EF49FD0F984434DB1D43B64DF3CE84B8348

Function 00007FF8B7DE47D8 Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 58COMMON

Download Yara Rule

APIs

_PyArg_CheckPositional.PYTHON311 ref: 00007FF8B7DE4804
_PyArg_BadArgument.PYTHON311 ref: 00007FF8B7DE4839
_PyUnicode_Ready.PYTHON311 ref: 00007FF8B7DE4849
_PyArg_BadArgument.PYTHON311 ref: 00007FF8B7DE4888
_PyUnicode_Ready.PYTHON311 ref: 00007FF8B7DE4898

Strings

argument 1, xrefs: 00007FF8B7DE4832
is_normalized, xrefs: 00007FF8B7DE47F7, 00007FF8B7DE482B, 00007FF8B7DE487A
str, xrefs: 00007FF8B7DE4824, 00007FF8B7DE4873
argument 2, xrefs: 00007FF8B7DE4881

Memory Dump Source

Source File: 00000002.00000002.3266207103.00007FF8B7DE1000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF8B7DE0000, based on PE: true

Associated: 00000002.00000002.3266148560.00007FF8B7DE0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7DE5000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7E42000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7E8E000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7E91000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7E96000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7EF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266902753.00007FF8B7EF3000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266961919.00007FF8B7EF5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b7de0000_Q3pEXxmWAD.jbxd

Similarity

API ID: Arg_$ArgumentReadyUnicode_$CheckPositional
String ID: argument 1$argument 2$is_normalized$str
API String ID: 396090033-184702317
Opcode ID: 083d934e8de19c9f3ecc87de63ad9be438488cb32d0c3822875fb99c87d5c9cf
Instruction ID: 1dc277153e6d2cf3c58c76205152071c9df4254c24a7628d56f9e16c34fa9183
Opcode Fuzzy Hash: 083d934e8de19c9f3ecc87de63ad9be438488cb32d0c3822875fb99c87d5c9cf
Instruction Fuzzy Hash: A9212C21A08B8695EF518B59E8846BD3760AF54FD8F584331EB6E476BCCF2CE54AC310

Function 00007FF8B8B2BEB8 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 53COMMON

Download Yara Rule

APIs

PyErr_SetString.PYTHON311 ref: 00007FF8B8B2BEDF
_Py_Dealloc.PYTHON311 ref: 00007FF8B8B2BF01
SSL_CTX_callback_ctrl.LIBSSL-3 ref: 00007FF8B8B2BF1B

Strings

sni_callback cannot be set on TLS_CLIENT context, xrefs: 00007FF8B8B2BED5
not a callable object, xrefs: 00007FF8B8B2BF49

Memory Dump Source

Source File: 00000002.00000002.3267386125.00007FF8B8B21000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF8B8B20000, based on PE: true

Associated: 00000002.00000002.3267342079.00007FF8B8B20000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267454200.00007FF8B8B2D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267519342.00007FF8B8B40000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267586768.00007FF8B8B41000.00000008.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267643901.00007FF8B8B49000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b8b20000_Q3pEXxmWAD.jbxd

Similarity

API ID: DeallocErr_StringX_callback_ctrl
String ID: not a callable object$sni_callback cannot be set on TLS_CLIENT context
API String ID: 3136334877-1539510184
Opcode ID: 4fd7f80077f1759e6f4afa11edbea34fd88629746f410f677fb886db3138ed84
Instruction ID: 00d7665e524a14d5f8e78e721c224f815aa46830fe56ca5caffb01aa37913f07
Opcode Fuzzy Hash: 4fd7f80077f1759e6f4afa11edbea34fd88629746f410f677fb886db3138ed84
Instruction Fuzzy Hash: 36211931A18A06C6EB509F39D89467C3760FF88BD8F945536DB5E46668CF3CE44AC708

Function 00007FF8B8B2248C Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 31COMMON

Download Yara Rule

APIs

PyModule_GetState.PYTHON311 ref: 00007FF8B8B22492
PyUnicode_InternFromString.PYTHON311 ref: 00007FF8B8B224A2
PyUnicode_InternFromString.PYTHON311 ref: 00007FF8B8B224BB
PyUnicode_InternFromString.PYTHON311 ref: 00007FF8B8B224D4
PyUnicode_InternFromString.PYTHON311 ref: 00007FF8B8B224ED

Strings

verify_code, xrefs: 00007FF8B8B224E6
reason, xrefs: 00007FF8B8B224B4
library, xrefs: 00007FF8B8B22498
verify_message, xrefs: 00007FF8B8B224CD

Memory Dump Source

Source File: 00000002.00000002.3267386125.00007FF8B8B21000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF8B8B20000, based on PE: true

Associated: 00000002.00000002.3267342079.00007FF8B8B20000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267454200.00007FF8B8B2D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267519342.00007FF8B8B40000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267586768.00007FF8B8B41000.00000008.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267643901.00007FF8B8B49000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b8b20000_Q3pEXxmWAD.jbxd

Similarity

API ID: FromInternStringUnicode_$Module_State
String ID: library$reason$verify_code$verify_message
API String ID: 1970222510-435783180
Opcode ID: 1402c12357f8a8a74b39a311a053b1d6e57728cfe69972c1f2afc845fee4e05e
Instruction ID: 0be6818d923b3b5238074dd7e167709450b876e6851487027499ce5b97ac0f75
Opcode Fuzzy Hash: 1402c12357f8a8a74b39a311a053b1d6e57728cfe69972c1f2afc845fee4e05e
Instruction Fuzzy Hash: 0401FB2091AB0780EE659F78A85427C2BA0BF28B90F984535CA0DC53A5EF3CA14EC318

Function 00007FF615A355A0 Relevance: 14.5, APIs: 3, Strings: 5, Instructions: 494COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF615A355E3
_invalid_parameter_noinfo.LIBCMT ref: 00007FF615A359D0
_invalid_parameter_noinfo.LIBCMT ref: 00007FF615A35C6C

Strings

-, xrefs: 00007FF615A35679
p, xrefs: 00007FF615A3570D
f, xrefs: 00007FF615A35705
:, xrefs: 00007FF615A3579C
p, xrefs: 00007FF615A35695

Memory Dump Source

Source File: 00000002.00000002.3259986105.00007FF615A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF615A20000, based on PE: true

Associated: 00000002.00000002.3259944406.00007FF615A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260064010.00007FF615A4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260157531.00007FF615A5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260157531.00007FF615A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260262206.00007FF615A66000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff615a20000_Q3pEXxmWAD.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: -$:$f$p$p
API String ID: 3215553584-2013873522
Opcode ID: 6485ef080591767760fe67f9caec812fff4e1ba5c20858478bd9f0fbec74de2f
Instruction ID: 95ff3ae406755393466d112469a1b7d323fed17433884e8319897231c1bf3863
Opcode Fuzzy Hash: 6485ef080591767760fe67f9caec812fff4e1ba5c20858478bd9f0fbec74de2f
Instruction Fuzzy Hash: 93129261E48A4386FBA0DB19E054279E791FF45F78F944236D6C9866E4EF3CED908B00

Function 00007FF8BA2437F8 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 317COMMON

Download Yara Rule

APIs

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FF8BA243996
terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BA2439A3

Part of subcall function 00007FF8BA246E48: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FF8BA2429EE), ref: 00007FF8BA246E56

terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BA243C57
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BA243CA2
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF8BA243CD7

Strings

csm, xrefs: 00007FF8BA2439BF
csm, xrefs: 00007FF8BA2438DD
csm, xrefs: 00007FF8BA24393F

Memory Dump Source

Source File: 00000002.00000002.3271320577.00007FF8BA241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8BA240000, based on PE: true

Associated: 00000002.00000002.3271278440.00007FF8BA240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3271565433.00007FF8BA253000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3271649077.00007FF8BA258000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3271708065.00007FF8BA259000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8ba240000_Q3pEXxmWAD.jbxd

Similarity

API ID: abortterminate$Is_bad_exception_allowedstd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 211107550-393685449
Opcode ID: aad8d4203d0b1849c4fce47835e3c613ec0ba3b35d99662ed70f641d37e67567
Instruction ID: 59b567ac5a80a0f04c648e9b350b19dbb1a831d5b7eee4a7394540bfbadba9e8
Opcode Fuzzy Hash: aad8d4203d0b1849c4fce47835e3c613ec0ba3b35d99662ed70f641d37e67567
Instruction Fuzzy Hash: 21E1BE73A087928AE7219F38D4843AD77A0FB44B98F144275EF8D57A96CF38E581E700

Function 00007FF8BA24C7F8 Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 111COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FF8BA24C9AC

Part of subcall function 00007FF8BA2494B8: DName::operator+.LIBVCRUNTIME ref: 00007FF8BA249A29
Part of subcall function 00007FF8BA2494B8: DName::operator+.LIBVCRUNTIME ref: 00007FF8BA249A5E

DName::operator+.LIBVCRUNTIME ref: 00007FF8BA24C95E

Strings

void, xrefs: 00007FF8BA24C842
void , xrefs: 00007FF8BA24C86A
std::nullptr_t, xrefs: 00007FF8BA24C8D7
cli::array<, xrefs: 00007FF8BA24C92B
cli::pin_ptr<, xrefs: 00007FF8BA24C975
std::nullptr_t , xrefs: 00007FF8BA24C8EA

Memory Dump Source

Source File: 00000002.00000002.3271320577.00007FF8BA241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8BA240000, based on PE: true

Associated: 00000002.00000002.3271278440.00007FF8BA240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3271565433.00007FF8BA253000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3271649077.00007FF8BA258000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3271708065.00007FF8BA259000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8ba240000_Q3pEXxmWAD.jbxd

Similarity

API ID: Name::operator+
String ID: cli::array<$cli::pin_ptr<$std::nullptr_t$std::nullptr_t $void$void
API String ID: 2943138195-2239912363
Opcode ID: 0e84257edd8271f32b759845b73cd3eefe07970f5e22a962a9d02e38f5861642
Instruction ID: 38437e0c07e1d14015ac009dfcf568d13c2dd3ba31268a612ccadcb5a22e8a4f
Opcode Fuzzy Hash: 0e84257edd8271f32b759845b73cd3eefe07970f5e22a962a9d02e38f5861642
Instruction Fuzzy Hash: C7514972E18B5298FB528B68E8412BC77B0BF08B88F4441B6DF4D12B99DF7CA144E710

Function 00007FF615A21050 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 111COMMON

Download Yara Rule

Strings

Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF615A210C5
Failed to extract %s: failed to allocate data buffer (%u bytes)!, xrefs: 00007FF615A210F5
malloc, xrefs: 00007FF615A210FC
Failed to extract %s: failed to open archive file!, xrefs: 00007FF615A21097
fseek, xrefs: 00007FF615A210CC
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF615A211D0
fread, xrefs: 00007FF615A211D7

Memory Dump Source

Source File: 00000002.00000002.3259986105.00007FF615A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF615A20000, based on PE: true

Associated: 00000002.00000002.3259944406.00007FF615A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260064010.00007FF615A4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260157531.00007FF615A5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260157531.00007FF615A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260262206.00007FF615A66000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff615a20000_Q3pEXxmWAD.jbxd

Similarity

API ID: Message
String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
API String ID: 2030045667-3659356012
Opcode ID: fe0539693312307a6548d1b6f9691386f436f5edd5898c8b8ef1b4374cb7018a
Instruction ID: 6bdf0ec1ca5633ce4051ee18f72d52e1d1420df51a3c2ef20fbdb4288cb4dd45
Opcode Fuzzy Hash: fe0539693312307a6548d1b6f9691386f436f5edd5898c8b8ef1b4374cb7018a
Instruction Fuzzy Hash: 35419E25B88E4642EA149B63A8421BAE791FF44FE4F444235DD1D87BA5EF3CF8058300

Function 00007FF8B8B24218 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 60COMMON

Download Yara Rule

APIs

PyErr_SetString.PYTHON311 ref: 00007FF8B8B24250
SSL_is_init_finished.LIBSSL-3 ref: 00007FF8B8B2428F
SSL_set_session.LIBSSL-3 ref: 00007FF8B8B242BA
SSL_SESSION_free.LIBSSL-3 ref: 00007FF8B8B242C5

Strings

Cannot set session after handshake., xrefs: 00007FF8B8B24299
Value is not a SSLSession., xrefs: 00007FF8B8B24246
Session refers to a different SSLContext., xrefs: 00007FF8B8B2426C
Cannot set session for server-side SSLSocket., xrefs: 00007FF8B8B24282

Memory Dump Source

Source File: 00000002.00000002.3267386125.00007FF8B8B21000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF8B8B20000, based on PE: true

Associated: 00000002.00000002.3267342079.00007FF8B8B20000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267454200.00007FF8B8B2D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267519342.00007FF8B8B40000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267586768.00007FF8B8B41000.00000008.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267643901.00007FF8B8B49000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b8b20000_Q3pEXxmWAD.jbxd

Similarity

API ID: Err_L_is_init_finishedL_set_sessionN_freeString
String ID: Cannot set session after handshake.$Cannot set session for server-side SSLSocket.$Session refers to a different SSLContext.$Value is not a SSLSession.
API String ID: 2514955158-3160731334
Opcode ID: ed5b4e7d2d943de9a6add9e8ab532b976d9486503f624a5ae1c8bd460d17f373
Instruction ID: 4177349f340e3d2a2a097330abbcc5178d89342fddab6c9fbba91d662495a97c
Opcode Fuzzy Hash: ed5b4e7d2d943de9a6add9e8ab532b976d9486503f624a5ae1c8bd460d17f373
Instruction Fuzzy Hash: 0A212B61A18A4681EA18CF7EE48013D2BA1FB84BC4F945131DB1D87AA5DF7CE497C748

Function 00007FF8B8B29140 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 59COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FF8B8B29170
PyErr_SetString.PYTHON311 ref: 00007FF8B8B29196
_PyArg_ParseTuple_SizeT.PYTHON311 ref: 00007FF8B8B291B5
_PyArg_ParseTuple_SizeT.PYTHON311 ref: 00007FF8B8B291D8
PyBuffer_Release.PYTHON311 ref: 00007FF8B8B2920A

Strings

n:read, xrefs: 00007FF8B8B291D1
nw*:read, xrefs: 00007FF8B8B291AE
_ssl._SSLSocket.read requires 1 to 2 arguments, xrefs: 00007FF8B8B2918C

Memory Dump Source

Source File: 00000002.00000002.3267386125.00007FF8B8B21000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF8B8B20000, based on PE: true

Associated: 00000002.00000002.3267342079.00007FF8B8B20000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267454200.00007FF8B8B2D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267519342.00007FF8B8B40000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267586768.00007FF8B8B41000.00000008.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267643901.00007FF8B8B49000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b8b20000_Q3pEXxmWAD.jbxd

Similarity

API ID: Arg_ParseSizeTuple_$Buffer_Err_ReleaseStringmemset
String ID: _ssl._SSLSocket.read requires 1 to 2 arguments$n:read$nw*:read
API String ID: 2062789907-3684439920
Opcode ID: 4d9f674cb8f01c2ec8c7eb491a0306551e557c933bd5ac34a25333a9ad965d85
Instruction ID: 21495b30c74c98a9bb533fc7c22226ada10682848821f9159731bccd1893a1ec
Opcode Fuzzy Hash: 4d9f674cb8f01c2ec8c7eb491a0306551e557c933bd5ac34a25333a9ad965d85
Instruction Fuzzy Hash: 45215322B18A4A91EB20DF3AE8446AD7761FB88BC1F948131DB5D43764DF3CD94AC704

Function 00007FF8B8B2A364 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 59COMMON

Download Yara Rule

APIs

_PyArg_UnpackKeywords.PYTHON311 ref: 00007FF8B8B2A3B5
_PyArg_BadArgument.PYTHON311 ref: 00007FF8B8B2A3EE
PyUnicode_AsUTF8AndSize.PYTHON311 ref: 00007FF8B8B2A3FB
PyErr_SetString.PYTHON311 ref: 00007FF8B8B2A42D

Strings

enum_crls, xrefs: 00007FF8B8B2A3E0
argument 'store_name', xrefs: 00007FF8B8B2A3E7
str, xrefs: 00007FF8B8B2A3D9
embedded null character, xrefs: 00007FF8B8B2A423

Memory Dump Source

Source File: 00000002.00000002.3267386125.00007FF8B8B21000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF8B8B20000, based on PE: true

Associated: 00000002.00000002.3267342079.00007FF8B8B20000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267454200.00007FF8B8B2D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267519342.00007FF8B8B40000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267586768.00007FF8B8B41000.00000008.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267643901.00007FF8B8B49000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b8b20000_Q3pEXxmWAD.jbxd

Similarity

API ID: Arg_$ArgumentErr_KeywordsSizeStringUnicode_Unpack
String ID: argument 'store_name'$embedded null character$enum_crls$str
API String ID: 2966986319-2641223161
Opcode ID: edebcfdd8289f7a9c3fc563b68228b3e132f1c0e94ef5d0d028ad48f2d59ef7b
Instruction ID: ddf3cac7d6f2b1ce2fdff880e60635d8f07415af6ff6315cf9495aef7ef8d81c
Opcode Fuzzy Hash: edebcfdd8289f7a9c3fc563b68228b3e132f1c0e94ef5d0d028ad48f2d59ef7b
Instruction Fuzzy Hash: 9A219C61A08B4685EE509F38E45426D6BA1FF45BD0FD81631DB6E033A4EF3CE44AC708

Function 00007FF8B8B2A018 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 59COMMON

Download Yara Rule

APIs

_PyArg_UnpackKeywords.PYTHON311 ref: 00007FF8B8B2A069
_PyArg_BadArgument.PYTHON311 ref: 00007FF8B8B2A0A2
PyUnicode_AsUTF8AndSize.PYTHON311 ref: 00007FF8B8B2A0AF
PyErr_SetString.PYTHON311 ref: 00007FF8B8B2A0E1

Strings

argument 'store_name', xrefs: 00007FF8B8B2A09B
str, xrefs: 00007FF8B8B2A08D
enum_certificates, xrefs: 00007FF8B8B2A094
embedded null character, xrefs: 00007FF8B8B2A0D7

Memory Dump Source

Source File: 00000002.00000002.3267386125.00007FF8B8B21000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF8B8B20000, based on PE: true

Associated: 00000002.00000002.3267342079.00007FF8B8B20000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267454200.00007FF8B8B2D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267519342.00007FF8B8B40000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267586768.00007FF8B8B41000.00000008.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267643901.00007FF8B8B49000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b8b20000_Q3pEXxmWAD.jbxd

Similarity

API ID: Arg_$ArgumentErr_KeywordsSizeStringUnicode_Unpack
String ID: argument 'store_name'$embedded null character$enum_certificates$str
API String ID: 2966986319-2881692381
Opcode ID: 53f086db60f9b04d6a2f02615ecfc5c48306b52590faff6202af7552c9614c75
Instruction ID: 72102b66e54792f0e2c5ec669cab16580b73730478f4b923717b22cd19ca2ff8
Opcode Fuzzy Hash: 53f086db60f9b04d6a2f02615ecfc5c48306b52590faff6202af7552c9614c75
Instruction Fuzzy Hash: F9217C61A08B4685EE508F39E45067A7BA0FB44BE0F945235DB1D437A4EF3DE88AC708

Function 00007FF8B8B28FDC Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 52COMMON

Download Yara Rule

APIs

SSL_is_init_finished.LIBSSL-3(?,?,00000000,00007FF8B8B28FBA), ref: 00007FF8B8B28FF4
PyErr_SetString.PYTHON311(?,?,00000000,00007FF8B8B28FBA), ref: 00007FF8B8B2900F
SSL_get1_peer_certificate.LIBSSL-3(?,?,00000000,00007FF8B8B28FBA), ref: 00007FF8B8B2901D

Strings

handshake not done yet, xrefs: 00007FF8B8B29005

Memory Dump Source

Source File: 00000002.00000002.3267386125.00007FF8B8B21000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF8B8B20000, based on PE: true

Associated: 00000002.00000002.3267342079.00007FF8B8B20000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267454200.00007FF8B8B2D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267519342.00007FF8B8B40000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267586768.00007FF8B8B41000.00000008.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267643901.00007FF8B8B49000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b8b20000_Q3pEXxmWAD.jbxd

Similarity

API ID: Err_L_get1_peer_certificateL_is_init_finishedString
String ID: handshake not done yet
API String ID: 1333720006-2620869922
Opcode ID: 79220f5fe6ea8fc6b2c70bdc56a1d20f8411fd76aa474a053c1e0f70df4ce9f8
Instruction ID: b28312c11c8e8c415e8f963969a7b76517296db57248df2ce7480a92203e6112
Opcode Fuzzy Hash: 79220f5fe6ea8fc6b2c70bdc56a1d20f8411fd76aa474a053c1e0f70df4ce9f8
Instruction Fuzzy Hash: EE211D21A08A5A81EA149F3EE95443E2B60BF88FD4F980131DF0E87774DF2DE4578308

Function 00007FF8B8B28D54 Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 49stringCOMMON

Download Yara Rule

APIs

strcmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF8B8B28D83
SSL_session_reused.LIBSSL-3 ref: 00007FF8B8B28D93
SSL_get_finished.LIBSSL-3 ref: 00007FF8B8B28DB3
SSL_get_peer_finished.LIBSSL-3 ref: 00007FF8B8B28DBB
PyBytes_FromStringAndSize.PYTHON311 ref: 00007FF8B8B28DDA
PyErr_Format.PYTHON311 ref: 00007FF8B8B28DF6

Strings

'%s' channel binding type not implemented, xrefs: 00007FF8B8B28DE9
tls-unique, xrefs: 00007FF8B8B28D59, 00007FF8B8B28D7C

Memory Dump Source

Source File: 00000002.00000002.3267386125.00007FF8B8B21000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF8B8B20000, based on PE: true

Associated: 00000002.00000002.3267342079.00007FF8B8B20000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267454200.00007FF8B8B2D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267519342.00007FF8B8B40000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267586768.00007FF8B8B41000.00000008.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267643901.00007FF8B8B49000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b8b20000_Q3pEXxmWAD.jbxd

Similarity

API ID: Bytes_Err_FormatFromL_get_finishedL_get_peer_finishedL_session_reusedSizeStringstrcmp
String ID: '%s' channel binding type not implemented$tls-unique
API String ID: 797867279-2744131590
Opcode ID: 21146a2112b2ad7085c28b3d21b7c7292de9ba5a06dba59da6786d702b1b3277
Instruction ID: 1bff89cd121aed374d73e74afc404482bd15845e10de6a508f9340f0ce9cc121
Opcode Fuzzy Hash: 21146a2112b2ad7085c28b3d21b7c7292de9ba5a06dba59da6786d702b1b3277
Instruction Fuzzy Hash: BB113061B08A4681EB209F3DE89037D2760BF98BC4F984135CB4D47A65DF2CE45A8704

Function 00007FF8B8B2678C Relevance: 14.0, APIs: 5, Strings: 3, Instructions: 46COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FF8B8B267B6
PyObject_GetBuffer.PYTHON311 ref: 00007FF8B8B267C6
PyBuffer_IsContiguous.PYTHON311 ref: 00007FF8B8B267D7
_PyArg_BadArgument.PYTHON311 ref: 00007FF8B8B267F9
PyBuffer_Release.PYTHON311 ref: 00007FF8B8B2681E

Strings

argument, xrefs: 00007FF8B8B267EB
contiguous buffer, xrefs: 00007FF8B8B267E4
write, xrefs: 00007FF8B8B267F2

Memory Dump Source

Source File: 00000002.00000002.3267386125.00007FF8B8B21000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF8B8B20000, based on PE: true

Associated: 00000002.00000002.3267342079.00007FF8B8B20000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267454200.00007FF8B8B2D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267519342.00007FF8B8B40000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267586768.00007FF8B8B41000.00000008.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267643901.00007FF8B8B49000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b8b20000_Q3pEXxmWAD.jbxd

Similarity

API ID: Buffer_$Arg_ArgumentBufferContiguousObject_Releasememset
String ID: argument$contiguous buffer$write
API String ID: 365628853-2056178395
Opcode ID: cc61c2993cc4346274ecbbec02443e0238b67ce1d0f3286e9f77d67aad708846
Instruction ID: d83da8c12f27e96562a98ca5abacd12700683316ad49533328429018df3dd4bb
Opcode Fuzzy Hash: cc61c2993cc4346274ecbbec02443e0238b67ce1d0f3286e9f77d67aad708846
Instruction Fuzzy Hash: CF11B622B08A4681EB109F39E8542BD6760FB49BC4FD48135DB4D47664EF3CE54AC744

Function 00007FF8B8B26CEC Relevance: 14.0, APIs: 5, Strings: 3, Instructions: 46COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FF8B8B26D16
PyObject_GetBuffer.PYTHON311 ref: 00007FF8B8B26D26
PyBuffer_IsContiguous.PYTHON311 ref: 00007FF8B8B26D37
_PyArg_BadArgument.PYTHON311 ref: 00007FF8B8B26D59
PyBuffer_Release.PYTHON311 ref: 00007FF8B8B26D7E

Strings

_set_alpn_protocols, xrefs: 00007FF8B8B26D52
argument, xrefs: 00007FF8B8B26D4B
contiguous buffer, xrefs: 00007FF8B8B26D44

Memory Dump Source

Source File: 00000002.00000002.3267386125.00007FF8B8B21000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF8B8B20000, based on PE: true

Associated: 00000002.00000002.3267342079.00007FF8B8B20000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267454200.00007FF8B8B2D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267519342.00007FF8B8B40000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267586768.00007FF8B8B41000.00000008.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267643901.00007FF8B8B49000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b8b20000_Q3pEXxmWAD.jbxd

Similarity

API ID: Buffer_$Arg_ArgumentBufferContiguousObject_Releasememset
String ID: _set_alpn_protocols$argument$contiguous buffer
API String ID: 365628853-4024966138
Opcode ID: 1392f1b1f5bd8f698a70ceaa6f21d61dbeb0dfddf111f35acff58b2a9a9a809f
Instruction ID: 80eba8103a2cdd27e3becf8794d4906e19e3b922bf48967e4eb87ee8316692a9
Opcode Fuzzy Hash: 1392f1b1f5bd8f698a70ceaa6f21d61dbeb0dfddf111f35acff58b2a9a9a809f
Instruction Fuzzy Hash: DE119326B08A4AC1EB209F39E8542BD6760FB89BC4F988235DB4D43664DF3CE54AC704

Function 00007FF8B8B29A0C Relevance: 14.0, APIs: 5, Strings: 3, Instructions: 46COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FF8B8B29A36
PyObject_GetBuffer.PYTHON311 ref: 00007FF8B8B29A46
PyBuffer_IsContiguous.PYTHON311 ref: 00007FF8B8B29A57
_PyArg_BadArgument.PYTHON311 ref: 00007FF8B8B29A79
PyBuffer_Release.PYTHON311 ref: 00007FF8B8B29A9E

Strings

argument, xrefs: 00007FF8B8B29A6B
contiguous buffer, xrefs: 00007FF8B8B29A64
write, xrefs: 00007FF8B8B29A72

Memory Dump Source

Source File: 00000002.00000002.3267386125.00007FF8B8B21000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF8B8B20000, based on PE: true

Associated: 00000002.00000002.3267342079.00007FF8B8B20000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267454200.00007FF8B8B2D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267519342.00007FF8B8B40000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267586768.00007FF8B8B41000.00000008.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267643901.00007FF8B8B49000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b8b20000_Q3pEXxmWAD.jbxd

Similarity

API ID: Buffer_$Arg_ArgumentBufferContiguousObject_Releasememset
String ID: argument$contiguous buffer$write
API String ID: 365628853-2056178395
Opcode ID: c8bb77e8611b4a60aad0a4be1a272d77f1b9e7e505abc08805f5cc3e93e89f8b
Instruction ID: 132c94fccdd8194f29fc99da28e44a79426c26b0320c6b5f5d6e1eb566a998ef
Opcode Fuzzy Hash: c8bb77e8611b4a60aad0a4be1a272d77f1b9e7e505abc08805f5cc3e93e89f8b
Instruction Fuzzy Hash: 5F119322B08B4A82EB109F39E8546AD6760FB89BC4F948171DB4D43664DF3CD94AC704

Function 00007FF8B8B26D9C Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

PyErr_Format.PYTHON311(?,?,?,00007FF8B8B26D6E), ref: 00007FF8B8B26DC9
PyMem_Free.PYTHON311(?,?,?,00007FF8B8B26D6E), ref: 00007FF8B8B26DD7
PyMem_Malloc.PYTHON311(?,?,?,00007FF8B8B26D6E), ref: 00007FF8B8B26DE1
PyErr_NoMemory.PYTHON311(?,?,?,00007FF8B8B26D6E), ref: 00007FF8B8B26DF0

Strings

protocols longer than %u bytes, xrefs: 00007FF8B8B26DBF

Memory Dump Source

Source File: 00000002.00000002.3267386125.00007FF8B8B21000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF8B8B20000, based on PE: true

Associated: 00000002.00000002.3267342079.00007FF8B8B20000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267454200.00007FF8B8B2D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267519342.00007FF8B8B40000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267586768.00007FF8B8B41000.00000008.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267643901.00007FF8B8B49000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b8b20000_Q3pEXxmWAD.jbxd

Similarity

API ID: Err_Mem_$FormatFreeMallocMemory
String ID: protocols longer than %u bytes
API String ID: 2903777688-895981740
Opcode ID: 39fea56072f3fada9465762c4a1f8beb2e0cdbcfd0e0a9ed28ff2a549860dcfe
Instruction ID: b9ea864125872282a7a16d8938386caf70a54c163dc61154bf08f058448a8129
Opcode Fuzzy Hash: 39fea56072f3fada9465762c4a1f8beb2e0cdbcfd0e0a9ed28ff2a549860dcfe
Instruction Fuzzy Hash: 2311DA66A18B4A82EB149F3EE85402C2B70FB89BD4F944535CF2E47764DF2CE4668344

Function 00007FF8B8B26880 Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 44COMMON

Download Yara Rule

APIs

PyErr_Format.PYTHON311(?,?,?,?,00000000,00007FF8B8B2680E), ref: 00007FF8B8B268A6
PyType_GetModule.PYTHON311(?,?,?,?,00000000,00007FF8B8B2680E), ref: 00007FF8B8B268BE
PyModule_GetState.PYTHON311(?,?,?,?,00000000,00007FF8B8B2680E), ref: 00007FF8B8B268CC
PyErr_SetString.PYTHON311(?,?,?,?,00000000,00007FF8B8B2680E), ref: 00007FF8B8B268DD
BIO_write.LIBCRYPTO-3(?,?,?,?,00000000,00007FF8B8B2680E), ref: 00007FF8B8B268F0
PyType_GetModuleState.PYTHON311(?,?,?,?,00000000,00007FF8B8B2680E), ref: 00007FF8B8B268FE

Part of subcall function 00007FF8B8B261C8: ERR_peek_last_error.LIBCRYPTO-3 ref: 00007FF8B8B261E0
Part of subcall function 00007FF8B8B261C8: ERR_clear_error.LIBCRYPTO-3 ref: 00007FF8B8B26209

Strings

cannot write() after write_eof(), xrefs: 00007FF8B8B268D2
string longer than %d bytes, xrefs: 00007FF8B8B2689C

Memory Dump Source

Source File: 00000002.00000002.3267386125.00007FF8B8B21000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF8B8B20000, based on PE: true

Associated: 00000002.00000002.3267342079.00007FF8B8B20000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267454200.00007FF8B8B2D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267519342.00007FF8B8B40000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267586768.00007FF8B8B41000.00000008.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267643901.00007FF8B8B49000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b8b20000_Q3pEXxmWAD.jbxd

Similarity

API ID: Err_ModuleStateType_$FormatModule_O_writeR_clear_errorR_peek_last_errorString
String ID: cannot write() after write_eof()$string longer than %d bytes
API String ID: 11717643-118187971
Opcode ID: 19f2ded5fd9fb4c8a1b9f1457ca27de781a3e5e88470d39e3a5cd985d7c12adc
Instruction ID: 1b483987ed2d3534bb9804c462653b994f770fcd5923d9409f48cb00402ec85d
Opcode Fuzzy Hash: 19f2ded5fd9fb4c8a1b9f1457ca27de781a3e5e88470d39e3a5cd985d7c12adc
Instruction Fuzzy Hash: 59112B61B1890AC1EB149F39D85417C2BA0FB85BD4F984535CB0E8B6A4DF3DE48BC708

Function 00007FF8B8B295B4 Relevance: 13.6, APIs: 9, Instructions: 78COMMON

Download Yara Rule

APIs

SSL_get_ciphers.LIBSSL-3 ref: 00007FF8B8B295E0
SSL_get_client_ciphers.LIBSSL-3 ref: 00007FF8B8B29601
OPENSSL_sk_num.LIBCRYPTO-3 ref: 00007FF8B8B29612
PyList_New.PYTHON311 ref: 00007FF8B8B2961B
OPENSSL_sk_num.LIBCRYPTO-3 ref: 00007FF8B8B29630
OPENSSL_sk_value.LIBCRYPTO-3 ref: 00007FF8B8B29642
OPENSSL_sk_find.LIBCRYPTO-3 ref: 00007FF8B8B29651
OPENSSL_sk_num.LIBCRYPTO-3 ref: 00007FF8B8B2967B

Memory Dump Source

Source File: 00000002.00000002.3267386125.00007FF8B8B21000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF8B8B20000, based on PE: true

Associated: 00000002.00000002.3267342079.00007FF8B8B20000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267454200.00007FF8B8B2D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267519342.00007FF8B8B40000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267586768.00007FF8B8B41000.00000008.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267643901.00007FF8B8B49000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b8b20000_Q3pEXxmWAD.jbxd

Similarity

API ID: L_sk_num$L_get_ciphersL_get_client_ciphersL_sk_findL_sk_valueList_
String ID:
API String ID: 1815754784-0
Opcode ID: e1125bb4d621d2ba6061570ce7d485875dac23ddf1f437e6e1f39d5413b124bd
Instruction ID: 52bd1f9a80b8eb4de1fa0de954d64648927b11594b74bf4261941fa8ade869fb
Opcode Fuzzy Hash: e1125bb4d621d2ba6061570ce7d485875dac23ddf1f437e6e1f39d5413b124bd
Instruction Fuzzy Hash: 7131F721A09B4A81EB199F3AA95453D6AE0BF89FD1F980434CF4E87754EF3CE4578348

Function 00007FF8B8B275B8 Relevance: 13.6, APIs: 9, Instructions: 68COMMON

Download Yara Rule

APIs

SSL_new.LIBSSL-3 ref: 00007FF8B8B275E2
SSL_get_ciphers.LIBSSL-3 ref: 00007FF8B8B2760E
OPENSSL_sk_num.LIBCRYPTO-3 ref: 00007FF8B8B2761A
PyList_New.PYTHON311 ref: 00007FF8B8B27623
OPENSSL_sk_num.LIBCRYPTO-3 ref: 00007FF8B8B27636
OPENSSL_sk_value.LIBCRYPTO-3 ref: 00007FF8B8B27648
OPENSSL_sk_num.LIBCRYPTO-3 ref: 00007FF8B8B2766C
SSL_free.LIBSSL-3 ref: 00007FF8B8B2768C

Part of subcall function 00007FF8B8B261C8: ERR_peek_last_error.LIBCRYPTO-3 ref: 00007FF8B8B261E0
Part of subcall function 00007FF8B8B261C8: ERR_clear_error.LIBCRYPTO-3 ref: 00007FF8B8B26209

Memory Dump Source

Source File: 00000002.00000002.3267386125.00007FF8B8B21000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF8B8B20000, based on PE: true

Associated: 00000002.00000002.3267342079.00007FF8B8B20000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267454200.00007FF8B8B2D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267519342.00007FF8B8B40000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267586768.00007FF8B8B41000.00000008.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267643901.00007FF8B8B49000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b8b20000_Q3pEXxmWAD.jbxd

Similarity

API ID: L_sk_num$L_freeL_get_ciphersL_newL_sk_valueList_R_clear_errorR_peek_last_error
String ID:
API String ID: 722909353-0
Opcode ID: 0755245ea7af00cb45e25f8db7755cfce4f2b330fd28a278580c78b5433de7c0
Instruction ID: f862c8a32a2b13b155a40ec8ca78ff47fac98dcca309c1457a47cdcbc59c52a4
Opcode Fuzzy Hash: 0755245ea7af00cb45e25f8db7755cfce4f2b330fd28a278580c78b5433de7c0
Instruction Fuzzy Hash: A5211721A09B4686EA159F7EA85413D6AA0EF88FC0F984434CB4E43754EF7CE40A870C

Function 00007FF8BA24662A Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 162COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF8BA246B10: RtlPcToFileHeader.KERNEL32 ref: 00007FF8BA246B60
Part of subcall function 00007FF8BA246B10: RaiseException.KERNEL32 ref: 00007FF8BA246BA1

RtlPcToFileHeader.KERNEL32 ref: 00007FF8BA2466C7
FindMITargetTypeInstance.LIBVCRUNTIME ref: 00007FF8BA246723

Strings

Bad read pointer - no RTTI data!, xrefs: 00007FF8BA246828
Bad dynamic_cast!, xrefs: 00007FF8BA246792
Attempted a typeid of nullptr pointer!, xrefs: 00007FF8BA246805
Access violation - no RTTI data!, xrefs: 00007FF8BA24662A, 00007FF8BA24684B

Memory Dump Source

Source File: 00000002.00000002.3271320577.00007FF8BA241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8BA240000, based on PE: true

Associated: 00000002.00000002.3271278440.00007FF8BA240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3271565433.00007FF8BA253000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3271649077.00007FF8BA258000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3271708065.00007FF8BA259000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8ba240000_Q3pEXxmWAD.jbxd

Similarity

API ID: FileHeader$ExceptionFindInstanceRaiseTargetType
String ID: Access violation - no RTTI data!$Attempted a typeid of nullptr pointer!$Bad dynamic_cast!$Bad read pointer - no RTTI data!
API String ID: 1852475696-928371585
Opcode ID: 4ef8ad2c729168d00ef0645f383a1968f42c4eb1f6a8b3717fe5ffb80b324514
Instruction ID: 950325911d2b9327a3654f96a0f9d5ad9a8bcb44b9dd2235e6b0919bcecd3fbd
Opcode Fuzzy Hash: 4ef8ad2c729168d00ef0645f383a1968f42c4eb1f6a8b3717fe5ffb80b324514
Instruction Fuzzy Hash: 09516B62A18A8792EA20CB68EA906B96361FF44FC4F404571EF8D47A65EF3DE505E700

Function 00007FF8B7DE16E0 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 129COMMON

Download Yara Rule

APIs

PyType_IsSubtype.PYTHON311 ref: 00007FF8B7DE17C0
PyUnicode_FromString.PYTHON311 ref: 00007FF8B7DE1824
_PyArg_BadArgument.PYTHON311 ref: 00007FF8B7DE391A
_PyUnicode_Ready.PYTHON311 ref: 00007FF8B7DE392B

Strings

argument, xrefs: 00007FF8B7DE390C
a unicode character, xrefs: 00007FF8B7DE3905
category, xrefs: 00007FF8B7DE3913

Memory Dump Source

Source File: 00000002.00000002.3266207103.00007FF8B7DE1000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF8B7DE0000, based on PE: true

Associated: 00000002.00000002.3266148560.00007FF8B7DE0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7DE5000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7E42000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7E8E000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7E91000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7E96000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7EF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266902753.00007FF8B7EF3000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266961919.00007FF8B7EF5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b7de0000_Q3pEXxmWAD.jbxd

Similarity

API ID: Unicode_$Arg_ArgumentFromReadyStringSubtypeType_
String ID: a unicode character$argument$category
API String ID: 2803103377-2068800536
Opcode ID: a6d96ab8f4d74e2785bc45c139f4dad4c1c002ec39197cd78705e508cfcb3221
Instruction ID: 257fb1867ec301439a0c88f37d80bb9532675f865db686fe433700968fc9f388
Opcode Fuzzy Hash: a6d96ab8f4d74e2785bc45c139f4dad4c1c002ec39197cd78705e508cfcb3221
Instruction Fuzzy Hash: B1517F61B08B5692EF5A8B1DD8902BD23A1EB44BC4F5C4235DBAE477A8DF2DE845C310

Function 00007FF8B8B26E4C Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 120COMMON

Download Yara Rule

APIs

_PyArg_UnpackKeywords.PYTHON311 ref: 00007FF8B8B26EE6
_PyArg_BadArgument.PYTHON311 ref: 00007FF8B8B26F31

Part of subcall function 00007FF8B8B237BC: PyType_IsSubtype.PYTHON311 ref: 00007FF8B8B237C9

_PyLong_AsInt.PYTHON311 ref: 00007FF8B8B26F6B
PyErr_Occurred.PYTHON311 ref: 00007FF8B8B26F79

Strings

argument 'incoming', xrefs: 00007FF8B8B26F1C
_wrap_bio, xrefs: 00007FF8B8B26F2A
argument 'outgoing', xrefs: 00007FF8B8B26F5A

Memory Dump Source

Source File: 00000002.00000002.3267386125.00007FF8B8B21000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF8B8B20000, based on PE: true

Associated: 00000002.00000002.3267342079.00007FF8B8B20000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267454200.00007FF8B8B2D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267519342.00007FF8B8B40000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267586768.00007FF8B8B41000.00000008.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267643901.00007FF8B8B49000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b8b20000_Q3pEXxmWAD.jbxd

Similarity

API ID: Arg_$ArgumentErr_KeywordsLong_OccurredSubtypeType_Unpack
String ID: _wrap_bio$argument 'incoming'$argument 'outgoing'
API String ID: 1983060003-586963342
Opcode ID: a3a91b4470d632ea0959dd1c880afab1b37646f1eae7cf510c8b9dc2dea6cdaa
Instruction ID: d1d53e70330ffbd60fc32846310c795a005f0572d3c43189750856dc6616b7d4
Opcode Fuzzy Hash: a3a91b4470d632ea0959dd1c880afab1b37646f1eae7cf510c8b9dc2dea6cdaa
Instruction Fuzzy Hash: CC419F62A09B9282EE509F6AE44066D7BA4FB49BD4F84043ADF5C43B54DF3CE4968308

Function 00007FF8B7DE1590 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 112COMMON

Download Yara Rule

APIs

PyType_IsSubtype.PYTHON311 ref: 00007FF8B7DE1668
PyUnicode_FromString.PYTHON311 ref: 00007FF8B7DE168D
_PyArg_BadArgument.PYTHON311 ref: 00007FF8B7DE38AE
_PyUnicode_Ready.PYTHON311 ref: 00007FF8B7DE38BE

Strings

argument, xrefs: 00007FF8B7DE38A0
a unicode character, xrefs: 00007FF8B7DE3899
bidirectional, xrefs: 00007FF8B7DE38A7

Memory Dump Source

Source File: 00000002.00000002.3266207103.00007FF8B7DE1000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF8B7DE0000, based on PE: true

Associated: 00000002.00000002.3266148560.00007FF8B7DE0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7DE5000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7E42000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7E8E000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7E91000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7E96000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7EF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266902753.00007FF8B7EF3000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266961919.00007FF8B7EF5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b7de0000_Q3pEXxmWAD.jbxd

Similarity

API ID: Unicode_$Arg_ArgumentFromReadyStringSubtypeType_
String ID: a unicode character$argument$bidirectional
API String ID: 2803103377-2110215792
Opcode ID: 36da06cb25986c62c4c3f8f899b6a59008b4eccd6e6682e03f445f584b43c37d
Instruction ID: c49fabea1b8324885ae3e6c988d11b4d838ba366f7a026ed89d45798e6f59ca4
Opcode Fuzzy Hash: 36da06cb25986c62c4c3f8f899b6a59008b4eccd6e6682e03f445f584b43c37d
Instruction Fuzzy Hash: C341A261B1874282EF568B1DD89437D23A1EB44BC4F5D4239DB6E476BCDE3DE8458340

Function 00007FF8BA246FE4 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,?,00007FF8BA2471A3,?,?,00000000,00007FF8BA246FD4,?,?,?,?,00007FF8BA246D11), ref: 00007FF8BA247069
GetLastError.KERNEL32(?,?,?,00007FF8BA2471A3,?,?,00000000,00007FF8BA246FD4,?,?,?,?,00007FF8BA246D11), ref: 00007FF8BA247077
wcsncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF8BA2471A3,?,?,00000000,00007FF8BA246FD4,?,?,?,?,00007FF8BA246D11), ref: 00007FF8BA247090
LoadLibraryExW.KERNEL32(?,?,?,00007FF8BA2471A3,?,?,00000000,00007FF8BA246FD4,?,?,?,?,00007FF8BA246D11), ref: 00007FF8BA2470A2
FreeLibrary.KERNEL32(?,?,?,00007FF8BA2471A3,?,?,00000000,00007FF8BA246FD4,?,?,?,?,00007FF8BA246D11), ref: 00007FF8BA247110
GetProcAddress.KERNEL32(?,?,?,00007FF8BA2471A3,?,?,00000000,00007FF8BA246FD4,?,?,?,?,00007FF8BA246D11), ref: 00007FF8BA24711C

Strings

api-ms-, xrefs: 00007FF8BA247089

Memory Dump Source

Source File: 00000002.00000002.3271320577.00007FF8BA241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8BA240000, based on PE: true

Associated: 00000002.00000002.3271278440.00007FF8BA240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3271565433.00007FF8BA253000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3271649077.00007FF8BA258000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3271708065.00007FF8BA259000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8ba240000_Q3pEXxmWAD.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProcwcsncmp
String ID: api-ms-
API String ID: 916704608-2084034818
Opcode ID: 76e9ed00015fa7378e2762435fe1c6674923b12dca3248f544122840abba5d3b
Instruction ID: 4efddd9899aa022dc13c524ee5ba553284b138d0da538d39b0c6f3b01c417e33
Opcode Fuzzy Hash: 76e9ed00015fa7378e2762435fe1c6674923b12dca3248f544122840abba5d3b
Instruction Fuzzy Hash: 99318F21F1AB4391EE169B1AA8105B56794FF08FE4F196575DF2E0BB80EE3DE544A300

Function 00007FF8B7DE4494 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 87COMMON

Download Yara Rule

APIs

PyType_IsSubtype.PYTHON311 ref: 00007FF8B7DE44CB
PyUnicode_FromString.PYTHON311 ref: 00007FF8B7DE44E7
memcpy.VCRUNTIME140 ref: 00007FF8B7DE4563
PyOS_snprintf.PYTHON311 ref: 00007FF8B7DE45A5
PyUnicode_FromStringAndSize.PYTHON311 ref: 00007FF8B7DE45D2

Strings

%04X, xrefs: 00007FF8B7DE4590
, xrefs: 00007FF8B7DE457B

Memory Dump Source

Source File: 00000002.00000002.3266207103.00007FF8B7DE1000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF8B7DE0000, based on PE: true

Associated: 00000002.00000002.3266148560.00007FF8B7DE0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7DE5000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7E42000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7E8E000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7E91000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7E96000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7EF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266902753.00007FF8B7EF3000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266961919.00007FF8B7EF5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b7de0000_Q3pEXxmWAD.jbxd

Similarity

API ID: FromStringUnicode_$S_snprintfSizeSubtypeType_memcpy
String ID: $%04X
API String ID: 762632776-4013080060
Opcode ID: efaac3812b1e45b0806d1ffd24ca6100d0016fb643bf3bb04f79384b0d54b902
Instruction ID: f797298f46846d27a43bdd4364b9a336e08be7e8a31ad6ca1259ecf1c9a69ff5
Opcode Fuzzy Hash: efaac3812b1e45b0806d1ffd24ca6100d0016fb643bf3bb04f79384b0d54b902
Instruction Fuzzy Hash: 1A316E62A08B8141EE628B19E8543BD67A1FF49BD4F584335EB7E47AE8DF2CE5458300

Function 00007FF8B8B2A9CC Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 46COMMON

Download Yara Rule

APIs

BIO_s_mem.LIBCRYPTO-3 ref: 00007FF8B8B2A9E6
BIO_new.LIBCRYPTO-3 ref: 00007FF8B8B2A9EF
PyErr_SetString.PYTHON311 ref: 00007FF8B8B2AA10
X509_NAME_print_ex.LIBCRYPTO-3 ref: 00007FF8B8B2AA29
BIO_free.LIBCRYPTO-3 ref: 00007FF8B8B2AA5F

Strings

failed to allocate BIO, xrefs: 00007FF8B8B2AA06
strict, xrefs: 00007FF8B8B2AA4A

Memory Dump Source

Source File: 00000002.00000002.3267386125.00007FF8B8B21000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF8B8B20000, based on PE: true

Associated: 00000002.00000002.3267342079.00007FF8B8B20000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267454200.00007FF8B8B2D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267519342.00007FF8B8B40000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267586768.00007FF8B8B41000.00000008.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267643901.00007FF8B8B49000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b8b20000_Q3pEXxmWAD.jbxd

Similarity

API ID: E_print_exErr_O_freeO_newO_s_memStringX509_
String ID: failed to allocate BIO$strict
API String ID: 220268057-2811890329
Opcode ID: f3bd8290070eb6edf1ca0f46686a835670ffb4ee5c39d9d56ef1657fad3d7d60
Instruction ID: 0b4511a72f7c830b8c2a07390392085f4be52c45f05d790dc108304fa98a695b
Opcode Fuzzy Hash: f3bd8290070eb6edf1ca0f46686a835670ffb4ee5c39d9d56ef1657fad3d7d60
Instruction Fuzzy Hash: 60114C61B18A4785EA409F3AB81452EAB60BF89FC0F986030DF4E47B25DF3CE0478708

Function 00007FF8B8B214C8 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 43COMMON

Download Yara Rule

APIs

OBJ_obj2nid.LIBCRYPTO-3(?,?,?,?,?,00007FF8B8B214A6), ref: 00007FF8B8B214EA
OBJ_nid2sn.LIBCRYPTO-3(?,?,?,?,?,00007FF8B8B214A6), ref: 00007FF8B8B214FC
OBJ_nid2ln.LIBCRYPTO-3(?,?,?,?,?,00007FF8B8B214A6), ref: 00007FF8B8B21507

Part of subcall function 00007FF8B8B21558: OBJ_obj2txt.LIBCRYPTO-3 ref: 00007FF8B8B2159D
Part of subcall function 00007FF8B8B21558: PyUnicode_FromStringAndSize.PYTHON311 ref: 00007FF8B8B215C3

_Py_BuildValue_SizeT.PYTHON311(?,?,?,?,?,00007FF8B8B214A6), ref: 00007FF8B8B21535
PyErr_Format.PYTHON311(?,?,?,?,?,00007FF8B8B214A6), ref: 00007FF8B8B23633

Strings

Unknown object, xrefs: 00007FF8B8B23629
issN, xrefs: 00007FF8B8B2152C

Memory Dump Source

Source File: 00000002.00000002.3267386125.00007FF8B8B21000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF8B8B20000, based on PE: true

Associated: 00000002.00000002.3267342079.00007FF8B8B20000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267454200.00007FF8B8B2D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267519342.00007FF8B8B40000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267586768.00007FF8B8B41000.00000008.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267643901.00007FF8B8B49000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b8b20000_Q3pEXxmWAD.jbxd

Similarity

API ID: Size$BuildErr_FormatFromJ_nid2lnJ_nid2snJ_obj2nidJ_obj2txtStringUnicode_Value_
String ID: Unknown object$issN
API String ID: 1805764990-847857892
Opcode ID: 36dc22c37b80143fa571bc994d527e926e6cf506b95b83dc09d1e569a5f0b79d
Instruction ID: 53c05b22c6e653e4835c482fec4d1c4fb4ee33682b69f4a653b972053e586c1f
Opcode Fuzzy Hash: 36dc22c37b80143fa571bc994d527e926e6cf506b95b83dc09d1e569a5f0b79d
Instruction Fuzzy Hash: 76115B25B18B4685EA109F3AF80406DABA0BB88FD0F884135DF4D87B24DF7CE44A8708

Function 00007FF8B7DE41C4 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 40COMMON

Download Yara Rule

APIs

_PyArg_BadArgument.PYTHON311 ref: 00007FF8B7DE41FD
_PyUnicode_Ready.PYTHON311 ref: 00007FF8B7DE4210
PyErr_Occurred.PYTHON311 ref: 00007FF8B7DE423A
PyLong_FromLong.PYTHON311 ref: 00007FF8B7DE4247

Strings

argument, xrefs: 00007FF8B7DE41EF
combining, xrefs: 00007FF8B7DE41F6
a unicode character, xrefs: 00007FF8B7DE41E8

Memory Dump Source

Source File: 00000002.00000002.3266207103.00007FF8B7DE1000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF8B7DE0000, based on PE: true

Associated: 00000002.00000002.3266148560.00007FF8B7DE0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7DE5000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7E42000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7E8E000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7E91000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7E96000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7EF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266902753.00007FF8B7EF3000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266961919.00007FF8B7EF5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b7de0000_Q3pEXxmWAD.jbxd

Similarity

API ID: Arg_ArgumentErr_FromLongLong_OccurredReadyUnicode_
String ID: a unicode character$argument$combining
API String ID: 3097524968-4202047184
Opcode ID: 6ee8f634c8bf377dd992d2f0ff6affb9e81d614e22d3a0a0852f92623d6c53f6
Instruction ID: 7422297fe686b9d2ec2cdc5ce5d05c44e5df7c8f3d19507e53b3e8097d0015f7
Opcode Fuzzy Hash: 6ee8f634c8bf377dd992d2f0ff6affb9e81d614e22d3a0a0852f92623d6c53f6
Instruction Fuzzy Hash: 8C014420E0874742EE569B69A84427D2290EF49BD8F585335EB7E476BDDF3CE4858300

Function 00007FF8B7DE4A40 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 40COMMON

Download Yara Rule

APIs

_PyArg_BadArgument.PYTHON311 ref: 00007FF8B7DE4A79
_PyUnicode_Ready.PYTHON311 ref: 00007FF8B7DE4A8C
PyErr_Occurred.PYTHON311 ref: 00007FF8B7DE4AB6
PyLong_FromLong.PYTHON311 ref: 00007FF8B7DE4AC3

Strings

argument, xrefs: 00007FF8B7DE4A6B
a unicode character, xrefs: 00007FF8B7DE4A64
mirrored, xrefs: 00007FF8B7DE4A72

Memory Dump Source

Source File: 00000002.00000002.3266207103.00007FF8B7DE1000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF8B7DE0000, based on PE: true

Associated: 00000002.00000002.3266148560.00007FF8B7DE0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7DE5000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7E42000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7E8E000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7E91000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7E96000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7EF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266902753.00007FF8B7EF3000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266961919.00007FF8B7EF5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b7de0000_Q3pEXxmWAD.jbxd

Similarity

API ID: Arg_ArgumentErr_FromLongLong_OccurredReadyUnicode_
String ID: a unicode character$argument$mirrored
API String ID: 3097524968-4001128513
Opcode ID: 77cb7ad6de355ad8668d3817cb236b2b5105f7e73bd8a590f5e838a9add7c01f
Instruction ID: e69412e8b1446bf9cb7027c875d6a00e4a54b0899de981ca7cdfd3d7e85530f7
Opcode Fuzzy Hash: 77cb7ad6de355ad8668d3817cb236b2b5105f7e73bd8a590f5e838a9add7c01f
Instruction Fuzzy Hash: AD018420A0874341EE569B2DAA4417C2350AF49BE8F4C5334EB2E476BDDF3CE8448304

Function 00007FF8B8B2A844 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 39COMMON

Download Yara Rule

APIs

PyErr_SetString.PYTHON311(?,?,00000000,00007FF8B8B2A82D), ref: 00007FF8B8B2A86D
OBJ_nid2obj.LIBCRYPTO-3(?,?,00000000,00007FF8B8B2A82D), ref: 00007FF8B8B2A879
PyErr_Format.PYTHON311(?,?,00000000,00007FF8B8B2A82D), ref: 00007FF8B8B2A89B
PyModule_GetState.PYTHON311(?,?,00000000,00007FF8B8B2A82D), ref: 00007FF8B8B2A8A6

Part of subcall function 00007FF8B8B214C8: OBJ_obj2nid.LIBCRYPTO-3(?,?,?,?,?,00007FF8B8B214A6), ref: 00007FF8B8B214EA
Part of subcall function 00007FF8B8B214C8: OBJ_nid2sn.LIBCRYPTO-3(?,?,?,?,?,00007FF8B8B214A6), ref: 00007FF8B8B214FC
Part of subcall function 00007FF8B8B214C8: OBJ_nid2ln.LIBCRYPTO-3(?,?,?,?,?,00007FF8B8B214A6), ref: 00007FF8B8B21507
Part of subcall function 00007FF8B8B214C8: _Py_BuildValue_SizeT.PYTHON311(?,?,?,?,?,00007FF8B8B214A6), ref: 00007FF8B8B21535

ASN1_OBJECT_free.LIBCRYPTO-3(?,?,00000000,00007FF8B8B2A82D), ref: 00007FF8B8B2A8BD

Strings

unknown NID %i, xrefs: 00007FF8B8B2A88E
NID must be positive., xrefs: 00007FF8B8B2A863

Memory Dump Source

Source File: 00000002.00000002.3267386125.00007FF8B8B21000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF8B8B20000, based on PE: true

Associated: 00000002.00000002.3267342079.00007FF8B8B20000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267454200.00007FF8B8B2D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267519342.00007FF8B8B40000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267586768.00007FF8B8B41000.00000008.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267643901.00007FF8B8B49000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b8b20000_Q3pEXxmWAD.jbxd

Similarity

API ID: Err_$BuildFormatJ_nid2lnJ_nid2objJ_nid2snJ_obj2nidModule_SizeStateStringT_freeValue_
String ID: NID must be positive.$unknown NID %i
API String ID: 278606715-2656559464
Opcode ID: 781b65defdf33130c69221b13b130f0b8eb1561745a09ecb98b7b2dcb7949935
Instruction ID: a9b6001711bd459f92cbc45d17c9ec8021539a37404fa540bde90206bc96c5b6
Opcode Fuzzy Hash: 781b65defdf33130c69221b13b130f0b8eb1561745a09ecb98b7b2dcb7949935
Instruction Fuzzy Hash: 07011724F0CA4781EA048F3EE85453D6B61AF89BD4F985175CB0E4BB25DF2CE44B8308

Function 00007FF8B8B265A8 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 38COMMON

Download Yara Rule

APIs

BIO_s_mem.LIBCRYPTO-3(?,?,?,00007FF8B8B26587), ref: 00007FF8B8B265B5
BIO_new.LIBCRYPTO-3(?,?,?,00007FF8B8B26587), ref: 00007FF8B8B265BE
PyErr_SetString.PYTHON311(?,?,?,00007FF8B8B26587), ref: 00007FF8B8B265DD
BIO_set_flags.LIBCRYPTO-3(?,?,?,00007FF8B8B26587), ref: 00007FF8B8B265EF
BIO_ctrl.LIBCRYPTO-3(?,?,?,00007FF8B8B26587), ref: 00007FF8B8B26604
BIO_free.LIBCRYPTO-3(?,?,?,00007FF8B8B26587), ref: 00007FF8B8B2661D

Strings

failed to allocate BIO, xrefs: 00007FF8B8B265D3

Memory Dump Source

Source File: 00000002.00000002.3267386125.00007FF8B8B21000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF8B8B20000, based on PE: true

Associated: 00000002.00000002.3267342079.00007FF8B8B20000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267454200.00007FF8B8B2D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267519342.00007FF8B8B40000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267586768.00007FF8B8B41000.00000008.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267643901.00007FF8B8B49000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b8b20000_Q3pEXxmWAD.jbxd

Similarity

API ID: Err_O_ctrlO_freeO_newO_s_memO_set_flagsString
String ID: failed to allocate BIO
API String ID: 68942223-3472608418
Opcode ID: b4841f7cb48ad26e6a7df2d2d5ff6b3eb66126841573f36bf7c96289b451f945
Instruction ID: 60a1836cbc02090c160ed9e3a033c5f3c2d4eb42858cfb5effc54dc3d389323b
Opcode Fuzzy Hash: b4841f7cb48ad26e6a7df2d2d5ff6b3eb66126841573f36bf7c96289b451f945
Instruction Fuzzy Hash: 30014C61B08A0782EB189F39F91463D6BA0FF89BC5FA85134CB1E46754DF3CE44A8308

Function 00007FF8BA242C38 Relevance: 12.1, APIs: 8, Instructions: 148COMMON

Download Yara Rule

APIs

abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BA242CF0
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BA242D0E
__AdjustPointer.LIBCMT ref: 00007FF8BA242D4F
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BA242D5C
__AdjustPointer.LIBCMT ref: 00007FF8BA242D98
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BA242DAD
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BA242DF2
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BA242DF9

Memory Dump Source

Source File: 00000002.00000002.3271320577.00007FF8BA241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8BA240000, based on PE: true

Associated: 00000002.00000002.3271278440.00007FF8BA240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3271565433.00007FF8BA253000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3271649077.00007FF8BA258000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3271708065.00007FF8BA259000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8ba240000_Q3pEXxmWAD.jbxd

Similarity

API ID: abort$AdjustPointer
String ID:
API String ID: 1501936508-0
Opcode ID: 65b26e5f074ca0aafdff43cbb52cf6556557cf4e92b090b05be647d0b4ff5bec
Instruction ID: f5799c9498a2da6d9f9e2241bf69edfd60325f826d00daff20a1d7ca0f9b41d2
Opcode Fuzzy Hash: 65b26e5f074ca0aafdff43cbb52cf6556557cf4e92b090b05be647d0b4ff5bec
Instruction Fuzzy Hash: FE517C22A0DF5381FA69DB2ED45463963A4BF54FC4B0A84B5DF4E06795DF2CE842E300

Function 00007FF8BA242E1C Relevance: 12.1, APIs: 8, Instructions: 148COMMON

Download Yara Rule

APIs

abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BA242ED6
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BA242EF5
__AdjustPointer.LIBCMT ref: 00007FF8BA242F36
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BA242F43
__AdjustPointer.LIBCMT ref: 00007FF8BA242F7F
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BA242F94
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BA242FD9
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BA242FE0

Memory Dump Source

Source File: 00000002.00000002.3271320577.00007FF8BA241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8BA240000, based on PE: true

Associated: 00000002.00000002.3271278440.00007FF8BA240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3271565433.00007FF8BA253000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3271649077.00007FF8BA258000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3271708065.00007FF8BA259000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8ba240000_Q3pEXxmWAD.jbxd

Similarity

API ID: abort$AdjustPointer
String ID:
API String ID: 1501936508-0
Opcode ID: d568fcbafcd5d9e8e83e95e63f5b62363508f79f2b2b670005157146ca98b55e
Instruction ID: 7f72b5c37c942687c209fb45d295043fc594dc58c3ab21786f07d471afbef8a7
Opcode Fuzzy Hash: d568fcbafcd5d9e8e83e95e63f5b62363508f79f2b2b670005157146ca98b55e
Instruction Fuzzy Hash: FE519E22A0EA4391EA65DB5E94446386398FF54FC0F4A84B5DF4E06785DF2CF882AB10

Function 00007FF8B8B2AEF8 Relevance: 12.1, APIs: 8, Instructions: 54COMMON

Download Yara Rule

APIs

PyTuple_New.PYTHON311 ref: 00007FF8B8B2AF0A
SSL_CIPHER_get_name.LIBSSL-3 ref: 00007FF8B8B2AF1F
PyUnicode_FromString.PYTHON311 ref: 00007FF8B8B2AF40
SSL_CIPHER_get_version.LIBSSL-3 ref: 00007FF8B8B2AF52
PyUnicode_FromString.PYTHON311 ref: 00007FF8B8B2AF73
SSL_CIPHER_get_bits.LIBSSL-3 ref: 00007FF8B8B2AF87
PyLong_FromLong.PYTHON311 ref: 00007FF8B8B2AF8F
_Py_Dealloc.PYTHON311 ref: 00007FF8B8B2AFAC

Memory Dump Source

Source File: 00000002.00000002.3267386125.00007FF8B8B21000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF8B8B20000, based on PE: true

Associated: 00000002.00000002.3267342079.00007FF8B8B20000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267454200.00007FF8B8B2D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267519342.00007FF8B8B40000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267586768.00007FF8B8B41000.00000008.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267643901.00007FF8B8B49000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b8b20000_Q3pEXxmWAD.jbxd

Similarity

API ID: From$StringUnicode_$DeallocLongLong_R_get_bitsR_get_nameR_get_versionTuple_
String ID:
API String ID: 4201023408-0
Opcode ID: abd7184fc6f38644f9f77e97a2ae4beadb791884bfb1fff1d07f4d283dc1fe0e
Instruction ID: 1768941c3a756f73309d7153645ae378812630ec47ff4735e8f1e313b4f22648
Opcode Fuzzy Hash: abd7184fc6f38644f9f77e97a2ae4beadb791884bfb1fff1d07f4d283dc1fe0e
Instruction Fuzzy Hash: 6E212164A1DB0682EE559F3DA95423C6BA0AF48BC0F881434DB0E47754DF3CA4468308

Function 00007FF8B8B23E7C Relevance: 12.0, APIs: 8, Instructions: 44COMMON

Download Yara Rule

APIs

PyObject_GC_UnTrack.PYTHON311 ref: 00007FF8B8B23E8D
SSL_free.LIBSSL-3 ref: 00007FF8B8B23E9C
_Py_Dealloc.PYTHON311 ref: 00007FF8B8B23EB1
_Py_Dealloc.PYTHON311 ref: 00007FF8B8B23EC6
_Py_Dealloc.PYTHON311 ref: 00007FF8B8B23EDB
_Py_Dealloc.PYTHON311 ref: 00007FF8B8B23EF0
PyObject_GC_Del.PYTHON311 ref: 00007FF8B8B23EF9
_Py_Dealloc.PYTHON311 ref: 00007FF8B8B23F08

Memory Dump Source

Source File: 00000002.00000002.3267386125.00007FF8B8B21000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF8B8B20000, based on PE: true

Associated: 00000002.00000002.3267342079.00007FF8B8B20000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267454200.00007FF8B8B2D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267519342.00007FF8B8B40000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267586768.00007FF8B8B41000.00000008.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267643901.00007FF8B8B49000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b8b20000_Q3pEXxmWAD.jbxd

Similarity

API ID: Dealloc$Object_$L_freeTrack
String ID:
API String ID: 970091570-0
Opcode ID: e3d824a64c23f5aa5d9beb24dd4d29c7206220b1af59a27399d64d8b1e93205b
Instruction ID: 947387645a0fa4c7e03e51863f20d93410939bbf0f589757f90abfd2f059b3f7
Opcode Fuzzy Hash: e3d824a64c23f5aa5d9beb24dd4d29c7206220b1af59a27399d64d8b1e93205b
Instruction Fuzzy Hash: 53110D36E0AA06C5FE59AF79D55413C6B60AF59FE4F984530CB1E02A64CF2DD48B8318

Function 00007FF8B7DE11D0 Relevance: 10.8, APIs: 7, Instructions: 321COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF8B7DE18A0: PyMem_Malloc.PYTHON311 ref: 00007FF8B7DE190B
Part of subcall function 00007FF8B7DE18A0: PyType_IsSubtype.PYTHON311 ref: 00007FF8B7DE19F5
Part of subcall function 00007FF8B7DE18A0: PyType_IsSubtype.PYTHON311 ref: 00007FF8B7DE1A52

PyMem_Malloc.PYTHON311 ref: 00007FF8B7DE1252
PyMem_Free.PYTHON311 ref: 00007FF8B7DE136E
PyErr_NoMemory.PYTHON311 ref: 00007FF8B7DE387A
_Py_Dealloc.PYTHON311 ref: 00007FF8B7DE3889

Memory Dump Source

Source File: 00000002.00000002.3266207103.00007FF8B7DE1000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF8B7DE0000, based on PE: true

Associated: 00000002.00000002.3266148560.00007FF8B7DE0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7DE5000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7E42000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7E8E000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7E91000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7E96000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7EF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266902753.00007FF8B7EF3000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266961919.00007FF8B7EF5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b7de0000_Q3pEXxmWAD.jbxd

Similarity

API ID: Mem_$MallocSubtypeType_$DeallocErr_FreeMemory
String ID:
API String ID: 4139299733-0
Opcode ID: 28f3761f3b9b36c355cab414f80724fd73af126df89ae3bbe0a4b4c216283ad1
Instruction ID: 41d5fae2dc18a93da9e7066b7ed6bb54e4d976420950b2643824e91ec4451d53
Opcode Fuzzy Hash: 28f3761f3b9b36c355cab414f80724fd73af126df89ae3bbe0a4b4c216283ad1
Instruction Fuzzy Hash: 72D19B72A0CB5282EE328B1D944467D73A1FB457C4F5C0331DBAE466A8EE7EE841C700

Function 00007FF8BA24EB88 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 126COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FF8BA24EBFC
DName::operator+.LIBVCRUNTIME ref: 00007FF8BA24EC0B

Part of subcall function 00007FF8BA24CDBC: DName::operator+.LIBVCRUNTIME ref: 00007FF8BA24CE4D
Part of subcall function 00007FF8BA24CDBC: DName::operator+.LIBVCRUNTIME ref: 00007FF8BA24CE86
Part of subcall function 00007FF8BA24CDBC: DName::operator+.LIBVCRUNTIME ref: 00007FF8BA24D1B1

DName::operator+.LIBVCRUNTIME ref: 00007FF8BA24ECAB
DName::operator+.LIBVCRUNTIME ref: 00007FF8BA24ECBB
DName::operator+.LIBVCRUNTIME ref: 00007FF8BA24ED67

Strings

{for , xrefs: 00007FF8BA24EC34

Memory Dump Source

Source File: 00000002.00000002.3271320577.00007FF8BA241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8BA240000, based on PE: true

Associated: 00000002.00000002.3271278440.00007FF8BA240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3271565433.00007FF8BA253000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3271649077.00007FF8BA258000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3271708065.00007FF8BA259000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8ba240000_Q3pEXxmWAD.jbxd

Similarity

API ID: Name::operator+
String ID: {for
API String ID: 2943138195-864106941
Opcode ID: ad201dfe96a96ae0dc6555201844fc758e8e36effd4b63a30410ed7392a88b68
Instruction ID: 7bbe88f6f5bfeebaaa2a86b6760b2ae2096421c5058e40fed11b4649e59e3e51
Opcode Fuzzy Hash: ad201dfe96a96ae0dc6555201844fc758e8e36effd4b63a30410ed7392a88b68
Instruction Fuzzy Hash: CD511972A08A86A9F7019F28D4413E877A5EB44B88F8484B1EB4C07B99DF7CE655D340

Function 00007FF8B8B270C4 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 109COMMON

Download Yara Rule

APIs

_PyArg_UnpackKeywords.PYTHON311 ref: 00007FF8B8B2715E
_PyArg_BadArgument.PYTHON311 ref: 00007FF8B8B271A4
_PyLong_AsInt.PYTHON311 ref: 00007FF8B8B271B0
PyErr_Occurred.PYTHON311 ref: 00007FF8B8B271C1

Strings

argument 'sock', xrefs: 00007FF8B8B2718B
_wrap_socket, xrefs: 00007FF8B8B27195

Memory Dump Source

Source File: 00000002.00000002.3267386125.00007FF8B8B21000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF8B8B20000, based on PE: true

Associated: 00000002.00000002.3267342079.00007FF8B8B20000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267454200.00007FF8B8B2D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267519342.00007FF8B8B40000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267586768.00007FF8B8B41000.00000008.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267643901.00007FF8B8B49000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b8b20000_Q3pEXxmWAD.jbxd

Similarity

API ID: Arg_$ArgumentErr_KeywordsLong_OccurredUnpack
String ID: _wrap_socket$argument 'sock'
API String ID: 3416574803-3343203394
Opcode ID: 2ce16b05ca7704c2f44a8d2a6420770c9f586b2a5aac0beda5ab974c2b11777e
Instruction ID: d4c520b438079b2f25eee8ef0a88ed840dffc10a04955a90a3fa6fef0266c81b
Opcode Fuzzy Hash: 2ce16b05ca7704c2f44a8d2a6420770c9f586b2a5aac0beda5ab974c2b11777e
Instruction Fuzzy Hash: 9E416D22B09A42C2EA61DF2AA84066E6BA4FF49BD5F844435DF4C47754DF3CE45ACB0C

Function 00007FF8BA24E174 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 89COMMONLIBRARYCODE

Download Yara Rule

APIs

atol.API-MS-WIN-CRT-CONVERT-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FF8BA24D86D), ref: 00007FF8BA24E238
DName::DName.LIBVCRUNTIME ref: 00007FF8BA24E257

Strings

void, xrefs: 00007FF8BA24E1BA
`template-parameter, xrefs: 00007FF8BA24E265

Memory Dump Source

Source File: 00000002.00000002.3271320577.00007FF8BA241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8BA240000, based on PE: true

Associated: 00000002.00000002.3271278440.00007FF8BA240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3271565433.00007FF8BA253000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3271649077.00007FF8BA258000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3271708065.00007FF8BA259000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8ba240000_Q3pEXxmWAD.jbxd

Similarity

API ID: NameName::atol
String ID: `template-parameter$void
API String ID: 2130343216-4057429177
Opcode ID: 1a349dcf90f4e371f1810c8875e562b3843b42aeee856190ba29246ab6ec8260
Instruction ID: 5cb6c1a04484e6980bd0e1ec20f9770ce1436dda0e46485cd77d59e82a3e8cbf
Opcode Fuzzy Hash: 1a349dcf90f4e371f1810c8875e562b3843b42aeee856190ba29246ab6ec8260
Instruction Fuzzy Hash: 4D413422F08B5698FB00DBA8D8512FC23B1BB48BC8F9451B5DF0D26A59DF7CA645E340

Function 00007FF8B8B21558 Relevance: 10.6, APIs: 7, Instructions: 89COMMON

Download Yara Rule

APIs

OBJ_obj2txt.LIBCRYPTO-3 ref: 00007FF8B8B2159D
PyUnicode_FromStringAndSize.PYTHON311 ref: 00007FF8B8B215C3
OBJ_obj2txt.LIBCRYPTO-3 ref: 00007FF8B8B2366E
PyMem_Malloc.PYTHON311 ref: 00007FF8B8B2367B
OBJ_obj2txt.LIBCRYPTO-3 ref: 00007FF8B8B23695

Memory Dump Source

Source File: 00000002.00000002.3267386125.00007FF8B8B21000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF8B8B20000, based on PE: true

Associated: 00000002.00000002.3267342079.00007FF8B8B20000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267454200.00007FF8B8B2D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267519342.00007FF8B8B40000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267586768.00007FF8B8B41000.00000008.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267643901.00007FF8B8B49000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b8b20000_Q3pEXxmWAD.jbxd

Similarity

API ID: J_obj2txt$FromMallocMem_SizeStringUnicode_
String ID:
API String ID: 2822617359-0
Opcode ID: 98683cb0245338a9515093b87542fdb12a4b1f49cc3e46ef3079e3984ffcab4a
Instruction ID: 60211ab6496755d1c6af9ba971da853cf36187905d60fc646d14bc60a983b160
Opcode Fuzzy Hash: 98683cb0245338a9515093b87542fdb12a4b1f49cc3e46ef3079e3984ffcab4a
Instruction Fuzzy Hash: 90316D21B1CA4645EB618F3AA81567EAA94AF89BC4F884031DF0E47765DF3CE00B8708

Function 00007FF8BA248EC0 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 81COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FF8BA248D3C: Replicator::operator[].LIBVCRUNTIME ref: 00007FF8BA248DFD

DName::operator+.LIBVCRUNTIME ref: 00007FF8BA248F72

Strings

void, xrefs: 00007FF8BA248FE4
,..., xrefs: 00007FF8BA248F40
..., xrefs: 00007FF8BA248FAF
,<ellipsis>, xrefs: 00007FF8BA248F50
<ellipsis>, xrefs: 00007FF8BA248FBF

Memory Dump Source

Source File: 00000002.00000002.3271320577.00007FF8BA241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8BA240000, based on PE: true

Associated: 00000002.00000002.3271278440.00007FF8BA240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3271565433.00007FF8BA253000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3271649077.00007FF8BA258000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3271708065.00007FF8BA259000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8ba240000_Q3pEXxmWAD.jbxd

Similarity

API ID: Name::operator+Replicator::operator[]
String ID: ,...$,<ellipsis>$...$<ellipsis>$void
API String ID: 1405650943-2211150622
Opcode ID: cc95b6719b0dfac949915fa95283a824f9a94d2610a8c8b5f10b5de908d24d67
Instruction ID: 18b2d0aadd78b6abb03db3ed102fcd26e239d881f1c0c97594ce8c55968ae4e9
Opcode Fuzzy Hash: cc95b6719b0dfac949915fa95283a824f9a94d2610a8c8b5f10b5de908d24d67
Instruction Fuzzy Hash: 71414AB2E18B429CFB118B6CD8502BC77A1BB08B88F9545B1DF4D12765EF7DA540E740

Function 00007FF8BA24ACC4 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 79COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FF8BA24ADA7

Strings

int , xrefs: 00007FF8BA24AD35
char , xrefs: 00007FF8BA24AD4D
long , xrefs: 00007FF8BA24AD26
short , xrefs: 00007FF8BA24AD44
unsigned , xrefs: 00007FF8BA24AD7B

Memory Dump Source

Source File: 00000002.00000002.3271320577.00007FF8BA241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8BA240000, based on PE: true

Associated: 00000002.00000002.3271278440.00007FF8BA240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3271565433.00007FF8BA253000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3271649077.00007FF8BA258000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3271708065.00007FF8BA259000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8ba240000_Q3pEXxmWAD.jbxd

Similarity

API ID: Name::operator+
String ID: char $int $long $short $unsigned
API String ID: 2943138195-3894466517
Opcode ID: 041e2dffe1b489bc893f09ff0a4f423b3d9eca273271e83df22d622629981137
Instruction ID: e74d11a10f0740477c1660ad3ab79769629d6a4d13e475f86713824d3f83a753
Opcode Fuzzy Hash: 041e2dffe1b489bc893f09ff0a4f423b3d9eca273271e83df22d622629981137
Instruction Fuzzy Hash: D3313872E18A52C8FB168B6DD8501B83BB1BB09B88F4481B5DF4D06BA8DE39E504E700

Function 00007FF8B8B23910 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

SSL_SESSION_get_id.LIBSSL-3 ref: 00007FF8B8B23969
SSL_SESSION_get_id.LIBSSL-3 ref: 00007FF8B8B2397B
memcmp.VCRUNTIME140 ref: 00007FF8B8B23994
PyErr_BadArgument.PYTHON311 ref: 00007FF8B8B239BF
_PyErr_BadInternalCall.PYTHON311 ref: 00007FF8B8B239F9

Strings

D:\a\1\s\Modules\_ssl.c, xrefs: 00007FF8B8B239F2

Memory Dump Source

Source File: 00000002.00000002.3267386125.00007FF8B8B21000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF8B8B20000, based on PE: true

Associated: 00000002.00000002.3267342079.00007FF8B8B20000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267454200.00007FF8B8B2D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267519342.00007FF8B8B40000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267586768.00007FF8B8B41000.00000008.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267643901.00007FF8B8B49000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b8b20000_Q3pEXxmWAD.jbxd

Similarity

API ID: Err_N_get_id$ArgumentCallInternalmemcmp
String ID: D:\a\1\s\Modules\_ssl.c
API String ID: 2709062062-132925792
Opcode ID: c2a8348eb9e6693873ab47f985ca8bfd22968f8ee8dfdbdba6370d880fe16349
Instruction ID: 374e365cb58069fa4b9d473631f0c448837127b22d738b08ede560d35a9418bc
Opcode Fuzzy Hash: c2a8348eb9e6693873ab47f985ca8bfd22968f8ee8dfdbdba6370d880fe16349
Instruction Fuzzy Hash: EE314422A0D64681EA588F3DD49513CAAA0FF4ABC4F944536DB4F477B4DF2EE8438708

Function 00007FF8B8B266CC Relevance: 10.6, APIs: 7, Instructions: 56COMMON

Download Yara Rule

APIs

BIO_ctrl_pending.LIBCRYPTO-3(?,?,?,?,?,00007FF8B8B266AB), ref: 00007FF8B8B266DF
BIO_ctrl_pending.LIBCRYPTO-3(?,?,?,?,?,00007FF8B8B266AB), ref: 00007FF8B8B266F3
PyBytes_FromStringAndSize.PYTHON311(?,?,?,?,?,00007FF8B8B266AB), ref: 00007FF8B8B2670A
BIO_read.LIBCRYPTO-3(?,?,?,?,?,00007FF8B8B266AB), ref: 00007FF8B8B26729
PyType_GetModuleState.PYTHON311(?,?,?,?,?,00007FF8B8B266AB), ref: 00007FF8B8B26737
_Py_Dealloc.PYTHON311(?,?,?,?,?,00007FF8B8B266AB), ref: 00007FF8B8B2674B
_PyBytes_Resize.PYTHON311(?,?,?,?,?,00007FF8B8B266AB), ref: 00007FF8B8B26776

Memory Dump Source

Source File: 00000002.00000002.3267386125.00007FF8B8B21000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF8B8B20000, based on PE: true

Associated: 00000002.00000002.3267342079.00007FF8B8B20000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267454200.00007FF8B8B2D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267519342.00007FF8B8B40000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267586768.00007FF8B8B41000.00000008.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267643901.00007FF8B8B49000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b8b20000_Q3pEXxmWAD.jbxd

Similarity

API ID: Bytes_O_ctrl_pending$DeallocFromModuleO_readResizeSizeStateStringType_
String ID:
API String ID: 3878297189-0
Opcode ID: dfee8e4881b599a4f54a2ab518126c7bb26f6b3ec1a7d89fa806b26f09941069
Instruction ID: a17b1f82299394ae41398186c8892c757315a0f0cf724c2e94aa4c8f53a68b64
Opcode Fuzzy Hash: dfee8e4881b599a4f54a2ab518126c7bb26f6b3ec1a7d89fa806b26f09941069
Instruction Fuzzy Hash: 93216265B08B4282EB149F39E98003D6AA1FF89BC4FA84935DF0E82764DF2DE4468704

Function 00007FF8B7DE42B8 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 52COMMON

Download Yara Rule

APIs

_PyArg_CheckPositional.PYTHON311 ref: 00007FF8B7DE42F3
_PyArg_BadArgument.PYTHON311 ref: 00007FF8B7DE4328
_PyUnicode_Ready.PYTHON311 ref: 00007FF8B7DE4339

Strings

argument 1, xrefs: 00007FF8B7DE4321
a unicode character, xrefs: 00007FF8B7DE4313
decimal, xrefs: 00007FF8B7DE42EC, 00007FF8B7DE431A

Memory Dump Source

Source File: 00000002.00000002.3266207103.00007FF8B7DE1000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF8B7DE0000, based on PE: true

Associated: 00000002.00000002.3266148560.00007FF8B7DE0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7DE5000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7E42000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7E8E000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7E91000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7E96000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7EF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266902753.00007FF8B7EF3000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266961919.00007FF8B7EF5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b7de0000_Q3pEXxmWAD.jbxd

Similarity

API ID: Arg_$ArgumentCheckPositionalReadyUnicode_
String ID: a unicode character$argument 1$decimal
API String ID: 3545102714-2474051849
Opcode ID: f4a4db4005ce5b44fbbedd951a978a9de4f901ebc22dc2e68f9535657243f817
Instruction ID: 6db48bdfff64a910ff765f6b73c9d2c170cffa730270b0ea286e06f9c2d02f78
Opcode Fuzzy Hash: f4a4db4005ce5b44fbbedd951a978a9de4f901ebc22dc2e68f9535657243f817
Instruction Fuzzy Hash: E3213B31A08B8295EE519B59E8411AD7360EF44BC4F9C4231EB6D4777DDF2CE556C700

Function 00007FF8B7DE4C8C Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 52COMMON

Download Yara Rule

APIs

_PyArg_CheckPositional.PYTHON311 ref: 00007FF8B7DE4CC7
_PyArg_BadArgument.PYTHON311 ref: 00007FF8B7DE4CFC
_PyUnicode_Ready.PYTHON311 ref: 00007FF8B7DE4D0D

Strings

argument 1, xrefs: 00007FF8B7DE4CF5
a unicode character, xrefs: 00007FF8B7DE4CE7
numeric, xrefs: 00007FF8B7DE4CC0, 00007FF8B7DE4CEE

Memory Dump Source

Source File: 00000002.00000002.3266207103.00007FF8B7DE1000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF8B7DE0000, based on PE: true

Associated: 00000002.00000002.3266148560.00007FF8B7DE0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7DE5000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7E42000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7E8E000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7E91000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7E96000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7EF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266902753.00007FF8B7EF3000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266961919.00007FF8B7EF5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b7de0000_Q3pEXxmWAD.jbxd

Similarity

API ID: Arg_$ArgumentCheckPositionalReadyUnicode_
String ID: a unicode character$argument 1$numeric
API String ID: 3545102714-2385192657
Opcode ID: 9cf334a25039c3b0788d85340cb18b310c84a749129293f830eaee71995b6e63
Instruction ID: b139418c8cc91e698fc1cada0cd6f952ce16daaeead0de9be9b41aeb22a565e9
Opcode Fuzzy Hash: 9cf334a25039c3b0788d85340cb18b310c84a749129293f830eaee71995b6e63
Instruction Fuzzy Hash: B1214D31A08B8685EF919B1AE8411AD3360EB44FC8F5C4231EB6E47779DF2CE595C700

Function 00007FF8B7DE4B3C Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 52COMMON

Download Yara Rule

APIs

_PyArg_CheckPositional.PYTHON311 ref: 00007FF8B7DE4B77
_PyArg_BadArgument.PYTHON311 ref: 00007FF8B7DE4BAC
_PyUnicode_Ready.PYTHON311 ref: 00007FF8B7DE4BBD

Strings

name, xrefs: 00007FF8B7DE4B70, 00007FF8B7DE4B9E
argument 1, xrefs: 00007FF8B7DE4BA5
a unicode character, xrefs: 00007FF8B7DE4B97

Memory Dump Source

Source File: 00000002.00000002.3266207103.00007FF8B7DE1000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF8B7DE0000, based on PE: true

Associated: 00000002.00000002.3266148560.00007FF8B7DE0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7DE5000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7E42000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7E8E000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7E91000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7E96000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7EF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266902753.00007FF8B7EF3000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266961919.00007FF8B7EF5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b7de0000_Q3pEXxmWAD.jbxd

Similarity

API ID: Arg_$ArgumentCheckPositionalReadyUnicode_
String ID: a unicode character$argument 1$name
API String ID: 3545102714-4190364640
Opcode ID: 98823aa8ffd1578c5263bbca0bedab94c0d76701b0ad0a7228cb953a239c43b9
Instruction ID: 3bce4591a30269ca6c18cde1d8a0bb9fc8c655b9567232e32dc8d0a4366baedf
Opcode Fuzzy Hash: 98823aa8ffd1578c5263bbca0bedab94c0d76701b0ad0a7228cb953a239c43b9
Instruction Fuzzy Hash: 3D214D31A08B8685EE519F5AE8412AE3760EB44BC8F584231EBAD4777DDF2CE555C300

Function 00007FF8B8B2BF8C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_PyArg_Parse_SizeT.PYTHON311 ref: 00007FF8B8B2BFB0
SSL_CTX_get0_param.LIBSSL-3 ref: 00007FF8B8B2BFC3
X509_VERIFY_PARAM_get_flags.LIBCRYPTO-3 ref: 00007FF8B8B2BFCF
X509_VERIFY_PARAM_clear_flags.LIBCRYPTO-3 ref: 00007FF8B8B2BFEA
X509_VERIFY_PARAM_set_flags.LIBCRYPTO-3 ref: 00007FF8B8B2C015

Strings

y, xrefs: 00007FF8B8B2BFF4

Memory Dump Source

Source File: 00000002.00000002.3267386125.00007FF8B8B21000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF8B8B20000, based on PE: true

Associated: 00000002.00000002.3267342079.00007FF8B8B20000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267454200.00007FF8B8B2D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267519342.00007FF8B8B40000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267586768.00007FF8B8B41000.00000008.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267643901.00007FF8B8B49000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b8b20000_Q3pEXxmWAD.jbxd

Similarity

API ID: X509_$Arg_M_clear_flagsM_get_flagsM_set_flagsParse_SizeX_get0_param
String ID: y
API String ID: 3791563005-3247811837
Opcode ID: a6f7386a19a810f4f7fe1bb19cf5cb670392074563fc389e9f70955544fdafe1
Instruction ID: b100441bb5b0615c09a47b90bc48c9498cecc7ea0348a2d3e2f85655ab3f80db
Opcode Fuzzy Hash: a6f7386a19a810f4f7fe1bb19cf5cb670392074563fc389e9f70955544fdafe1
Instruction Fuzzy Hash: A4116025B0CA5282F7508F7AE45013E6BA0BF88BD4F944135DB5D436A8DF7CE44A8B09

Function 00007FF8B8B2BDC8 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 47COMMON

Download Yara Rule

APIs

_PyArg_Parse_SizeT.PYTHON311 ref: 00007FF8B8B2BDEC
SSL_CTX_get_options.LIBSSL-3 ref: 00007FF8B8B2BDFA
PyErr_WarnEx.PYTHON311 ref: 00007FF8B8B2BE30
SSL_CTX_clear_options.LIBSSL-3 ref: 00007FF8B8B2BE45
SSL_CTX_set_options.LIBSSL-3 ref: 00007FF8B8B2BE56

Strings

ssl.OP_NO_SSL*/ssl.OP_NO_TLS* options are deprecated, xrefs: 00007FF8B8B2BE20

Memory Dump Source

Source File: 00000002.00000002.3267386125.00007FF8B8B21000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF8B8B20000, based on PE: true

Associated: 00000002.00000002.3267342079.00007FF8B8B20000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267454200.00007FF8B8B2D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267519342.00007FF8B8B40000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267586768.00007FF8B8B41000.00000008.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267643901.00007FF8B8B49000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b8b20000_Q3pEXxmWAD.jbxd

Similarity

API ID: Arg_Err_Parse_SizeWarnX_clear_optionsX_get_optionsX_set_options
String ID: ssl.OP_NO_SSL*/ssl.OP_NO_TLS* options are deprecated
API String ID: 476201610-2795599882
Opcode ID: b9e0414bf8dfc93871d24a40954165cf8dc8189ab5ee71978250bacf9efb8c41
Instruction ID: 00f5d1c0a7908cd88f66ca46392e7d647da9d641153236d2642f39104a556de3
Opcode Fuzzy Hash: b9e0414bf8dfc93871d24a40954165cf8dc8189ab5ee71978250bacf9efb8c41
Instruction Fuzzy Hash: BC114265A08B0682EB109F3DF48417D6B71EF84BD1F985435DB6E47764DF2CE44A8704

Function 00007FF8B8B28890 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 47COMMON

Download Yara Rule

APIs

PyUnicode_FSConverter.PYTHON311 ref: 00007FF8B8B288A8
OBJ_sn2nid.LIBCRYPTO-3 ref: 00007FF8B8B288C2
_Py_Dealloc.PYTHON311 ref: 00007FF8B8B288D7
PyErr_Format.PYTHON311 ref: 00007FF8B8B288F8
SSL_CTX_ctrl.LIBSSL-3 ref: 00007FF8B8B28912

Part of subcall function 00007FF8B8B261C8: ERR_peek_last_error.LIBCRYPTO-3 ref: 00007FF8B8B261E0
Part of subcall function 00007FF8B8B261C8: ERR_clear_error.LIBCRYPTO-3 ref: 00007FF8B8B26209

Strings

unknown elliptic curve name %R, xrefs: 00007FF8B8B288EB

Memory Dump Source

Source File: 00000002.00000002.3267386125.00007FF8B8B21000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF8B8B20000, based on PE: true

Associated: 00000002.00000002.3267342079.00007FF8B8B20000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267454200.00007FF8B8B2D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267519342.00007FF8B8B40000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267586768.00007FF8B8B41000.00000008.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267643901.00007FF8B8B49000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b8b20000_Q3pEXxmWAD.jbxd

Similarity

API ID: ConverterDeallocErr_FormatJ_sn2nidR_clear_errorR_peek_last_errorUnicode_X_ctrl
String ID: unknown elliptic curve name %R
API String ID: 3792718242-553976147
Opcode ID: 6639daee6b3a6ecb1720df9ca2e8b5f1aefabcd95c7d83a5a5ea68336d1a1e57
Instruction ID: 16041ccd24422653e48aa377b6f80e28264fc107bd187f315c90e3cdb2045ed4
Opcode Fuzzy Hash: 6639daee6b3a6ecb1720df9ca2e8b5f1aefabcd95c7d83a5a5ea68336d1a1e57
Instruction Fuzzy Hash: BC115131A0C94681EB108F79E84013EAB61FF84BD4F944031DB4D87A69DF7CE44AC709

Function 00007FF8B8B24514 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 39COMMON

Download Yara Rule

APIs

_Py_Dealloc.PYTHON311 ref: 00007FF8B8B24538
PyCallable_Check.PYTHON311 ref: 00007FF8B8B2454E
SSL_CTX_set_msg_callback.LIBSSL-3 ref: 00007FF8B8B2455E
PyErr_SetString.PYTHON311 ref: 00007FF8B8B24575
SSL_CTX_set_msg_callback.LIBSSL-3 ref: 00007FF8B8B24592

Strings

not a callable object, xrefs: 00007FF8B8B2456B

Memory Dump Source

Source File: 00000002.00000002.3267386125.00007FF8B8B21000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF8B8B20000, based on PE: true

Associated: 00000002.00000002.3267342079.00007FF8B8B20000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267454200.00007FF8B8B2D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267519342.00007FF8B8B40000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267586768.00007FF8B8B41000.00000008.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267643901.00007FF8B8B49000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b8b20000_Q3pEXxmWAD.jbxd

Similarity

API ID: X_set_msg_callback$Callable_CheckDeallocErr_String
String ID: not a callable object
API String ID: 3435843511-3332612890
Opcode ID: 95106ae4221e8b19012489c333b5f2e66c47aa29e76483eaedf5bd8f66dace62
Instruction ID: 61230e54237e122395cd411d45b140cb5196910a0c33022774a9d95d234310f9
Opcode Fuzzy Hash: 95106ae4221e8b19012489c333b5f2e66c47aa29e76483eaedf5bd8f66dace62
Instruction Fuzzy Hash: C2114431A0990682EB189F3DE94423C2BA1FF88FD4F944531DB5E46954DF3CE44B8308

Function 00007FF8B8B2BD48 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 35COMMON

Download Yara Rule

APIs

_PyArg_Parse_SizeT.PYTHON311 ref: 00007FF8B8B2BD63
PyErr_SetString.PYTHON311 ref: 00007FF8B8B2BD8C
SSL_CTX_set_num_tickets.LIBSSL-3 ref: 00007FF8B8B2BDAA

Strings

failed to set num tickets., xrefs: 00007FF8B8B2BDB5
value must be non-negative, xrefs: 00007FF8B8B2BD7B
SSLContext is not a server context., xrefs: 00007FF8B8B2BD9A

Memory Dump Source

Source File: 00000002.00000002.3267386125.00007FF8B8B21000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF8B8B20000, based on PE: true

Associated: 00000002.00000002.3267342079.00007FF8B8B20000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267454200.00007FF8B8B2D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267519342.00007FF8B8B40000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267586768.00007FF8B8B41000.00000008.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267643901.00007FF8B8B49000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b8b20000_Q3pEXxmWAD.jbxd

Similarity

API ID: Arg_Err_Parse_SizeStringX_set_num_tickets
String ID: SSLContext is not a server context.$failed to set num tickets.$value must be non-negative
API String ID: 2130650243-3995814857
Opcode ID: 9555f25f47c46f5ccf57cac2100dd865d1e80091c718ee7adcb5dad95f2e815e
Instruction ID: e7d61c6cd665fe57c1a8ea47ed2e7f5463fa7b3878e39cd90f92147308c43536
Opcode Fuzzy Hash: 9555f25f47c46f5ccf57cac2100dd865d1e80091c718ee7adcb5dad95f2e815e
Instruction Fuzzy Hash: 44018460E0CA06C1EA248F7DE8801FC2B60BF45BD0FE41235CB1D862A4DF2CE48AC308

Function 00007FF8BA24ADEC Relevance: 9.2, APIs: 6, Instructions: 161COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::DName.LIBVCRUNTIME ref: 00007FF8BA24AE9E
DName::operator+.LIBVCRUNTIME ref: 00007FF8BA24AEAE
DName::operator+.LIBVCRUNTIME ref: 00007FF8BA24AECB
DName::operator+.LIBVCRUNTIME ref: 00007FF8BA24AF3E
DName::operator+.LIBVCRUNTIME ref: 00007FF8BA24AF67

Memory Dump Source

Source File: 00000002.00000002.3271320577.00007FF8BA241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8BA240000, based on PE: true

Associated: 00000002.00000002.3271278440.00007FF8BA240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3271565433.00007FF8BA253000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3271649077.00007FF8BA258000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3271708065.00007FF8BA259000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8ba240000_Q3pEXxmWAD.jbxd

Similarity

API ID: Name::operator+$NameName::
String ID:
API String ID: 168861036-0
Opcode ID: 80a690cc5bf4571957900b2ba371d1f0df44bd22a0b18b914ff66e25afa9163e
Instruction ID: 10d55651892aeda376d7aa32beb1f80ebe33b7c9f95dd434b121209df34d54f1
Opcode Fuzzy Hash: 80a690cc5bf4571957900b2ba371d1f0df44bd22a0b18b914ff66e25afa9163e
Instruction Fuzzy Hash: F4717772E18A5299F711CF69E8902BC37A1BB44B88F9080B5DF1D17A99DF7EE441E340

Function 00007FF8BA2469F0 Relevance: 9.1, APIs: 6, Instructions: 83stringCOMMON

Download Yara Rule

APIs

__unDName.LIBVCRUNTIME ref: 00007FF8BA246A43
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF8BA246A86
strcpy_s.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF8BA246AB0
InterlockedPushEntrySList.KERNEL32 ref: 00007FF8BA246ACD
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF8BA246AD9
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF8BA246AE2

Memory Dump Source

Source File: 00000002.00000002.3271320577.00007FF8BA241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8BA240000, based on PE: true

Associated: 00000002.00000002.3271278440.00007FF8BA240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3271565433.00007FF8BA253000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3271649077.00007FF8BA258000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3271708065.00007FF8BA259000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8ba240000_Q3pEXxmWAD.jbxd

Similarity

API ID: free$EntryInterlockedListNamePush__unmallocstrcpy_s
String ID:
API String ID: 3741236498-0
Opcode ID: 0fa2fcead297943da074142d2fbec92c84cd60449e30d9ad217028345c3eb4d3
Instruction ID: faf21833ac4bc5c1e7527b3c5da9c81a929dfa0666292319ce628f69199fac23
Opcode Fuzzy Hash: 0fa2fcead297943da074142d2fbec92c84cd60449e30d9ad217028345c3eb4d3
Instruction Fuzzy Hash: 4D31D622B19BA290EF15DF29AA1456963A0FF48FE0F599571DF2D03780EE3DE445E300

Function 00007FF8B8B28E20 Relevance: 9.1, APIs: 6, Instructions: 66COMMON

Download Yara Rule

APIs

SSL_get_peer_cert_chain.LIBSSL-3 ref: 00007FF8B8B28E3E
SSL_get1_peer_certificate.LIBSSL-3 ref: 00007FF8B8B28E7E
PyList_Insert.PYTHON311 ref: 00007FF8B8B28EC8
_Py_Dealloc.PYTHON311 ref: 00007FF8B8B28ED9

Memory Dump Source

Source File: 00000002.00000002.3267386125.00007FF8B8B21000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF8B8B20000, based on PE: true

Associated: 00000002.00000002.3267342079.00007FF8B8B20000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267454200.00007FF8B8B2D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267519342.00007FF8B8B40000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267586768.00007FF8B8B41000.00000008.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267643901.00007FF8B8B49000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b8b20000_Q3pEXxmWAD.jbxd

Similarity

API ID: DeallocInsertL_get1_peer_certificateL_get_peer_cert_chainList_
String ID:
API String ID: 710524685-0
Opcode ID: 28eff91168d659fc0ad5f7a6fb4e4da58eab0f778793f6e716cba1adfe9d5eef
Instruction ID: 467edf880b508be80a5ad77419294d8d68cc04a137b575bd55c25527d1502cd9
Opcode Fuzzy Hash: 28eff91168d659fc0ad5f7a6fb4e4da58eab0f778793f6e716cba1adfe9d5eef
Instruction Fuzzy Hash: 81215E32A09A5681EA159F3E985413D2BA1FF88FE0F884535DB2E07B94DF3CE4578308

Function 00007FF8B8B24604 Relevance: 9.1, APIs: 6, Instructions: 60COMMON

Download Yara Rule

APIs

OPENSSL_sk_num.LIBCRYPTO-3 ref: 00007FF8B8B2462A
PyList_New.PYTHON311 ref: 00007FF8B8B24636
OPENSSL_sk_value.LIBCRYPTO-3 ref: 00007FF8B8B2464F
X509_up_ref.LIBCRYPTO-3 ref: 00007FF8B8B24673
PyList_SetItem.PYTHON311 ref: 00007FF8B8B2468B
_Py_Dealloc.PYTHON311 ref: 00007FF8B8B246A5

Memory Dump Source

Source File: 00000002.00000002.3267386125.00007FF8B8B21000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF8B8B20000, based on PE: true

Associated: 00000002.00000002.3267342079.00007FF8B8B20000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267454200.00007FF8B8B2D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267519342.00007FF8B8B40000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267586768.00007FF8B8B41000.00000008.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267643901.00007FF8B8B49000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b8b20000_Q3pEXxmWAD.jbxd

Similarity

API ID: List_$DeallocItemL_sk_numL_sk_valueX509_up_ref
String ID:
API String ID: 2540853196-0
Opcode ID: a29fb3de930c74fd7dfb48e481c500c0c0289393999c6b46459c04c3a7227b1b
Instruction ID: 364b9418c988fa243d00a81812e717b8929b6c9ddec099cfb3cc5202d68fbe03
Opcode Fuzzy Hash: a29fb3de930c74fd7dfb48e481c500c0c0289393999c6b46459c04c3a7227b1b
Instruction Fuzzy Hash: 3611A221A05B5685EA1A8F3AA84406D6BA1FF89FE4F894931DF5D07B94DF3CE4478304

Function 00007FF615A3A5D8 Relevance: 9.1, APIs: 6, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FF615A343FD,?,?,?,?,00007FF615A3979A,?,?,?,?,00007FF615A3649F), ref: 00007FF615A3A5E7
FlsSetValue.KERNEL32(?,?,?,00007FF615A343FD,?,?,?,?,00007FF615A3979A,?,?,?,?,00007FF615A3649F), ref: 00007FF615A3A61D
FlsSetValue.KERNEL32(?,?,?,00007FF615A343FD,?,?,?,?,00007FF615A3979A,?,?,?,?,00007FF615A3649F), ref: 00007FF615A3A64A
FlsSetValue.KERNEL32(?,?,?,00007FF615A343FD,?,?,?,?,00007FF615A3979A,?,?,?,?,00007FF615A3649F), ref: 00007FF615A3A65B
FlsSetValue.KERNEL32(?,?,?,00007FF615A343FD,?,?,?,?,00007FF615A3979A,?,?,?,?,00007FF615A3649F), ref: 00007FF615A3A66C
SetLastError.KERNEL32(?,?,?,00007FF615A343FD,?,?,?,?,00007FF615A3979A,?,?,?,?,00007FF615A3649F), ref: 00007FF615A3A687

Memory Dump Source

Source File: 00000002.00000002.3259986105.00007FF615A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF615A20000, based on PE: true

Associated: 00000002.00000002.3259944406.00007FF615A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260064010.00007FF615A4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260157531.00007FF615A5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260157531.00007FF615A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260262206.00007FF615A66000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff615a20000_Q3pEXxmWAD.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 5dcac91248c0014d458aec840eea87d8b317a92cf5de5997ea3edf93bd94a031
Instruction ID: 517795d1abf381fa0427b58fd4b4c4e2e02d04a8ddd00eab3aae9a3bbec5f86a
Opcode Fuzzy Hash: 5dcac91248c0014d458aec840eea87d8b317a92cf5de5997ea3edf93bd94a031
Instruction Fuzzy Hash: 59113820F88E524AFA94E7215661139E2825F88FB8F144734D93ECB6F6DF7CAC414701

Function 00007FF8B8B2AFC0 Relevance: 9.0, APIs: 6, Instructions: 39threadCOMMON

Download Yara Rule

APIs

_Py_Dealloc.PYTHON311 ref: 00007FF8B8B2AFE1
_Py_Dealloc.PYTHON311 ref: 00007FF8B8B2AFFB
_Py_Dealloc.PYTHON311 ref: 00007FF8B8B2B015
PyEval_SaveThread.PYTHON311 ref: 00007FF8B8B2B022
BIO_free_all.LIBCRYPTO-3 ref: 00007FF8B8B2B02F
PyEval_RestoreThread.PYTHON311 ref: 00007FF8B8B2B038

Memory Dump Source

Source File: 00000002.00000002.3267386125.00007FF8B8B21000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF8B8B20000, based on PE: true

Associated: 00000002.00000002.3267342079.00007FF8B8B20000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267454200.00007FF8B8B2D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267519342.00007FF8B8B40000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267586768.00007FF8B8B41000.00000008.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267643901.00007FF8B8B49000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b8b20000_Q3pEXxmWAD.jbxd

Similarity

API ID: Dealloc$Eval_Thread$O_free_allRestoreSave
String ID:
API String ID: 86175192-0
Opcode ID: 46ed533e6c83a35b49080775b07df26f1aab52a1a543c17bfc3a09b58e663565
Instruction ID: b665c329a9f43b389003a2371a376cea9fec23b162fe79c7460f1663f7b46da8
Opcode Fuzzy Hash: 46ed533e6c83a35b49080775b07df26f1aab52a1a543c17bfc3a09b58e663565
Instruction Fuzzy Hash: 3E110C72A19A06D7FB598F79EA5873D27A4FF48BA4F480534CB0D46950CF3DE4AA8304

Function 00007FF8BA243F60 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 193COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF8BA246E48: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FF8BA2429EE), ref: 00007FF8BA246E56

EncodePointer.KERNEL32 ref: 00007FF8BA243FD0
_CallSETranslator.LIBVCRUNTIME ref: 00007FF8BA24401B
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BA24424E

Strings

MOC, xrefs: 00007FF8BA243FE4
RCC, xrefs: 00007FF8BA243FEC

Memory Dump Source

Source File: 00000002.00000002.3271320577.00007FF8BA241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8BA240000, based on PE: true

Associated: 00000002.00000002.3271278440.00007FF8BA240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3271565433.00007FF8BA253000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3271649077.00007FF8BA258000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3271708065.00007FF8BA259000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8ba240000_Q3pEXxmWAD.jbxd

Similarity

API ID: abort$CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 2889003569-2084237596
Opcode ID: 93ffbb8a8c38b724cb13d32310db34e78531563cac4ba1370c621256939a6833
Instruction ID: 95230984921b04941742dbec05d325a4491256879aa9769ad7f61aace1ffb7cb
Opcode Fuzzy Hash: 93ffbb8a8c38b724cb13d32310db34e78531563cac4ba1370c621256939a6833
Instruction Fuzzy Hash: 3D91B373A08B928AEB51CB69E8502AD7BA0FB44BC8F104179EF8D17B55DF38E195D700

Function 00007FF8BA24C540 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 167COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FF8BA24C7E0

Strings

std::nullptr_t, xrefs: 00007FF8BA24C799
volatile, xrefs: 00007FF8BA24C5B6, 00007FF8BA24C6E7
volatile , xrefs: 00007FF8BA24C5A7, 00007FF8BA24C6D8
std::nullptr_t , xrefs: 00007FF8BA24C770

Memory Dump Source

Source File: 00000002.00000002.3271320577.00007FF8BA241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8BA240000, based on PE: true

Associated: 00000002.00000002.3271278440.00007FF8BA240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3271565433.00007FF8BA253000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3271649077.00007FF8BA258000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3271708065.00007FF8BA259000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8ba240000_Q3pEXxmWAD.jbxd

Similarity

API ID: Name::operator+
String ID: std::nullptr_t$std::nullptr_t $volatile$volatile
API String ID: 2943138195-757766384
Opcode ID: 01adbf8b940f63687fb8b05ad2c3f4aee868cfabe9c87335b9cb2bee01f92b8d
Instruction ID: 6627ebf2c447e95ccaa3caa502da5f6436e5011ed09ef6966f42fc8b46614e83
Opcode Fuzzy Hash: 01adbf8b940f63687fb8b05ad2c3f4aee868cfabe9c87335b9cb2bee01f92b8d
Instruction Fuzzy Hash: 1B7122B2A08A4399FB148B2CD9501B867A5BF05BC4F8485B5CF4D56B99EF3DE160E300

Function 00007FF8BA243CF0 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 145COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF8BA246E48: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FF8BA2429EE), ref: 00007FF8BA246E56

EncodePointer.KERNEL32 ref: 00007FF8BA243D4F
_CallSETranslator.LIBVCRUNTIME ref: 00007FF8BA243D9B
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BA243F57

Strings

RCC, xrefs: 00007FF8BA243D6B
MOC, xrefs: 00007FF8BA243D63

Memory Dump Source

Source File: 00000002.00000002.3271320577.00007FF8BA241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8BA240000, based on PE: true

Associated: 00000002.00000002.3271278440.00007FF8BA240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3271565433.00007FF8BA253000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3271649077.00007FF8BA258000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3271708065.00007FF8BA259000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8ba240000_Q3pEXxmWAD.jbxd

Similarity

API ID: abort$CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 2889003569-2084237596
Opcode ID: 8e034f92e989b9960bc08160daca0ef1833c14a7b13808a87468da7d70181806
Instruction ID: 39b4c57ad71f77890c198cc931a162f177303b44a188efb1b89fb6099df38287
Opcode Fuzzy Hash: 8e034f92e989b9960bc08160daca0ef1833c14a7b13808a87468da7d70181806
Instruction Fuzzy Hash: 5E619032908BC686DB619B19E4403AAB7A0FB85BD4F044275EF8D07B95DF7CE194CB00

Function 00007FF8BA245C50 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 135COMMON

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32 ref: 00007FF8BA245D22

Strings

csm, xrefs: 00007FF8BA245CB2
MOC, xrefs: 00007FF8BA245C90
csm, xrefs: 00007FF8BA245DDF
RCC, xrefs: 00007FF8BA245C9C

Memory Dump Source

Source File: 00000002.00000002.3271320577.00007FF8BA241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8BA240000, based on PE: true

Associated: 00000002.00000002.3271278440.00007FF8BA240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3271565433.00007FF8BA253000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3271649077.00007FF8BA258000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3271708065.00007FF8BA259000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8ba240000_Q3pEXxmWAD.jbxd

Similarity

API ID: FileHeader
String ID: MOC$RCC$csm$csm
API String ID: 104395404-1441736206
Opcode ID: 5815091cf7d4bf77be2b6452b49c3696097c0f3c73df3e225fc204c9d15c1510
Instruction ID: 5c7e9ef0ca995d3b03b2864a7dfe23b93fa3899433409351eda37a5b2e4fb6e4
Opcode Fuzzy Hash: 5815091cf7d4bf77be2b6452b49c3696097c0f3c73df3e225fc204c9d15c1510
Instruction Fuzzy Hash: B8519B32A09A5397EAA49F29954017E36A0FF48FC4F1401B1EF8D47B85DF3CE961AB41

Function 00007FF8B7DE4D54 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

PyType_IsSubtype.PYTHON311 ref: 00007FF8B7DE4D80
_PyUnicode_ToNumeric.PYTHON311 ref: 00007FF8B7DE4DB3
PyErr_SetString.PYTHON311 ref: 00007FF8B7DE4DDB
PyFloat_FromDouble.PYTHON311 ref: 00007FF8B7DE4DED

Strings

not a numeric character, xrefs: 00007FF8B7DE4DD1

Memory Dump Source

Source File: 00000002.00000002.3266207103.00007FF8B7DE1000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF8B7DE0000, based on PE: true

Associated: 00000002.00000002.3266148560.00007FF8B7DE0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7DE5000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7E42000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7E8E000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7E91000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7E96000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7EF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266902753.00007FF8B7EF3000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266961919.00007FF8B7EF5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b7de0000_Q3pEXxmWAD.jbxd

Similarity

API ID: DoubleErr_Float_FromNumericStringSubtypeType_Unicode_
String ID: not a numeric character
API String ID: 1034370217-2058156748
Opcode ID: ae5864331190d99266549655542a2a8f2e04feb98f737cbb9499cc14618bbe38
Instruction ID: 0b6936912749da9f2d4ccaa957868ba142327a938942ac9696c53a489f32a973
Opcode Fuzzy Hash: ae5864331190d99266549655542a2a8f2e04feb98f737cbb9499cc14618bbe38
Instruction Fuzzy Hash: 04114F25E08B4681FE968B2DA85413D63A1AF44BD8F5C8331EB2F4667DDF2CF8858250

Function 00007FF8B7DE4380 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

PyType_IsSubtype.PYTHON311 ref: 00007FF8B7DE43AC
_PyUnicode_ToDecimalDigit.PYTHON311 ref: 00007FF8B7DE43CB
PyErr_SetString.PYTHON311 ref: 00007FF8B7DE43EB
PyLong_FromLong.PYTHON311 ref: 00007FF8B7DE43FF

Strings

not a decimal, xrefs: 00007FF8B7DE43E1

Memory Dump Source

Source File: 00000002.00000002.3266207103.00007FF8B7DE1000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF8B7DE0000, based on PE: true

Associated: 00000002.00000002.3266148560.00007FF8B7DE0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7DE5000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7E42000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7E8E000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7E91000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7E96000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7EF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266902753.00007FF8B7EF3000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266961919.00007FF8B7EF5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b7de0000_Q3pEXxmWAD.jbxd

Similarity

API ID: DecimalDigitErr_FromLongLong_StringSubtypeType_Unicode_
String ID: not a decimal
API String ID: 3750391552-3590249192
Opcode ID: 456184b784fa7efc8fe9d8897fb77cbbb081413c450d27b41a848b68105fcfc3
Instruction ID: 9899c60d10310d7c9e72bd2456b6269401024bc9ce63e04e47a84003b32c0734
Opcode Fuzzy Hash: 456184b784fa7efc8fe9d8897fb77cbbb081413c450d27b41a848b68105fcfc3
Instruction Fuzzy Hash: 7D112A21B08B4281FE168B2AE85413D63A1AF84BC4F4D8635EB2F8667CDF2CE8558310

Function 00007FF8B8B2412C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF8B8B237BC: PyType_IsSubtype.PYTHON311 ref: 00007FF8B8B237C9

_Py_Dealloc.PYTHON311 ref: 00007FF8B8B24164
SSL_set_SSL_CTX.LIBSSL-3 ref: 00007FF8B8B24176
SSL_set_msg_callback.LIBSSL-3 ref: 00007FF8B8B24198
PyErr_SetString.PYTHON311 ref: 00007FF8B8B241B3

Strings

The value must be a SSLContext, xrefs: 00007FF8B8B241A9

Memory Dump Source

Source File: 00000002.00000002.3267386125.00007FF8B8B21000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF8B8B20000, based on PE: true

Associated: 00000002.00000002.3267342079.00007FF8B8B20000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267454200.00007FF8B8B2D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267519342.00007FF8B8B40000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267586768.00007FF8B8B41000.00000008.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267643901.00007FF8B8B49000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b8b20000_Q3pEXxmWAD.jbxd

Similarity

API ID: DeallocErr_L_set_L_set_msg_callbackStringSubtypeType_
String ID: The value must be a SSLContext
API String ID: 40619448-677980480
Opcode ID: 394ac2fa61f267975ade5a47f813cdf12de2fcbd668e233ddbe45757f84e86c3
Instruction ID: be099607d6d74f7adbea27023a5c3f9a5c80dbe88747e28ed62ab54b93144578
Opcode Fuzzy Hash: 394ac2fa61f267975ade5a47f813cdf12de2fcbd668e233ddbe45757f84e86c3
Instruction Fuzzy Hash: C7111CB6A08A4681DB149F3AE98402D3BB1FB88FD5B549131DF5D47768CF2CD45AC344

Function 00007FF8B8B21460 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 35COMMON

Download Yara Rule

APIs

OBJ_txt2obj.LIBCRYPTO-3 ref: 00007FF8B8B21480
PyModule_GetState.PYTHON311 ref: 00007FF8B8B21495

Part of subcall function 00007FF8B8B214C8: OBJ_obj2nid.LIBCRYPTO-3(?,?,?,?,?,00007FF8B8B214A6), ref: 00007FF8B8B214EA
Part of subcall function 00007FF8B8B214C8: OBJ_nid2sn.LIBCRYPTO-3(?,?,?,?,?,00007FF8B8B214A6), ref: 00007FF8B8B214FC
Part of subcall function 00007FF8B8B214C8: OBJ_nid2ln.LIBCRYPTO-3(?,?,?,?,?,00007FF8B8B214A6), ref: 00007FF8B8B21507
Part of subcall function 00007FF8B8B214C8: _Py_BuildValue_SizeT.PYTHON311(?,?,?,?,?,00007FF8B8B214A6), ref: 00007FF8B8B21535

ASN1_OBJECT_free.LIBCRYPTO-3 ref: 00007FF8B8B214AC
PyErr_Format.PYTHON311 ref: 00007FF8B8B23614

Strings

unknown object '%.100s', xrefs: 00007FF8B8B23607

Memory Dump Source

Source File: 00000002.00000002.3267386125.00007FF8B8B21000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF8B8B20000, based on PE: true

Associated: 00000002.00000002.3267342079.00007FF8B8B20000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267454200.00007FF8B8B2D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267519342.00007FF8B8B40000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267586768.00007FF8B8B41000.00000008.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267643901.00007FF8B8B49000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b8b20000_Q3pEXxmWAD.jbxd

Similarity

API ID: BuildErr_FormatJ_nid2lnJ_nid2snJ_obj2nidJ_txt2objModule_SizeStateT_freeValue_
String ID: unknown object '%.100s'
API String ID: 2376969911-3113687063
Opcode ID: b5d45e1b3159c0210a2dcfbd056b4fed1a47d8c8d60440e740920665be194752
Instruction ID: fafe4a92b4a8f244cf27bd956dfb730b9cb9e621ce9b54ea845176d29bc1f7e3
Opcode Fuzzy Hash: b5d45e1b3159c0210a2dcfbd056b4fed1a47d8c8d60440e740920665be194752
Instruction Fuzzy Hash: 74F01D61B1CA4781EA04CF3AA95443DAA91AF89FD0F8C8130DF1E47B28DF2CE0468704

Function 00007FF8B8B2AB80 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

X509_get_subject_name.LIBCRYPTO-3 ref: 00007FF8B8B2AB9A
PyType_GetModuleState.PYTHON311 ref: 00007FF8B8B2ABA6

Part of subcall function 00007FF8B8B2A9CC: BIO_s_mem.LIBCRYPTO-3 ref: 00007FF8B8B2A9E6
Part of subcall function 00007FF8B8B2A9CC: BIO_new.LIBCRYPTO-3 ref: 00007FF8B8B2A9EF
Part of subcall function 00007FF8B8B2A9CC: PyErr_SetString.PYTHON311 ref: 00007FF8B8B2AA10

PyUnicode_FromFormat.PYTHON311 ref: 00007FF8B8B2ABD1
_Py_Dealloc.PYTHON311 ref: 00007FF8B8B2ABE3

Strings

<%s '%U'>, xrefs: 00007FF8B8B2ABC3

Memory Dump Source

Source File: 00000002.00000002.3267386125.00007FF8B8B21000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF8B8B20000, based on PE: true

Associated: 00000002.00000002.3267342079.00007FF8B8B20000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267454200.00007FF8B8B2D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267519342.00007FF8B8B40000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267586768.00007FF8B8B41000.00000008.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267643901.00007FF8B8B49000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b8b20000_Q3pEXxmWAD.jbxd

Similarity

API ID: DeallocErr_FormatFromModuleO_newO_s_memStateStringType_Unicode_X509_get_subject_name
String ID: <%s '%U'>
API String ID: 652521511-3496504151
Opcode ID: bfad1c9a2df2547f65aed7cc543a789bee4611461373e23b73206238e9355141
Instruction ID: dcd087f2f93bbd834363a1373ab3fa7361ef6f8a754965c92a9427a3bf17bd02
Opcode Fuzzy Hash: bfad1c9a2df2547f65aed7cc543a789bee4611461373e23b73206238e9355141
Instruction Fuzzy Hash: B101F625A09A8681EA049F2AE94402D6B61FB48FD4F986431DF4E47769DF3CE486C304

Function 00007FF8B7DE46E4 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 32COMMON

Download Yara Rule

APIs

_PyArg_BadArgument.PYTHON311 ref: 00007FF8B7DE471D
_PyUnicode_Ready.PYTHON311 ref: 00007FF8B7DE4730

Strings

east_asian_width, xrefs: 00007FF8B7DE4716
argument, xrefs: 00007FF8B7DE470F
a unicode character, xrefs: 00007FF8B7DE4708

Memory Dump Source

Source File: 00000002.00000002.3266207103.00007FF8B7DE1000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF8B7DE0000, based on PE: true

Associated: 00000002.00000002.3266148560.00007FF8B7DE0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7DE5000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7E42000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7E8E000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7E91000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7E96000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7EF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266902753.00007FF8B7EF3000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266961919.00007FF8B7EF5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b7de0000_Q3pEXxmWAD.jbxd

Similarity

API ID: Arg_ArgumentReadyUnicode_
String ID: a unicode character$argument$east_asian_width
API String ID: 1875788646-3913127203
Opcode ID: e1dea5a4efee597cabc79f5f4f9b1c361292688d97fad454cab5bbac9e71014d
Instruction ID: 9e261907e053b732d9122e27ea7be52a1da8b7503110389f1735b50a0bb15492
Opcode Fuzzy Hash: e1dea5a4efee597cabc79f5f4f9b1c361292688d97fad454cab5bbac9e71014d
Instruction Fuzzy Hash: BD01A260A0878381EE51AB29A94017D2360EF46BD4F485231EBAE4667CDE3CE4858380

Function 00007FF8B7DE4418 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 32COMMON

Download Yara Rule

APIs

_PyArg_BadArgument.PYTHON311 ref: 00007FF8B7DE4451
_PyUnicode_Ready.PYTHON311 ref: 00007FF8B7DE4464

Strings

decomposition, xrefs: 00007FF8B7DE444A
argument, xrefs: 00007FF8B7DE4443
a unicode character, xrefs: 00007FF8B7DE443C

Memory Dump Source

Source File: 00000002.00000002.3266207103.00007FF8B7DE1000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF8B7DE0000, based on PE: true

Associated: 00000002.00000002.3266148560.00007FF8B7DE0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7DE5000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7E42000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7E8E000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7E91000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7E96000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7EF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266902753.00007FF8B7EF3000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266961919.00007FF8B7EF5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b7de0000_Q3pEXxmWAD.jbxd

Similarity

API ID: Arg_ArgumentReadyUnicode_
String ID: a unicode character$argument$decomposition
API String ID: 1875788646-2471543666
Opcode ID: ac2962689f343f1b3e1879047209e348276c37b5dff3c3435d3d8175ead54011
Instruction ID: c2ab42dfc2e2e5e723aad71462865760902326737084aa58ab064730e8af2ab0
Opcode Fuzzy Hash: ac2962689f343f1b3e1879047209e348276c37b5dff3c3435d3d8175ead54011
Instruction Fuzzy Hash: 1B01D121B08B8381FE51CB19A8402BD2360AF48BD4F4C1231EB6E466BDDF7CE4898300

Function 00007FF8B7DE2620 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

PyMem_Malloc.PYTHON311(?,?,00000000,00007FF8B7DE2565), ref: 00007FF8B7DE262B
PyCapsule_New.PYTHON311(?,?,00000000,00007FF8B7DE2565), ref: 00007FF8B7DE2668
PyErr_NoMemory.PYTHON311(?,?,00000000,00007FF8B7DE2565), ref: 00007FF8B7DE3EF4
PyMem_Free.PYTHON311(?,?,00000000,00007FF8B7DE2565), ref: 00007FF8B7DE3F04

Strings

unicodedata._ucnhash_CAPI, xrefs: 00007FF8B7DE265D

Memory Dump Source

Source File: 00000002.00000002.3266207103.00007FF8B7DE1000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF8B7DE0000, based on PE: true

Associated: 00000002.00000002.3266148560.00007FF8B7DE0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7DE5000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7E42000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7E8E000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7E91000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7E96000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7EF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266902753.00007FF8B7EF3000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266961919.00007FF8B7EF5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b7de0000_Q3pEXxmWAD.jbxd

Similarity

API ID: Mem_$Capsule_Err_FreeMallocMemory
String ID: unicodedata._ucnhash_CAPI
API String ID: 3673501854-3989975041
Opcode ID: 1ac5af153bf2bbb2bda3b9d9d9136918d1f6bd182a880703478f12c765018ae7
Instruction ID: e075eeb24635322f90e64878e1d62292ff1ff5e715e396a6e014088a269e6c12
Opcode Fuzzy Hash: 1ac5af153bf2bbb2bda3b9d9d9136918d1f6bd182a880703478f12c765018ae7
Instruction Fuzzy Hash: AAF01420A09B4291EE568B19A80017C72A4BF08BC8F4C1635CB6E0637CEE3CE1448360

Function 00007FF615A38DA0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00007FF615A38DC5
GetProcAddress.KERNEL32 ref: 00007FF615A38DDB
FreeLibrary.KERNEL32 ref: 00007FF615A38E02

Strings

mscoree.dll, xrefs: 00007FF615A38DBC
CorExitProcess, xrefs: 00007FF615A38DD4

Memory Dump Source

Source File: 00000002.00000002.3259986105.00007FF615A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF615A20000, based on PE: true

Associated: 00000002.00000002.3259944406.00007FF615A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260064010.00007FF615A4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260157531.00007FF615A5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260157531.00007FF615A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260262206.00007FF615A66000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff615a20000_Q3pEXxmWAD.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: f1eb0c22b123c1cdb2873c61f44d146b1d21622817f8dd4d6a21f18b4a6e3d93
Instruction ID: 996a73f0bfe029ec2f1c2ea4fb0f7b05c248e06a2d52a5cee8b65f6d548034d5
Opcode Fuzzy Hash: f1eb0c22b123c1cdb2873c61f44d146b1d21622817f8dd4d6a21f18b4a6e3d93
Instruction Fuzzy Hash: 25F06261A59F0681EF108B64E4487799360AF85FB5F581736D66D861F4CF3CD849C310

Function 00007FF8BA24A920 Relevance: 7.6, APIs: 5, Instructions: 94COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::DName.LIBVCRUNTIME ref: 00007FF8BA24A99B
DName::operator+.LIBVCRUNTIME ref: 00007FF8BA24A9BD
DName::DName.LIBVCRUNTIME ref: 00007FF8BA24A9CC
DName::DName.LIBVCRUNTIME ref: 00007FF8BA24AA03
DName::DName.LIBVCRUNTIME ref: 00007FF8BA24AA0E

Memory Dump Source

Source File: 00000002.00000002.3271320577.00007FF8BA241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8BA240000, based on PE: true

Associated: 00000002.00000002.3271278440.00007FF8BA240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3271565433.00007FF8BA253000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3271649077.00007FF8BA258000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3271708065.00007FF8BA259000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8ba240000_Q3pEXxmWAD.jbxd

Similarity

API ID: NameName::$Name::operator+
String ID:
API String ID: 826178784-0
Opcode ID: f125dc20a4fc2cff283c2e4d5124f38be857c51718d1d3c9008137230ed817e4
Instruction ID: 2bce9aebfb46b9ba43fa1a099953f10d3adbbdb6d3464025026b805be5c0f058
Opcode Fuzzy Hash: f125dc20a4fc2cff283c2e4d5124f38be857c51718d1d3c9008137230ed817e4
Instruction Fuzzy Hash: A6415532A19B5398FB00CB2AE9901B837B4BB18BC4B9444B2EF4D53795DF39E955E300

Function 00007FF8B8B2C0F4 Relevance: 7.6, APIs: 5, Instructions: 64encryptionCOMMON

Download Yara Rule

APIs

CertOpenStore.CRYPT32 ref: 00007FF8B8B2C11F
CertOpenStore.CRYPT32 ref: 00007FF8B8B2C152
CertAddStoreToCollection.CRYPT32 ref: 00007FF8B8B2C16D
CertCloseStore.CRYPT32 ref: 00007FF8B8B2C17A
CertCloseStore.CRYPT32 ref: 00007FF8B8B2C1A2

Memory Dump Source

Source File: 00000002.00000002.3267386125.00007FF8B8B21000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF8B8B20000, based on PE: true

Associated: 00000002.00000002.3267342079.00007FF8B8B20000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267454200.00007FF8B8B2D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267519342.00007FF8B8B40000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267586768.00007FF8B8B41000.00000008.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267643901.00007FF8B8B49000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b8b20000_Q3pEXxmWAD.jbxd

Similarity

API ID: CertStore$CloseOpen$Collection
String ID:
API String ID: 1995843185-0
Opcode ID: bd11785bf98fe9174426880ce2bd286796db4b743bc5c2560542b8e3adf2f1d7
Instruction ID: fdb839e6728e0e61aa044c19b74967ca958f355e999ead7a61780b9d3fddefe7
Opcode Fuzzy Hash: bd11785bf98fe9174426880ce2bd286796db4b743bc5c2560542b8e3adf2f1d7
Instruction Fuzzy Hash: 6C218332B1865586F714DF3AE865A6E6A51FB84BD0F884430CE0D03764DF3CE557C604

Function 00007FF615A48678 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00007FF615A486A0
_set_statfp.LIBCMT ref: 00007FF615A486BB
_set_statfp.LIBCMT ref: 00007FF615A486D7
_set_statfp.LIBCMT ref: 00007FF615A48713

Memory Dump Source

Source File: 00000002.00000002.3259986105.00007FF615A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF615A20000, based on PE: true

Associated: 00000002.00000002.3259944406.00007FF615A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260064010.00007FF615A4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260157531.00007FF615A5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260157531.00007FF615A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260262206.00007FF615A66000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff615a20000_Q3pEXxmWAD.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: bce21d2362216a5e504affcf34f2858e363de54600403cac3d1eeb36cb2ab404
Instruction ID: 8c00375e6a3182cfdc9756efab3e7f699c90e7ff99eb073456a55613ac92f26e
Opcode Fuzzy Hash: bce21d2362216a5e504affcf34f2858e363de54600403cac3d1eeb36cb2ab404
Instruction Fuzzy Hash: 3411BF32ED8E0341F79411A9F466376D1406F56FB4F1D4734EA6E966F68F2CAC40C110

Function 00007FF615A3A6A0 Relevance: 7.6, APIs: 5, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,00007FF615A398B3,?,?,00000000,00007FF615A39B4E,?,?,?,?,?,00007FF615A39ADA), ref: 00007FF615A3A6BF
FlsSetValue.KERNEL32(?,?,?,00007FF615A398B3,?,?,00000000,00007FF615A39B4E,?,?,?,?,?,00007FF615A39ADA), ref: 00007FF615A3A6DE
FlsSetValue.KERNEL32(?,?,?,00007FF615A398B3,?,?,00000000,00007FF615A39B4E,?,?,?,?,?,00007FF615A39ADA), ref: 00007FF615A3A706
FlsSetValue.KERNEL32(?,?,?,00007FF615A398B3,?,?,00000000,00007FF615A39B4E,?,?,?,?,?,00007FF615A39ADA), ref: 00007FF615A3A717
FlsSetValue.KERNEL32(?,?,?,00007FF615A398B3,?,?,00000000,00007FF615A39B4E,?,?,?,?,?,00007FF615A39ADA), ref: 00007FF615A3A728

Memory Dump Source

Source File: 00000002.00000002.3259986105.00007FF615A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF615A20000, based on PE: true

Associated: 00000002.00000002.3259944406.00007FF615A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260064010.00007FF615A4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260157531.00007FF615A5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260157531.00007FF615A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260262206.00007FF615A66000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff615a20000_Q3pEXxmWAD.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 25d361a094b2c99e262beff41eaee06ac9464b6f74968b1c14d3cfe42ff85be4
Instruction ID: a4c539fbde22c590053b2205852199ef3efebd6fe476f67bc90ee02192f06523
Opcode Fuzzy Hash: 25d361a094b2c99e262beff41eaee06ac9464b6f74968b1c14d3cfe42ff85be4
Instruction Fuzzy Hash: 2F116D20F88A5246FAD8D32556A1579E1926F98FB8E044334E93DCA6F6DF7CAC018700

Function 00007FF8B8B23F70 Relevance: 7.5, APIs: 5, Instructions: 45COMMON

Download Yara Rule

APIs

SSL_get_session.LIBSSL-3 ref: 00007FF8B8B23F86

Memory Dump Source

Source File: 00000002.00000002.3267386125.00007FF8B8B21000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF8B8B20000, based on PE: true

Associated: 00000002.00000002.3267342079.00007FF8B8B20000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267454200.00007FF8B8B2D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267519342.00007FF8B8B40000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267586768.00007FF8B8B41000.00000008.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267643901.00007FF8B8B49000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b8b20000_Q3pEXxmWAD.jbxd

Similarity

API ID: L_get_session
String ID:
API String ID: 1156357689-0
Opcode ID: 412ab88cb6b3608a0184366fb7cd7560aecfe6a833c2579db5c50b705b4d490f
Instruction ID: c8d60a8fb9f111b74ece9f6739d38c6895a0a3bb0d34122d24e2b4037fa6d90c
Opcode Fuzzy Hash: 412ab88cb6b3608a0184366fb7cd7560aecfe6a833c2579db5c50b705b4d490f
Instruction Fuzzy Hash: 4411E622A19B4681EA249F2AB46413D6BA0FB88FC0F980435DF4E03764DF2DE4478748

Function 00007FF8B8B2380C Relevance: 7.5, APIs: 5, Instructions: 26COMMON

Download Yara Rule

APIs

PyObject_GC_UnTrack.PYTHON311 ref: 00007FF8B8B2381D
_Py_Dealloc.PYTHON311 ref: 00007FF8B8B23832
SSL_SESSION_free.LIBSSL-3 ref: 00007FF8B8B23841
PyObject_GC_Del.PYTHON311 ref: 00007FF8B8B2384A
_Py_Dealloc.PYTHON311 ref: 00007FF8B8B23859

Memory Dump Source

Source File: 00000002.00000002.3267386125.00007FF8B8B21000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF8B8B20000, based on PE: true

Associated: 00000002.00000002.3267342079.00007FF8B8B20000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267454200.00007FF8B8B2D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267519342.00007FF8B8B40000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267586768.00007FF8B8B41000.00000008.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267643901.00007FF8B8B49000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b8b20000_Q3pEXxmWAD.jbxd

Similarity

API ID: DeallocObject_$N_freeTrack
String ID:
API String ID: 1683932209-0
Opcode ID: 73466ddfc36bf957d1f27849d204b3954713433a3c8e205f38a25ddfc3ec53d8
Instruction ID: 6fb0a73ecd7b54e0f024d01c4cfb0d2f977ba9aa59556d4852eb71727cc3cc01
Opcode Fuzzy Hash: 73466ddfc36bf957d1f27849d204b3954713433a3c8e205f38a25ddfc3ec53d8
Instruction Fuzzy Hash: 05F03A36E09A4681EA589F79E55413C6B60EF49FD4F884030CB0E0A621CF2DD49AC308

Function 00007FF615A3EED8 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 219COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF615A3F1B7

Part of subcall function 00007FF615A36D4C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF615A36D69

Strings

ccs, xrefs: 00007FF615A3F0F2
UTF-8, xrefs: 00007FF615A3F136
UTF-16LEUNICODE, xrefs: 00007FF615A3F155

Memory Dump Source

Source File: 00000002.00000002.3259986105.00007FF615A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF615A20000, based on PE: true

Associated: 00000002.00000002.3259944406.00007FF615A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260064010.00007FF615A4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260157531.00007FF615A5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260157531.00007FF615A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260262206.00007FF615A66000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff615a20000_Q3pEXxmWAD.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: UTF-16LEUNICODE$UTF-8$ccs
API String ID: 3215553584-1196891531
Opcode ID: f2afffe6052eb22f88312eb2a9052de40cf8af355caad6dfb5a285a3356e609b
Instruction ID: 6a51c174f0d765dd3309aca0a35bd518829f5ebf650714d9449d9b68928a8dd0
Opcode Fuzzy Hash: f2afffe6052eb22f88312eb2a9052de40cf8af355caad6dfb5a285a3356e609b
Instruction Fuzzy Hash: D181DA32DA890385FBE4CF29D110279A6A4AF12F6CF558271CA99D72B5EF2DEC018701

Function 00007FF8BA24470C Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 163COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF8BA246E48: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FF8BA2429EE), ref: 00007FF8BA246E56

abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BA24488B

Strings

csm, xrefs: 00007FF8BA24475B
csm, xrefs: 00007FF8BA2448C5
, xrefs: 00007FF8BA2447DC

Memory Dump Source

Source File: 00000002.00000002.3271320577.00007FF8BA241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8BA240000, based on PE: true

Associated: 00000002.00000002.3271278440.00007FF8BA240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3271565433.00007FF8BA253000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3271649077.00007FF8BA258000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3271708065.00007FF8BA259000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8ba240000_Q3pEXxmWAD.jbxd

Similarity

API ID: abort
String ID: $csm$csm
API String ID: 4206212132-1512788406
Opcode ID: bd14039b9dc44c48f3afba7226bd4a8f48c08aeb5fb2f86f7c5774b76e28317a
Instruction ID: 37aea0310eb91b4fea4c0f065677be59fb0ceea9d51182bc560ea6ef1b850756
Opcode Fuzzy Hash: bd14039b9dc44c48f3afba7226bd4a8f48c08aeb5fb2f86f7c5774b76e28317a
Instruction Fuzzy Hash: 74718B32A08A8287DB618F29D5A077DABA0FB45FC8F048175DF8D47A89CF2CE551E740

Function 00007FF615A2E5A8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF615A2E5D0
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00007FF615A2E6B8

Strings

csm, xrefs: 00007FF615A2E70A
csm, xrefs: 00007FF615A2E5F2

Memory Dump Source

Source File: 00000002.00000002.3259986105.00007FF615A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF615A20000, based on PE: true

Associated: 00000002.00000002.3259944406.00007FF615A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260064010.00007FF615A4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260157531.00007FF615A5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260157531.00007FF615A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260262206.00007FF615A66000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff615a20000_Q3pEXxmWAD.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: 35f1ba398413474562c31f87a28067be7b3dedf2abf1bb91a394967b9293af31
Instruction ID: 4f69219a8bcea51ed3d2f4fbe79b06a84bf405d859bcef183dd9f661a0255bbb
Opcode Fuzzy Hash: 35f1ba398413474562c31f87a28067be7b3dedf2abf1bb91a394967b9293af31
Instruction Fuzzy Hash: 81517132A48A828AEB648B339045278B691EF55FA4F148335DB5D87BE5CF3CE891C741

Function 00007FF8BA2444E4 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 144COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF8BA246E48: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FF8BA2429EE), ref: 00007FF8BA246E56

abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BA2445DB
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00007FF8BA2445EB

Strings

csm, xrefs: 00007FF8BA24463D
csm, xrefs: 00007FF8BA24452E

Memory Dump Source

Source File: 00000002.00000002.3271320577.00007FF8BA241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8BA240000, based on PE: true

Associated: 00000002.00000002.3271278440.00007FF8BA240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3271565433.00007FF8BA253000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3271649077.00007FF8BA258000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3271708065.00007FF8BA259000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8ba240000_Q3pEXxmWAD.jbxd

Similarity

API ID: Frameabort$EmptyHandler3::StateUnwind
String ID: csm$csm
API String ID: 4108983575-3733052814
Opcode ID: 08ef0bffa0d8dc861c4a01b7d2fd628c67e896dc6c26123b9582640005c51e48
Instruction ID: da1fac4179437da111651e8712289eb98d6c9caeea835a4f0199125db6df8a62
Opcode Fuzzy Hash: 08ef0bffa0d8dc861c4a01b7d2fd628c67e896dc6c26123b9582640005c51e48
Instruction Fuzzy Hash: CE516D7290828387EF648B29955436876A0FB94FD9F148176DF8D47B95CF3CE4A1DB00

Function 00007FF8BA24B118 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 94COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::DName.LIBVCRUNTIME ref: 00007FF8BA24B172

Strings

%lf, xrefs: 00007FF8BA24B1AD, 00007FF8BA24B1E1, 00007FF8BA24B211

Memory Dump Source

Source File: 00000002.00000002.3271320577.00007FF8BA241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8BA240000, based on PE: true

Associated: 00000002.00000002.3271278440.00007FF8BA240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3271565433.00007FF8BA253000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3271649077.00007FF8BA258000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3271708065.00007FF8BA259000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8ba240000_Q3pEXxmWAD.jbxd

Similarity

API ID: NameName::
String ID: %lf
API String ID: 1333004437-2891890143
Opcode ID: 7e0deb2cf17bd330c849068a4ca2fc9bc064bfcc9212df10860184869afe9d43
Instruction ID: ddc02c1e9b2b4dbac188683ca6e4a4c0218f77b125cc686b6fa4bac8fb28cd33
Opcode Fuzzy Hash: 7e0deb2cf17bd330c849068a4ca2fc9bc064bfcc9212df10860184869afe9d43
Instruction Fuzzy Hash: B931BF71A0CB8785EB10DB29A8510BAB7A1BF55FC0F4482B6EF8E53791DE3CE541A700

Function 00007FF615A225F0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 44windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF615A286B0: MultiByteToWideChar.KERNEL32(?,?,?,00007FF615A23FA4,00000000,00007FF615A21925), ref: 00007FF615A286E9

MessageBoxW.USER32 ref: 00007FF615A22686
MessageBoxA.USER32 ref: 00007FF615A2269A

Strings

Error, xrefs: 00007FF615A22677
Error/warning (ANSI fallback), xrefs: 00007FF615A2268E

Memory Dump Source

Source File: 00000002.00000002.3259986105.00007FF615A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF615A20000, based on PE: true

Associated: 00000002.00000002.3259944406.00007FF615A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260064010.00007FF615A4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260157531.00007FF615A5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260157531.00007FF615A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260262206.00007FF615A66000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff615a20000_Q3pEXxmWAD.jbxd

Similarity

API ID: Message$ByteCharMultiWide
String ID: Error$Error/warning (ANSI fallback)
API String ID: 1878133881-653037927
Opcode ID: f4c9aea142df8fc367965a88b37001c6795115f60fce42f8f88369c54fa23369
Instruction ID: 51c11ca983d5a56b14860e8cab357bc89f797b0cc5541e78ba16eef8ea252a50
Opcode Fuzzy Hash: f4c9aea142df8fc367965a88b37001c6795115f60fce42f8f88369c54fa23369
Instruction Fuzzy Hash: 3F116D72668F8581FA208B61F451BA9B364FF48F94F905236EA4D97664DF3CDA09C700

Function 00007FF615A22870 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 44windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF615A286B0: MultiByteToWideChar.KERNEL32(?,?,?,00007FF615A23FA4,00000000,00007FF615A21925), ref: 00007FF615A286E9

MessageBoxW.USER32 ref: 00007FF615A22906
MessageBoxA.USER32 ref: 00007FF615A2291A

Strings

Warning, xrefs: 00007FF615A228F7
Error/warning (ANSI fallback), xrefs: 00007FF615A2290E

Memory Dump Source

Source File: 00000002.00000002.3259986105.00007FF615A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF615A20000, based on PE: true

Associated: 00000002.00000002.3259944406.00007FF615A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260064010.00007FF615A4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260157531.00007FF615A5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260157531.00007FF615A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260262206.00007FF615A66000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff615a20000_Q3pEXxmWAD.jbxd

Similarity

API ID: Message$ByteCharMultiWide
String ID: Error/warning (ANSI fallback)$Warning
API String ID: 1878133881-2698358428
Opcode ID: bedc3c020f71ec751042cc21f49bee78fdd2451348ef76e59aa444c99166d18b
Instruction ID: 2a019c74239c2c7fd815faa4ea7f23b616daffb490cce48f75354588fd08c458
Opcode Fuzzy Hash: bedc3c020f71ec751042cc21f49bee78fdd2451348ef76e59aa444c99166d18b
Instruction Fuzzy Hash: 8B119072668F8981FA208B21F451BA9B364FF44F94F905235DA4C87664CF3CDA04C700

Function 00007FF8B8B26638 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

_PyArg_CheckPositional.PYTHON311 ref: 00007FF8B8B26676
_PyLong_AsInt.PYTHON311 ref: 00007FF8B8B26689
PyErr_Occurred.PYTHON311 ref: 00007FF8B8B26696

Strings

read, xrefs: 00007FF8B8B2666F

Memory Dump Source

Source File: 00000002.00000002.3267386125.00007FF8B8B21000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF8B8B20000, based on PE: true

Associated: 00000002.00000002.3267342079.00007FF8B8B20000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267454200.00007FF8B8B2D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267519342.00007FF8B8B40000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267586768.00007FF8B8B41000.00000008.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267643901.00007FF8B8B49000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b8b20000_Q3pEXxmWAD.jbxd

Similarity

API ID: Arg_CheckErr_Long_OccurredPositional
String ID: read
API String ID: 3612027452-2555855207
Opcode ID: 8a8e7eb9a6d2fd23c0527b5df7bfe1ba3a6bd226f027e0e78acf8f3acddc74f0
Instruction ID: 9a62eb6060a2ea2d288a3db1a51882c3328af6dda3ad6f603355fc3191ed799e
Opcode Fuzzy Hash: 8a8e7eb9a6d2fd23c0527b5df7bfe1ba3a6bd226f027e0e78acf8f3acddc74f0
Instruction Fuzzy Hash: 8E01D631B14A5185EA50AF3AE8001AD7AA4EF85FD0F984135DF5D837A4CF3CE8528708

Function 00007FF8B7DE1EF0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 42COMMON

Download Yara Rule

APIs

PyErr_SetString.PYTHON311(?,?,?,?,?,00007FF8B7DE1EDC), ref: 00007FF8B7DE3B6F

Part of subcall function 00007FF8B7DE1FD0: strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF8B7DE2008
Part of subcall function 00007FF8B7DE1FD0: strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF8B7DE2026

PyErr_Format.PYTHON311 ref: 00007FF8B7DE1F53

Strings

undefined character name '%s', xrefs: 00007FF8B7DE1F46
name too long, xrefs: 00007FF8B7DE3B65

Memory Dump Source

Source File: 00000002.00000002.3266207103.00007FF8B7DE1000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF8B7DE0000, based on PE: true

Associated: 00000002.00000002.3266148560.00007FF8B7DE0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7DE5000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7E42000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7E8E000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7E91000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7E96000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7EF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266902753.00007FF8B7EF3000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266961919.00007FF8B7EF5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b7de0000_Q3pEXxmWAD.jbxd

Similarity

API ID: Err_strncmp$FormatString
String ID: name too long$undefined character name '%s'
API String ID: 3882229318-4056717002
Opcode ID: 8b8c9c862c8556266a26c0415d30d38fd4fd6db163ae40366dde064f1277ed55
Instruction ID: c2f1723670a7bb0bc2934306dec3ef93c6f341d97119aa6cbac27238f3534c52
Opcode Fuzzy Hash: 8b8c9c862c8556266a26c0415d30d38fd4fd6db163ae40366dde064f1277ed55
Instruction Fuzzy Hash: C111E276A18B4795EF018B1CD8442BC7361FB987C9F880531CB1E86278DF6DD549C750

Function 00007FF8B8B2AA80 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 39COMMON

Download Yara Rule

APIs

PyUnicode_InternFromString.PYTHON311(?,?,00000000,00007FF8B8B2A18B), ref: 00007FF8B8B2AA9B
PyUnicode_InternFromString.PYTHON311(?,?,00000000,00007FF8B8B2A18B), ref: 00007FF8B8B2AAC0

Strings

pkcs_7_asn, xrefs: 00007FF8B8B2AAB9
x509_asn, xrefs: 00007FF8B8B2AA94

Memory Dump Source

Source File: 00000002.00000002.3267386125.00007FF8B8B21000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF8B8B20000, based on PE: true

Associated: 00000002.00000002.3267342079.00007FF8B8B20000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267454200.00007FF8B8B2D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267519342.00007FF8B8B40000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267586768.00007FF8B8B41000.00000008.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267643901.00007FF8B8B49000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b8b20000_Q3pEXxmWAD.jbxd

Similarity

API ID: FromInternStringUnicode_
String ID: pkcs_7_asn$x509_asn
API String ID: 3337471625-3375957347
Opcode ID: c237cb97dbbad94ae287de8b25dae0ba831a19de8f6c9387e5957410867ff6f9
Instruction ID: cbb7560e26f745ade2767728ffc7650ff3552a1bee6d86c812370a1149a90454
Opcode Fuzzy Hash: c237cb97dbbad94ae287de8b25dae0ba831a19de8f6c9387e5957410867ff6f9
Instruction Fuzzy Hash: A6011E20E19E0780FE659F7DA89513827A0AF497D4F981535CB1E463A0EF3CB45BD308

Function 00007FF8B8B2621C Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

PyErr_SetString.PYTHON311 ref: 00007FF8B8B2624A
SSL_CTX_get_verify_callback.LIBSSL-3 ref: 00007FF8B8B26265
SSL_CTX_set_verify.LIBSSL-3 ref: 00007FF8B8B26274

Strings

invalid value for verify_mode, xrefs: 00007FF8B8B26240

Memory Dump Source

Source File: 00000002.00000002.3267386125.00007FF8B8B21000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF8B8B20000, based on PE: true

Associated: 00000002.00000002.3267342079.00007FF8B8B20000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267454200.00007FF8B8B2D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267519342.00007FF8B8B40000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267586768.00007FF8B8B41000.00000008.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267643901.00007FF8B8B49000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b8b20000_Q3pEXxmWAD.jbxd

Similarity

API ID: Err_StringX_get_verify_callbackX_set_verify
String ID: invalid value for verify_mode
API String ID: 93861573-2668209411
Opcode ID: 4856f5f7de021945ac99fd8d1e173b09ad5d2f51963348923486f7d074500968
Instruction ID: c31770201b32602656d2543f0341d8bfe9f8da56af44019d0958f4ee6ae2050d
Opcode Fuzzy Hash: 4856f5f7de021945ac99fd8d1e173b09ad5d2f51963348923486f7d074500968
Instruction Fuzzy Hash: E9F06221F1CA0685EB558F7DE59813C2A60FF8ABD4FA84135CB1D476A4CF3DE44A8308

Function 00007FF8BA242A50 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 28COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF8BA246E48: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FF8BA2429EE), ref: 00007FF8BA246E56

terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BA242A8E

Strings

RCC, xrefs: 00007FF8BA242A60
csm, xrefs: 00007FF8BA242A70
MOC, xrefs: 00007FF8BA242A68

Memory Dump Source

Source File: 00000002.00000002.3271320577.00007FF8BA241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8BA240000, based on PE: true

Associated: 00000002.00000002.3271278440.00007FF8BA240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3271565433.00007FF8BA253000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3271649077.00007FF8BA258000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3271708065.00007FF8BA259000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8ba240000_Q3pEXxmWAD.jbxd

Similarity

API ID: abortterminate
String ID: MOC$RCC$csm
API String ID: 661698970-2671469338
Opcode ID: 3ab94ae7472f91afbfb2fa40e8eaefdcfa6935c471aaf11af4776549d32657f7
Instruction ID: e4aca3f5dcd241c1851cd99a78c1c5eb7369b40055d15a94e5b46cd1d832a055
Opcode Fuzzy Hash: 3ab94ae7472f91afbfb2fa40e8eaefdcfa6935c471aaf11af4776549d32657f7
Instruction Fuzzy Hash: 6AF04F32A1861785E7646B2AE28106D36A4FF4CFC0F1990B1DF4806652CF3CE491D701

Function 00007FF8B8B246CC Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

BIO_ctrl.LIBCRYPTO-3 ref: 00007FF8B8B246EE
PyUnicode_DecodeUTF8.PYTHON311 ref: 00007FF8B8B24708
PyErr_SetString.PYTHON311 ref: 00007FF8B8B24721

Strings

Not a memory BIO, xrefs: 00007FF8B8B24717

Memory Dump Source

Source File: 00000002.00000002.3267386125.00007FF8B8B21000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF8B8B20000, based on PE: true

Associated: 00000002.00000002.3267342079.00007FF8B8B20000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267454200.00007FF8B8B2D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267519342.00007FF8B8B40000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267586768.00007FF8B8B41000.00000008.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267643901.00007FF8B8B49000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b8b20000_Q3pEXxmWAD.jbxd

Similarity

API ID: DecodeErr_O_ctrlStringUnicode_
String ID: Not a memory BIO
API String ID: 3520065620-587638661
Opcode ID: 64dfe8055ee3b1cd31987682b318179c1f452374172f5427dc3f21fadd9e4985
Instruction ID: d0f6f116e00eee6f1f1f6eb23452d7814ecf1250fda4daa0921be6524268bcbd
Opcode Fuzzy Hash: 64dfe8055ee3b1cd31987682b318179c1f452374172f5427dc3f21fadd9e4985
Instruction Fuzzy Hash: 79F09065A29A4686EB04CF75E444B7D2B61EF85BC0F845131DF0E46A24DF3CE44A8704

Function 00007FF8B8B299B0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 26stringCOMMON

Download Yara Rule

APIs

SSL_is_init_finished.LIBSSL-3 ref: 00007FF8B8B299D2
SSL_get_version.LIBSSL-3 ref: 00007FF8B8B299E0
strcmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF8B8B299F3

Strings

unknown, xrefs: 00007FF8B8B299E9

Memory Dump Source

Source File: 00000002.00000002.3267386125.00007FF8B8B21000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF8B8B20000, based on PE: true

Associated: 00000002.00000002.3267342079.00007FF8B8B20000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267454200.00007FF8B8B2D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267519342.00007FF8B8B40000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267586768.00007FF8B8B41000.00000008.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267643901.00007FF8B8B49000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b8b20000_Q3pEXxmWAD.jbxd

Similarity

API ID: L_get_versionL_is_init_finishedstrcmp
String ID: unknown
API String ID: 1061301088-2904991687
Opcode ID: eaffb4479277b7afc06a0f789e62f95ec0f0f56c5575d45baa8399530b0a07a3
Instruction ID: e4ad0f7fba098074869e4145c206e7daf18382f225ff3561abcc2c04bf49960d
Opcode Fuzzy Hash: eaffb4479277b7afc06a0f789e62f95ec0f0f56c5575d45baa8399530b0a07a3
Instruction Fuzzy Hash: E4F0F811B0990A80EE199F7AA89053C2BA0EF48FD4F981431CF5D4A260DF2CE4978308

Function 00007FF8B8B245A8 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 23COMMON

Download Yara Rule

APIs

BIO_ctrl.LIBCRYPTO-3 ref: 00007FF8B8B245C6
PyBytes_FromStringAndSize.PYTHON311 ref: 00007FF8B8B245DD
PyErr_SetString.PYTHON311 ref: 00007FF8B8B245F6

Strings

Not a memory BIO, xrefs: 00007FF8B8B245EC

Memory Dump Source

Source File: 00000002.00000002.3267386125.00007FF8B8B21000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF8B8B20000, based on PE: true

Associated: 00000002.00000002.3267342079.00007FF8B8B20000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267454200.00007FF8B8B2D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267519342.00007FF8B8B40000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267586768.00007FF8B8B41000.00000008.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267643901.00007FF8B8B49000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b8b20000_Q3pEXxmWAD.jbxd

Similarity

API ID: String$Bytes_Err_FromO_ctrlSize
String ID: Not a memory BIO
API String ID: 2349510700-587638661
Opcode ID: d7394661b94f92f6a73cdb88a38c15a887adc7f5d70ad9ec87d922d267c36386
Instruction ID: 68130131e1a7ea28e24da34c3ec1eeb4755f7d79de8fb52c90aeb6aa7dead4e7
Opcode Fuzzy Hash: d7394661b94f92f6a73cdb88a38c15a887adc7f5d70ad9ec87d922d267c36386
Instruction Fuzzy Hash: 98F05E65B2994682EB04CF79E984B7D27A1BF847C0FC45131DB4E46928CF3CE04E8704

Function 00007FF615A3B8B0 Relevance: 6.3, APIs: 4, Instructions: 299fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 00007FF615A3B92F
WriteFile.KERNEL32 ref: 00007FF615A3BBF7
WriteFile.KERNEL32 ref: 00007FF615A3BC3D
GetLastError.KERNEL32 ref: 00007FF615A3BCF3

Memory Dump Source

Source File: 00000002.00000002.3259986105.00007FF615A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF615A20000, based on PE: true

Associated: 00000002.00000002.3259944406.00007FF615A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260064010.00007FF615A4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260157531.00007FF615A5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260157531.00007FF615A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260262206.00007FF615A66000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff615a20000_Q3pEXxmWAD.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: 0739f85a4d911baae0561c1f2f5b651aa469f8b70ac1dc09fd50f765aaaafbc7
Instruction ID: 5bb38ad559e3eb652253f41b8c1ba81e8bfe731770c929ba15db7d6376dec092
Opcode Fuzzy Hash: 0739f85a4d911baae0561c1f2f5b651aa469f8b70ac1dc09fd50f765aaaafbc7
Instruction Fuzzy Hash: FCD1D172B58A8589E750CF65D4402AC77B2FB48FACB144236CE5E97BA9DF38D916C300

Function 00007FF8BA24A638 Relevance: 6.2, APIs: 4, Instructions: 193COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FF8BA24CDBC: DName::operator+.LIBVCRUNTIME ref: 00007FF8BA24CE4D
Part of subcall function 00007FF8BA24CDBC: DName::operator+.LIBVCRUNTIME ref: 00007FF8BA24CE86
Part of subcall function 00007FF8BA24CDBC: DName::operator+.LIBVCRUNTIME ref: 00007FF8BA24D1B1

DName::operator+.LIBVCRUNTIME ref: 00007FF8BA24A793
DName::operator+.LIBVCRUNTIME ref: 00007FF8BA24A7F2
DName::operator+.LIBVCRUNTIME ref: 00007FF8BA24A824
DName::operator+.LIBVCRUNTIME ref: 00007FF8BA24A834

Memory Dump Source

Source File: 00000002.00000002.3271320577.00007FF8BA241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8BA240000, based on PE: true

Associated: 00000002.00000002.3271278440.00007FF8BA240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3271565433.00007FF8BA253000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3271649077.00007FF8BA258000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3271708065.00007FF8BA259000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8ba240000_Q3pEXxmWAD.jbxd

Similarity

API ID: Name::operator+
String ID:
API String ID: 2943138195-0
Opcode ID: cc076bc81e8f2d48ba6aefa04368e4e4f2bc5c7ef048a26b3748b4f62f7846b0
Instruction ID: 29424758adb846d2623c34d3815c6ebc97dc9a37eb721087dc25896752a1d2c0
Opcode Fuzzy Hash: cc076bc81e8f2d48ba6aefa04368e4e4f2bc5c7ef048a26b3748b4f62f7846b0
Instruction Fuzzy Hash: 70912772E08A5399FB118B69D8403AC37B1FB04B88F5480B6DF4D17699DF7DA846E740

Function 00007FF8B7DE1FD0 Relevance: 6.2, APIs: 2, Strings: 2, Instructions: 173stringCOMMON

Download Yara Rule

APIs

strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF8B7DE2008
strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF8B7DE2026

Strings

CJK UNIFIED IDEOGRAPH-, xrefs: 00007FF8B7DE201C
HANGUL SYLLABLE , xrefs: 00007FF8B7DE1FF5

Memory Dump Source

Source File: 00000002.00000002.3266207103.00007FF8B7DE1000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF8B7DE0000, based on PE: true

Associated: 00000002.00000002.3266148560.00007FF8B7DE0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7DE5000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7E42000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7E8E000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7E91000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7E96000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7EF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266902753.00007FF8B7EF3000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266961919.00007FF8B7EF5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b7de0000_Q3pEXxmWAD.jbxd

Similarity

API ID: strncmp
String ID: CJK UNIFIED IDEOGRAPH-$HANGUL SYLLABLE
API String ID: 1114863663-87138338
Opcode ID: 315690625b96ec968e0fd3bff09a411a7d33ab15bbea3d9f0de0a272eac0e1aa
Instruction ID: f1fb8480b287719b9d8e15d5f1f9693a6fc7cad02c21362c027f84a667f18500
Opcode Fuzzy Hash: 315690625b96ec968e0fd3bff09a411a7d33ab15bbea3d9f0de0a272eac0e1aa
Instruction Fuzzy Hash: 6761E772B18B4246EA668B1DA80067E7652FF98BD0F484335EB6D476EDDF7CE6018700

Function 00007FF8BA24D274 Relevance: 6.1, APIs: 4, Instructions: 87COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FF8BA24ED94: Replicator::operator[].LIBVCRUNTIME ref: 00007FF8BA24EDEE

Part of subcall function 00007FF8BA24CDBC: DName::operator+.LIBVCRUNTIME ref: 00007FF8BA24CE4D
Part of subcall function 00007FF8BA24CDBC: DName::operator+.LIBVCRUNTIME ref: 00007FF8BA24CE86
Part of subcall function 00007FF8BA24CDBC: DName::operator+.LIBVCRUNTIME ref: 00007FF8BA24D1B1

DName::operator+.LIBVCRUNTIME ref: 00007FF8BA24D2F4
DName::operator+.LIBVCRUNTIME ref: 00007FF8BA24D303
DName::operator+.LIBVCRUNTIME ref: 00007FF8BA24D380
DName::operator+.LIBVCRUNTIME ref: 00007FF8BA24D38F

Memory Dump Source

Source File: 00000002.00000002.3271320577.00007FF8BA241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8BA240000, based on PE: true

Associated: 00000002.00000002.3271278440.00007FF8BA240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3271565433.00007FF8BA253000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3271649077.00007FF8BA258000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3271708065.00007FF8BA259000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8ba240000_Q3pEXxmWAD.jbxd

Similarity

API ID: Name::operator+$Replicator::operator[]
String ID:
API String ID: 3863519203-0
Opcode ID: 57265f9aaea93611d8ae4b0edf9f43af56394ecd72ecd9aef4b3b93798ee479d
Instruction ID: 6b3100be82e900075b51567753f84b69ef8dce81179964bd339649905c6039b4
Opcode Fuzzy Hash: 57265f9aaea93611d8ae4b0edf9f43af56394ecd72ecd9aef4b3b93798ee479d
Instruction Fuzzy Hash: F7413572E08B8299FB01CF68D8403AC3BA0BB48B88F948476DF4D57759DF78A445D750

Function 00007FF8B8B24038 Relevance: 6.1, APIs: 4, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3267386125.00007FF8B8B21000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF8B8B20000, based on PE: true

Associated: 00000002.00000002.3267342079.00007FF8B8B20000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267454200.00007FF8B8B2D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267519342.00007FF8B8B40000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267586768.00007FF8B8B41000.00000008.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267643901.00007FF8B8B49000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b8b20000_Q3pEXxmWAD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b3ecd30306d68961cb9200b597a246700d375a60376d027b0040ec7de20f592
Instruction ID: 84c45826d54a0c1966394972e332cb624d948eb7dc3eb21101a3265365d71e36
Opcode Fuzzy Hash: 5b3ecd30306d68961cb9200b597a246700d375a60376d027b0040ec7de20f592
Instruction Fuzzy Hash: D121BF26A0DB8682EB24CF38E44576A76A0FF48BA4F944631CF5D43B94EF3CE0468604

Function 00007FF8B8B2909C Relevance: 6.0, APIs: 4, Instructions: 41threadCOMMON

Download Yara Rule

APIs

PyEval_SaveThread.PYTHON311 ref: 00007FF8B8B290BB
SSL_pending.LIBSSL-3 ref: 00007FF8B8B290C8

Part of subcall function 00007FF8B8B24730: WSAGetLastError.WS2_32 ref: 00007FF8B8B24754
Part of subcall function 00007FF8B8B24730: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8B8B2475D
Part of subcall function 00007FF8B8B24730: SSL_get_error.LIBSSL-3 ref: 00007FF8B8B2476D

PyEval_RestoreThread.PYTHON311 ref: 00007FF8B8B290F6
PyLong_FromLong.PYTHON311 ref: 00007FF8B8B29122

Part of subcall function 00007FF8B8B23BAC: ERR_peek_last_error.LIBCRYPTO-3 ref: 00007FF8B8B23BE1
Part of subcall function 00007FF8B8B23BAC: ERR_clear_error.LIBCRYPTO-3 ref: 00007FF8B8B23DEC

Memory Dump Source

Source File: 00000002.00000002.3267386125.00007FF8B8B21000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF8B8B20000, based on PE: true

Associated: 00000002.00000002.3267342079.00007FF8B8B20000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267454200.00007FF8B8B2D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267519342.00007FF8B8B40000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267586768.00007FF8B8B41000.00000008.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267643901.00007FF8B8B49000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b8b20000_Q3pEXxmWAD.jbxd

Similarity

API ID: Eval_Thread$ErrorFromL_get_errorL_pendingLastLongLong_R_clear_errorR_peek_last_errorRestoreSave_errno
String ID:
API String ID: 1598009871-0
Opcode ID: d2a7d47461be732cc6a1ae5316264d943ef1faa4ed19ea55c1e4dde8012ed04b
Instruction ID: 06f2a687887de8b83691e3c570f3ac0553606a365ba7d4f800bdb0e89d0915f2
Opcode Fuzzy Hash: d2a7d47461be732cc6a1ae5316264d943ef1faa4ed19ea55c1e4dde8012ed04b
Instruction Fuzzy Hash: A0115E26A08F858AD710DF39A40406EAB20FB89BD5F944235EF4D17B59DF3CD4828B84

Function 00007FF8BA2509FC Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF8BA250A28
GetCurrentThreadId.KERNEL32 ref: 00007FF8BA250A36
GetCurrentProcessId.KERNEL32 ref: 00007FF8BA250A42
QueryPerformanceCounter.KERNEL32 ref: 00007FF8BA250A52

Memory Dump Source

Source File: 00000002.00000002.3271320577.00007FF8BA241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8BA240000, based on PE: true

Associated: 00000002.00000002.3271278440.00007FF8BA240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3271565433.00007FF8BA253000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3271649077.00007FF8BA258000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3271708065.00007FF8BA259000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8ba240000_Q3pEXxmWAD.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 74344bb322e65ea4bb1ed5ded81f371800f489492d84809563666ba838173471
Instruction ID: 09e2533a691a4fb4053497b93ffcbdbb750bddc2665bfac3e2903a1777cfe59d
Opcode Fuzzy Hash: 74344bb322e65ea4bb1ed5ded81f371800f489492d84809563666ba838173471
Instruction Fuzzy Hash: 7D115222B14F018AEB00CF64E8542B933A4F719B98F441E31DF6D46BA4DF7DE1589340

Function 00007FF8B8B22BAC Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF8B8B22BD8
GetCurrentThreadId.KERNEL32 ref: 00007FF8B8B22BE6
GetCurrentProcessId.KERNEL32 ref: 00007FF8B8B22BF2
QueryPerformanceCounter.KERNEL32 ref: 00007FF8B8B22C02

Memory Dump Source

Source File: 00000002.00000002.3267386125.00007FF8B8B21000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF8B8B20000, based on PE: true

Associated: 00000002.00000002.3267342079.00007FF8B8B20000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267454200.00007FF8B8B2D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267519342.00007FF8B8B40000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267586768.00007FF8B8B41000.00000008.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267643901.00007FF8B8B49000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b8b20000_Q3pEXxmWAD.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 1174b9e05e0ec077f58f84e71c627ec51327c8a58e7600726c525f8141592f8c
Instruction ID: bb0743f0a3bcbb8ac82fe80ee75549e4176f88480f5660308e27f3bdfa6804a2
Opcode Fuzzy Hash: 1174b9e05e0ec077f58f84e71c627ec51327c8a58e7600726c525f8141592f8c
Instruction Fuzzy Hash: 29115E22B14F0689EB40CF74E8552B933A4FB187A8F480D31DB6D467B4DF38D19A8344

Function 00007FF8B7DE2C0C Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF8B7DE2C38
GetCurrentThreadId.KERNEL32 ref: 00007FF8B7DE2C46
GetCurrentProcessId.KERNEL32 ref: 00007FF8B7DE2C52
QueryPerformanceCounter.KERNEL32 ref: 00007FF8B7DE2C62

Memory Dump Source

Source File: 00000002.00000002.3266207103.00007FF8B7DE1000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF8B7DE0000, based on PE: true

Associated: 00000002.00000002.3266148560.00007FF8B7DE0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7DE5000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7E42000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7E8E000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7E91000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7E96000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7EF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266902753.00007FF8B7EF3000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266961919.00007FF8B7EF5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b7de0000_Q3pEXxmWAD.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 82f0f9c915ca38b27df9a13535bd7a8d6766dc117c9a79f3edaf6f20f04facae
Instruction ID: ad6d484cff0af42ab3204dceba5e2c48b23b7bd41724aef1367a64a6fb3cfc49
Opcode Fuzzy Hash: 82f0f9c915ca38b27df9a13535bd7a8d6766dc117c9a79f3edaf6f20f04facae
Instruction Fuzzy Hash: 49111F26B14F0189EB00CB64E8542AC33A4FB59798F440A31EB6D46768DF7CD1988380

Function 00007FF8B8B28980 Relevance: 6.0, APIs: 4, Instructions: 28COMMON

Download Yara Rule

APIs

SSL_get_current_compression.LIBSSL-3 ref: 00007FF8B8B2898F
COMP_get_type.LIBCRYPTO-3 ref: 00007FF8B8B289A0
COMP_get_type.LIBCRYPTO-3 ref: 00007FF8B8B289AD
OBJ_nid2sn.LIBCRYPTO-3 ref: 00007FF8B8B289B5

Memory Dump Source

Source File: 00000002.00000002.3267386125.00007FF8B8B21000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF8B8B20000, based on PE: true

Associated: 00000002.00000002.3267342079.00007FF8B8B20000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267454200.00007FF8B8B2D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267519342.00007FF8B8B40000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267586768.00007FF8B8B41000.00000008.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267643901.00007FF8B8B49000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b8b20000_Q3pEXxmWAD.jbxd

Similarity

API ID: P_get_type$J_nid2snL_get_current_compression
String ID:
API String ID: 142675065-0
Opcode ID: ef5c6b9377a65607391c5da60103c15d5b34c6cfb642226678b6882f81df31a9
Instruction ID: e34ce91fac5381f86123c0e50f712b37cb85c069a35f6e003cfdb1da05249528
Opcode Fuzzy Hash: ef5c6b9377a65607391c5da60103c15d5b34c6cfb642226678b6882f81df31a9
Instruction Fuzzy Hash: FAF0DA11F0AA0A81FE599F79A85423C1B90AF4CFD0F8C1534CA1E06390DF2CE49B9209

Function 00007FF8B8B2B050 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

PyObject_GC_UnTrack.PYTHON311 ref: 00007FF8B8B2B061

Part of subcall function 00007FF8B8B2AFC0: _Py_Dealloc.PYTHON311 ref: 00007FF8B8B2AFE1
Part of subcall function 00007FF8B8B2AFC0: _Py_Dealloc.PYTHON311 ref: 00007FF8B8B2AFFB
Part of subcall function 00007FF8B8B2AFC0: _Py_Dealloc.PYTHON311 ref: 00007FF8B8B2B015
Part of subcall function 00007FF8B8B2AFC0: PyEval_SaveThread.PYTHON311 ref: 00007FF8B8B2B022
Part of subcall function 00007FF8B8B2AFC0: BIO_free_all.LIBCRYPTO-3 ref: 00007FF8B8B2B02F
Part of subcall function 00007FF8B8B2AFC0: PyEval_RestoreThread.PYTHON311 ref: 00007FF8B8B2B038

SSL_CTX_free.LIBSSL-3 ref: 00007FF8B8B2B073
PyMem_Free.PYTHON311 ref: 00007FF8B8B2B07D
_Py_Dealloc.PYTHON311 ref: 00007FF8B8B2B099

Memory Dump Source

Source File: 00000002.00000002.3267386125.00007FF8B8B21000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF8B8B20000, based on PE: true

Associated: 00000002.00000002.3267342079.00007FF8B8B20000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267454200.00007FF8B8B2D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267519342.00007FF8B8B40000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267586768.00007FF8B8B41000.00000008.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267643901.00007FF8B8B49000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b8b20000_Q3pEXxmWAD.jbxd

Similarity

API ID: Dealloc$Eval_Thread$FreeMem_O_free_allObject_RestoreSaveTrackX_free
String ID:
API String ID: 3459953665-0
Opcode ID: e9f5b987bf89cebd02a395e6cf559e4ee373507bedcf57f81c3745492d13cff4
Instruction ID: 7d670f372ca3ee73d6e99e40ed4648fbb9f870adec5fd358367349cc66373639
Opcode Fuzzy Hash: e9f5b987bf89cebd02a395e6cf559e4ee373507bedcf57f81c3745492d13cff4
Instruction Fuzzy Hash: 9FF0D426A08A4A82EB04AF3AE95407D2720FB89FD4F585030DF0E06765CF3CD49A8744

Function 00007FF8BA24F670 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 154COMMONLIBRARYCODE

Download Yara Rule

APIs

_IsNonwritableInCurrentImage.LIBCMT ref: 00007FF8BA24F732
RtlUnwindEx.KERNEL32(?,?,?,?,?,?,?,00007FF8BA24F435), ref: 00007FF8BA24F78C

Strings

csm, xrefs: 00007FF8BA24F719

Memory Dump Source

Source File: 00000002.00000002.3271320577.00007FF8BA241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8BA240000, based on PE: true

Associated: 00000002.00000002.3271278440.00007FF8BA240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3271565433.00007FF8BA253000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3271649077.00007FF8BA258000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3271708065.00007FF8BA259000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8ba240000_Q3pEXxmWAD.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind
String ID: csm
API String ID: 451473138-1018135373
Opcode ID: 88d75f8372be57577a220e465c4aa8d65e851ebfefcdd899ecde71752cd89d28
Instruction ID: 1911ac7282d0a1a600da55012aa55ae18aa9c7d6c7652b218789a39cc594925e
Opcode Fuzzy Hash: 88d75f8372be57577a220e465c4aa8d65e851ebfefcdd899ecde71752cd89d28
Instruction Fuzzy Hash: D5518A32A196028AEB148B29E444A7D37A6FB84FD8F108175EF4E47789EF7DE8459700

Function 00007FF615A44E2C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 121COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF615A40A70: _invalid_parameter_noinfo.LIBCMT ref: 00007FF615A40AA3

_get_daylight.LIBCMT ref: 00007FF615A44F44
_get_daylight.LIBCMT ref: 00007FF615A44F55

Strings

?, xrefs: 00007FF615A44ED5

Memory Dump Source

Source File: 00000002.00000002.3259986105.00007FF615A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF615A20000, based on PE: true

Associated: 00000002.00000002.3259944406.00007FF615A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260064010.00007FF615A4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260157531.00007FF615A5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260157531.00007FF615A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260262206.00007FF615A66000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff615a20000_Q3pEXxmWAD.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo
String ID: ?
API String ID: 1286766494-1684325040
Opcode ID: 30789dec6190b383a199f118b84c25ff7dc7ec79571e837530472d1d90a39620
Instruction ID: 51ef4fe3176a14be087320c08a13af8fd0cc335049b326a145b0d73c14eefa6b
Opcode Fuzzy Hash: 30789dec6190b383a199f118b84c25ff7dc7ec79571e837530472d1d90a39620
Instruction Fuzzy Hash: 1941D712A58B8256FB649BA5D4017B9E690EF80FB4F184335EE5D86AF5DF3CD8418700

Function 00007FF8BA244E40 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF8BA246E48: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FF8BA2429EE), ref: 00007FF8BA246E56

_CreateFrameInfo.LIBVCRUNTIME ref: 00007FF8BA244F16
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BA244F74

Strings

csm, xrefs: 00007FF8BA24501A

Memory Dump Source

Source File: 00000002.00000002.3271320577.00007FF8BA241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8BA240000, based on PE: true

Associated: 00000002.00000002.3271278440.00007FF8BA240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3271565433.00007FF8BA253000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3271649077.00007FF8BA258000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3271708065.00007FF8BA259000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8ba240000_Q3pEXxmWAD.jbxd

Similarity

API ID: abort$CreateFrameInfo
String ID: csm
API String ID: 2697087660-1018135373
Opcode ID: a8b8ee24cb783e7d293a6e1db454b28b1bfc46eb23a73e5049af87221528bbc6
Instruction ID: 392832909f98bd721152d81fdf2434349de32282aea377b3dfd3a85f62e3835a
Opcode Fuzzy Hash: a8b8ee24cb783e7d293a6e1db454b28b1bfc46eb23a73e5049af87221528bbc6
Instruction Fuzzy Hash: 12512837618B4286E620AB2AE54066E77A4FB89BD0F141175EF8D07B55DF3CE461DB00

Function 00007FF615A3F8E0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 105COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF615A3F916

Part of subcall function 00007FF615A3E8C8: GetCurrentDirectoryW.KERNEL32 ref: 00007FF615A3E908

Strings

., xrefs: 00007FF615A3F967
:, xrefs: 00007FF615A3F956

Memory Dump Source

Source File: 00000002.00000002.3259986105.00007FF615A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF615A20000, based on PE: true

Associated: 00000002.00000002.3259944406.00007FF615A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260064010.00007FF615A4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260157531.00007FF615A5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260157531.00007FF615A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260262206.00007FF615A66000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff615a20000_Q3pEXxmWAD.jbxd

Similarity

API ID: CurrentDirectory_invalid_parameter_noinfo
String ID: .$:
API String ID: 2020911589-4202072812
Opcode ID: 7a35d28534e01db8ffeaa6b4fa37230a72ad0a4b96bb2a626ac06d1e353ecb62
Instruction ID: 585798f5920ed84ab7eba90bfebe955fa87af950d5bf0fb519b50f26ec400e5e
Opcode Fuzzy Hash: 7a35d28534e01db8ffeaa6b4fa37230a72ad0a4b96bb2a626ac06d1e353ecb62
Instruction Fuzzy Hash: 28417F22F58F5298FB80DBB198511BC6AB86F14F6CF540235DE5DA7A65EF3C98458300

Function 00007FF8BA24A524 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 68COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FF8BA24A622

Strings

void, xrefs: 00007FF8BA24A584
void , xrefs: 00007FF8BA24A5AC

Memory Dump Source

Source File: 00000002.00000002.3271320577.00007FF8BA241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8BA240000, based on PE: true

Associated: 00000002.00000002.3271278440.00007FF8BA240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3271565433.00007FF8BA253000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3271649077.00007FF8BA258000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3271708065.00007FF8BA259000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8ba240000_Q3pEXxmWAD.jbxd

Similarity

API ID: Name::operator+
String ID: void$void
API String ID: 2943138195-3746155364
Opcode ID: d81aed41cb4c8c5c69bd061dfd49733f36ea67ee8bb27e73bf8cb873ba0293ca
Instruction ID: 88fab13a9d7221db55ce7a4ef7a9830240ef83f386551bf3f6982c7ff4297b56
Opcode Fuzzy Hash: d81aed41cb4c8c5c69bd061dfd49733f36ea67ee8bb27e73bf8cb873ba0293ca
Instruction Fuzzy Hash: 1431F672E18B569CFB01CBA9E8410EC37B0BB48B88B440576EF4E66B59DF38A144D750

Function 00007FF615A3E8C8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32 ref: 00007FF615A3E908
GetCurrentDirectoryW.KERNEL32 ref: 00007FF615A3E95A

Strings

:, xrefs: 00007FF615A3E91E

Memory Dump Source

Source File: 00000002.00000002.3259986105.00007FF615A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF615A20000, based on PE: true

Associated: 00000002.00000002.3259944406.00007FF615A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260064010.00007FF615A4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260157531.00007FF615A5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260157531.00007FF615A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260262206.00007FF615A66000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff615a20000_Q3pEXxmWAD.jbxd

Similarity

API ID: CurrentDirectory
String ID: :
API String ID: 1611563598-336475711
Opcode ID: e37c33f8f2befd5fbd3c49cdc0b6d52123385b6fd944ea7372e41dd3f6ca63dc
Instruction ID: 9c0129e4d225e4650168bcad57af644f6667f2ac263b68769772548d71f63256
Opcode Fuzzy Hash: e37c33f8f2befd5fbd3c49cdc0b6d52123385b6fd944ea7372e41dd3f6ca63dc
Instruction Fuzzy Hash: B121C122B48A8586EFA0DB15D44427EE3A1FF84F98F454235DB8C836A4DF7CED448740

Function 00007FF8B8B27000 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47COMMON

Download Yara Rule

APIs

_PyArg_Parse_SizeT.PYTHON311 ref: 00007FF8B8B2704E
PyMem_Free.PYTHON311 ref: 00007FF8B8B2709D

Strings

ascii, xrefs: 00007FF8B8B27040

Memory Dump Source

Source File: 00000002.00000002.3267386125.00007FF8B8B21000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF8B8B20000, based on PE: true

Associated: 00000002.00000002.3267342079.00007FF8B8B20000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267454200.00007FF8B8B2D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267519342.00007FF8B8B40000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267586768.00007FF8B8B41000.00000008.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267643901.00007FF8B8B49000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b8b20000_Q3pEXxmWAD.jbxd

Similarity

API ID: Arg_FreeMem_Parse_Size
String ID: ascii
API String ID: 2971325497-3510295289
Opcode ID: a4bb0fd7286f087dd0d96e7648b22da2f1b4b2ca3ec14ac410f5bc383d07f14c
Instruction ID: 65a55468022fd4958dd64e73b90c99c7909a2c6f6d1a492bfe743a7ede0ce5ad
Opcode Fuzzy Hash: a4bb0fd7286f087dd0d96e7648b22da2f1b4b2ca3ec14ac410f5bc383d07f14c
Instruction Fuzzy Hash: D6110A36618B85C5DB10CF2AE88456AB7A4FB88BC0F584035EF8D83B24DF38D456CB48

Function 00007FF8BA24676F Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 45COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF8BA246B10: RtlPcToFileHeader.KERNEL32 ref: 00007FF8BA246B60
Part of subcall function 00007FF8BA246B10: RaiseException.KERNEL32 ref: 00007FF8BA246BA1

RtlPcToFileHeader.KERNEL32 ref: 00007FF8BA2467DF

Strings

Bad dynamic_cast!, xrefs: 00007FF8BA246792
Access violation - no RTTI data!, xrefs: 00007FF8BA24676F

Memory Dump Source

Source File: 00000002.00000002.3271320577.00007FF8BA241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8BA240000, based on PE: true

Associated: 00000002.00000002.3271278440.00007FF8BA240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3271565433.00007FF8BA253000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3271649077.00007FF8BA258000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3271708065.00007FF8BA259000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8ba240000_Q3pEXxmWAD.jbxd

Similarity

API ID: FileHeader$ExceptionRaise
String ID: Access violation - no RTTI data!$Bad dynamic_cast!
API String ID: 3685223789-3176238549
Opcode ID: 161e8b28e34caca24568961a6528755d3751e4ffa6d3c1bec0c9a5cac7a2823b
Instruction ID: 6c73673abc1d69b1ecb44269566b90c8db66cd4e404f0cf4ebd56774907a395e
Opcode Fuzzy Hash: 161e8b28e34caca24568961a6528755d3751e4ffa6d3c1bec0c9a5cac7a2823b
Instruction Fuzzy Hash: F4015AA1A29A47A1EE40DB1CEA601B86361FF80FC4F4464B1EF0E07669EF7CE508D700

Function 00007FF8BA246B10 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32 ref: 00007FF8BA246B60
RaiseException.KERNEL32 ref: 00007FF8BA246BA1

Strings

csm, xrefs: 00007FF8BA246B8E

Memory Dump Source

Source File: 00000002.00000002.3271320577.00007FF8BA241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8BA240000, based on PE: true

Associated: 00000002.00000002.3271278440.00007FF8BA240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3271565433.00007FF8BA253000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3271649077.00007FF8BA258000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3271708065.00007FF8BA259000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8ba240000_Q3pEXxmWAD.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 96783e5d5ee86e7ed91570add2de904558e3ade983638e121ecc73efc59d9239
Instruction ID: 4c9801a3278d9d800279c4bdfbe404c6429760e0a78e99eb6cb20999915a74d2
Opcode Fuzzy Hash: 96783e5d5ee86e7ed91570add2de904558e3ade983638e121ecc73efc59d9239
Instruction Fuzzy Hash: 78112B32618B4182EB618B29E940269B7E5FB88B98F584270EF8C07B58DF3DD551CB00

Function 00007FF8B8B27244 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

_PyArg_Parse_SizeT.PYTHON311 ref: 00007FF8B8B27285
PyMem_Free.PYTHON311(?,?,?,?,?,?,?,?,00007FF8B8B27219), ref: 00007FF8B8B272D3

Strings

ascii, xrefs: 00007FF8B8B27277

Memory Dump Source

Source File: 00000002.00000002.3267386125.00007FF8B8B21000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF8B8B20000, based on PE: true

Associated: 00000002.00000002.3267342079.00007FF8B8B20000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267454200.00007FF8B8B2D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267519342.00007FF8B8B40000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267586768.00007FF8B8B41000.00000008.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267643901.00007FF8B8B49000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b8b20000_Q3pEXxmWAD.jbxd

Similarity

API ID: Arg_FreeMem_Parse_Size
String ID: ascii
API String ID: 2971325497-3510295289
Opcode ID: 1ccae27e2df3bc9fa8e4b2df3855de555f9f0df4c0960448b76b98603b4e6947
Instruction ID: 21be20f9e22956df0470680b12214a963d025264a0b2b4a309a34853df0f42f4
Opcode Fuzzy Hash: 1ccae27e2df3bc9fa8e4b2df3855de555f9f0df4c0960448b76b98603b4e6947
Instruction Fuzzy Hash: 6C111F31A18B49C1EB108F6AE444B6E77A4FB48BD4F544135EB8D47B18DF7CD4468B48

Function 00007FF615A2F068 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32 ref: 00007FF615A2F0B8
RaiseException.KERNEL32 ref: 00007FF615A2F0F9

Strings

csm, xrefs: 00007FF615A2F0E6

Memory Dump Source

Source File: 00000002.00000002.3259986105.00007FF615A21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF615A20000, based on PE: true

Associated: 00000002.00000002.3259944406.00007FF615A20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260064010.00007FF615A4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260157531.00007FF615A5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260157531.00007FF615A63000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3260262206.00007FF615A66000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff615a20000_Q3pEXxmWAD.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 353d784395b77eefcba7ec404c7e4e47dbaba59ece92a9373595b893a828088a
Instruction ID: 315a32233af2962c37bdef8c9b6ab589f4bed42b29f502773b9ab69f260a68ca
Opcode Fuzzy Hash: 353d784395b77eefcba7ec404c7e4e47dbaba59ece92a9373595b893a828088a
Instruction Fuzzy Hash: 20113736619B8482EB218B25E440269B7A4FF88F94F184231DB8D47768EF3CC9518B00

Function 00007FF8B8B28F54 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40COMMON

Download Yara Rule

APIs

_PyArg_CheckPositional.PYTHON311 ref: 00007FF8B8B28F91
PyObject_IsTrue.PYTHON311 ref: 00007FF8B8B28FA4

Strings

getpeercert, xrefs: 00007FF8B8B28F8A

Memory Dump Source

Source File: 00000002.00000002.3267386125.00007FF8B8B21000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF8B8B20000, based on PE: true

Associated: 00000002.00000002.3267342079.00007FF8B8B20000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267454200.00007FF8B8B2D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267519342.00007FF8B8B40000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267586768.00007FF8B8B41000.00000008.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267643901.00007FF8B8B49000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b8b20000_Q3pEXxmWAD.jbxd

Similarity

API ID: Arg_CheckObject_PositionalTrue
String ID: getpeercert
API String ID: 341638686-200429401
Opcode ID: 4391be54f3b9744dd8453b216c6fc47e843cf99a3f11d960a72bf402986a61e1
Instruction ID: 555d9a88d6cc1a96d0f254e0115d90e97c30a5f8bee6661e6b5196159b51b7f8
Opcode Fuzzy Hash: 4391be54f3b9744dd8453b216c6fc47e843cf99a3f11d960a72bf402986a61e1
Instruction Fuzzy Hash: E3014432B04A6189E750AF2AA850179BB65FB98FC0F995031EF4D87769CF39E4438704

Function 00007FF8B7DE4C04 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

PyErr_SetString.PYTHON311 ref: 00007FF8B7DE4C54
PyUnicode_FromString.PYTHON311 ref: 00007FF8B7DE4C6B

Strings

no such name, xrefs: 00007FF8B7DE4C4A

Memory Dump Source

Source File: 00000002.00000002.3266207103.00007FF8B7DE1000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF8B7DE0000, based on PE: true

Associated: 00000002.00000002.3266148560.00007FF8B7DE0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7DE5000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7E42000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7E8E000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7E91000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7E96000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7EF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266902753.00007FF8B7EF3000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266961919.00007FF8B7EF5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b7de0000_Q3pEXxmWAD.jbxd

Similarity

API ID: String$Err_FromUnicode_
String ID: no such name
API String ID: 3678473424-4211486178
Opcode ID: 3cee85899810c21b61c883871248d1595a37fae7423a3e6c68c232458049210f
Instruction ID: 766de25a36a720499724e8e3ef626e21739273026161d8ad519e2e8c4ac9e880
Opcode Fuzzy Hash: 3cee85899810c21b61c883871248d1595a37fae7423a3e6c68c232458049210f
Instruction Fuzzy Hash: D9014B71A18B4281FE229B29E8117BD2360BF98BC8F480131DB6E46778DF2CE1448610

Function 00007FF8B8B2C03C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

_PyArg_Parse_SizeT.PYTHON311 ref: 00007FF8B8B2C057
PyErr_SetString.PYTHON311 ref: 00007FF8B8B2C084

Part of subcall function 00007FF8B8B2621C: PyErr_SetString.PYTHON311 ref: 00007FF8B8B2624A

Strings

Cannot set verify_mode to CERT_NONE when check_hostname is enabled., xrefs: 00007FF8B8B2C07A

Memory Dump Source

Source File: 00000002.00000002.3267386125.00007FF8B8B21000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF8B8B20000, based on PE: true

Associated: 00000002.00000002.3267342079.00007FF8B8B20000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267454200.00007FF8B8B2D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267519342.00007FF8B8B40000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267586768.00007FF8B8B41000.00000008.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267643901.00007FF8B8B49000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b8b20000_Q3pEXxmWAD.jbxd

Similarity

API ID: Err_String$Arg_Parse_Size
String ID: Cannot set verify_mode to CERT_NONE when check_hostname is enabled.
API String ID: 1619524773-288992553
Opcode ID: 5d47b52a9f30d3d19b9c5793d997a53d4bf7f4bf2b3d2087eaa2a6f5e8030f54
Instruction ID: 25f4edfe04bd166b69e86d643cab1d9ccfedd6d2b24a2ec799d99332600a49a0
Opcode Fuzzy Hash: 5d47b52a9f30d3d19b9c5793d997a53d4bf7f4bf2b3d2087eaa2a6f5e8030f54
Instruction Fuzzy Hash: 8BF01D61E0C907C1EA148F7DA45057E2B60AF95BE0FA85232CB1D066A4EF3DE48A8748

Function 00007FF8B8B2B5CC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 26COMMON

Download Yara Rule

APIs

SSL_CTX_get_verify_mode.LIBSSL-3 ref: 00007FF8B8B2B5D9
PyErr_SetString.PYTHON311 ref: 00007FF8B8B2B601

Strings

invalid return value from SSL_CTX_get_verify_mode, xrefs: 00007FF8B8B2B5F6

Memory Dump Source

Source File: 00000002.00000002.3267386125.00007FF8B8B21000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF8B8B20000, based on PE: true

Associated: 00000002.00000002.3267342079.00007FF8B8B20000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267454200.00007FF8B8B2D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267519342.00007FF8B8B40000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267586768.00007FF8B8B41000.00000008.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267643901.00007FF8B8B49000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b8b20000_Q3pEXxmWAD.jbxd

Similarity

API ID: Err_StringX_get_verify_mode
String ID: invalid return value from SSL_CTX_get_verify_mode
API String ID: 3939857436-2501269723
Opcode ID: f687a6c0c5a4183b4d75922872bd7ac6d5d320f5ad4b6ceb76a9824a91c458d1
Instruction ID: 16dcb42a02a1bdfbb36cdaddf5326113ccc4dfa8b938955c034f397e8c16c7cf
Opcode Fuzzy Hash: f687a6c0c5a4183b4d75922872bd7ac6d5d320f5ad4b6ceb76a9824a91c458d1
Instruction Fuzzy Hash: 0AF03722E19807C1EB195F7DD85517C5761EB48784FA80435C70E866A0CF5CE897C348

Function 00007FF8BA24F420 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF8BA246E48: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FF8BA2429EE), ref: 00007FF8BA246E56

terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BA24F45A

Strings

f, xrefs: 00007FF8BA24F435
csm, xrefs: 00007FF8BA24F43B

Memory Dump Source

Source File: 00000002.00000002.3271320577.00007FF8BA241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8BA240000, based on PE: true

Associated: 00000002.00000002.3271278440.00007FF8BA240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3271565433.00007FF8BA253000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3271649077.00007FF8BA258000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3271708065.00007FF8BA259000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8ba240000_Q3pEXxmWAD.jbxd

Similarity

API ID: abortterminate
String ID: csm$f
API String ID: 661698970-629598281
Opcode ID: f31257b661c57643b6b4b1793288747ab2a9155158c122d579431834bbccefac
Instruction ID: 458d760605b96a84ea5506f0c33ef8d16aa9aaeeb83d23d9fa14b26964d5d85a
Opcode Fuzzy Hash: f31257b661c57643b6b4b1793288747ab2a9155158c122d579431834bbccefac
Instruction Fuzzy Hash: 7BE06D32D0875381FB216B69B28013D26A4AF89FD4F14C0B4EF4806686CE3DD8A4A701

Function 00007FF8B8B22510 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 20COMMON

Download Yara Rule

APIs

PyModule_GetState.PYTHON311 ref: 00007FF8B8B22516
PyCapsule_Import.PYTHON311 ref: 00007FF8B8B2252B

Strings

_socket.CAPI, xrefs: 00007FF8B8B22521

Memory Dump Source

Source File: 00000002.00000002.3267386125.00007FF8B8B21000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF8B8B20000, based on PE: true

Associated: 00000002.00000002.3267342079.00007FF8B8B20000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267454200.00007FF8B8B2D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267519342.00007FF8B8B40000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267586768.00007FF8B8B41000.00000008.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267643901.00007FF8B8B49000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b8b20000_Q3pEXxmWAD.jbxd

Similarity

API ID: Capsule_ImportModule_State
String ID: _socket.CAPI
API String ID: 2652237932-3774308389
Opcode ID: f6bb12bf27002d4cccd5b8b37b61f5c59dc24c3f8fd27b4ee6771e3e226dd6f3
Instruction ID: 93d18d220ff059c698360b492f08196fd4e87f465ced4f169f659d6dfb4994ae
Opcode Fuzzy Hash: f6bb12bf27002d4cccd5b8b37b61f5c59dc24c3f8fd27b4ee6771e3e226dd6f3
Instruction Fuzzy Hash: 3EE01A20A1A60781FE148FB9946527C67A0AF59BA0FA84535CA2D822A0DF3CE486C318

Function 00007FF8B8B2BE74 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 20COMMON

Download Yara Rule

APIs

PyErr_SetString.PYTHON311 ref: 00007FF8B8B2BE93
PyObject_IsTrue.PYTHON311 ref: 00007FF8B8B2BEA1

Strings

cannot delete attribute, xrefs: 00007FF8B8B2BE89

Memory Dump Source

Source File: 00000002.00000002.3267386125.00007FF8B8B21000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FF8B8B20000, based on PE: true

Associated: 00000002.00000002.3267342079.00007FF8B8B20000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267454200.00007FF8B8B2D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267519342.00007FF8B8B40000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267586768.00007FF8B8B41000.00000008.00000001.01000000.00000012.sdmpDownload File
Associated: 00000002.00000002.3267643901.00007FF8B8B49000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b8b20000_Q3pEXxmWAD.jbxd

Similarity

API ID: Err_Object_StringTrue
String ID: cannot delete attribute
API String ID: 1323943456-1747274469
Opcode ID: 2f8d69dcfa5688d08a09282bc1e201520617e2f06cf13dd042f272955c3b830a
Instruction ID: f90380beb9e98875f704bc3298ebd032ff517bbbce7a8828c0ecfef2de2353c3
Opcode Fuzzy Hash: 2f8d69dcfa5688d08a09282bc1e201520617e2f06cf13dd042f272955c3b830a
Instruction Fuzzy Hash: 96E06D64A08806C1EB14EF3D94850382751AF547E5FA44A31CB2D462E4DF2C948E8308

Function 00007FF8B7DE25B0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

_PyObject_GC_New.PYTHON311(?,?,00000000,00007FF8B7DE2533), ref: 00007FF8B7DE25B6
PyObject_GC_Track.PYTHON311(?,?,00000000,00007FF8B7DE2533), ref: 00007FF8B7DE25E8

Strings

3.2.0, xrefs: 00007FF8B7DE25C4

Memory Dump Source

Source File: 00000002.00000002.3266207103.00007FF8B7DE1000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FF8B7DE0000, based on PE: true

Associated: 00000002.00000002.3266148560.00007FF8B7DE0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7DE5000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7E42000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7E8E000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7E91000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7E96000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266268765.00007FF8B7EF0000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266902753.00007FF8B7EF3000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000002.00000002.3266961919.00007FF8B7EF5000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b7de0000_Q3pEXxmWAD.jbxd

Similarity

API ID: Object_$Track
String ID: 3.2.0
API String ID: 16854473-1786766648
Opcode ID: 767dd7ab98994f43239e4e329e749c2ad7475791c86a6fb4d160e6b955e6c056
Instruction ID: b219b9c88a98a8d35e9e7849875c8b1b08c7ed5cf40d26bac9372b8ce82821ae
Opcode Fuzzy Hash: 767dd7ab98994f43239e4e329e749c2ad7475791c86a6fb4d160e6b955e6c056
Instruction Fuzzy Hash: F8E0E524A09F0695EF168F19A89006C32A4BF0CBC4B8C0239CF6E02378EF3DE264C350

Function 00007FF8BA246E64 Relevance: 5.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FF8BA246CE9,?,?,?,?,00007FF8BA250582,?,?,?,?,?), ref: 00007FF8BA246E83
SetLastError.KERNEL32(?,?,?,00007FF8BA246CE9,?,?,?,?,00007FF8BA250582,?,?,?,?,?), ref: 00007FF8BA246F0C

Memory Dump Source

Source File: 00000002.00000002.3271320577.00007FF8BA241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8BA240000, based on PE: true

Associated: 00000002.00000002.3271278440.00007FF8BA240000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3271565433.00007FF8BA253000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3271649077.00007FF8BA258000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3271708065.00007FF8BA259000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8ba240000_Q3pEXxmWAD.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 29fbcb28d85caf8942357daff49778de6b87ab13b42ab574bfe6367f35ca65f9
Instruction ID: 746588043d73c163ac0dd1dd4733ab3771e59cb8a0c4443e05280a01afe1c01b
Opcode Fuzzy Hash: 29fbcb28d85caf8942357daff49778de6b87ab13b42ab574bfe6367f35ca65f9
Instruction Fuzzy Hash: 1C113D20F1964382FA149B2DA95017522D1BF48BE0F4446B4EF6E07BD5DE3DF841BB10

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use bootkits to persist on systems. Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly.
Tactics:	Defense Evasion, Persistence
Data Sources:	Drive: Drive Modification
Platforms:	Linux, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may try to gather information about registered local system services. Adversaries may obtain information about services using tools as well as OS utility commands such as `sc query` , `tasklist /svc` , `systemctl --type=service` , and `net start` .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Q3pEXxmWAD.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Operating System Destruction

System Summary

Snort Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Bitcoin Miner

Compliance

Spreading

Networking

Operating System Destruction

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\_MEI50042\Blsvr.exe

C:\Users\user\AppData\Local\Temp\_MEI50042\VCRUNTIME140.dll

C:\Users\user\AppData\Local\Temp\_MEI50042\_bz2.pyd

C:\Users\user\AppData\Local\Temp\_MEI50042\_ctypes.pyd

C:\Users\user\AppData\Local\Temp\_MEI50042\_decimal.pyd

C:\Users\user\AppData\Local\Temp\_MEI50042\_hashlib.pyd

C:\Users\user\AppData\Local\Temp\_MEI50042\_lzma.pyd

C:\Users\user\AppData\Local\Temp\_MEI50042\_queue.pyd

C:\Users\user\AppData\Local\Temp\_MEI50042\_socket.pyd

Windows Analysis Report
Q3pEXxmWAD.exe

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre