Windows Analysis Report
231210-10-Creal-33652f.exe

Overview

General Information

Sample name: 231210-10-Creal-33652f.exe
Analysis ID: 1480029
MD5: 0b02e32e57e2345c026243f8f309f808
SHA1: 33652fd7b37d46d8de6a51b914568fc4b9a82411
SHA256: 7182c67494763b41a8ed5324ced374c1741e67197047d373e540c4c28ab9ac8e
Tags: exe

Detection

Creal Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Creal Stealer
AI detected suspicious sample
Drops PE files to the startup folder
Machine Learning detection for sample
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal communication platform credentials (via file / registry access)
Binary contains a suspicious time stamp
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check the online IP address of the machine
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Startup Folder File Write
Stores files to the Windows start menu directory
Uses Microsoft's Enhanced Cryptographic Provider

Classification

  • System is w10x64
  • 231210-10-Creal-33652f.exe (PID: 7052 cmdline: "C:\Users\user\Desktop\231210-10-Creal-33652f.exe" MD5: 0B02E32E57E2345C026243F8F309F808)
    • 231210-10-Creal-33652f.exe (PID: 6292 cmdline: "C:\Users\user\Desktop\231210-10-Creal-33652f.exe" MD5: 0B02E32E57E2345C026243F8F309F808)
      • cmd.exe (PID: 1420 cmdline: C:\Windows\system32\cmd.exe /c "ver" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 3052 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 6108 cmdline: C:\Windows\system32\cmd.exe /c "tasklist" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 5356 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • tasklist.exe (PID: 4928 cmdline: tasklist MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
  • 231210-10-Creal-33652f.exe (PID: 5476 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe" MD5: 0B02E32E57E2345C026243F8F309F808)
    • 231210-10-Creal-33652f.exe (PID: 1420 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe" MD5: 0B02E32E57E2345C026243F8F309F808)
      • cmd.exe (PID: 3448 cmdline: C:\Windows\system32\cmd.exe /c "ver" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 3052 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 5472 cmdline: C:\Windows\system32\cmd.exe /c "tasklist" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 1836 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • tasklist.exe (PID: 3756 cmdline: tasklist MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
  • cleanup
{"C2 url": "https://discord.com/api/webhooks/1181954406556643419/PdEX76ogNfGmtUmoAaCRcao4ZsPmjMQdocVt9Gw6WKQiJiHiVJxk5Wv282v3BEWYxn3Cz"}
Source | Rule | Description | Author | Strings
0000000B.00000002.3089238430.000001AFC16C0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_CrealStealer | Yara detected Creal Stealer | Joe Security |
0000000B.00000002.3088138594.000001AFC0E57000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CrealStealer | Yara detected Creal Stealer | Joe Security |
00000002.00000002.3089335128.000001CD634B0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_CrealStealer | Yara detected Creal Stealer | Joe Security |
00000002.00000002.3088018698.000001CD62B06000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CrealStealer | Yara detected Creal Stealer | Joe Security |
Process Memory Space: 231210-10-Creal-33652f.exe PID: 6292 | JoeSecurity_CrealStealer | Yara detected Creal Stealer | Joe Security |

Source: File created; Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research); Data: EventID: 11, Image: C:\Users\user\Desktop\231210-10-Creal-33652f.exe, ProcessId: 6292, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe

No Snort rule has matched

AV Detection

Source: 231210-10-Creal-33652f.exe, Avira: detected
Source: 231210-10-Creal-33652f.exe.6292.2.memstrmin, Malware Configuration Extractor: Creal Stealer {"C2 url": "https://discord.com/api/webhooks/1181954406556643419/PdEX76ogNfGmtUmoAaCRcao4ZsPmjMQdocVt9Gw6WKQiJiHiVJxk5Wv282v3BEWYxn3Cz"}
Source: 231210-10-Creal-33652f.exe, ReversingLabs: Detection: 42%
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 100.0% probability
Source: 231210-10-Creal-33652f.exe, Joe Sandbox ML: detected

Location Tracking

Source: unknown, DNS query: name: geolocation-db.com
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeCode function: 2_2_00007FFDFAF3AEB0 CRYPTO_free,2_2_00007FFDFAF3AEB0
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeCode function: 2_2_00007FFDFAF31FD2 CRYPTO_malloc,ERR_put_error,CRYPTO_free,CRYPTO_free,CRYPTO_free,2_2_00007FFDFAF31FD2
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeCode function: 2_2_00007FFDFAF46F48 CRYPTO_free,CRYPTO_strdup,2_2_00007FFDFAF46F48
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeCode function: 2_2_00007FFDFAF3177B EVP_MD_CTX_new,EVP_PKEY_new_raw_private_key,EVP_sha256,EVP_DigestSignInit,EVP_DigestSign,EVP_MD_CTX_free,EVP_PKEY_free,CRYPTO_memcmp,_time64,EVP_MD_CTX_free,EVP_PKEY_free,EVP_MD_CTX_free,EVP_PKEY_free,2_2_00007FFDFAF3177B
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeCode function: 2_2_00007FFDFAF90D90 BN_bin2bn,BN_ucmp,BN_is_zero,CRYPTO_free,CRYPTO_strdup,2_2_00007FFDFAF90D90
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeCode function: 2_2_00007FFDFAF4CDA0 CRYPTO_get_ex_new_index,2_2_00007FFDFAF4CDA0
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeCode function: 2_2_00007FFDFAF78DD2 CRYPTO_free,CRYPTO_free,2_2_00007FFDFAF78DD2
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeCode function: 2_2_00007FFDFAF4CE00 i2d_X509_NAME,i2d_X509_NAME,memcmp,CRYPTO_free,CRYPTO_free,2_2_00007FFDFAF4CE00
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeCode function: 2_2_00007FFDFAF31A50 OPENSSL_cleanse,CRYPTO_free,CRYPTO_memdup,OPENSSL_cleanse,CRYPTO_memcmp,2_2_00007FFDFAF31A50
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeCode function: 2_2_00007FFDFAF88E20 CRYPTO_memcmp,2_2_00007FFDFAF88E20
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeCode function: 2_2_00007FFDFAF32554 BIO_s_file,BIO_new,BIO_ctrl,strncmp,strncmp,CRYPTO_realloc,memcpy,CRYPTO_free,CRYPTO_free,CRYPTO_free,PEM_read_bio,ERR_put_error,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,BIO_free,2_2_00007FFDFAF32554
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeCode function: 2_2_00007FFDFAF31BE0 EVP_MD_size,RAND_bytes,_time64,CRYPTO_free,CRYPTO_memdup,2_2_00007FFDFAF31BE0
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeCode function: 2_2_00007FFDFAF7AE50 CRYPTO_malloc,EVP_DigestUpdate,EVP_MD_CTX_free,EVP_PKEY_CTX_free,EVP_PKEY_CTX_free,CRYPTO_clear_free,EVP_MD_CTX_free,2_2_00007FFDFAF7AE50
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeCode function: 2_2_00007FFDFAF31802 CRYPTO_strdup,2_2_00007FFDFAF31802
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeCode function: 2_2_00007FFDFAF324FA CRYPTO_THREAD_write_lock,CRYPTO_THREAD_unlock,2_2_00007FFDFAF324FA
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeCode function: 2_2_00007FFDFAF31DC0 BN_dup,BN_dup,BN_dup,BN_dup,BN_dup,BN_dup,BN_dup,BN_dup,CRYPTO_strdup,CRYPTO_strdup,ERR_put_error,CRYPTO_free,CRYPTO_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,2_2_00007FFDFAF31DC0
            Source: 231210-10-Creal-33652f.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
            Source: Binary string: C:\src\pywin32\build\temp.win-amd64-cpython-310\Release\pythoncom.pdb source: 231210-10-Creal-33652f.exe, 00000002.00000002.3094480819.00007FFDFF3AC000.00000002.00000001.01000000.00000012.sdmp
            Source: Binary string: C:\A\40\b\bin\amd64\sqlite3.pdb source: 231210-10-Creal-33652f.exe, 00000002.00000002.3091796977.00007FFDFAEE8000.00000002.00000001.01000000.0000001A.sdmp
            Source: Binary string: D:\_w\1\b\libssl-1_1.pdb source: 231210-10-Creal-33652f.exe, 00000002.00000002.3092087856.00007FFDFAFA6000.00000002.00000001.01000000.00000016.sdmp
            Source: Binary string: C:\A\40\b\bin\amd64\_uuid.pdb source: 231210-10-Creal-33652f.exe, 00000001.00000003.1837579633.0000029146807000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000002.00000002.3105827665.00007FFE11072000.00000002.00000001.01000000.0000001C.sdmp, 231210-10-Creal-33652f.exe, 0000000A.00000003.2001269368.0000013616BEA000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: C:\src\pywin32\build\temp.win-amd64-cpython-310\Release\pythoncom.pdb}},GCTL source: 231210-10-Creal-33652f.exe, 00000002.00000002.3094480819.00007FFDFF3AC000.00000002.00000001.01000000.00000012.sdmp
            Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM source: 231210-10-Creal-33652f.exe, 00000002.00000002.3092953365.00007FFDFB22E000.00000002.00000001.01000000.00000015.sdmp
            Source: Binary string: C:\A\40\b\bin\amd64\python3.pdb source: 231210-10-Creal-33652f.exe, 00000001.00000003.1847460005.0000029146809000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000002.00000002.3085152643.000001CD61160000.00000002.00000001.01000000.00000007.sdmp, 231210-10-Creal-33652f.exe, 0000000A.00000003.2007629779.0000013616BEA000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: 231210-10-Creal-33652f.exe, 00000001.00000003.1834079339.0000029146807000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000002.00000002.3108203122.00007FFE13311000.00000002.00000001.01000000.00000006.sdmp, 231210-10-Creal-33652f.exe, 0000000A.00000003.1999017144.0000013616BEA000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: C:\A\40\b\bin\amd64\_ctypes.pdb source: 231210-10-Creal-33652f.exe, 00000002.00000002.3107187638.00007FFE126F0000.00000002.00000001.01000000.00000008.sdmp
            Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: 231210-10-Creal-33652f.exe, 00000001.00000003.1834079339.0000029146807000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000002.00000002.3108203122.00007FFE13311000.00000002.00000001.01000000.00000006.sdmp, 231210-10-Creal-33652f.exe, 0000000A.00000003.1999017144.0000013616BEA000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: C:\A\40\b\bin\amd64\_queue.pdb source: 231210-10-Creal-33652f.exe, 00000001.00000003.1836375943.0000029146807000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000002.00000002.3107689378.00007FFE130C3000.00000002.00000001.01000000.0000000F.sdmp, 231210-10-Creal-33652f.exe, 0000000A.00000003.2000625614.0000013616BEA000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 0000000B.00000002.3106489836.00007FFDFFCD3000.00000002.00000001.01000000.0000003E.sdmp
            Source: Binary string: C:\A\40\b\bin\amd64\_sqlite3.pdb source: 231210-10-Creal-33652f.exe, 00000002.00000002.3102786848.00007FFE0EB2C000.00000002.00000001.01000000.00000019.sdmp
            Source: Binary string: C:\A\40\b\bin\amd64\_overlapped.pdb source: 231210-10-Creal-33652f.exe, 00000001.00000003.1836180921.0000029146807000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000002.00000002.3106654341.00007FFE120C5000.00000002.00000001.01000000.00000018.sdmp, 231210-10-Creal-33652f.exe, 0000000A.00000003.2000537649.0000013616BEA000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: C:\A\40\b\bin\amd64\python310.pdb source: 231210-10-Creal-33652f.exe, 00000002.00000002.3093745689.00007FFDFB674000.00000002.00000001.01000000.00000005.sdmp
            Source: Binary string: C:\src\pywin32\build\temp.win-amd64-cpython-310\Release\pywintypes.pdb source: 231210-10-Creal-33652f.exe, 00000002.00000002.3103304948.00007FFE0EB50000.00000002.00000001.01000000.00000010.sdmp
            Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: 231210-10-Creal-33652f.exe, 00000001.00000003.1834288865.0000029146807000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000002.00000002.3107494140.00007FFE12E15000.00000002.00000001.01000000.00000011.sdmp, 231210-10-Creal-33652f.exe, 0000000A.00000003.1999175950.0000013616BEA000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: C:\A\40\b\bin\amd64\_lzma.pdbNN source: 231210-10-Creal-33652f.exe, 00000001.00000003.1835667756.0000029146807000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000002.00000002.3106339246.00007FFE1151C000.00000002.00000001.01000000.0000000B.sdmp, 231210-10-Creal-33652f.exe, 0000000A.00000003.2000244257.0000013616BEA000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 0000000B.00000002.3106226098.00007FFDFF6DC000.00000002.00000001.01000000.0000003A.sdmp
            Source: Binary string: C:\A\40\b\bin\amd64\_asyncio.pdb source: 231210-10-Creal-33652f.exe, 00000001.00000003.1834436600.0000029146807000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000002.00000002.3103871386.00007FFE101D7000.00000002.00000001.01000000.00000017.sdmp, 231210-10-Creal-33652f.exe, 0000000A.00000003.1999307273.0000013616BEA000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: C:\A\40\b\bin\amd64\_lzma.pdb source: 231210-10-Creal-33652f.exe, 00000001.00000003.1835667756.0000029146807000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000002.00000002.3106339246.00007FFE1151C000.00000002.00000001.01000000.0000000B.sdmp, 231210-10-Creal-33652f.exe, 0000000A.00000003.2000244257.0000013616BEA000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 0000000B.00000002.3106226098.00007FFDFF6DC000.00000002.00000001.01000000.0000003A.sdmp
            Source: Binary string: C:\A\40\b\bin\amd64\_multiprocessing.pdb source: 231210-10-Creal-33652f.exe, 00000001.00000003.1835977889.0000029146807000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 0000000A.00000003.2000410857.0000013616BEA000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: C:\src\pywin32\build\temp.win-amd64-cpython-310\Release\win32api.pdb!! source: 231210-10-Creal-33652f.exe, 00000002.00000002.3101827149.00007FFE0E173000.00000002.00000001.01000000.00000013.sdmp, 231210-10-Creal-33652f.exe, 0000000B.00000002.3103316403.00007FFDFF193000.00000002.00000001.01000000.00000042.sdmp
            Source: Binary string: C:\A\40\b\bin\amd64\select.pdb source: 231210-10-Creal-33652f.exe, 00000002.00000002.3107919344.00007FFE13243000.00000002.00000001.01000000.0000000D.sdmp, 231210-10-Creal-33652f.exe, 0000000A.00000003.2010096133.0000013616BEA000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: C:\A\40\b\bin\amd64\unicodedata.pdb source: 231210-10-Creal-33652f.exe, 00000002.00000002.3091090461.00007FFDFADAC000.00000002.00000001.01000000.0000001F.sdmp, 231210-10-Creal-33652f.exe, 0000000A.00000003.2014998039.0000013616BEA000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: D:\_w\1\b\libssl-1_1.pdb@@ source: 231210-10-Creal-33652f.exe, 00000002.00000002.3092087856.00007FFDFAFA6000.00000002.00000001.01000000.00000016.sdmp
            Source: Binary string: C:\src\pywin32\build\temp.win-amd64-cpython-310\Release\win32api.pdb source: 231210-10-Creal-33652f.exe, 00000002.00000002.3101827149.00007FFE0E173000.00000002.00000001.01000000.00000013.sdmp, 231210-10-Creal-33652f.exe, 0000000B.00000002.3103316403.00007FFDFF193000.00000002.00000001.01000000.00000042.sdmp
            Source: Binary string: C:\A\40\b\bin\amd64\_socket.pdb source: 231210-10-Creal-33652f.exe, 00000001.00000003.1836493645.0000029146807000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000002.00000002.3105506912.00007FFE10308000.00000002.00000001.01000000.0000000C.sdmp, 231210-10-Creal-33652f.exe, 0000000A.00000003.2000725378.0000013616BEA000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: C:\A\40\b\bin\amd64\_ssl.pdb source: 231210-10-Creal-33652f.exe, 00000002.00000002.3100480589.00007FFE0E13D000.00000002.00000001.01000000.00000014.sdmp
            Source: Binary string: C:\src\pywin32\build\temp.win-amd64-cpython-310\Release\pywintypes.pdb** source: 231210-10-Creal-33652f.exe, 00000002.00000002.3103304948.00007FFE0EB50000.00000002.00000001.01000000.00000010.sdmp
            Source: Binary string: C:\src\pywin32\build\temp.win-amd64-cpython-310\Release\_win32sysloader.pdb source: 231210-10-Creal-33652f.exe, 0000000A.00000003.2015317190.0000013616BEA000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: C:\src\pywin32\build\temp.win-amd64-cpython-310\Release\win32trace.pdb source: 231210-10-Creal-33652f.exe, 0000000A.00000003.2015648825.0000013616BEA000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: C:\A\40\b\bin\amd64\_bz2.pdb source: 231210-10-Creal-33652f.exe, 00000001.00000003.1834637696.0000029146807000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000002.00000002.3106970433.00007FFE126CD000.00000002.00000001.01000000.0000000A.sdmp, 231210-10-Creal-33652f.exe, 0000000A.00000003.1999439755.0000013616BEA000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASMOpenSSL 1.1.1q 5 Jul 2022built on: Thu Aug 18 20:15:42 2022 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-1_1"not available source: 231210-10-Creal-33652f.exe, 00000002.00000002.3092953365.00007FFDFB22E000.00000002.00000001.01000000.00000015.sdmp
            Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdbGCTL source: 231210-10-Creal-33652f.exe, 00000001.00000003.1834288865.0000029146807000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000002.00000002.3107494140.00007FFE12E15000.00000002.00000001.01000000.00000011.sdmp, 231210-10-Creal-33652f.exe, 0000000A.00000003.1999175950.0000013616BEA000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: C:\A\40\b\bin\amd64\_hashlib.pdb source: 231210-10-Creal-33652f.exe, 00000001.00000003.1835504040.0000029146807000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000002.00000002.3106122302.00007FFE110F6000.00000002.00000001.01000000.0000001B.sdmp, 231210-10-Creal-33652f.exe, 0000000A.00000003.2000090134.0000013616BEA000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: D:\_w\1\b\libcrypto-1_1.pdb source: 231210-10-Creal-33652f.exe, 00000002.00000002.3092953365.00007FFDFB2B0000.00000002.00000001.01000000.00000015.sdmp
            Source: Binary string: C:\A\40\b\bin\amd64\pyexpat.pdb source: 231210-10-Creal-33652f.exe, 00000002.00000002.3105067023.00007FFE10252000.00000002.00000001.01000000.0000000E.sdmp
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exe Code function: 1_2_00007FF780477CFC _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,1_2_00007FF780477CFC
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exe Code function: 1_2_00007FF780481D94 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,1_2_00007FF780481D94
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exe Code function: 1_2_00007FF780468880 FindFirstFileExW,FindClose,1_2_00007FF780468880
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe Code function: 10_2_00007FF60F528880 FindFirstFileExW,FindClose,10_2_00007FF60F528880
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe Code function: 10_2_00007FF60F537CFC _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,10_2_00007FF60F537CFC
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe Code function: 10_2_00007FF60F541D94 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,10_2_00007FF60F541D94
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe Code function: 11_2_00007FFDFA4F3229 _errno,malloc,_errno,memset,MultiByteToWideChar,GetLastError,MultiByteToWideChar,MultiByteToWideChar,free,_errno,FindFirstFileW,_errno,FindNextFileW,WideCharToMultiByte,11_2_00007FFDFA4F3229
            Source: C:\Windows\System32\cmd.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\
            Source: C:\Windows\System32\cmd.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\
            Source: C:\Windows\System32\cmd.exe File opened: C:\Users\user\AppData\
            Source: C:\Windows\System32\cmd.exe File opened: C:\Users\user\AppData\Roaming\
            Source: C:\Windows\System32\cmd.exe File opened: C:\Users\user\
            Source: C:\Windows\System32\cmd.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
            Source: Joe Sandbox View IP Address: 104.26.12.205
            Source: Joe Sandbox View IP Address: 159.89.102.253
            Source: Joe Sandbox View IP Address: 172.67.74.152
            Source: Joe Sandbox View ASN Name: DIGITALOCEAN-ASNUS
            Source: unknown DNS query: name: api.ipify.org
            Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: global traffic HTTP traffic detected: GET / HTTP/1.1 Accept-Encoding: identity Host: api.ipify.org User-Agent: Python-urllib/3.10 Connection: close
            Source: global traffic DNS traffic detected: DNS query: api.ipify.org
            Source: global traffic DNS traffic detected: DNS query: api.gofile.io
            Source: global traffic DNS traffic detected: DNS query: geolocation-db.com
            Source: global traffic DNS traffic detected: DNS query: 198.187.3.20.in-addr.arpa
            Source: 231210-10-Creal-33652f.exe, 00000002.00000002.3089434586.000001CD635C0000.00000004.00001000.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 0000000B.00000002.3089335853.000001AFC17C0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://.../back.jpeg
            Source: 231210-10-Creal-33652f.exe, 00000002.00000002.3089140867.000001CD632B0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://aka.ms/vcpython27
            Source: 231210-10-Creal-33652f.exe, 00000002.00000002.3088235595.000001CD62C20000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000002.00000002.3088018698.000001CD62B76000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000002.00000003.1898462781.000001CD62D74000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000002.00000002.3086477228.000001CD62256000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000002.00000003.1898462781.000001CD62C8B000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000002.00000002.3086477228.000001CD620F2000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000002.00000002.3088235595.000001CD62C78000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000002.00000003.1898462781.000001CD62C75000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000002.00000002.3088235595.000001CD62C8B000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000002.00000002.3088018698.000001CD62B06000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000002.00000002.3086477228.000001CD62377000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 0000000B.00000002.3088647877.000001AFC108F000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 0000000B.00000002.3086390224.000001AFC0363000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 0000000B.00000002.3086390224.000001AFC04E5000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 0000000B.00000002.3086390224.000001AFC01C0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://blog.cryptographyengineering.com/2012/05/how-to-choose-authenticated-encryption.html
            Source: 231210-10-Creal-33652f.exe, 00000002.00000002.3089779330.000001CD639B0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://bugs.python.org/issue23606)
            Source: 231210-10-Creal-33652f.exe, 00000001.00000003.1846172156.0000029146809000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 0000000A.00000003.2006862452.0000013616BEA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
            Source: 231210-10-Creal-33652f.exe, 00000001.00000003.1837579633.0000029146814000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000001.00000003.1846689847.0000029146809000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000001.00000003.1836849584.0000029146807000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000001.00000003.1847460005.0000029146809000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000001.00000003.1836493645.0000029146807000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000001.00000003.1834637696.0000029146807000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000001.00000003.1835070660.0000029146807000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000001.00000003.1836375943.0000029146807000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000001.00000003.1835256745.0000029146807000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000001.00000003.1836661908.0000029146807000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000001.00000003.1836180921.0000029146807000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000001.00000003.1835667756.0000029146807000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000001.00000003.1843775856.0000029146809000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000001.00000003.1835977889.0000029146807000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000001.00000003.1846349323.0000029146809000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000001.00000003.1848254768.0000029146809000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000001.00000003.1837579633.0000029146807000.00000004.00000020.00020000.00000000.sdmp, 
231210-10-Creal-33652f.exe, 00000001.00000003.1835504040.0000029146807000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000001.00000003.1834436600.0000029146807000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 0000000A.00000003.2000867888.0000013616BEA000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 0000000A.00000003.2014998039.0000013616BEA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
            Source: 231210-10-Creal-33652f.exe, 00000001.00000003.1846172156.0000029146809000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 0000000A.00000003.2006862452.0000013616BEA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
            Source: 231210-10-Creal-33652f.exe, 00000001.00000003.1846689847.0000029146809000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000001.00000003.1836849584.0000029146807000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000001.00000003.1847460005.0000029146809000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000001.00000003.1836493645.0000029146807000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000001.00000003.1834637696.0000029146807000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000001.00000003.1835070660.0000029146807000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000001.00000003.1836375943.0000029146807000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000001.00000003.1843775856.0000029146813000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000001.00000003.1835256745.0000029146807000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000001.00000003.1836661908.0000029146807000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000001.00000003.1836180921.0000029146807000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000001.00000003.1835667756.0000029146807000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000001.00000003.1835977889.0000029146807000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000001.00000003.1846349323.0000029146809000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000001.00000003.1848254768.0000029146809000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000001.00000003.1837579633.0000029146807000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000001.00000003.1835504040.0000029146807000.00000004.00000020.00020000.00000000.sdmp, 
231210-10-Creal-33652f.exe, 00000001.00000003.1837579633.0000029146807000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000001.00000003.1835504040.0000029146807000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000001.00000003.1834436600.0000029146807000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 0000000A.00000003.2000867888.0000013616BEA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0A
            Source: 231210-10-Creal-33652f.exe, 00000001.00000003.1837579633.0000029146814000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000001.00000003.1846689847.0000029146809000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000001.00000003.1836849584.0000029146807000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000001.00000003.1847460005.0000029146809000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000001.00000003.1836493645.0000029146807000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000001.00000003.1834637696.0000029146807000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000001.00000003.1835070660.0000029146807000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000001.00000003.1836375943.0000029146807000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000001.00000003.1835256745.0000029146807000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000001.00000003.1836661908.0000029146807000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000001.00000003.1836180921.0000029146807000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000001.00000003.1835667756.0000029146807000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000001.00000003.1843775856.0000029146809000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000001.00000003.1835977889.0000029146807000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000001.00000003.1846172156.0000029146809000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000001.00000003.1846349323.0000029146809000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000001.00000003.1848254768.0000029146809000.00000004.00000020.00020000.00000000.sdmp, 
231210-10-Creal-33652f.exe, 00000001.00000003.1837579633.0000029146807000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000001.00000003.1835504040.0000029146807000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000001.00000003.1834436600.0000029146807000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 0000000A.00000003.2000867888.0000013616BEA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0C
            Source: 231210-10-Creal-33652f.exe, 00000001.00000003.1846172156.0000029146809000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 0000000A.00000003.2006862452.0000013616BEA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0N
            Source: 231210-10-Creal-33652f.exe, 00000001.00000003.1846689847.0000029146809000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000001.00000003.1836849584.0000029146807000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000001.00000003.1847460005.0000029146809000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000001.00000003.1836493645.0000029146807000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000001.00000003.1834637696.0000029146807000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000001.00000003.1835070660.0000029146807000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000001.00000003.1836375943.0000029146807000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000001.00000003.1835256745.0000029146807000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000001.00000003.1836661908.0000029146807000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000001.00000003.1836180921.0000029146807000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000001.00000003.1835667756.0000029146807000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000001.00000003.1843775856.0000029146809000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000001.00000003.1835977889.0000029146807000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000001.00000003.1846349323.0000029146809000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000001.00000003.1848254768.0000029146809000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000001.00000003.1837579633.0000029146807000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000001.00000003.1835504040.0000029146807000.00000004.00000020.00020000.00000000.sdmp, 
231210-10-Creal-33652f.exe, 00000001.00000003.1834436600.0000029146807000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 0000000A.00000003.2000867888.0000013616BEA000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 0000000A.00000003.2014998039.0000013616BEA000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 0000000A.00000003.2001269368.0000013616BEA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0X
            Source: 231210-10-Creal-33652f.exe, 00000001.00000003.1846172156.0000029146809000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 0000000A.00000003.2006862452.0000013616BEA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.thawte.com0
            Source: 231210-10-Creal-33652f.exe, 00000002.00000002.3085684455.000001CD61A50000.00000004.00001000.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000002.00000002.3086072974.000001CD61D50000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://opensource.apple.com/source/CF/CF-744.18/CFBinaryPList.c
            Source: 231210-10-Creal-33652f.exe, 00000002.00000003.1896636244.000001CD62DB5000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000002.00000002.3088018698.000001CD62BDB000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000002.00000003.1898315293.000001CD62BDB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://repository.swisssign.com/
            Source: 231210-10-Creal-33652f.exe, 00000002.00000003.1898462781.000001CD62C75000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://repository.swisssign.com/0
            Source: 231210-10-Creal-33652f.exe, 00000002.00000002.3085771881.000001CD61B70000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://repository.swisssign.com/C
            Source: 231210-10-Creal-33652f.exe, 00000002.00000002.3087546457.000001CD626B0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://stackoverflow.com/questions/19622133/
            Source: 231210-10-Creal-33652f.exe, 00000002.00000002.3086477228.000001CD62256000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 0000000B.00000002.3086390224.000001AFC0363000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://tools.ietf.org/html/rfc4880
            Source: 231210-10-Creal-33652f.exe, 00000002.00000002.3089985729.000001CD63A90000.00000004.00001000.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000002.00000002.3089779330.000001CD63994000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://tools.ietf.org/html/rfc5297
            Source: 231210-10-Creal-33652f.exe, 00000002.00000003.1898462781.000001CD62C8B000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000002.00000002.3088235595.000001CD62C8B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://tools.ietf.org/html/rfc5869
            Source: 231210-10-Creal-33652f.exe, 00000002.00000002.3089641413.000001CD63878000.00000004.00001000.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 0000000B.00000002.3089534854.000001AFC1A38000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://tools.ietf.org/html/rfc6125#section-6.4.3
            Source: 231210-10-Creal-33652f.exe, 00000001.00000003.1846172156.0000029146809000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 0000000A.00000003.2006862452.0000013616BEA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
            Source: 231210-10-Creal-33652f.exe, 00000001.00000003.1846172156.0000029146809000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 0000000A.00000003.2006862452.0000013616BEA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
            Source: 231210-10-Creal-33652f.exe, 00000001.00000003.1846172156.0000029146809000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 0000000A.00000003.2006862452.0000013616BEA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ts-ocsp.ws.symantec.com07
            Source: 231210-10-Creal-33652f.exe, 00000002.00000002.3085771881.000001CD61B70000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 0000000B.00000002.3088647877.000001AFC108F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://web.cs.ucdavis.edu/~rogaway/ocb/license.htm
            Source: 231210-10-Creal-33652f.exe, 00000002.00000003.1896889890.000001CD62DE4000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000002.00000003.1896889890.000001CD62DCA000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000002.00000003.1896636244.000001CD62DB5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt0
            Source: 231210-10-Creal-33652f.exe, 00000002.00000003.1896889890.000001CD62DE4000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000002.00000003.1896889890.000001CD62DCA000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000002.00000003.1899002674.000001CD62DDD000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000002.00000003.1896636244.000001CD62DB5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl0
            Source: 231210-10-Creal-33652f.exe, 00000002.00000003.1898892608.000001CD6246A000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000002.00000002.3086477228.000001CD6245D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.accv.es/legislacion_c.htm
            Source: 231210-10-Creal-33652f.exe, 00000002.00000003.1896889890.000001CD62DE4000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000002.00000003.1896889890.000001CD62DCA000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000002.00000003.1899002674.000001CD62DDD000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000002.00000003.1896636244.000001CD62DB5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.accv.es/legislacion_c.htm0U
            Source: 231210-10-Creal-33652f.exe, 00000002.00000003.1896889890.000001CD62DE4000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000002.00000003.1896889890.000001CD62DCA000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000002.00000003.1899002674.000001CD62DDD000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000002.00000003.1898892608.000001CD6246A000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000002.00000002.3086477228.000001CD6245D000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000002.00000003.1896636244.000001CD62DB5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.accv.es00
            Source: 231210-10-Creal-33652f.exe, 00000002.00000002.3086183664.000001CD61E60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.apple.com/DTDs/PropertyList-1.0.dtd
            Source: 231210-10-Creal-33652f.exe, 00000002.00000003.1896889890.000001CD62DE4000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000002.00000003.1898211795.000001CD62DF7000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000002.00000003.1898292468.000001CD62DFF000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 0000000B.00000002.3085426778.000001AFBFA25000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.cert.fnmt.es/dpcs/
            Source: 231210-10-Creal-33652f.exe, 00000002.00000003.1896889890.000001CD62DE4000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000002.00000003.1898211795.000001CD62DF7000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000002.00000003.1898292468.000001CD62DFF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.cert.fnmt.es/dpcs/CU
            Source: 231210-10-Creal-33652f.exe, 00000002.00000003.1898462781.000001CD62C8B000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000002.00000002.3088235595.000001CD62C78000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000002.00000003.1898462781.000001CD62C75000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000002.00000002.3088235595.000001CD62C8B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.cs.ucdavis.edu/~rogaway/papers/keywrap.pdf
            Source: 231210-10-Creal-33652f.exe, 00000002.00000002.3089779330.000001CD63A48000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.dabeaz.com/ply)
            Source: 231210-10-Creal-33652f.exe, 0000000B.00000003.2039786013.000001AFC0EAC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.dabeaz.com/ply)F
            Source: 231210-10-Creal-33652f.exe, 00000001.00000003.1846689847.0000029146809000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000001.00000003.1836849584.0000029146807000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000001.00000003.1847460005.0000029146809000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000001.00000003.1836493645.0000029146807000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000001.00000003.1834637696.0000029146807000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000001.00000003.1835070660.0000029146807000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000001.00000003.1836375943.0000029146807000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000001.00000003.1843775856.0000029146813000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000001.00000003.1835256745.0000029146807000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000001.00000003.1836661908.0000029146807000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000001.00000003.1836180921.0000029146807000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000001.00000003.1835667756.0000029146807000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000001.00000003.1835977889.0000029146807000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000001.00000003.1846349323.0000029146809000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000001.00000003.1848254768.0000029146809000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000001.00000003.1837579633.0000029146807000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000001.00000003.1835504040.0000029146807000.00000004.00000020.00020000.00000000.sdmp, 
231210-10-Creal-33652f.exe, 00000001.00000003.1834436600.0000029146807000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 0000000A.00000003.2000867888.0000013616BEA000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 0000000A.00000003.2006041820.0000013616BF4000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 0000000A.00000003.2014998039.0000013616BEA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.digicert.com/CPS0
            Source: 231210-10-Creal-33652f.exe, 00000002.00000003.1896889890.000001CD62DCA000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000002.00000003.1896636244.000001CD62DB5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.firmaprofesional.com/cps0
            Source: 231210-10-Creal-33652f.exe, 00000002.00000003.1865445286.000001CD623B0000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000002.00000002.3086477228.000001CD62377000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 0000000B.00000003.2035198256.000001AFC03F1000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 0000000B.00000002.3086390224.000001AFC0363000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6
            Source: 231210-10-Creal-33652f.exe, 00000002.00000002.3086477228.000001CD62256000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 0000000B.00000002.3086390224.000001AFC0363000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.quovadisglobal.com/cps0
            Source: 231210-10-Creal-33652f.exe, 00000002.00000002.3085771881.000001CD61B70000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 0000000B.00000002.3088647877.000001AFC108F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.rfc-editor.org/info/rfc7253
            Source: 231210-10-Creal-33652f.exe, 00000002.00000002.3088235595.000001CD62C20000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.tarsnap.com/scrypt/scrypt-slides.pdf
            Source: 231210-10-Creal-33652f.exe, 00000002.00000002.3088018698.000001CD62B06000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://wwwsearch.sf.net/):
            Source: 231210-10-Creal-33652f.exe, 00000002.00000002.3089335128.000001CD634B0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://aliexpress.com)
            Source: 231210-10-Creal-33652f.exe, 00000002.00000002.3088018698.000001CD62B06000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://aliexpress.com)z&
            Source: 231210-10-Creal-33652f.exe, 00000002.00000002.3089335128.000001CD634B0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://amazon.com)
            Source: 231210-10-Creal-33652f.exe, 00000002.00000002.3088018698.000001CD62B06000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://amazon.com)z
            Source: 231210-10-Creal-33652f.exe, 00000002.00000002.3090204077.000001CD63C8C000.00000004.00001000.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 0000000B.00000002.3090091504.000001AFC1DD8000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://api.gofile.io/getServer
            Source: 231210-10-Creal-33652f.exe, 00000002.00000002.3088018698.000001CD62B06000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.gofile.io/getServerr
            Source: 231210-10-Creal-33652f.exe, 00000002.00000002.3089335128.000001CD634B0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org
            Source: 231210-10-Creal-33652f.exe, 00000002.00000002.3088018698.000001CD62B06000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org)
            Source: 231210-10-Creal-33652f.exe, 00000002.00000002.3089335128.000001CD634B0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://binance.com)
            Source: 231210-10-Creal-33652f.exe, 00000002.00000002.3088018698.000001CD62B06000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://binance.com)z
            Source: 231210-10-Creal-33652f.exe, 0000000A.00000003.2011335325.0000013616BEA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://blog.jaraco.com/skeleton
            Source: 231210-10-Creal-33652f.exe, 00000002.00000002.3087546457.000001CD626B0000.00000004.00001000.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000002.00000002.3087647567.000001CD627B0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://bugs.python.org/issue44497.
            Source: 231210-10-Creal-33652f.exe, 00000002.00000002.3089335128.000001CD634B0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://cdn.discordapp.com/avatars/
            Source: 231210-10-Creal-33652f.exeString found in binary or memory: https://cffi.readthedocs.io/en/latest/using.html#callbacks
            Source: 231210-10-Creal-33652f.exe, 0000000A.00000003.2011335325.0000013616BEA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://codecov.io/gh/pypa/setuptools
            Source: 231210-10-Creal-33652f.exe, 00000002.00000002.3089335128.000001CD634B0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://coinbase.com)
            Source: 231210-10-Creal-33652f.exe, 00000002.00000002.3088018698.000001CD62B06000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://coinbase.com)z
            Source: 231210-10-Creal-33652f.exe, 00000002.00000002.3089335128.000001CD634B0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://crunchyroll.com)
            Source: 231210-10-Creal-33652f.exe, 00000002.00000002.3088018698.000001CD62B06000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://crunchyroll.com)z
            Source: 231210-10-Creal-33652f.exe, 00000001.00000003.1839306790.000002914680B000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 0000000A.00000003.2002971437.0000013616BEA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cryptography.io
            Source: 231210-10-Creal-33652f.exe, 0000000A.00000003.2002971437.0000013616BEA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cryptography.io/
            Source: 231210-10-Creal-33652f.exe, 00000001.00000003.1839306790.000002914680B000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 0000000A.00000003.2002971437.0000013616BEA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cryptography.io/en/latest/changelog/
            Source: 231210-10-Creal-33652f.exe, 00000001.00000003.1839306790.000002914680B000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 0000000A.00000003.2002971437.0000013616BEA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cryptography.io/en/latest/installation/
            Source: 231210-10-Creal-33652f.exe, 00000001.00000003.1839306790.000002914680B000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 0000000A.00000003.2002971437.0000013616BEA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cryptography.io/en/latest/security/
            Source: 231210-10-Creal-33652f.exe, 00000002.00000002.3089335128.000001CD634B0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://discord.com)
            Source: 231210-10-Creal-33652f.exe, 00000002.00000002.3088018698.000001CD62B06000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://discord.com)z
            Source: 231210-10-Creal-33652f.exe, 00000002.00000002.3089335128.000001CD634B0000.00000004.00001000.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000002.00000002.3088018698.000001CD62B06000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://discord.com/api/users/
            Source: 231210-10-Creal-33652f.exe, 00000002.00000002.3089335128.000001CD634B0000.00000004.00001000.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000002.00000002.3088018698.000001CD62B06000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://discord.com/api/v6/users/
            Source: 231210-10-Creal-33652f.exe, 00000002.00000002.3089335128.000001CD634B0000.00000004.00001000.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000002.00000002.3088018698.000001CD62B06000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://discord.com/api/webhooks/1181954406556643419/PdEX76ogNfGmtUmoAaCRcao4ZsPmjMQdocVt9Gw6WKQiJiH
            Source: 231210-10-Creal-33652f.exe, 0000000A.00000003.2011335325.0000013616BEA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://discord.com/channels/803025117553754132/815945031150993468
            Source: 231210-10-Creal-33652f.exe, 00000002.00000002.3089335128.000001CD634B0000.00000004.00001000.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000002.00000002.3088018698.000001CD62B06000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://discordapp.com/api/v6/users/
            Source: 231210-10-Creal-33652f.exe, 00000002.00000002.3089335128.000001CD634B0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://disney.com)
            Source: 231210-10-Creal-33652f.exe, 00000002.00000002.3088018698.000001CD62B06000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://disney.com)z$
            Source: 231210-10-Creal-33652f.exe, 00000002.00000003.1863609483.000001CD622E2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.python.org/3/library/pprint.ht
            Source: 231210-10-Creal-33652f.exe, 00000002.00000002.3088018698.000001CD62B06000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steam.com)z
            Source: 231210-10-Creal-33652f.exe, 00000002.00000002.3089335128.000001CD634B0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://telegram.com)
            Source: 231210-10-Creal-33652f.exe, 00000002.00000002.3088018698.000001CD62B06000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://telegram.com)z
            Source: 231210-10-Creal-33652f.exe, 0000000A.00000003.2011335325.0000013616BEA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://tidelift.com/badges/github/pypa/setuptools?style=flat
            Source: 231210-10-Creal-33652f.exe, 0000000A.00000003.2011335325.0000013616BEA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://tidelift.com/security
            Source: 231210-10-Creal-33652f.exe, 0000000A.00000003.2011335325.0000013616BEA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://tidelift.com/subscription/pkg/pypi-setuptools?utm_source=pypi-setuptools&utm_medium=readme
            Source: 231210-10-Creal-33652f.exe, 0000000A.00000003.2011335325.0000013616BEA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://tidelift.com/subscription/pkg/pypi-setuptools?utm_source=pypi-setuptools&utm_medium=referral
            Source: 231210-10-Creal-33652f.exe, 00000002.00000002.3089335128.000001CD634B0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://tiktok.com)
            Source: 231210-10-Creal-33652f.exe, 00000002.00000002.3088018698.000001CD62B06000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://tiktok.com)z
            Source: 231210-10-Creal-33652f.exe, 00000002.00000002.3085771881.000001CD61B70000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://tools.ietf.org/html/rfc2388#section-4.4
            Source: 231210-10-Creal-33652f.exe, 00000002.00000002.3086477228.000001CD62256000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000002.00000002.3088235595.000001CD62C78000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000002.00000003.1898462781.000001CD62C75000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 0000000B.00000002.3086390224.000001AFC0363000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://tools.ietf.org/html/rfc3610
            Source: 231210-10-Creal-33652f.exe, 00000002.00000003.1898462781.000001CD62C8B000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000002.00000002.3088235595.000001CD62C78000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000002.00000003.1898462781.000001CD62C75000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000002.00000002.3088235595.000001CD62C8B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://tools.ietf.org/html/rfc5297
            Source: 231210-10-Creal-33652f.exe, 00000002.00000002.3089335128.000001CD634B0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://twitch.com)
            Source: 231210-10-Creal-33652f.exe, 00000002.00000002.3088018698.000001CD62B06000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://twitch.com)z
            Source: 231210-10-Creal-33652f.exe, 00000002.00000002.3089335128.000001CD634B0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://twitter.com)
            Source: 231210-10-Creal-33652f.exe, 00000002.00000002.3088018698.000001CD62B06000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://twitter.com)z
            Source: 231210-10-Creal-33652f.exe, 00000002.00000002.3085771881.000001CD61B70000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000002.00000002.3088018698.000001CD62B06000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://twitter.com/
            Source: 231210-10-Creal-33652f.exe, 00000002.00000002.3089335128.000001CD634B0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://uber.com)
            Source: 231210-10-Creal-33652f.exe, 00000002.00000002.3088018698.000001CD62B06000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://uber.com)z
            Source: 231210-10-Creal-33652f.exe, 00000002.00000002.3086183664.000001CD61E60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://upload.pypi.org/legacy/
            Source: 231210-10-Creal-33652f.exe, 00000002.00000002.3089434586.000001CD635C0000.00000004.00001000.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 0000000B.00000002.3089335853.000001AFC17C0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#https-proxy-error-http-proxy
            Source: 231210-10-Creal-33652f.exe, 00000002.00000002.3089434586.000001CD635C0000.00000004.00001000.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 0000000B.00000002.3089335853.000001AFC17C0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warnings
            Source: 231210-10-Creal-33652f.exe, 00000002.00000002.3089434586.000001CD635C0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warnings)
            Source: 231210-10-Creal-33652f.exe, 00000002.00000002.3084657219.000001CD5F7F3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://wiki.debian.org/XDGBaseDirectorySpecification#state
            Source: 231210-10-Creal-33652f.exe, 00000001.00000003.1839028275.0000029146808000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 0000000A.00000003.2002793842.0000013616BEA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.apache.org/licenses/
            Source: 231210-10-Creal-33652f.exe, 00000001.00000003.1839028275.0000029146816000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000001.00000003.1839121269.0000029146816000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000001.00000003.1839288756.0000029146817000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000001.00000003.1839028275.0000029146808000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 0000000A.00000003.2002793842.0000013616BEA000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 0000000A.00000003.2002871800.0000013616BF7000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 0000000A.00000003.2002793842.0000013616BF7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.apache.org/licenses/LICENSE-2.0
            Source: 231210-10-Creal-33652f.exe, 00000001.00000003.1846172156.0000029146809000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 0000000A.00000003.2006862452.0000013616BEA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.digicert.com/CPS0
            Source: 231210-10-Creal-33652f.exe, 00000002.00000002.3086477228.000001CD62256000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.ietf.org/rfc/rfc2898.txt
            Source: 231210-10-Creal-33652f.exe, 00000001.00000003.1846349323.0000029146809000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000002.00000002.3092172130.00007FFDFAFDB000.00000002.00000001.01000000.00000016.sdmp, 231210-10-Creal-33652f.exe, 00000002.00000002.3093293536.00007FFDFB326000.00000002.00000001.01000000.00000015.sdmp, 231210-10-Creal-33652f.exe, 0000000A.00000003.2007062794.0000013616BEA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.openssl.org/H
            Source: 231210-10-Creal-33652f.exe, 00000002.00000002.3086477228.000001CD62377000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 0000000B.00000002.3086390224.000001AFC04E5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.python.org
            Source: 231210-10-Creal-33652f.exe, 00000002.00000002.3088018698.000001CD62B06000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.python.org/
            Source: 231210-10-Creal-33652f.exe, 00000001.00000003.1837762486.0000029146807000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000002.00000002.3085684455.000001CD61A50000.00000004.00001000.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 0000000A.00000003.2001497773.0000013616BEA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.python.org/dev/peps/pep-0205/
            Source: 231210-10-Creal-33652f.exe, 00000002.00000002.3084972109.000001CD61060000.00000004.00001000.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 0000000B.00000002.3085156249.000001AFBF570000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.python.org/download/releases/2.3/mro/.
            Source: 231210-10-Creal-33652f.exe, 00000002.00000003.1896889890.000001CD62DE4000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000002.00000003.1898211795.000001CD62DF7000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000002.00000003.1898292468.000001CD62DFF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://wwww.certigna.fr/autorites/
            Source: 231210-10-Creal-33652f.exe, 00000002.00000003.1896889890.000001CD62DE4000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000002.00000002.3088235595.000001CD62C20000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000002.00000003.1898211795.000001CD62DF7000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000002.00000002.3088890789.000001CD62DFD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://wwww.certigna.fr/autorites/0m
            Source: 231210-10-Creal-33652f.exe, 00000002.00000003.1896889890.000001CD62DE4000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000002.00000003.1898211795.000001CD62DF7000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000002.00000003.1898292468.000001CD62DFF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://wwww.certigna.fr/autorites/6
            Source: 231210-10-Creal-33652f.exe, 00000002.00000002.3089335128.000001CD634B0000.00000004.00001000.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000002.00000002.3088018698.000001CD62B06000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://xbox.com)
            Source: 231210-10-Creal-33652f.exe, 00000002.00000002.3089335128.000001CD634B0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://yahoo.com)
            Source: 231210-10-Creal-33652f.exe, 00000002.00000002.3088018698.000001CD62B06000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://yahoo.com)z
            Source: 231210-10-Creal-33652f.exe, 00000002.00000002.3086477228.000001CD620C2000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000002.00000002.3086477228.000001CD62377000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 0000000B.00000002.3086390224.000001AFC0363000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 0000000B.00000002.3086390224.000001AFC01C0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://yahoo.com/
            Source: 231210-10-Creal-33652f.exe, 00000002.00000002.3089335128.000001CD634B0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://youtube.com)
            Source: 231210-10-Creal-33652f.exe, 00000002.00000002.3088018698.000001CD62B06000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://youtube.com)z
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 10_2_00007FF60F533A9410_2_00007FF60F533A94
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 10_2_00007FF60F53225410_2_00007FF60F532254
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 10_2_00007FF60F53A2E010_2_00007FF60F53A2E0
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 10_2_00007FF60F540DE810_2_00007FF60F540DE8
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 10_2_00007FF60F531A3410_2_00007FF60F531A34
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 10_2_00007FF60F53E9E010_2_00007FF60F53E9E0
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 11_2_00007FFDFA14244011_2_00007FFDFA142440
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 11_2_00007FFDFA141FD011_2_00007FFDFA141FD0
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 11_2_00007FFDFA1545D011_2_00007FFDFA1545D0
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 11_2_00007FFDFA15482011_2_00007FFDFA154820
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 11_2_00007FFDFA161D8011_2_00007FFDFA161D80
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 11_2_00007FFDFA161FF011_2_00007FFDFA161FF0
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 11_2_00007FFDFA1629C011_2_00007FFDFA1629C0
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 11_2_00007FFDFA162EC011_2_00007FFDFA162EC0
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 11_2_00007FFDFA16355011_2_00007FFDFA163550
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 11_2_00007FFDFA1624A011_2_00007FFDFA1624A0
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 11_2_00007FFDFA171D4011_2_00007FFDFA171D40
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 11_2_00007FFDFA17213011_2_00007FFDFA172130
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 11_2_00007FFDFA181F1011_2_00007FFDFA181F10
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 11_2_00007FFDFA1821C011_2_00007FFDFA1821C0
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 11_2_00007FFDFA1A1FA011_2_00007FFDFA1A1FA0
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 11_2_00007FFDFA1B238011_2_00007FFDFA1B2380
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 11_2_00007FFDFA1B227011_2_00007FFDFA1B2270
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 11_2_00007FFDFA1B1D4011_2_00007FFDFA1B1D40
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 11_2_00007FFDFA1C1D4011_2_00007FFDFA1C1D40
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 11_2_00007FFDFA1C255011_2_00007FFDFA1C2550
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 11_2_00007FFDFA1D1D4011_2_00007FFDFA1D1D40
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 11_2_00007FFDFA1D22D011_2_00007FFDFA1D22D0
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 11_2_00007FFDFA1E216011_2_00007FFDFA1E2160
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 11_2_00007FFDFA1F207011_2_00007FFDFA1F2070
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 11_2_00007FFDFA21222011_2_00007FFDFA212220
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 11_2_00007FFDFA26188011_2_00007FFDFA261880
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 11_2_00007FFDFA39FF2011_2_00007FFDFA39FF20
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 11_2_00007FFDFA3FED1011_2_00007FFDFA3FED10
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 11_2_00007FFDFA388AB011_2_00007FFDFA388AB0
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 11_2_00007FFDFA43BBA011_2_00007FFDFA43BBA0
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 11_2_00007FFDFA4058B011_2_00007FFDFA4058B0
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 11_2_00007FFDFA40487011_2_00007FFDFA404870
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 11_2_00007FFDFA3C688011_2_00007FFDFA3C6880
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 11_2_00007FFDFA3AB91011_2_00007FFDFA3AB910
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 11_2_00007FFDFA3869A211_2_00007FFDFA3869A2
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 11_2_00007FFDFA3DB98011_2_00007FFDFA3DB980
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 11_2_00007FFDFA383A5011_2_00007FFDFA383A50
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 11_2_00007FFDFA3E6A0011_2_00007FFDFA3E6A00
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 11_2_00007FFDFA3DFEA011_2_00007FFDFA3DFEA0
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 11_2_00007FFDFA3CBEC011_2_00007FFDFA3CBEC0
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 11_2_00007FFDFA3C1E6011_2_00007FFDFA3C1E60
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 11_2_00007FFDFA394F2011_2_00007FFDFA394F20
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 11_2_00007FFDFA383F1011_2_00007FFDFA383F10
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 11_2_00007FFDFA38E04011_2_00007FFDFA38E040
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 11_2_00007FFDFA39B01011_2_00007FFDFA39B010
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 11_2_00007FFDFA391CB011_2_00007FFDFA391CB0
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 11_2_00007FFDFA42CC7011_2_00007FFDFA42CC70
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 11_2_00007FFDFA3D6C7011_2_00007FFDFA3D6C70
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 11_2_00007FFDFA3CCCF011_2_00007FFDFA3CCCF0
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 11_2_00007FFDFA3EBD6011_2_00007FFDFA3EBD60
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 11_2_00007FFDFA3DDD6011_2_00007FFDFA3DDD60
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 11_2_00007FFDFA3F6D7011_2_00007FFDFA3F6D70
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 11_2_00007FFDFA3F7D8011_2_00007FFDFA3F7D80
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 11_2_00007FFDFA41DE3011_2_00007FFDFA41DE30
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 11_2_00007FFDFA3EEE5011_2_00007FFDFA3EEE50
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 11_2_00007FFDFA3D72C011_2_00007FFDFA3D72C0
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 11_2_00007FFDFA3C427011_2_00007FFDFA3C4270
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 11_2_00007FFDFA3A228011_2_00007FFDFA3A2280
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 11_2_00007FFDFA39829011_2_00007FFDFA398290
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 11_2_00007FFDFA3CB30011_2_00007FFDFA3CB300
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 11_2_00007FFDFA38F40011_2_00007FFDFA38F400
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 11_2_00007FFDFA3A70B011_2_00007FFDFA3A70B0
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 11_2_00007FFDFA41107011_2_00007FFDFA411070
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 11_2_00007FFDFA38606011_2_00007FFDFA386060
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 11_2_00007FFDFA38A06011_2_00007FFDFA38A060
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 11_2_00007FFDFA40406011_2_00007FFDFA404060
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 11_2_00007FFDFA3AB15011_2_00007FFDFA3AB150
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 11_2_00007FFDFA3D81A011_2_00007FFDFA3D81A0
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 11_2_00007FFDFA39B6B011_2_00007FFDFA39B6B0
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 11_2_00007FFDFA3AC69011_2_00007FFDFA3AC690
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 11_2_00007FFDFA39674011_2_00007FFDFA396740
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 11_2_00007FFDFA38275811_2_00007FFDFA382758
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 11_2_00007FFDFA3AE71011_2_00007FFDFA3AE710
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 11_2_00007FFDFA39A7B011_2_00007FFDFA39A7B0
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 11_2_00007FFDFA3AA77011_2_00007FFDFA3AA770
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 11_2_00007FFDFA42A85011_2_00007FFDFA42A850
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 11_2_00007FFDFA3A580011_2_00007FFDFA3A5800
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 11_2_00007FFDFA3A481011_2_00007FFDFA3A4810
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 11_2_00007FFDFA41146011_2_00007FFDFA411460
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 11_2_00007FFDFA3E24F011_2_00007FFDFA3E24F0
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 11_2_00007FFDFA3B351011_2_00007FFDFA3B3510
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 11_2_00007FFDFA3865DB11_2_00007FFDFA3865DB
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 11_2_00007FFDFA3F25D011_2_00007FFDFA3F25D0
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 11_2_00007FFDFA72F46011_2_00007FFDFA72F460
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 11_2_00007FFDFA627AF011_2_00007FFDFA627AF0
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 11_2_00007FFDFA4F30C111_2_00007FFDFA4F30C1
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 11_2_00007FFDFA4F3FDA11_2_00007FFDFA4F3FDA
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 11_2_00007FFDFA4F655A11_2_00007FFDFA4F655A
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 11_2_00007FFDFA4F6A8211_2_00007FFDFA4F6A82
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 11_2_00007FFDFA6939D011_2_00007FFDFA6939D0
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 11_2_00007FFDFA4F416511_2_00007FFDFA4F4165
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 11_2_00007FFDFA6A7A1011_2_00007FFDFA6A7A10
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 11_2_00007FFDFA50BF2011_2_00007FFDFA50BF20
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 11_2_00007FFDFA4F4C3711_2_00007FFDFA4F4C37
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 11_2_00007FFDFA4F32E711_2_00007FFDFA4F32E7
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 11_2_00007FFDFA50BD6011_2_00007FFDFA50BD60
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 11_2_00007FFDFA4F228911_2_00007FFDFA4F2289
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 11_2_00007FFDFA61FE3011_2_00007FFDFA61FE30
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 11_2_00007FFDFA4F276611_2_00007FFDFA4F2766
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 11_2_00007FFDFA4F5D8511_2_00007FFDFA4F5D85
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 11_2_00007FFDFA62731011_2_00007FFDFA627310
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 11_2_00007FFDFA4F516911_2_00007FFDFA4F5169
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 11_2_00007FFDFA4F3B9311_2_00007FFDFA4F3B93
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 11_2_00007FFDFA4F29CD11_2_00007FFDFA4F29CD
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 11_2_00007FFDFA50F06011_2_00007FFDFA50F060
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 11_2_00007FFDFA4F6CB711_2_00007FFDFA4F6CB7
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 11_2_00007FFDFA51B1C011_2_00007FFDFA51B1C0
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 11_2_00007FFDFA4F114F11_2_00007FFDFA4F114F
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 11_2_00007FFDFA50F20011_2_00007FFDFA50F200
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 11_2_00007FFDFA4F6F2311_2_00007FFDFA4F6F23
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 11_2_00007FFDFA4F22E811_2_00007FFDFA4F22E8
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 11_2_00007FFDFA55F70011_2_00007FFDFA55F700
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 11_2_00007FFDFA4F609B11_2_00007FFDFA4F609B
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 11_2_00007FFDFA4F21B711_2_00007FFDFA4F21B7
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 11_2_00007FFDFA51B55011_2_00007FFDFA51B550
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 11_2_00007FFDFA4F704511_2_00007FFDFA4F7045
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 11_2_00007FFDFA4F1EA111_2_00007FFDFA4F1EA1
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 11_2_00007FFDFA692A9011_2_00007FFDFA692A90
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 11_2_00007FFDFA5D2B4011_2_00007FFDFA5D2B40
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 11_2_00007FFDFA4F4D0411_2_00007FFDFA4F4D04
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 11_2_00007FFDFA4F5B0F11_2_00007FFDFA4F5B0F
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 11_2_00007FFDFA4F1B2211_2_00007FFDFA4F1B22
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 11_2_00007FFDFA4F23F111_2_00007FFDFA4F23F1
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 11_2_00007FFDFA4F5D9E11_2_00007FFDFA4F5D9E
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 11_2_00007FFDFA4F213F11_2_00007FFDFA4F213F
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 11_2_00007FFDFA50EF0011_2_00007FFDFA50EF00
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 11_2_00007FFDFA62B02011_2_00007FFDFA62B020
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 11_2_00007FFDFA4F6EEC11_2_00007FFDFA4F6EEC
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 11_2_00007FFDFA4F72C011_2_00007FFDFA4F72C0
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 11_2_00007FFDFA4F463311_2_00007FFDFA4F4633
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 11_2_00007FFDFA4F369311_2_00007FFDFA4F3693
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 11_2_00007FFDFA4F707711_2_00007FFDFA4F7077
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 11_2_00007FFDFA4F1A4B11_2_00007FFDFA4F1A4B
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 11_2_00007FFDFA4F6FFA11_2_00007FFDFA4F6FFA
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 11_2_00007FFDFA4F1B3111_2_00007FFDFA4F1B31
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 11_2_00007FFDFA62613011_2_00007FFDFA626130
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 11_2_00007FFDFA4F348611_2_00007FFDFA4F3486
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 11_2_00007FFDFA62267011_2_00007FFDFA622670
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 11_2_00007FFDFA4F5E2011_2_00007FFDFA4F5E20
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 11_2_00007FFDFA4F60D711_2_00007FFDFA4F60D7
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: String function: 00007FFDFA3886B0 appears 119 times
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: String function: 00007FFDFA4F4057 appears 379 times
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: String function: 00007FFDFA389310 appears 158 times
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: String function: 00007FF60F522AD0 appears 47 times
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: String function: 00007FFDFA4F2734 appears 254 times
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: String function: 00007FFDFA4F300D appears 50 times
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: String function: 00007FFDFA4F1EF1 appears 658 times
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: String function: 00007FFDFA4F24B9 appears 49 times
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: String function: 00007FFDFA4F483B appears 55 times
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeCode function: String function: 00007FF780462AD0 appears 47 times
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeCode function: String function: 00007FFDFADC86B0 appears 119 times
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeCode function: String function: 00007FFDFAF9DCDF appears 164 times
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeCode function: String function: 00007FFDFAF9DD75 appears 67 times
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeCode function: String function: 00007FFDFAF312EE appears 415 times
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeCode function: String function: 00007FFDFADC9310 appears 158 times
            Source: _overlapped.pyd.1.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
            Source: unicodedata.pyd.1.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
            Source: _overlapped.pyd.10.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
            Source: python3.dll.10.dr Static PE information: No import functions for PE file found
            Source: python3.dll.1.dr Static PE information: No import functions for PE file found
            Source: 231210-10-Creal-33652f.exe, 00000001.00000003.1846689847.0000029146809000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamepyexpat.pyd. vs 231210-10-Creal-33652f.exe
            Source: 231210-10-Creal-33652f.exe, 00000001.00000003.1836849584.0000029146807000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_ssl.pyd. vs 231210-10-Creal-33652f.exe
            Source: 231210-10-Creal-33652f.exe, 00000001.00000003.1847460005.0000029146809000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamepython3.dll. vs 231210-10-Creal-33652f.exe
            Source: 231210-10-Creal-33652f.exe, 00000001.00000003.1834079339.0000029146807000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamevcruntime140.dllT vs 231210-10-Creal-33652f.exe
            Source: 231210-10-Creal-33652f.exe, 00000001.00000003.1836493645.0000029146807000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_socket.pyd. vs 231210-10-Creal-33652f.exe
            Source: 231210-10-Creal-33652f.exe, 00000001.00000003.1834637696.0000029146807000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_bz2.pyd. vs 231210-10-Creal-33652f.exe
            Source: 231210-10-Creal-33652f.exe, 00000001.00000003.1835070660.0000029146807000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_ctypes.pyd. vs 231210-10-Creal-33652f.exe
            Source: 231210-10-Creal-33652f.exe, 00000001.00000003.1836375943.0000029146807000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_queue.pyd. vs 231210-10-Creal-33652f.exe
            Source: 231210-10-Creal-33652f.exe, 00000001.00000003.1835256745.0000029146807000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_decimal.pyd. vs 231210-10-Creal-33652f.exe
            Source: 231210-10-Creal-33652f.exe, 00000001.00000003.1836661908.0000029146807000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_sqlite3.pyd. vs 231210-10-Creal-33652f.exe
            Source: 231210-10-Creal-33652f.exe, 00000001.00000003.1836180921.0000029146807000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_overlapped.pyd. vs 231210-10-Creal-33652f.exe
            Source: 231210-10-Creal-33652f.exe, 00000001.00000003.1835667756.0000029146807000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_lzma.pyd. vs 231210-10-Creal-33652f.exe
            Source: 231210-10-Creal-33652f.exe, 00000001.00000003.1833462228.0000029146807000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamewin32ui.pyd0 vs 231210-10-Creal-33652f.exe
            Source: 231210-10-Creal-33652f.exe, 00000001.00000003.1835977889.0000029146807000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilename_multiprocessing.pyd. vs 231210-10-Creal-33652f.exe
            Source: 231210-10-Creal-33652f.exe, 00000001.00000003.1846349323.0000029146809000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamelibsslH vs 231210-10-Creal-33652f.exe
            Source: 231210-10-Creal-33652f.exe, 00000001.00000003.1834288865.0000029146807000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamevcruntime140_1.dllT vs 231210-10-Creal-33652f.exe
            Source: 231210-10-Creal-33652f.exe, 00000001.00000003.1837579633.0000029146807000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilename_uuid.pyd. vs 231210-10-Creal-33652f.exe
            Source: 231210-10-Creal-33652f.exe, 00000001.00000003.1835504040.0000029146807000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilename_hashlib.pyd. vs 231210-10-Creal-33652f.exe
            Source: 231210-10-Creal-33652f.exe, 00000001.00000003.1834436600.0000029146807000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilename_asyncio.pyd. vs 231210-10-Creal-33652f.exe
            Source: 231210-10-Creal-33652f.exeBinary or memory string: OriginalFilename vs 231210-10-Creal-33652f.exe
            Source: 231210-10-Creal-33652f.exe, 00000002.00000002.3105284077.00007FFE1025D000.00000002.00000001.01000000.0000000E.sdmpBinary or memory string: OriginalFilenamepyexpat.pyd. vs 231210-10-Creal-33652f.exe
            Source: 231210-10-Creal-33652f.exe, 00000002.00000002.3103127737.00007FFE0EB36000.00000002.00000001.01000000.00000019.sdmpBinary or memory string: OriginalFilename_sqlite3.pyd. vs 231210-10-Creal-33652f.exe
            Source: 231210-10-Creal-33652f.exe, 00000002.00000002.3103467498.00007FFE0EB61000.00000002.00000001.01000000.00000010.sdmpBinary or memory string: OriginalFilenamepywintypes310.dll0 vs 231210-10-Creal-33652f.exe
            Source: 231210-10-Creal-33652f.exe, 00000002.00000002.3107567231.00007FFE12E19000.00000002.00000001.01000000.00000011.sdmpBinary or memory string: OriginalFilenamevcruntime140_1.dllT vs 231210-10-Creal-33652f.exe
            Source: 231210-10-Creal-33652f.exe, 00000002.00000002.3085152643.000001CD61160000.00000002.00000001.01000000.00000007.sdmpBinary or memory string: OriginalFilenamepython3.dll. vs 231210-10-Creal-33652f.exe
            Source: 231210-10-Creal-33652f.exe, 00000002.00000002.3104128136.00007FFE101DE000.00000002.00000001.01000000.00000017.sdmpBinary or memory string: OriginalFilename_asyncio.pyd. vs 231210-10-Creal-33652f.exe
            Source: 231210-10-Creal-33652f.exe, 00000002.00000002.3091876793.00007FFDFAF1A000.00000002.00000001.01000000.0000001A.sdmpBinary or memory string: OriginalFilenamesqlite3.dll0 vs 231210-10-Creal-33652f.exe
            Source: 231210-10-Creal-33652f.exe, 00000002.00000002.3105627805.00007FFE10312000.00000002.00000001.01000000.0000000C.sdmpBinary or memory string: OriginalFilename_socket.pyd. vs 231210-10-Creal-33652f.exe
            Source: 231210-10-Creal-33652f.exe, 00000002.00000002.3108012062.00007FFE13246000.00000002.00000001.01000000.0000000D.sdmpBinary or memory string: OriginalFilenameselect.pyd. vs 231210-10-Creal-33652f.exe
            Source: 231210-10-Creal-33652f.exe, 00000002.00000002.3108272710.00007FFE13317000.00000002.00000001.01000000.00000006.sdmpBinary or memory string: OriginalFilenamevcruntime140.dllT vs 231210-10-Creal-33652f.exe
            Source: 231210-10-Creal-33652f.exe, 00000002.00000002.3107266458.00007FFE126FD000.00000002.00000001.01000000.00000008.sdmpBinary or memory string: OriginalFilename_ctypes.pyd. vs 231210-10-Creal-33652f.exe
            Source: 231210-10-Creal-33652f.exe, 00000002.00000002.3107778863.00007FFE130C6000.00000002.00000001.01000000.0000000F.sdmpBinary or memory string: OriginalFilename_queue.pyd. vs 231210-10-Creal-33652f.exe
            Source: 231210-10-Creal-33652f.exe, 00000002.00000002.3092172130.00007FFDFAFDB000.00000002.00000001.01000000.00000016.sdmpBinary or memory string: OriginalFilenamelibsslH vs 231210-10-Creal-33652f.exe
            Source: 231210-10-Creal-33652f.exe, 00000002.00000002.3106745633.00007FFE120CA000.00000002.00000001.01000000.00000018.sdmpBinary or memory string: OriginalFilename_overlapped.pyd. vs 231210-10-Creal-33652f.exe
            Source: 231210-10-Creal-33652f.exe, 00000002.00000002.3094318733.00007FFDFB780000.00000002.00000001.01000000.00000005.sdmpBinary or memory string: OriginalFilenamepython310.dll. vs 231210-10-Creal-33652f.exe
            Source: 231210-10-Creal-33652f.exe, 00000002.00000002.3094657353.00007FFDFF3F4000.00000002.00000001.01000000.00000012.sdmpBinary or memory string: OriginalFilenamepythoncom310.dll0 vs 231210-10-Creal-33652f.exe
            Source: 231210-10-Creal-33652f.exe, 00000002.00000002.3093293536.00007FFDFB326000.00000002.00000001.01000000.00000015.sdmpBinary or memory string: OriginalFilenamelibcryptoH vs 231210-10-Creal-33652f.exe
            Source: 231210-10-Creal-33652f.exe, 00000002.00000002.3107059523.00007FFE126D2000.00000002.00000001.01000000.0000000A.sdmpBinary or memory string: OriginalFilename_bz2.pyd. vs 231210-10-Creal-33652f.exe
            Source: 231210-10-Creal-33652f.exe, 00000002.00000002.3091536463.00007FFDFADB1000.00000002.00000001.01000000.0000001F.sdmpBinary or memory string: OriginalFilenameunicodedata.pyd. vs 231210-10-Creal-33652f.exe
            Source: 231210-10-Creal-33652f.exe, 00000002.00000002.3105973834.00007FFE11074000.00000002.00000001.01000000.0000001C.sdmpBinary or memory string: OriginalFilename_uuid.pyd. vs 231210-10-Creal-33652f.exe
            Source: 231210-10-Creal-33652f.exe, 00000002.00000002.3106203273.00007FFE110FD000.00000002.00000001.01000000.0000001B.sdmpBinary or memory string: OriginalFilename_hashlib.pyd. vs 231210-10-Creal-33652f.exe
            Source: 231210-10-Creal-33652f.exe, 00000002.00000002.3101169486.00007FFE0E155000.00000002.00000001.01000000.00000014.sdmpBinary or memory string: OriginalFilename_ssl.pyd. vs 231210-10-Creal-33652f.exe
            Source: 231210-10-Creal-33652f.exe, 00000002.00000002.3106468962.00007FFE11525000.00000002.00000001.01000000.0000000B.sdmpBinary or memory string: OriginalFilename_lzma.pyd. vs 231210-10-Creal-33652f.exe
            Source: 231210-10-Creal-33652f.exe, 00000002.00000002.3101965256.00007FFE0E181000.00000002.00000001.01000000.00000013.sdmpBinary or memory string: OriginalFilenamewin32api.pyd0 vs 231210-10-Creal-33652f.exe
            Source: 231210-10-Creal-33652f.exe, 0000000A.00000003.1997805431.0000013616BEA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamewin32ui.pyd0 vs 231210-10-Creal-33652f.exe
            Source: 231210-10-Creal-33652f.exe, 0000000A.00000003.2000867888.0000013616BEA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilename_sqlite3.pyd. vs 231210-10-Creal-33652f.exe
            Source: 231210-10-Creal-33652f.exe, 0000000A.00000003.2015317190.0000013616BEA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilename_win32sysloader.pyd0 vs 231210-10-Creal-33652f.exe
            Source: 231210-10-Creal-33652f.exe, 0000000A.00000003.2015648825.0000013616BEA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamewin32trace.pyd0 vs 231210-10-Creal-33652f.exe
            Source: 231210-10-Creal-33652f.exe, 0000000A.00000003.2009452330.0000013616BEA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamepythoncom310.dll0 vs 231210-10-Creal-33652f.exe
            Source: 231210-10-Creal-33652f.exe, 0000000A.00000003.2014998039.0000013616BEA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameunicodedata.pyd. vs 231210-10-Creal-33652f.exe
            Source: 231210-10-Creal-33652f.exe, 0000000A.00000003.2015845508.0000013616BEA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameshell.pyd0 vs 231210-10-Creal-33652f.exe
            Source: 231210-10-Creal-33652f.exe, 0000000A.00000003.2001269368.0000013616BEA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilename_uuid.pyd. vs 231210-10-Creal-33652f.exe
            Source: 231210-10-Creal-33652f.exe, 0000000A.00000003.2013861971.0000013616BEA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamesqlite3.dll0 vs 231210-10-Creal-33652f.exe
            Source: 231210-10-Creal-33652f.exe, 0000000A.00000003.1999307273.0000013616BEA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilename_asyncio.pyd. vs 231210-10-Creal-33652f.exe
            Source: 231210-10-Creal-33652f.exe, 0000000A.00000003.2015483930.0000013616BEA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamewin32api.pyd0 vs 231210-10-Creal-33652f.exe
            Source: 231210-10-Creal-33652f.exe, 0000000A.00000003.2000410857.0000013616BEA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilename_multiprocessing.pyd. vs 231210-10-Creal-33652f.exe
            Source: 231210-10-Creal-33652f.exe, 0000000A.00000003.1999917325.0000013616BEA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilename_decimal.pyd. vs 231210-10-Creal-33652f.exe
            Source: 231210-10-Creal-33652f.exe, 0000000A.00000003.2001074257.0000013616BEA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilename_ssl.pyd. vs 231210-10-Creal-33652f.exe
            Source: 231210-10-Creal-33652f.exe, 0000000A.00000003.2015648825.0000013616BF6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamewin32trace.pyd0 vs 231210-10-Creal-33652f.exe
            Source: 231210-10-Creal-33652f.exe, 0000000A.00000003.2009890295.0000013616BEA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamepywintypes310.dll0 vs 231210-10-Creal-33652f.exe
            Source: 231210-10-Creal-33652f.exe, 0000000A.00000003.2015317190.0000013616BF7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilename_win32sysloader.pyd0 vs 231210-10-Creal-33652f.exe
            Source: 231210-10-Creal-33652f.exe, 0000000A.00000003.2010096133.0000013616BEA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameselect.pyd. vs 231210-10-Creal-33652f.exe
            Source: 231210-10-Creal-33652f.exe, 0000000A.00000003.2000625614.0000013616BEA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilename_queue.pyd. vs 231210-10-Creal-33652f.exe
            Source: 231210-10-Creal-33652f.exe, 0000000A.00000003.2000090134.0000013616BEA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilename_hashlib.pyd. vs 231210-10-Creal-33652f.exe
            Source: 231210-10-Creal-33652f.exe, 0000000A.00000003.2007379344.0000013616BEA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamepyexpat.pyd. vs 231210-10-Creal-33652f.exe
            Source: 231210-10-Creal-33652f.exe, 0000000A.00000003.2007629779.0000013616BEA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamepython3.dll. vs 231210-10-Creal-33652f.exe
            Source: 231210-10-Creal-33652f.exe, 0000000A.00000003.2000725378.0000013616BEA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilename_socket.pyd. vs 231210-10-Creal-33652f.exe
            Source: 231210-10-Creal-33652f.exe, 0000000A.00000003.1999757647.0000013616BEA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilename_ctypes.pyd. vs 231210-10-Creal-33652f.exe
            Source: 231210-10-Creal-33652f.exe, 0000000A.00000003.2000244257.0000013616BEA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilename_lzma.pyd. vs 231210-10-Creal-33652f.exe
            Source: 231210-10-Creal-33652f.exe, 0000000A.00000003.1999439755.0000013616BEA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilename_bz2.pyd. vs 231210-10-Creal-33652f.exe
            Source: 231210-10-Creal-33652f.exe, 0000000A.00000003.1999175950.0000013616BEA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamevcruntime140_1.dllT vs 231210-10-Creal-33652f.exe
            Source: 231210-10-Creal-33652f.exe, 0000000A.00000003.1999017144.0000013616BEA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamevcruntime140.dllT vs 231210-10-Creal-33652f.exe
            Source: 231210-10-Creal-33652f.exe, 0000000A.00000003.2007062794.0000013616BEA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamelibsslH vs 231210-10-Creal-33652f.exe
            Source: 231210-10-Creal-33652f.exe, 0000000A.00000003.2000537649.0000013616BEA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilename_overlapped.pyd. vs 231210-10-Creal-33652f.exe
            Source: 231210-10-Creal-33652f.exe, 0000000B.00000002.3107779608.00007FFE11BDD000.00000002.00000001.01000000.00000037.sdmpBinary or memory string: OriginalFilename_ctypes.pyd. vs 231210-10-Creal-33652f.exe
            Source: 231210-10-Creal-33652f.exe, 0000000B.00000002.3107390931.00007FFE00332000.00000002.00000001.01000000.00000039.sdmpBinary or memory string: OriginalFilename_bz2.pyd. vs 231210-10-Creal-33652f.exe
            Source: 231210-10-Creal-33652f.exe, 0000000B.00000002.3106924184.00007FFDFFCE6000.00000002.00000001.01000000.0000003C.sdmpBinary or memory string: OriginalFilenameselect.pyd. vs 231210-10-Creal-33652f.exe
            Source: classification engine | Classification label: mal100.troj.adwa.spyw.winEXE@21/199@7/5
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exe | Code function: 1_2_00007FF780468510 GetLastError,FormatMessageW,WideCharToMultiByte,1_2_00007FF780468510
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1836:120:WilError_03
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5356:120:WilError_03
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3052:120:WilError_03
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI70522
            Source: 231210-10-Creal-33652f.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: 231210-10-Creal-33652f.exe, 00000002.00000002.3089335128.000001CD634B0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: SELECT action_url, username_value, password_value FROM logins;
            Source: 231210-10-Creal-33652f.exe, 00000002.00000002.3091796977.00007FFDFAEE8000.00000002.00000001.01000000.0000001A.sdmpBinary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
            Source: 231210-10-Creal-33652f.exe, 00000002.00000002.3091796977.00007FFDFAEE8000.00000002.00000001.01000000.0000001A.sdmpBinary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
            Source: 231210-10-Creal-33652f.exe, 00000002.00000002.3091796977.00007FFDFAEE8000.00000002.00000001.01000000.0000001A.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
            Source: 231210-10-Creal-33652f.exe, 00000002.00000002.3091796977.00007FFDFAEE8000.00000002.00000001.01000000.0000001A.sdmpBinary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
            Source: 231210-10-Creal-33652f.exeBinary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
            Source: 231210-10-Creal-33652f.exe, 00000002.00000002.3091796977.00007FFDFAEE8000.00000002.00000001.01000000.0000001A.sdmpBinary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
            Source: 231210-10-Creal-33652f.exe, 00000002.00000002.3091796977.00007FFDFAEE8000.00000002.00000001.01000000.0000001A.sdmpBinary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
            Source: 231210-10-Creal-33652f.exe | ReversingLabs: Detection: 42%
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exe | File read: C:\Users\user\Desktop\231210-10-Creal-33652f.exe
            Source: unknownProcess created: C:\Users\user\Desktop\231210-10-Creal-33652f.exe "C:\Users\user\Desktop\231210-10-Creal-33652f.exe"
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeProcess created: C:\Users\user\Desktop\231210-10-Creal-33652f.exe "C:\Users\user\Desktop\231210-10-Creal-33652f.exe"
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "ver"
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist"
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tasklist.exe tasklist
            Source: unknownProcess created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe"
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeProcess created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe"
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "ver"
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist"
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tasklist.exe tasklist
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeProcess created: C:\Users\user\Desktop\231210-10-Creal-33652f.exe "C:\Users\user\Desktop\231210-10-Creal-33652f.exe"Jump to behavior
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "ver"Jump to behavior
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist"Jump to behavior
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tasklist.exe tasklistJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeProcess created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe" Jump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "ver"Jump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist"Jump to behavior
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tasklist.exe tasklistJump to behavior
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeSection loaded: version.dllJump to behavior
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeSection loaded: vcruntime140.dllJump to behavior
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeSection loaded: libffi-7.dllJump to behavior
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeSection loaded: vcruntime140_1.dllJump to behavior
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeSection loaded: urlmon.dllJump to behavior
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeSection loaded: srvcli.dllJump to behavior
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeSection loaded: secur32.dllJump to behavior
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeSection loaded: libcrypto-1_1.dllJump to behavior
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeSection loaded: libssl-1_1.dllJump to behavior
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeSection loaded: mswsock.dllJump to behavior
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeSection loaded: sqlite3.dllJump to behavior
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeSection loaded: dpapi.dllJump to behavior
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeSection loaded: dnsapi.dllJump to behavior
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeSection loaded: rasadhlp.dllJump to behavior
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeSection loaded: fwpuclnt.dllJump to behavior
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeSection loaded: textshaping.dllJump to behavior
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeSection loaded: textinputframework.dllJump to behavior
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeSection loaded: coreuicomponents.dllJump to behavior
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeSection loaded: coremessaging.dllJump to behavior
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeSection loaded: ntmarta.dllJump to behavior
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Windows\System32\tasklist.exeSection loaded: version.dllJump to behavior
            Source: C:\Windows\System32\tasklist.exeSection loaded: mpr.dllJump to behavior
            Source: C:\Windows\System32\tasklist.exeSection loaded: framedynos.dllJump to behavior
            Source: C:\Windows\System32\tasklist.exeSection loaded: dbghelp.dllJump to behavior
            Source: C:\Windows\System32\tasklist.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\System32\tasklist.exeSection loaded: srvcli.dllJump to behavior
            Source: C:\Windows\System32\tasklist.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Windows\System32\tasklist.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\System32\tasklist.exeSection loaded: wbemcomn.dllJump to behavior
            Source: C:\Windows\System32\tasklist.exeSection loaded: winsta.dllJump to behavior
            Source: C:\Windows\System32\tasklist.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Windows\System32\tasklist.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Windows\System32\tasklist.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeSection loaded: version.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeSection loaded: vcruntime140.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeSection loaded: libffi-7.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe, Section loaded: iphlpapi.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe, Section loaded: vcruntime140_1.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe, Section loaded: kernel.appcore.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe, Section loaded: uxtheme.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe, Section loaded: urlmon.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe, Section loaded: iertutil.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe, Section loaded: srvcli.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe, Section loaded: netutils.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe, Section loaded: secur32.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe, Section loaded: sspicli.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe, Section loaded: libcrypto-1_1.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe, Section loaded: libssl-1_1.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe, Section loaded: mswsock.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe, Section loaded: sqlite3.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe, Section loaded: dpapi.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe, Section loaded: dnsapi.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe, Section loaded: rasadhlp.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe, Section loaded: fwpuclnt.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe, Section loaded: textshaping.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe, Section loaded: textinputframework.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe, Section loaded: coreuicomponents.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe, Section loaded: coremessaging.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe, Section loaded: ntmarta.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe, Section loaded: wintypes.dll
            Source: C:\Windows\System32\tasklist.exe, Section loaded: version.dll
            Source: C:\Windows\System32\tasklist.exe, Section loaded: mpr.dll
            Source: C:\Windows\System32\tasklist.exe, Section loaded: framedynos.dll
            Source: C:\Windows\System32\tasklist.exe, Section loaded: dbghelp.dll
            Source: C:\Windows\System32\tasklist.exe, Section loaded: sspicli.dll
            Source: C:\Windows\System32\tasklist.exe, Section loaded: srvcli.dll
            Source: C:\Windows\System32\tasklist.exe, Section loaded: netutils.dll
            Source: C:\Windows\System32\tasklist.exe, Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\tasklist.exe, Section loaded: wbemcomn.dll
            Source: C:\Windows\System32\tasklist.exe, Section loaded: winsta.dll
            Source: C:\Windows\System32\tasklist.exe, Section loaded: amsi.dll
            Source: C:\Windows\System32\tasklist.exe, Section loaded: userenv.dll
            Source: C:\Windows\System32\tasklist.exe, Section loaded: profapi.dll
            Source: C:\Windows\System32\tasklist.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
            Source: C:\Windows\System32\cmd.exe, Process created: C:\Windows\System32\tasklist.exe tasklist
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exe, File opened: C:\Users\user\Desktop\pyvenv.cfg
            Source: 231210-10-Creal-33652f.exe, Static PE information: Image base 0x140000000 > 0x60000000
            Source: 231210-10-Creal-33652f.exe, Static file information: File size 17812549 > 1048576
            Source: 231210-10-Creal-33652f.exe, Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
            Source: 231210-10-Creal-33652f.exe, Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
            Source: 231210-10-Creal-33652f.exe, Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
            Source: 231210-10-Creal-33652f.exe, Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: 231210-10-Creal-33652f.exe, Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
            Source: 231210-10-Creal-33652f.exe, Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
            Source: 231210-10-Creal-33652f.exe, Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
            Source: Binary string: C:\src\pywin32\build\temp.win-amd64-cpython-310\Release\pythoncom.pdb source: 231210-10-Creal-33652f.exe, 00000002.00000002.3094480819.00007FFDFF3AC000.00000002.00000001.01000000.00000012.sdmp
            Source: Binary string: C:\A\40\b\bin\amd64\sqlite3.pdb source: 231210-10-Creal-33652f.exe, 00000002.00000002.3091796977.00007FFDFAEE8000.00000002.00000001.01000000.0000001A.sdmp
            Source: Binary string: D:\_w\1\b\libssl-1_1.pdb source: 231210-10-Creal-33652f.exe, 00000002.00000002.3092087856.00007FFDFAFA6000.00000002.00000001.01000000.00000016.sdmp
            Source: Binary string: C:\A\40\b\bin\amd64\_uuid.pdb source: 231210-10-Creal-33652f.exe, 00000001.00000003.1837579633.0000029146807000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000002.00000002.3105827665.00007FFE11072000.00000002.00000001.01000000.0000001C.sdmp, 231210-10-Creal-33652f.exe, 0000000A.00000003.2001269368.0000013616BEA000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: C:\src\pywin32\build\temp.win-amd64-cpython-310\Release\pythoncom.pdb}},GCTL source: 231210-10-Creal-33652f.exe, 00000002.00000002.3094480819.00007FFDFF3AC000.00000002.00000001.01000000.00000012.sdmp
            Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM source: 231210-10-Creal-33652f.exe, 00000002.00000002.3092953365.00007FFDFB22E000.00000002.00000001.01000000.00000015.sdmp
            Source: Binary string: C:\A\40\b\bin\amd64\python3.pdb source: 231210-10-Creal-33652f.exe, 00000001.00000003.1847460005.0000029146809000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000002.00000002.3085152643.000001CD61160000.00000002.00000001.01000000.00000007.sdmp, 231210-10-Creal-33652f.exe, 0000000A.00000003.2007629779.0000013616BEA000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: 231210-10-Creal-33652f.exe, 00000001.00000003.1834079339.0000029146807000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000002.00000002.3108203122.00007FFE13311000.00000002.00000001.01000000.00000006.sdmp, 231210-10-Creal-33652f.exe, 0000000A.00000003.1999017144.0000013616BEA000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: C:\A\40\b\bin\amd64\_ctypes.pdb source: 231210-10-Creal-33652f.exe, 00000002.00000002.3107187638.00007FFE126F0000.00000002.00000001.01000000.00000008.sdmp
            Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: 231210-10-Creal-33652f.exe, 00000001.00000003.1834079339.0000029146807000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000002.00000002.3108203122.00007FFE13311000.00000002.00000001.01000000.00000006.sdmp, 231210-10-Creal-33652f.exe, 0000000A.00000003.1999017144.0000013616BEA000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: C:\A\40\b\bin\amd64\_queue.pdb source: 231210-10-Creal-33652f.exe, 00000001.00000003.1836375943.0000029146807000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000002.00000002.3107689378.00007FFE130C3000.00000002.00000001.01000000.0000000F.sdmp, 231210-10-Creal-33652f.exe, 0000000A.00000003.2000625614.0000013616BEA000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 0000000B.00000002.3106489836.00007FFDFFCD3000.00000002.00000001.01000000.0000003E.sdmp
            Source: Binary string: C:\A\40\b\bin\amd64\_sqlite3.pdb source: 231210-10-Creal-33652f.exe, 00000002.00000002.3102786848.00007FFE0EB2C000.00000002.00000001.01000000.00000019.sdmp
            Source: Binary string: C:\A\40\b\bin\amd64\_overlapped.pdb source: 231210-10-Creal-33652f.exe, 00000001.00000003.1836180921.0000029146807000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000002.00000002.3106654341.00007FFE120C5000.00000002.00000001.01000000.00000018.sdmp, 231210-10-Creal-33652f.exe, 0000000A.00000003.2000537649.0000013616BEA000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: C:\A\40\b\bin\amd64\python310.pdb source: 231210-10-Creal-33652f.exe, 00000002.00000002.3093745689.00007FFDFB674000.00000002.00000001.01000000.00000005.sdmp
            Source: Binary string: C:\src\pywin32\build\temp.win-amd64-cpython-310\Release\pywintypes.pdb source: 231210-10-Creal-33652f.exe, 00000002.00000002.3103304948.00007FFE0EB50000.00000002.00000001.01000000.00000010.sdmp
            Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: 231210-10-Creal-33652f.exe, 00000001.00000003.1834288865.0000029146807000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000002.00000002.3107494140.00007FFE12E15000.00000002.00000001.01000000.00000011.sdmp, 231210-10-Creal-33652f.exe, 0000000A.00000003.1999175950.0000013616BEA000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: C:\A\40\b\bin\amd64\_lzma.pdbNN source: 231210-10-Creal-33652f.exe, 00000001.00000003.1835667756.0000029146807000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000002.00000002.3106339246.00007FFE1151C000.00000002.00000001.01000000.0000000B.sdmp, 231210-10-Creal-33652f.exe, 0000000A.00000003.2000244257.0000013616BEA000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 0000000B.00000002.3106226098.00007FFDFF6DC000.00000002.00000001.01000000.0000003A.sdmp
            Source: Binary string: C:\A\40\b\bin\amd64\_asyncio.pdb source: 231210-10-Creal-33652f.exe, 00000001.00000003.1834436600.0000029146807000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000002.00000002.3103871386.00007FFE101D7000.00000002.00000001.01000000.00000017.sdmp, 231210-10-Creal-33652f.exe, 0000000A.00000003.1999307273.0000013616BEA000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: C:\A\40\b\bin\amd64\_lzma.pdb source: 231210-10-Creal-33652f.exe, 00000001.00000003.1835667756.0000029146807000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000002.00000002.3106339246.00007FFE1151C000.00000002.00000001.01000000.0000000B.sdmp, 231210-10-Creal-33652f.exe, 0000000A.00000003.2000244257.0000013616BEA000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 0000000B.00000002.3106226098.00007FFDFF6DC000.00000002.00000001.01000000.0000003A.sdmp
            Source: Binary string: C:\A\40\b\bin\amd64\_multiprocessing.pdb source: 231210-10-Creal-33652f.exe, 00000001.00000003.1835977889.0000029146807000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 0000000A.00000003.2000410857.0000013616BEA000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: C:\src\pywin32\build\temp.win-amd64-cpython-310\Release\win32api.pdb!! source: 231210-10-Creal-33652f.exe, 00000002.00000002.3101827149.00007FFE0E173000.00000002.00000001.01000000.00000013.sdmp, 231210-10-Creal-33652f.exe, 0000000B.00000002.3103316403.00007FFDFF193000.00000002.00000001.01000000.00000042.sdmp
            Source: Binary string: C:\A\40\b\bin\amd64\select.pdb source: 231210-10-Creal-33652f.exe, 00000002.00000002.3107919344.00007FFE13243000.00000002.00000001.01000000.0000000D.sdmp, 231210-10-Creal-33652f.exe, 0000000A.00000003.2010096133.0000013616BEA000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: C:\A\40\b\bin\amd64\unicodedata.pdb source: 231210-10-Creal-33652f.exe, 00000002.00000002.3091090461.00007FFDFADAC000.00000002.00000001.01000000.0000001F.sdmp, 231210-10-Creal-33652f.exe, 0000000A.00000003.2014998039.0000013616BEA000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: D:\_w\1\b\libssl-1_1.pdb@@ source: 231210-10-Creal-33652f.exe, 00000002.00000002.3092087856.00007FFDFAFA6000.00000002.00000001.01000000.00000016.sdmp
            Source: Binary string: C:\src\pywin32\build\temp.win-amd64-cpython-310\Release\win32api.pdb source: 231210-10-Creal-33652f.exe, 00000002.00000002.3101827149.00007FFE0E173000.00000002.00000001.01000000.00000013.sdmp, 231210-10-Creal-33652f.exe, 0000000B.00000002.3103316403.00007FFDFF193000.00000002.00000001.01000000.00000042.sdmp
            Source: Binary string: C:\A\40\b\bin\amd64\_socket.pdb source: 231210-10-Creal-33652f.exe, 00000001.00000003.1836493645.0000029146807000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000002.00000002.3105506912.00007FFE10308000.00000002.00000001.01000000.0000000C.sdmp, 231210-10-Creal-33652f.exe, 0000000A.00000003.2000725378.0000013616BEA000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: C:\A\40\b\bin\amd64\_ssl.pdb source: 231210-10-Creal-33652f.exe, 00000002.00000002.3100480589.00007FFE0E13D000.00000002.00000001.01000000.00000014.sdmp
            Source: Binary string: C:\src\pywin32\build\temp.win-amd64-cpython-310\Release\pywintypes.pdb** source: 231210-10-Creal-33652f.exe, 00000002.00000002.3103304948.00007FFE0EB50000.00000002.00000001.01000000.00000010.sdmp
            Source: Binary string: C:\src\pywin32\build\temp.win-amd64-cpython-310\Release\_win32sysloader.pdb source: 231210-10-Creal-33652f.exe, 0000000A.00000003.2015317190.0000013616BEA000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: C:\src\pywin32\build\temp.win-amd64-cpython-310\Release\win32trace.pdb source: 231210-10-Creal-33652f.exe, 0000000A.00000003.2015648825.0000013616BEA000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: C:\A\40\b\bin\amd64\_bz2.pdb source: 231210-10-Creal-33652f.exe, 00000001.00000003.1834637696.0000029146807000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000002.00000002.3106970433.00007FFE126CD000.00000002.00000001.01000000.0000000A.sdmp, 231210-10-Creal-33652f.exe, 0000000A.00000003.1999439755.0000013616BEA000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM OpenSSL 1.1.1q 5 Jul 2022 built on: Thu Aug 18 20:15:42 2022 UTC platform: VC-WIN64A-masm OPENSSLDIR: "C:\Program Files\Common Files\SSL" ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-1_1" not available source: 231210-10-Creal-33652f.exe, 00000002.00000002.3092953365.00007FFDFB22E000.00000002.00000001.01000000.00000015.sdmp
            Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdbGCTL source: 231210-10-Creal-33652f.exe, 00000001.00000003.1834288865.0000029146807000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000002.00000002.3107494140.00007FFE12E15000.00000002.00000001.01000000.00000011.sdmp, 231210-10-Creal-33652f.exe, 0000000A.00000003.1999175950.0000013616BEA000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: C:\A\40\b\bin\amd64\_hashlib.pdb source: 231210-10-Creal-33652f.exe, 00000001.00000003.1835504040.0000029146807000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000002.00000002.3106122302.00007FFE110F6000.00000002.00000001.01000000.0000001B.sdmp, 231210-10-Creal-33652f.exe, 0000000A.00000003.2000090134.0000013616BEA000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: D:\_w\1\b\libcrypto-1_1.pdb source: 231210-10-Creal-33652f.exe, 00000002.00000002.3092953365.00007FFDFB2B0000.00000002.00000001.01000000.00000015.sdmp
            Source: Binary string: C:\A\40\b\bin\amd64\pyexpat.pdb source: 231210-10-Creal-33652f.exe, 00000002.00000002.3105067023.00007FFE10252000.00000002.00000001.01000000.0000000E.sdmp
            Source: 231210-10-Creal-33652f.exe, Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
            Source: 231210-10-Creal-33652f.exe, Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
            Source: 231210-10-Creal-33652f.exe, Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
            Source: 231210-10-Creal-33652f.exe, Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
            Source: 231210-10-Creal-33652f.exe, Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
            Source: VCRUNTIME140.dll.1.dr, Static PE information: 0x8E79CD85 [Sat Sep 30 01:19:01 2045 UTC]
            Source: 231210-10-Creal-33652f.exe, Static PE information: section name: _RDATA
            Source: mfc140u.dll.1.dr, Static PE information: section name: .didat
            Source: VCRUNTIME140.dll.1.dr, Static PE information: section name: _RDATA
            Source: libcrypto-1_1.dll.1.dr, Static PE information: section name: .00cfg
            Source: libssl-1_1.dll.1.dr, Static PE information: section name: .00cfg
            Source: python310.dll.1.dr, Static PE information: section name: PyRuntim
            Source: 231210-10-Creal-33652f.exe.2.dr, Static PE information: section name: _RDATA
            Source: mfc140u.dll.10.dr, Static PE information: section name: .didat
            Source: VCRUNTIME140.dll.10.dr, Static PE information: section name: _RDATA
            Source: libcrypto-1_1.dll.10.dr, Static PE information: section name: .00cfg
            Source: libssl-1_1.dll.10.dr, Static PE information: section name: .00cfg
            Source: python310.dll.10.dr, Static PE information: section name: PyRuntim
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exe, File created: C:\Users\user\AppData\Local\Temp\_MEI70522\pyexpat.pyd
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe, File created: C:\Users\user\AppData\Local\Temp\_MEI54762\Crypto\Cipher\_raw_aesni.pyd
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exe, File created: C:\Users\user\AppData\Local\Temp\_MEI70522\Crypto\Cipher\_chacha20.pyd
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe, File created: C:\Users\user\AppData\Local\Temp\_MEI54762\python310.dll
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exe, File created: C:\Users\user\AppData\Local\Temp\_MEI70522\charset_normalizer\md.cp310-win_amd64.pyd
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe, File created: C:\Users\user\AppData\Local\Temp\_MEI54762\_lzma.pyd
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exe, File created: C:\Users\user\AppData\Local\Temp\_MEI70522\Crypto\Cipher\_raw_ocb.pyd
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exe, File created: C:\Users\user\AppData\Local\Temp\_MEI70522\python3.dll
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exe, File created: C:\Users\user\AppData\Local\Temp\_MEI70522\VCRUNTIME140_1.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe, File created: C:\Users\user\AppData\Local\Temp\_MEI54762\Crypto\Hash\_SHA224.pyd
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exe, File created: C:\Users\user\AppData\Local\Temp\_MEI70522\python310.dll
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exe, File created: C:\Users\user\AppData\Local\Temp\_MEI70522\_uuid.pyd
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exe, File created: C:\Users\user\AppData\Local\Temp\_MEI70522\Crypto\Util\_cpuid_c.pyd
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe, File created: C:\Users\user\AppData\Local\Temp\_MEI54762\Crypto\Util\_strxor.pyd
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exe, File created: C:\Users\user\AppData\Local\Temp\_MEI70522\Crypto\PublicKey\_ed25519.pyd
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe, File created: C:\Users\user\AppData\Local\Temp\_MEI54762\_multiprocessing.pyd
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exe, File created: C:\Users\user\AppData\Local\Temp\_MEI70522\Crypto\Hash\_SHA256.pyd
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exe, File created: C:\Users\user\AppData\Local\Temp\_MEI70522\_queue.pyd
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exe, File created: C:\Users\user\AppData\Local\Temp\_MEI70522\_bz2.pyd
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe, File created: C:\Users\user\AppData\Local\Temp\_MEI54762\Crypto\Hash\_BLAKE2s.pyd
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exe, File created: C:\Users\user\AppData\Local\Temp\_MEI70522\Crypto\Cipher\_raw_blowfish.pyd
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exe, File created: C:\Users\user\AppData\Local\Temp\_MEI70522\Crypto\Hash\_MD4.pyd
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe, File created: C:\Users\user\AppData\Local\Temp\_MEI54762\Crypto\Cipher\_raw_cfb.pyd
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe, File created: C:\Users\user\AppData\Local\Temp\_MEI54762\Pythonwin\mfc140u.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe, File created: C:\Users\user\AppData\Local\Temp\_MEI54762\win32com\shell\shell.pyd
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe, File created: C:\Users\user\AppData\Local\Temp\_MEI54762\_bz2.pyd
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exe, File created: C:\Users\user\AppData\Local\Temp\_MEI70522\libssl-1_1.dll
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exe, File created: C:\Users\user\AppData\Local\Temp\_MEI70522\Crypto\PublicKey\_x25519.pyd
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exe, File created: C:\Users\user\AppData\Local\Temp\_MEI70522\Crypto\Hash\_MD2.pyd
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exe, File created: C:\Users\user\AppData\Local\Temp\_MEI70522\pywin32_system32\pywintypes310.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe, File created: C:\Users\user\AppData\Local\Temp\_MEI54762\Crypto\Hash\_MD4.pyd
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exe, File created: C:\Users\user\AppData\Local\Temp\_MEI70522\Crypto\Hash\_poly1305.pyd
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe, File created: C:\Users\user\AppData\Local\Temp\_MEI54762\Crypto\Cipher\_raw_eksblowfish.pyd
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe, File created: C:\Users\user\AppData\Local\Temp\_MEI54762\_asyncio.pyd
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe, File created: C:\Users\user\AppData\Local\Temp\_MEI54762\Crypto\Hash\_keccak.pyd
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe, File created: C:\Users\user\AppData\Local\Temp\_MEI54762\Crypto\Cipher\_chacha20.pyd
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe, File created: C:\Users\user\AppData\Local\Temp\_MEI54762\Crypto\Cipher\_raw_ctr.pyd
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exe, File created: C:\Users\user\AppData\Local\Temp\_MEI70522\Crypto\Hash\_SHA224.pyd
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe, File created: C:\Users\user\AppData\Local\Temp\_MEI54762\win32\win32api.pyd
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe, File created: C:\Users\user\AppData\Local\Temp\_MEI54762\select.pyd
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exe, File created: C:\Users\user\AppData\Local\Temp\_MEI70522\Crypto\Cipher\_raw_ofb.pyd
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exe, File created: C:\Users\user\AppData\Local\Temp\_MEI70522\Crypto\Util\_strxor.pyd
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe, File created: C:\Users\user\AppData\Local\Temp\_MEI54762\Crypto\Cipher\_raw_des.pyd
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exe, File created: C:\Users\user\AppData\Local\Temp\_MEI70522\_ctypes.pyd
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exe, File created: C:\Users\user\AppData\Local\Temp\_MEI70522\libffi-7.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe, File created: C:\Users\user\AppData\Local\Temp\_MEI54762\Crypto\Cipher\_pkcs1_decode.pyd
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe, File created: C:\Users\user\AppData\Local\Temp\_MEI54762\_socket.pyd
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exe, File created: C:\Users\user\AppData\Local\Temp\_MEI70522\_lzma.pyd
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exe, File created: C:\Users\user\AppData\Local\Temp\_MEI70522\Crypto\Hash\_SHA384.pyd
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe, File created: C:\Users\user\AppData\Local\Temp\_MEI54762\Crypto\Cipher\_raw_ecb.pyd
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe, File created: C:\Users\user\AppData\Local\Temp\_MEI54762\VCRUNTIME140.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe, File created: C:\Users\user\AppData\Local\Temp\_MEI54762\Crypto\Hash\_SHA384.pyd
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exe, File created: C:\Users\user\AppData\Local\Temp\_MEI70522\Crypto\Cipher\_raw_aesni.pyd
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe, File created: C:\Users\user\AppData\Local\Temp\_MEI54762\charset_normalizer\md.cp310-win_amd64.pyd
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exe, File created: C:\Users\user\AppData\Local\Temp\_MEI70522\_sqlite3.pyd
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exe, File created: C:\Users\user\AppData\Local\Temp\_MEI70522\cryptography\hazmat\bindings\_rust.pyd
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exe, File created: C:\Users\user\AppData\Local\Temp\_MEI70522\Crypto\PublicKey\_ec_ws.pyd
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe, File created: C:\Users\user\AppData\Local\Temp\_MEI54762\pyexpat.pyd
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe, File created: C:\Users\user\AppData\Local\Temp\_MEI54762\Crypto\Cipher\_raw_cbc.pyd
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exe, File created: C:\Users\user\AppData\Local\Temp\_MEI70522\Crypto\Cipher\_Salsa20.pyd
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe, File created: C:\Users\user\AppData\Local\Temp\_MEI54762\Crypto\Hash\_SHA512.pyd
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exe, File created: C:\Users\user\AppData\Local\Temp\_MEI70522\Crypto\Hash\_ghash_clmul.pyd
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exe, File created: C:\Users\user\AppData\Local\Temp\_MEI70522\unicodedata.pyd
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe, File created: C:\Users\user\AppData\Local\Temp\_MEI54762\Crypto\Hash\_RIPEMD160.pyd
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe, File created: C:\Users\user\AppData\Local\Temp\_MEI54762\Crypto\Hash\_SHA256.pyd
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe, File created: C:\Users\user\AppData\Local\Temp\_MEI54762\win32\win32trace.pyd
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe, File created: C:\Users\user\AppData\Local\Temp\_MEI54762\_overlapped.pyd
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe, File created: C:\Users\user\AppData\Local\Temp\_MEI54762\_decimal.pyd
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exe, File created: C:\Users\user\AppData\Local\Temp\_MEI70522\sqlite3.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe, File created: C:\Users\user\AppData\Local\Temp\_MEI54762\Crypto\Cipher\_Salsa20.pyd
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exe, File created: C:\Users\user\AppData\Local\Temp\_MEI70522\charset_normalizer\md__mypyc.cp310-win_amd64.pyd
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe, File created: C:\Users\user\AppData\Local\Temp\_MEI54762\libssl-1_1.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe, File created: C:\Users\user\AppData\Local\Temp\_MEI54762\libcrypto-1_1.dll
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exe, File created: C:\Users\user\AppData\Local\Temp\_MEI70522\Crypto\Cipher\_raw_cfb.pyd
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exe, File created: C:\Users\user\AppData\Local\Temp\_MEI70522\Crypto\Hash\_SHA512.pyd
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exe, File created: C:\Users\user\AppData\Local\Temp\_MEI70522\Crypto\Cipher\_raw_eksblowfish.pyd
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exe, File created: C:\Users\user\AppData\Local\Temp\_MEI70522\Crypto\Cipher\_raw_aes.pyd
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI54762\cryptography\hazmat\bindings\_rust.pydJump to dropped file
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI54762\Crypto\Cipher\_raw_blowfish.pydJump to dropped file
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI70522\Crypto\Cipher\_raw_ecb.pydJump to dropped file
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI70522\Crypto\Cipher\_raw_cast.pydJump to dropped file
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI54762\Crypto\Cipher\_raw_cast.pydJump to dropped file
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI54762\Crypto\PublicKey\_ed448.pydJump to dropped file
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI70522\_ssl.pydJump to dropped file
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI70522\Crypto\Hash\_MD5.pydJump to dropped file
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI70522\Crypto\Cipher\_raw_des.pydJump to dropped file
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI54762\Crypto\PublicKey\_x25519.pydJump to dropped file
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI70522\Crypto\Hash\_keccak.pydJump to dropped file
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI70522\Pythonwin\win32ui.pydJump to dropped file
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI54762\Crypto\PublicKey\_ec_ws.pydJump to dropped file
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI54762\pywin32_system32\pywintypes310.dllJump to dropped file
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI70522\Crypto\Cipher\_raw_ctr.pydJump to dropped file
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI70522\Crypto\Protocol\_scrypt.pydJump to dropped file
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI54762\Crypto\Math\_modexp.pydJump to dropped file
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI54762\Crypto\Hash\_BLAKE2b.pydJump to dropped file
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI70522\Crypto\Hash\_RIPEMD160.pydJump to dropped file
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI70522\win32\win32api.pydJump to dropped file
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI70522\Crypto\Hash\_SHA1.pydJump to dropped file
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI70522\VCRUNTIME140.dllJump to dropped file
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI54762\_ctypes.pydJump to dropped file
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI70522\_multiprocessing.pydJump to dropped file
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeJump to dropped file
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI70522\Crypto\Math\_modexp.pydJump to dropped file
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI70522\Crypto\PublicKey\_ed448.pydJump to dropped file
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI70522\_hashlib.pydJump to dropped file
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI70522\Crypto\Hash\_BLAKE2s.pydJump to dropped file
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI70522\Crypto\Hash\_BLAKE2b.pydJump to dropped file
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI54762\Crypto\Util\_cpuid_c.pydJump to dropped file
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI54762\VCRUNTIME140_1.dllJump to dropped file
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI70522\libcrypto-1_1.dllJump to dropped file
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI54762\_queue.pydJump to dropped file
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI54762\Crypto\Hash\_ghash_clmul.pydJump to dropped file
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI70522\win32\_win32sysloader.pydJump to dropped file
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI70522\Crypto\Cipher\_ARC4.pydJump to dropped file
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI54762\Crypto\Hash\_SHA1.pydJump to dropped file
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI70522\select.pydJump to dropped file
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI54762\charset_normalizer\md__mypyc.cp310-win_amd64.pydJump to dropped file
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI70522\Crypto\Cipher\_pkcs1_decode.pydJump to dropped file
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI54762\Crypto\Cipher\_ARC4.pydJump to dropped file
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI70522\Crypto\Cipher\_raw_cbc.pydJump to dropped file
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI54762\Crypto\Hash\_MD5.pydJump to dropped file
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI70522\win32\win32trace.pydJump to dropped file
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI54762\Crypto\Hash\_ghash_portable.pydJump to dropped file
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI54762\unicodedata.pydJump to dropped file
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI70522\_cffi_backend.cp310-win_amd64.pydJump to dropped file
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI54762\python3.dllJump to dropped file
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI54762\Crypto\PublicKey\_ed25519.pydJump to dropped file
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI54762\libffi-7.dllJump to dropped file
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI70522\_decimal.pydJump to dropped file
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI70522\Crypto\Hash\_ghash_portable.pydJump to dropped file
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI54762\Crypto\Cipher\_raw_des3.pydJump to dropped file
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI54762\Crypto\Protocol\_scrypt.pydJump to dropped file
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI54762\_ssl.pydJump to dropped file
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI70522\_asyncio.pydJump to dropped file
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI54762\_cffi_backend.cp310-win_amd64.pydJump to dropped file
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI54762\Crypto\Cipher\_raw_arc2.pydJump to dropped file
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI70522\Crypto\Cipher\_raw_des3.pydJump to dropped file
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI54762\sqlite3.dllJump to dropped file
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI70522\_overlapped.pydJump to dropped file
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI70522\pywin32_system32\pythoncom310.dllJump to dropped file
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI54762\_hashlib.pydJump to dropped file
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI54762\_uuid.pydJump to dropped file
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI54762\Crypto\Hash\_MD2.pydJump to dropped file
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI54762\Crypto\Cipher\_raw_ocb.pydJump to dropped file
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI70522\Crypto\Cipher\_raw_arc2.pydJump to dropped file
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI54762\Crypto\Cipher\_raw_ofb.pydJump to dropped file
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI54762\Crypto\Cipher\_raw_aes.pydJump to dropped file
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI70522\Pythonwin\mfc140u.dllJump to dropped file
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI54762\win32\_win32sysloader.pydJump to dropped file
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI54762\_sqlite3.pydJump to dropped file
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI54762\Pythonwin\win32ui.pydJump to dropped file
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI54762\Crypto\Hash\_poly1305.pydJump to dropped file
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI54762\pywin32_system32\pythoncom310.dllJump to dropped file
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI70522\_socket.pydJump to dropped file
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI70522\win32com\shell\shell.pydJump to dropped file

            Boot Survival

            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exe; File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeCode function: 1_2_00007FF780465190 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,1_2_00007FF780465190
            Source: C:\Windows\System32\tasklist.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70522\Crypto\Cipher\_raw_eksblowfish.pydJump to dropped file
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70522\Crypto\Hash\_SHA512.pydJump to dropped file
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI54762\cryptography\hazmat\bindings\_rust.pydJump to dropped file
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70522\Crypto\Cipher\_raw_aes.pydJump to dropped file
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI54762\Crypto\Cipher\_raw_blowfish.pydJump to dropped file
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70522\Crypto\Cipher\_raw_cast.pydJump to dropped file
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70522\Crypto\Cipher\_raw_ecb.pydJump to dropped file
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI54762\Crypto\Cipher\_raw_cast.pydJump to dropped file
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI54762\Crypto\PublicKey\_ed448.pydJump to dropped file
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70522\_ssl.pydJump to dropped file
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70522\Crypto\Hash\_MD5.pydJump to dropped file
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI54762\Crypto\PublicKey\_x25519.pydJump to dropped file
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70522\Crypto\Cipher\_raw_des.pydJump to dropped file
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI54762\pywin32_system32\pywintypes310.dllJump to dropped file
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI54762\Crypto\PublicKey\_ec_ws.pydJump to dropped file
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70522\Crypto\Hash\_keccak.pydJump to dropped file
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70522\Pythonwin\win32ui.pydJump to dropped file
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70522\Crypto\Cipher\_raw_ctr.pydJump to dropped file
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI54762\Crypto\Math\_modexp.pydJump to dropped file
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70522\Crypto\Protocol\_scrypt.pydJump to dropped file
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI54762\Crypto\Hash\_BLAKE2b.pydJump to dropped file
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70522\Crypto\Hash\_RIPEMD160.pydJump to dropped file
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70522\win32\win32api.pydJump to dropped file
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70522\Crypto\Hash\_SHA1.pydJump to dropped file
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI54762\_ctypes.pydJump to dropped file
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70522\_multiprocessing.pydJump to dropped file
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70522\Crypto\PublicKey\_ed448.pydJump to dropped file
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70522\_hashlib.pydJump to dropped file
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70522\Crypto\Math\_modexp.pydJump to dropped file
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70522\Crypto\Hash\_BLAKE2s.pydJump to dropped file
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70522\Crypto\Hash\_BLAKE2b.pydJump to dropped file
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI54762\Crypto\Util\_cpuid_c.pydJump to dropped file
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI54762\_queue.pydJump to dropped file
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI54762\Crypto\Hash\_ghash_clmul.pydJump to dropped file
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70522\win32\_win32sysloader.pydJump to dropped file
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70522\Crypto\Cipher\_ARC4.pydJump to dropped file
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI54762\Crypto\Hash\_SHA1.pydJump to dropped file
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70522\select.pydJump to dropped file
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI54762\charset_normalizer\md__mypyc.cp310-win_amd64.pydJump to dropped file
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70522\Crypto\Cipher\_pkcs1_decode.pydJump to dropped file
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI54762\Crypto\Cipher\_ARC4.pydJump to dropped file
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70522\Crypto\Cipher\_raw_cbc.pydJump to dropped file
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI54762\Crypto\Hash\_MD5.pydJump to dropped file
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70522\win32\win32trace.pydJump to dropped file
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI54762\Crypto\Hash\_ghash_portable.pydJump to dropped file
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI54762\unicodedata.pydJump to dropped file
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70522\_cffi_backend.cp310-win_amd64.pydJump to dropped file
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI54762\python3.dllJump to dropped file
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI54762\Crypto\PublicKey\_ed25519.pydJump to dropped file
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70522\_decimal.pydJump to dropped file
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI54762\Crypto\Protocol\_scrypt.pydJump to dropped file
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI54762\_ssl.pydJump to dropped file
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI54762\Crypto\Cipher\_raw_des3.pydJump to dropped file
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70522\Crypto\Hash\_ghash_portable.pydJump to dropped file
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70522\_asyncio.pydJump to dropped file
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI54762\_cffi_backend.cp310-win_amd64.pydJump to dropped file
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI54762\Crypto\Cipher\_raw_arc2.pydJump to dropped file
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70522\Crypto\Cipher\_raw_des3.pydJump to dropped file
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70522\_overlapped.pydJump to dropped file
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70522\pywin32_system32\pythoncom310.dllJump to dropped file
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI54762\_hashlib.pydJump to dropped file
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI54762\_uuid.pydJump to dropped file
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI54762\Crypto\Hash\_MD2.pydJump to dropped file
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI54762\Crypto\Cipher\_raw_ocb.pydJump to dropped file
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70522\Crypto\Cipher\_raw_arc2.pydJump to dropped file
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI54762\Crypto\Cipher\_raw_aes.pydJump to dropped file
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI54762\Crypto\Cipher\_raw_ofb.pydJump to dropped file
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70522\Pythonwin\mfc140u.dllJump to dropped file
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI54762\win32\_win32sysloader.pydJump to dropped file
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI54762\_sqlite3.pydJump to dropped file
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI54762\Pythonwin\win32ui.pydJump to dropped file
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI54762\Crypto\Hash\_poly1305.pydJump to dropped file
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI54762\pywin32_system32\pythoncom310.dllJump to dropped file
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70522\win32com\shell\shell.pydJump to dropped file
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70522\_socket.pydJump to dropped file
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCheck user administrative privileges: GetTokenInformation,DecisionNodes
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeCheck user administrative privileges: GetTokenInformation,DecisionNodesgraph_1-16326
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeAPI coverage: 3.5 %
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeAPI coverage: 0.6 %
            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeCode function: 1_2_00007FF780477CFC _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,1_2_00007FF780477CFC
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeCode function: 1_2_00007FF780481D94 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,1_2_00007FF780481D94
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeCode function: 1_2_00007FF780468880 FindFirstFileExW,FindClose,1_2_00007FF780468880
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 10_2_00007FF60F528880 FindFirstFileExW,FindClose,10_2_00007FF60F528880
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 10_2_00007FF60F537CFC _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,10_2_00007FF60F537CFC
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 10_2_00007FF60F541D94 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,10_2_00007FF60F541D94
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 11_2_00007FFDFA4F3229 _errno,malloc,_errno,memset,MultiByteToWideChar,GetLastError,MultiByteToWideChar,MultiByteToWideChar,free,_errno,FindFirstFileW,_errno,FindNextFileW,WideCharToMultiByte,11_2_00007FFDFA4F3229
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeCode function: 2_2_00007FFDFADCF820 GetSystemInfo,2_2_00007FFDFADCF820
            Source: C:\Windows\System32\cmd.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\
            Source: C:\Windows\System32\cmd.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\
            Source: C:\Windows\System32\cmd.exe File opened: C:\Users\user\AppData\
            Source: C:\Windows\System32\cmd.exe File opened: C:\Users\user\AppData\Roaming\
            Source: C:\Windows\System32\cmd.exe File opened: C:\Users\user\
            Source: C:\Windows\System32\cmd.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
            Source: 231210-10-Creal-33652f.exe, 00000001.00000003.1838078906.0000029146807000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 0000000A.00000003.2001852194.0000013616BEA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: j2aTPs+9xYa9+bG3tD60B8jzljHz7aRP+KNOjSkVWLjVb3/ubCK1sK9IRQq9qEmU
            Source: 231210-10-Creal-33652f.exe, 00000002.00000002.3085771881.000001CD61B70000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWted %SystemRoot%\system32\mswsock.dllused to figure out the number of
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeCode function: 1_2_00007FF78047AA88 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_00007FF78047AA88
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeCode function: 1_2_00007FF7804839A0 GetProcessHeap,1_2_00007FF7804839A0
            Source: C:\Windows\System32\tasklist.exe Process token adjusted: Debug
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeCode function: 1_2_00007FF78046BC90 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,1_2_00007FF78046BC90
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeCode function: 1_2_00007FF78046C52C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_00007FF78046C52C
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeCode function: 1_2_00007FF78046C710 SetUnhandledExceptionFilter,1_2_00007FF78046C710
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeCode function: 2_2_00007FFDFACA3048 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_00007FFDFACA3048
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeCode function: 2_2_00007FFDFACA2A80 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_2_00007FFDFACA2A80
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeCode function: 2_2_00007FFDFAEE64B0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_2_00007FFDFAEE64B0
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeCode function: 2_2_00007FFDFAF32009 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_00007FFDFAF32009
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 10_2_00007FF60F52C710 SetUnhandledExceptionFilter,10_2_00007FF60F52C710
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 10_2_00007FF60F52BC90 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,10_2_00007FF60F52BC90
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 10_2_00007FF60F52C52C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,10_2_00007FF60F52C52C
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 10_2_00007FF60F53AA88 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,10_2_00007FF60F53AA88
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 11_2_00007FFDFA141390 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,11_2_00007FFDFA141390
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 11_2_00007FFDFA141960 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,11_2_00007FFDFA141960
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 11_2_00007FFDFA151390 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,11_2_00007FFDFA151390
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 11_2_00007FFDFA151960 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,11_2_00007FFDFA151960
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 11_2_00007FFDFA161390 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,11_2_00007FFDFA161390
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 11_2_00007FFDFA161960 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,11_2_00007FFDFA161960
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 11_2_00007FFDFA171390 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,11_2_00007FFDFA171390
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 11_2_00007FFDFA171960 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,11_2_00007FFDFA171960
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeCode function: 11_2_00007FFDFA181390 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,11_2_00007FFDFA181390
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe Code function: 11_2_00007FFDFA181960 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,11_2_00007FFDFA181960
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe Code function: 11_2_00007FFDFA191390 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,11_2_00007FFDFA191390
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe Code function: 11_2_00007FFDFA191960 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,11_2_00007FFDFA191960
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe Code function: 11_2_00007FFDFA1A1390 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,11_2_00007FFDFA1A1390
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe Code function: 11_2_00007FFDFA1A1960 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,11_2_00007FFDFA1A1960
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe Code function: 11_2_00007FFDFA1B1390 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,11_2_00007FFDFA1B1390
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe Code function: 11_2_00007FFDFA1B1960 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,11_2_00007FFDFA1B1960
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe Code function: 11_2_00007FFDFA1C1390 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,11_2_00007FFDFA1C1390
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe Code function: 11_2_00007FFDFA1C1960 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,11_2_00007FFDFA1C1960
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe Code function: 11_2_00007FFDFA1D1390 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,11_2_00007FFDFA1D1390
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe Code function: 11_2_00007FFDFA1D1960 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,11_2_00007FFDFA1D1960
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe Code function: 11_2_00007FFDFA1E1390 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,11_2_00007FFDFA1E1390
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe Code function: 11_2_00007FFDFA1E1960 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,11_2_00007FFDFA1E1960
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe Code function: 11_2_00007FFDFA1F1390 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,11_2_00007FFDFA1F1390
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe Code function: 11_2_00007FFDFA1F1960 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,11_2_00007FFDFA1F1960
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe Code function: 11_2_00007FFDFA201390 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,11_2_00007FFDFA201390
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe Code function: 11_2_00007FFDFA201960 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,11_2_00007FFDFA201960
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe Code function: 11_2_00007FFDFA211390 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,11_2_00007FFDFA211390
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe Code function: 11_2_00007FFDFA211960 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,11_2_00007FFDFA211960
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe Code function: 11_2_00007FFDFA221390 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,11_2_00007FFDFA221390
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe Code function: 11_2_00007FFDFA221960 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,11_2_00007FFDFA221960
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe Code function: 11_2_00007FFDFA231390 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,11_2_00007FFDFA231390
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe Code function: 11_2_00007FFDFA231960 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,11_2_00007FFDFA231960
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe Code function: 11_2_00007FFDFA241390 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,11_2_00007FFDFA241390
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe Code function: 11_2_00007FFDFA241960 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,11_2_00007FFDFA241960
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe Code function: 11_2_00007FFDFA251390 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,11_2_00007FFDFA251390
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe Code function: 11_2_00007FFDFA251960 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,11_2_00007FFDFA251960
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe Code function: 11_2_00007FFDFA262A80 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,11_2_00007FFDFA262A80
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe Code function: 11_2_00007FFDFA263048 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,11_2_00007FFDFA263048
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe Code function: 11_2_00007FFDFA4A64B0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,11_2_00007FFDFA4A64B0
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exe Process created: C:\Users\user\Desktop\231210-10-Creal-33652f.exe "C:\Users\user\Desktop\231210-10-Creal-33652f.exe"
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "ver"
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist"
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe"
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "ver"
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist"
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exe Code function: 1_2_00007FF780489CF0 cpuid 1_2_00007FF780489CF0
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70522\Crypto VolumeInformation
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70522\Crypto\Cipher VolumeInformation
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70522\Crypto\Hash VolumeInformation
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70522\Crypto\PublicKey VolumeInformation
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70522\Crypto\Util VolumeInformation
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70522\cryptography-41.0.7.dist-info VolumeInformation
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70522\pywin32_system32 VolumeInformation
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70522\setuptools-65.5.0.dist-info VolumeInformation
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70522\win32 VolumeInformation
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70522\base_library.zip VolumeInformation
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exe Queries volume information: C:\Users\user\Desktop\231210-10-Creal-33652f.exe VolumeInformation
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70522 VolumeInformation
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70522\_ctypes.pyd VolumeInformation
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70522\_bz2.pyd VolumeInformation
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70522\_lzma.pyd VolumeInformation
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70522\win32 VolumeInformation
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70522\Pythonwin VolumeInformation
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70522\pywin32_system32 VolumeInformation
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70522\libcrypto-1_1.dll VolumeInformation
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70522\_socket.pyd VolumeInformation
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70522\select.pyd VolumeInformation
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70522\pyexpat.pyd VolumeInformation
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70522\_queue.pyd VolumeInformation
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70522\pywin32_system32\pywintypes310.dll VolumeInformation
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70522\pywin32_system32\pythoncom310.dll VolumeInformation
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70522\win32\win32api.pyd VolumeInformation
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70522\win32com VolumeInformation
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI70522\win32com VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI70522\win32com VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeQueries volume information: C:\Users\user\Desktop\231210-10-Creal-33652f.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeQueries volume information: C:\Users\user\Desktop\231210-10-Creal-33652f.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeQueries volume information: C:\Users\user\Desktop\231210-10-Creal-33652f.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeQueries volume information: C:\Users\user\Desktop\231210-10-Creal-33652f.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeQueries volume information: C:\Users\user\Desktop\231210-10-Creal-33652f.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeQueries volume information: C:\Users\user\Desktop\231210-10-Creal-33652f.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeQueries volume information: C:\Users\user\Desktop\231210-10-Creal-33652f.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeQueries volume information: C:\Users\user\Desktop\231210-10-Creal-33652f.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeQueries volume information: C:\Users\user\Desktop\231210-10-Creal-33652f.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI70522\base_library.zip VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI70522\base_library.zip VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeQueries volume information: C:\Users\user\Desktop\231210-10-Creal-33652f.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeQueries volume information: C:\Users\user\Desktop\231210-10-Creal-33652f.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeQueries volume information: C:\Users\user\Desktop\231210-10-Creal-33652f.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeQueries volume information: C:\Users\user\Desktop\231210-10-Creal-33652f.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeQueries volume information: C:\Users\user\Desktop\231210-10-Creal-33652f.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeQueries volume information: C:\Users\user\Desktop\231210-10-Creal-33652f.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeQueries volume information: C:\Users\user\Desktop\231210-10-Creal-33652f.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeQueries volume information: C:\Users\user\Desktop\231210-10-Creal-33652f.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeQueries volume information: C:\Users\user\Desktop\231210-10-Creal-33652f.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exeQueries volume information: C:\Users\user\Desktop\231210-10-Creal-33652f.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70522 VolumeInformation
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70522\win32 VolumeInformation
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70522\Pythonwin VolumeInformation
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70522\cryptography-41.0.7.dist-info VolumeInformation
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70522\setuptools-65.5.0.dist-info VolumeInformation
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70522\_ssl.pyd VolumeInformation
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70522\_asyncio.pyd VolumeInformation
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI54762\Crypto VolumeInformation
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI54762\Crypto\Cipher VolumeInformation
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI54762\Crypto\Hash VolumeInformation
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI54762\Crypto\PublicKey VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI54762\Crypto VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI54762\Crypto\PublicKey VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI54762\Crypto VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI54762\Crypto VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI54762\Crypto VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI54762\Crypto\Util VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI54762\certifi VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI54762\charset_normalizer VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI54762\cryptography-41.0.7.dist-info VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI54762\cryptography-41.0.7.dist-info VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI54762\cryptography-41.0.7.dist-info VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI54762\cryptography-41.0.7.dist-info VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI54762\cryptography-41.0.7.dist-info VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI54762\cryptography-41.0.7.dist-info VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI54762\setuptools-65.5.0.dist-info VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI54762\setuptools-65.5.0.dist-info VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI54762\setuptools-65.5.0.dist-info VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI54762\setuptools-65.5.0.dist-info VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI54762\setuptools-65.5.0.dist-info VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI54762\setuptools-65.5.0.dist-info VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exe Code function: 1_2_00007FF78046C410 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,1_2_00007FF78046C410
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exe Code function: 1_2_00007FF780486220 _get_daylight,_get_daylight,_get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation,1_2_00007FF780486220
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Stealing of Sensitive Information

            Source: Yara match File source: 0000000B.00000002.3089238430.000001AFC16C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 0000000B.00000002.3088138594.000001AFC0E57000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000002.00000002.3089335128.000001CD634B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000002.00000002.3088018698.000001CD62B06000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: Process Memory Space: 231210-10-Creal-33652f.exe PID: 6292, type: MEMORYSTR
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe File opened: C:\Users\user\AppData\Local\Google\Chrome SxS\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exe File opened: C:\Users\user\AppData\Local\Discord
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exe File opened: C:\Users\user\AppData\Local\DiscordCanary
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exe File opened: C:\Users\user\AppData\Local\DiscordPTB
            Source: C:\Users\user\Desktop\231210-10-Creal-33652f.exe File opened: C:\Users\user\AppData\Local\DiscordDevelopment
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe File opened: C:\Users\user\AppData\Local\Discord
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe File opened: C:\Users\user\AppData\Local\DiscordCanary
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe File opened: C:\Users\user\AppData\Local\DiscordPTB
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe File opened: C:\Users\user\AppData\Local\DiscordDevelopment

            Remote Access Functionality

            Source: Yara match File source: 0000000B.00000002.3089238430.000001AFC16C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 0000000B.00000002.3088138594.000001AFC0E57000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000002.00000002.3089335128.000001CD634B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000002.00000002.3088018698.000001CD62B06000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: Process Memory Space: 231210-10-Creal-33652f.exe PID: 6292, type: MEMORYSTR
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe Code function: 11_2_00007FFDFA4F2B5D bind,WSAGetLastError,11_2_00007FFDFA4F2B5D
            Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
            Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Windows Management Instrumentation | 12 Registry Run Keys / Startup Folder | 11 Process Injection | 1 Masquerading | 1 OS Credential Dumping | 2 System Time Discovery | Remote Services | 1 Email Collection | 21 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
            Credentials | Domains | Default Accounts | 1 Native API | 1 DLL Side-Loading | 12 Registry Run Keys / Startup Folder | 11 Process Injection | LSASS Memory | 21 Security Software Discovery | Remote Desktop Protocol | 1 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
            Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | Security Account Manager | 1 Process Discovery | SMB/Windows Admin Shares | 2 Data from Local System | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
            Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Obfuscated Files or Information | NTDS | 1 System Network Configuration Discovery | Distributed Component Object Model | Input Capture | 3 Application Layer Protocol | Traffic Duplication | Data Destruction
            Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Timestomp | LSA Secrets | 2 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
            Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 25 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
            Behavior graph (figure not reproduced): Behavior Graph ID: 1480029, Sample: 231210-10-Creal-33652f.exe, Startdate: 24/07/2024, Architecture: WINDOWS, Score: 100

            Source | Detection | Scanner | Label | Link
            231210-10-Creal-33652f.exe | 42% | ReversingLabs | Win64.Trojan.CrealStealer |
            231210-10-Creal-33652f.exe | 100% | Avira | TR/PSW.Agent.nqwzf |
            231210-10-Creal-33652f.exe | 100% | Joe Sandbox ML | |
            No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
api.ipify.org | 104.26.12.205 | true | false | - | unknown
geolocation-db.com | 159.89.102.253 | true | true | - | unknown
api.gofile.io | 51.91.7.6 | true | false | - | unknown
fp2e7a.wpc.phicdn.net | 192.229.221.95 | true | false | - | unknown
198.187.3.20.in-addr.arpa | unknown | unknown | true | - | unknown

Name | Malicious | Antivirus Detection | Reputation
https://api.ipify.org/ | false | URL Reputation: safe | unknown

Name | Source | Malicious | Antivirus Detection | Reputation
                          • Avira URL Cloud: safe
                          unknown
                          https://setuptools.pypa.io/en/stable/history.html231210-10-Creal-33652f.exe, 0000000A.00000003.2011335325.0000013616BEA000.00000004.00000020.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://mail.python.org/mailman/listinfo/cryptography-dev231210-10-Creal-33652f.exe, 00000001.00000003.1839306790.000002914680B000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 0000000A.00000003.2002971437.0000013616BEA000.00000004.00000020.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://docs.python.org/library/itertools.html#recipes231210-10-Creal-33652f.exe, 00000002.00000002.3087546457.000001CD626B0000.00000004.00001000.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000002.00000002.3086183664.000001CD61E60000.00000004.00001000.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000002.00000003.1865445286.000001CD621BE000.00000004.00000020.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://ocsp.accv.esH231210-10-Creal-33652f.exe, 00000002.00000003.1896889890.000001CD62DCA000.00000004.00000020.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000002.00000003.1896636244.000001CD62DB5000.00000004.00000020.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://yahoo.com)z231210-10-Creal-33652f.exe, 00000002.00000002.3088018698.000001CD62B06000.00000004.00000020.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://discord.com/api/users/231210-10-Creal-33652f.exe, 00000002.00000002.3089335128.000001CD634B0000.00000004.00001000.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000002.00000002.3088018698.000001CD62B06000.00000004.00000020.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://api.gofile.io/getServer231210-10-Creal-33652f.exe, 00000002.00000002.3090204077.000001CD63C8C000.00000004.00001000.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 0000000B.00000002.3090091504.000001AFC1DD8000.00000004.00001000.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://steam.com)231210-10-Creal-33652f.exe, 00000002.00000002.3089335128.000001CD634B0000.00000004.00001000.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://gist.github.com/lyssdod/f51579ae8d93c8657a5564aefc2ffbca231210-10-Creal-33652f.exe, 00000002.00000002.3087647567.000001CD627B0000.00000004.00001000.00020000.00000000.sdmp, 231210-10-Creal-33652f.exe, 00000002.00000002.3086072974.000001CD61D50000.00000004.00001000.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          • No. of IPs < 25%
                          • 25% < No. of IPs < 50%
                          • 50% < No. of IPs < 75%
                          • 75% < No. of IPs
IP              Domain              Country        ASN    ASN Name          Malicious
104.26.12.205   api.ipify.org       United States  13335  CLOUDFLARENETUS   false
51.91.7.6       api.gofile.io       France         16276  OVHFR             false
45.112.123.126  unknown             Singapore      16509  AMAZON-02US       false
159.89.102.253  geolocation-db.com  United States  14061  DIGITALOCEAN-ASNUS  true
172.67.74.152   unknown             United States  13335  CLOUDFLARENETUS   false
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1480029
Start date and time: 2024-07-24 14:15:02 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 11m 56s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 18
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: 231210-10-Creal-33652f.exe
Detection: MAL
Classification: mal100.troj.adwa.spyw.winEXE@21/199@7/5
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 82%
• Number of executed functions: 60
• Number of non-executed functions: 232
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 40.126.32.138, 40.126.32.134, 20.190.160.22, 40.126.32.74, 40.126.32.133, 20.190.160.17, 40.126.32.136, 40.126.32.76, 88.221.110.91, 2.16.100.168, 104.208.16.94
• Excluded domains from analysis (whitelisted): prdv4a.aadg.msidentity.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, www.tm.v4.a.prd.aadg.akadns.net, ctldl.windowsupdate.com, a767.dspw65.akamai.net, login.msa.msidentity.com, fe3cr.delivery.mp.microsoft.com, download.windowsupdate.com.edgesuite.net, ocsp.digicert.com, login.live.com, ocsp.edge.digicert.com, blobcollector.events.data.trafficmanager.net, umwatson.events.data.microsoft.com, wu-b-net.trafficmanager.net, www.tm.lg.prod.aadmsa.trafficmanager.net, onedsblobprdcus16.centralus.cloudapp.azure.com
• Not all processes where analyzed, report is missing behavior information
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryVolumeInformationFile calls found.
• VT rate limit hit for: 231210-10-Creal-33652f.exe
Time      Type       Description
13:16:16  Autostart  Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe
                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe
                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):11264
                                                                                      Entropy (8bit):4.6989965032233245
                                                                                      Encrypted:false
                                                                                      SSDEEP:96:v9VD9daQ2iTrqT+y/ThvQ0I1uLfcC75JiC4Rs89EcYyGDPM0OcX6gY/7ECFV:39damqT3ThITst0E5DPKcqgY/79X
                                                                                      MD5:56976443600793FF2302EE7634E496B3
                                                                                      SHA1:018CE9250732A1794BBD0BDB8164061022B067AA
                                                                                      SHA-256:10F461A94C3D616C19FF1A88DEC1EFEA5194F7150F5D490B38AC4E1B31F673DD
                                                                                      SHA-512:A764C636D5D0B878B91DC61485E8699D7AA36F09AA1F0BD6AF33A8652098F28AEB3D7055008E56EBFC012BD3EA0868242A72E44DED0C83926F13D16866C31415
                                                                                      Malicious:false
                                                                                      Antivirus:
                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                      Joe Sandbox View:
                                                                                      • Filename: SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe, Detection: malicious, Browse
                                                                                      • Filename: SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe, Detection: malicious, Browse
                                                                                      • Filename: dll.dll.0.dll, Detection: malicious, Browse
                                                                                      • Filename: dll.dll.0.dll, Detection: malicious, Browse
                                                                                      • Filename: explorer.exe.0.exe, Detection: malicious, Browse
                                                                                      • Filename: 00#U2800.exe, Detection: malicious, Browse
                                                                                      • Filename: prank.exe, Detection: malicious, Browse
                                                                                      • Filename: SecuriteInfo.com.FileRepMalware.5539.23420.exe, Detection: malicious, Browse
                                                                                      • Filename: SecuriteInfo.com.FileRepMalware.5539.23420.exe, Detection: malicious, Browse
                                                                                      • Filename: SecuriteInfo.com.MacOS.ReverseShell-C.30585.8425.exe, Detection: malicious, Browse
                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe
                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):13824
                                                                                      Entropy (8bit):5.047528837102683
                                                                                      Encrypted:false
                                                                                      SSDEEP:192:SF/1nb2eqCQtkluknuz4ceS4QDuEA7cqgYvEP:o2P6luLtn4QDHmgYvEP
                                                                                      MD5:30F13366926DDC878B6D761BEC41879E
                                                                                      SHA1:4B98075CCBF72A6CBF882B6C5CADEF8DC6EC91DB
                                                                                      SHA-256:19D5F8081552A8AAFE901601D1FF5C054869308CEF92D03BCBE7BD2BB1291F23
                                                                                      SHA-512:BDCEC85915AB6EC1D37C1D36B075AE2E69AA638B80CD08971D5FDFD9474B4D1CF442ABF8E93AA991F5A8DCF6DB9D79FB67A9FE7148581E6910D9C952A5E166B4
                                                                                      Malicious:false
                                                                                      Antivirus:
                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                      Joe Sandbox View:
                                                                                      • Filename: SecuriteInfo.com.Win64.Evo-gen.30371.21664.exe, Detection: malicious, Browse
                                                                                      • Filename: SecuriteInfo.com.Win64.Evo-gen.30371.21664.exe, Detection: malicious, Browse
                                                                                      • Filename: SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe, Detection: malicious, Browse
                                                                                      • Filename: SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe, Detection: malicious, Browse
                                                                                      • Filename: dll.dll.0.dll, Detection: malicious, Browse
                                                                                      • Filename: dll.dll.0.dll, Detection: malicious, Browse
                                                                                      • Filename: explorer.exe.0.exe, Detection: malicious, Browse
                                                                                      • Filename: 00#U2800.exe, Detection: malicious, Browse
                                                                                      • Filename: prank.exe, Detection: malicious, Browse
                                                                                      • Filename: SecuriteInfo.com.FileRepMalware.5539.23420.exe, Detection: malicious, Browse
                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe
                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):13312
                                                                                      Entropy (8bit):5.0513840905718395
                                                                                      Encrypted:false
                                                                                      SSDEEP:192:7XF/1nb2eqCQtkXnFYIrWjz0YgWDbu5Do0vdvZt49lkVcqgYvEMN:L2P6XTr0zXgWDbui0vdvZt49MgYvEMN
                                                                                      MD5:CDF7D583B5C0150455BD3DAD43A6BF9B
                                                                                      SHA1:9EE9B033892BEB0E9641A67F456975A78122E4FA
                                                                                      SHA-256:4CA725A1CB10672EE5666ED2B18E926CAAE1A8D8722C14AB3BE2D84BABF646F6
                                                                                      SHA-512:96123559D21A61B144E2989F96F16786C4E94E5FA4DDA0C018EAA7FEFFA61DD6F0ADFA9815DF9D224CDEBE2E7849376D2A79D5A0F51A7F3327A2FAA0A444CE9C
                                                                                      Malicious:false
                                                                                      Antivirus:
                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe
                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):12800
                                                                                      Entropy (8bit):5.1050594710160535
                                                                                      Encrypted:false
                                                                                      SSDEEP:96:/PTF1siKeai1dqmJo0qVVLf/+NJSC6sc9kJ9oPobXXXP4IIYOxDmO8jcX6gRth2h:/LsiHfq5poUkJ97zIDmOucqgRvE
                                                                                      MD5:7918BFE07DCB7AD21822DBAAA777566D
                                                                                      SHA1:964F5B172759538C4E9E9131CE4BB39885D79842
                                                                                      SHA-256:C00840D02ADA7031D294B1AB94A5F630C813AAE6897F18DD66C731F56931868E
                                                                                      SHA-512:D4A05AB632D4F0EB0ED505D803F6A5C0DBE5117D12BA001CE820674903209F7249B690618555F9C061DB58BED1E03BE58AD5D5FE3BC35FC96DF27635639ABF25
                                                                                      Malicious:false
                                                                                      Antivirus:
                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe
                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):36352
                                                                                      Entropy (8bit):6.55587798283519
                                                                                      Encrypted:false
                                                                                      SSDEEP:384:Of+7nYpPMedFDlDchrVX1mEVmT9ZgkoD/PKDkGuF0U390QOo8VdbKBWmuTLg4HPy:WqWB7YJlmLJ3oD/S4j990th9VTsC
                                                                                      MD5:4B032DA3C65EA0CFBDEB8610C4298C51
                                                                                      SHA1:541F9F8D428F4518F96D44BB1037BC348EAE54CF
                                                                                      SHA-256:4AEF77E1359439748E6D3DB1ADB531CF86F4E1A8E437CCD06E8414E83CA28900
                                                                                      SHA-512:2667BF25FD3BF81374750B43AFC5AEFF839EC1FF6DFC3FDD662F1D34A5924F69FC513EA3CD310991F85902A19ADA8B58DED9A9ED7B5D631563F62EA7F2624102
                                                                                      Malicious:false
                                                                                      Antivirus:
                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe
                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):15872
                                                                                      Entropy (8bit):5.2919328525651945
                                                                                      Encrypted:false
                                                                                      SSDEEP:192:oJBjJPqZkEPYinXKccxrEWx4xLquhS3WQ67EIfD4A1ccqgwYUMvEW:6URwin7mrEYCLEGd7/fDnwgwYUMvE
                                                                                      MD5:57E4DF965E41B1F385B02F00EA08AE20
                                                                                      SHA1:583B08C3FC312C8943FECDDD67D6D0A5FC2FF98B
                                                                                      SHA-256:3F64DFFEC486DCF9A2E80CB9D96251B98F08795D5922D43FB69F0A5AC2340FC2
                                                                                      SHA-512:48C3F78AF4E35BFEF3B0023A8039CF83E6B2E496845A11B7A2C2FA8BB62C7CCDE52158D4D37755584716220C34BBF379ECE7F8E3439B009AD099B1890B42A3D9
                                                                                      Malicious:false
                                                                                      Antivirus:
                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe
                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):16384
                                                                                      Entropy (8bit):5.565187477275172
                                                                                      Encrypted:false
                                                                                      SSDEEP:192:MeDd9Vk3yQ5f8vjVKChhXoJDkq6NS7oE2DDHlWw2XpmdcqgwNeecBU8:1k/5cj4shXED+o2Du8zgwNeO8
                                                                                      MD5:F9C93FA6CA17FDF4FF2F13176684FD6C
                                                                                      SHA1:6B6422B4CAF157147F7C0DD4B4BAB2374BE31502
                                                                                      SHA-256:E9AEBB6F17BA05603E0763DFF1A91CE9D175C61C1C2E80F0881A0DEE8CFFBE3A
                                                                                      SHA-512:09843E40E0D861A2DEE97320779C603550433BC9AB9402052EA284C6C74909E17CE0F6D3FDBA983F5EB6E120E2FE0C2B087420E138760BB0716D2999C10935C1
                                                                                      Malicious:false
                                                                                      Antivirus:
                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe
                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):20992
                                                                                      Entropy (8bit):6.058843128972375
                                                                                      Encrypted:false
                                                                                      SSDEEP:384:fHU/5cJMOZA0nmwBD+XpJgLa0Mp8Qhg4P2llyM:QK1XBD+DgLa1qTi
                                                                                      MD5:E4969D864420FEB94F54CEF173D0AD4D
                                                                                      SHA1:7F8FE4225BB6FD37F84EBCE8E64DF7192BA50FB6
                                                                                      SHA-256:94D7D7B43E58170CAEA4520D7F741D743BC82B59BE50AA37D3D2FB7B8F1BB061
                                                                                      SHA-512:F02F02A7DE647DDA723A344DBB043B75DA54D0783AE13E5D25EEC83072EA3B2375F672B710D6348D9FC829E30F8313FA44D5C28B4D65FDA8BB863700CAE994B7
                                                                                      Malicious:false
                                                                                      Antivirus:
                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe
                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):25088
                                                                                      Entropy (8bit):6.458942954966616
                                                                                      Encrypted:false
                                                                                      SSDEEP:384:xVcaHLHm+kJ7ZXmrfXA+UA10ol31tuXyZQ7gLWi:8aHrm+kJNXmrXA+NNxWi28LWi
                                                                                      MD5:CD4B96612DEFDAAC5CF923A3960F15B6
                                                                                      SHA1:3F987086C05A4246D8CCA9A65E42523440C7FFEC
                                                                                      SHA-256:5C25283C95FFF9B0E81FCC76614626EB8048EA3B3FD1CD89FE7E2689130E0447
                                                                                      SHA-512:C650860A3ECC852A25839FF1E379526157EB79D4F158B361C90077875B757F5E7A4AA33FFE5F4F49B28DF5D60E3471370889FBE3BF4D9568474ECE511FF5E67D
                                                                                      Malicious:false
                                                                                      Antivirus:
                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe
                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):12288
                                                                                      Entropy (8bit):4.833693880012467
                                                                                      Encrypted:false
                                                                                      SSDEEP:192:BF/1nb2eqCQtkrAUj8OxKbDbzecqgYvEkrK:t2P6EE8OsbD2gYvEmK
                                                                                      MD5:0C46D7B7CD00B3D474417DE5D6229C41
                                                                                      SHA1:825BDB1EA8BBFE7DE69487B76ABB36196B5FDAC0
                                                                                      SHA-256:9D0A5C9813AD6BA129CAFEF815741636336EB9426AC4204DE7BC0471F7B006E1
                                                                                      SHA-512:D81B17B100A052899D1FD4F8CEA1B1919F907DAA52F1BAD8DC8E3F5AFC230A5BCA465BBAC2E45960E7F8072E51FDD86C00416D06CF2A1F07DB5AD8A4E3930864
                                                                                      Malicious:false
                                                                                      Antivirus:
                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe
                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):13824
                                                                                      Entropy (8bit):4.900216636767426
                                                                                      Encrypted:false
                                                                                      SSDEEP:192:YTI1RgPfqLlvIOP3bdS2hkPUDk9oCM/vPXcqgzQkvEmO:YTvYgAdDkUDDCWpgzQkvE
                                                                                      MD5:3142C93A6D9393F071AB489478E16B86
                                                                                      SHA1:4FE99C817ED3BCC7708A6631F100862EBDA2B33D
                                                                                      SHA-256:5EA310E0F85316C8981ED6293086A952FA91A6D12CA3F8AF9581521EE2B15586
                                                                                      SHA-512:DCAFEC54BD9F9F42042E6FA4AC5ED53FEB6CF8D56ADA6A1787CAFC3736AA72F14912BBD1B27D0AF87E79A6D406B0326602ECD1AD394ACDC6275AED4C41CDB9EF
                                                                                      Malicious:false
                                                                                      Antivirus:
                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe
                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):14848
                                                                                      Entropy (8bit):5.302400096950382
                                                                                      Encrypted:false
                                                                                      SSDEEP:192:SJ1gSPqgKkwv0i8NSixSK57NEEE/qexcEtDr+DjRcqgUF6+6vEX:6E1si8NSixS0CqebtD+rgUUjvE
                                                                                      MD5:A34F499EE5F1B69FC4FED692A5AFD3D6
                                                                                      SHA1:6A37A35D4F5F772DAB18E1C2A51BE756DF16319A
                                                                                      SHA-256:4F74BCF6CC81BAC37EA24CB1EF0B17F26B23EDB77F605531857EAA7B07D6C8B2
                                                                                      SHA-512:301F7C31DEE8FF65BB11196F255122E47F3F1B6B592C86B6EC51AB7D9AC8926FECFBE274679AD4F383199378E47482B2DB707E09D73692BEE5E4EC79C244E3A8
                                                                                      Malicious:false
                                                                                      Antivirus:
                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe
                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):57856
                                                                                      Entropy (8bit):4.25844209931351
                                                                                      Encrypted:false
                                                                                      SSDEEP:384:1UqVT1dZ/lHkJnYcZiGKdZHDLtiduprZAZB0JAIg+v:nHlHfJid3X
                                                                                      MD5:007BE822C3657687A84A7596531D79B7
                                                                                      SHA1:B24F74FDC6FA04EB7C4D1CD7C757C8F1C08D4674
                                                                                      SHA-256:6CF2B3969E44C88B34FB145166ACCCDE02B53B46949A9D5C37D83CA9C921B8C8
                                                                                      SHA-512:F9A8B070302BDFE39D0CD8D3E779BB16C9278AE207F5FADF5B27E1A69C088EEF272BFBCE6B977BA37F68183C8BBEAC7A31668662178EFE4DF8940E19FBCD9909
                                                                                      Malicious:false
                                                                                      Antivirus:
                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe
                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):58368
                                                                                      Entropy (8bit):4.274890605099198
                                                                                      Encrypted:false
                                                                                      SSDEEP:384:4Uqho9weF5/dHkRnYcZiGKdZHDL7idErZBZYmGg:ECndH//iduz
                                                                                      MD5:A883798D95F76DA8513DA6B87D470A2A
                                                                                      SHA1:0507D920C1935CE71461CA1982CDB8077DDB3413
                                                                                      SHA-256:AED194DD10B1B68493481E7E89F0B088EF216AB5DB81959A94D14BB134643BFB
                                                                                      SHA-512:5C65221542B3849CDFBC719A54678BB414E71DE4320196D608E363EFF69F2448520E620B5AA8398592D5B58D7F7EC1CC4C72652AD621308C398D45F294D05C9B
                                                                                      Malicious:false
                                                                                      Antivirus:
                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe
                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):10752
                                                                                      Entropy (8bit):4.5811635662773185
                                                                                      Encrypted:false
                                                                                      SSDEEP:192:PzWVddiTHThQTctEEI4qXDc1CkcqgbW6:PzWMdsc+EuXDc0YgbW
                                                                                      MD5:DEDAE3EFDA452BAB95F69CAE7AEBB409
                                                                                      SHA1:520F3D02693D7013EA60D51A605212EFED9CA46B
                                                                                      SHA-256:6248FDF98F949D87D52232DDF61FADA5EF02CD3E404BB222D7541A84A3B07B8A
                                                                                      SHA-512:8C1CAB8F34DE2623A42F0750F182B6B9A7E2AFFA2667912B3660AF620C7D9AD3BD5B46867B3C2D50C0CAE2A1BC03D03E20E4020B7BA0F313B6A599726F022C6C
                                                                                      Malicious:false
                                                                                      Antivirus:
                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe
                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):22016
                                                                                      Entropy (8bit):6.1405490084747445
                                                                                      Encrypted:false
                                                                                      SSDEEP:384:WMU/5cRUtPMbNv37t6KjjNrDF6pJgLa0Mp8Qg0gYP2lcCM:WdKR8EbxwKflDFQgLa1AzP
                                                                                      MD5:914EA1707EBA03E4BE45D3662BF2466E
                                                                                      SHA1:3E110C9DBFE1D17E1B4BE69052E65C93DDC0BF26
                                                                                      SHA-256:4D4F22633D5DB0AF58EE260B5233D48B54A6F531FFD58EE98A5305E37A00D376
                                                                                      SHA-512:F6E6323655B351E5B7157231E04C352A488B0B49D7174855FC8594F119C87A26D31C602B3307C587A28AD408C2909A93B8BA8CB41166D0113BD5C6710C4162C3
                                                                                      Malicious:false
                                                                                      Antivirus:
                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe
                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):17920
                                                                                      Entropy (8bit):5.350740516564008
                                                                                      Encrypted:false
                                                                                      SSDEEP:384:GPHdP3Mj7Be/yB/MsB3yRcb+IqcOYoQViCBD88g6Vf4A:APcnB8KEsB3ocb+pcOYLMCBDu
                                                                                      MD5:52E481A15C3CE1B0DF8BA3B1B77DF9D0
                                                                                      SHA1:C1F06E1E956DFDE0F89C2E237ADFE42075AAE954
                                                                                      SHA-256:C85A6783557D96BFA6E49FE2F6EA4D2450CF110DA314C6B8DCEDD7590046879B
                                                                                      SHA-512:108FB1344347F0BC27B4D02D3F4E75A76E44DE26EF54323CB2737604DF8860A94FA37121623A627937F452B3B923C3D9671B13102D2E5F1005E4766E80A05A96
                                                                                      Malicious:false
                                                                                      Antivirus:
                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe
                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):12288
                                                                                      Entropy (8bit):4.737329240938157
                                                                                      Encrypted:false
                                                                                      SSDEEP:192:BF/1nb2eqCQtkgU7L9D0T70fcqgYvEJPb:t2P6L9DWAxgYvEJj
                                                                                      MD5:A13584F663393F382C6D8D5C0023BC80
                                                                                      SHA1:D324D5FBD7A5DBA27AA9B0BDB5C2AEBFF17B55B1
                                                                                      SHA-256:13C34A25D10C42C6A12D214B2D027E5DC4AE7253B83F21FD70A091FEDAC1E049
                                                                                      SHA-512:14E4A6F2959BD68F441AA02A4E374740B1657AB1308783A34D588717F637611724BC90A73C80FC6B47BC48DAFB15CF2399DC7020515848F51072F29E4A8B4451
                                                                                      Malicious:false
                                                                                      Antivirus:
                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe
                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):14848
                                                                                      Entropy (8bit):5.2072665819239585
                                                                                      Encrypted:false
                                                                                      SSDEEP:192:iF/1nb2eqCQtkhlgJ2ycxFzShJD9CAac2QDeJKcqgQx2XY:Y2PKr+2j8JDefJagQx2XY
                                                                                      MD5:104B480CB83BFF78101CF6940588D570
                                                                                      SHA1:6FC56B9CF380B508B01CAB342FCC939494D1F595
                                                                                      SHA-256:BA4F23BBDD1167B5724C04DB116A1305C687001FAC43304CD5119C44C3BA6588
                                                                                      SHA-512:60617865C67115AD070BD6462B346B89B69F834CAF2BFE0EF315FB4296B833E095CD03F3F4D6D9499245C5DA8785F2FBE1AC7427049BD48428EBF74529229040
                                                                                      Malicious:false
                                                                                      Antivirus:
                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe
                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):14336
                                                                                      Entropy (8bit):5.177411248432731
                                                                                      Encrypted:false
                                                                                      SSDEEP:192:mF/1nb2eqCQt7fSxp/CJPvADQZntxSOvbcqgEvcM+:c2PNKxZWPIDexVlgEvL
                                                                                      MD5:06D3E941860BB0ABEDF1BAF1385D9445
                                                                                      SHA1:E8C16C3E8956BA99A2D0DE860DCFC5021F1D7DE5
                                                                                      SHA-256:1C340D2625DAD4F07B88BB04A81D5002AABF429561C92399B0EB8F6A72432325
                                                                                      SHA-512:6F62ACFF39B77C1EC9F161A9BFA94F8E3B932D56E63DAEE0093C041543993B13422E12E29C8231D88BC85C0573AD9077C56AA7F7A307E27F269DA17FBA8EE5A3
                                                                                      Malicious:false
                                                                                      Antivirus:
                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe
                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):14336
                                                                                      Entropy (8bit):5.137579183601755
                                                                                      Encrypted:false
                                                                                      Malicious:false
                                                                                      Antivirus:
                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe
                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):13824
                                                                                      Entropy (8bit):5.158343521612926
                                                                                      Encrypted:false
                                                                                      Malicious:false
                                                                                      Antivirus:
                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe
                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):15360
                                                                                      Entropy (8bit):5.469810464531962
                                                                                      Encrypted:false
                                                                                      Malicious:false
                                                                                      Antivirus:
                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe
                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):13824
                                                                                      Entropy (8bit):5.137646874307781
                                                                                      Encrypted:false
                                                                                      Malicious:false
                                                                                      Antivirus:
                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe
                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):17920
                                                                                      Entropy (8bit):5.687377356938656
                                                                                      Encrypted:false
                                                                                      Malicious:false
                                                                                      Antivirus:
                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe
                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):21504
                                                                                      Entropy (8bit):5.9200472722347675
                                                                                      Encrypted:false
                                                                                      Malicious:false
                                                                                      Antivirus:
                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe
                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):21504
                                                                                      Entropy (8bit):5.922439979230845
                                                                                      Encrypted:false
                                                                                      Malicious:false
                                                                                      Antivirus:
                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe
                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):26624
                                                                                      Entropy (8bit):5.879121462749493
                                                                                      Encrypted:false
                                                                                      Malicious:false
                                                                                      Antivirus:
                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe
                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):26624
                                                                                      Entropy (8bit):5.937696428849242
                                                                                      Encrypted:false
                                                                                      Malicious:false
                                                                                      Antivirus:
                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe
                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):12800
                                                                                      Entropy (8bit):5.027823764756571
                                                                                      Encrypted:false
                                                                                      Malicious:false
                                                                                      Antivirus:
                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe
                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):13312
                                                                                      Entropy (8bit):5.020783935465456
                                                                                      Encrypted:false
                                                                                      Malicious:false
                                                                                      Antivirus:
                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe
                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):15872
                                                                                      Entropy (8bit):5.2616188776014665
                                                                                      Encrypted:false
                                                                                      SSDEEP:384:JP2T9FRjRskTdf4YBU7YP5yUYDE1give:qHlRl57IC8UYDEG
                                                                                      MD5:1708C4D1B28C303DA19480AF3C6D04FF
                                                                                      SHA1:BAC78207EFAA6D838A8684117E76FB871BD423D5
                                                                                      SHA-256:C90FB9F28AD4E7DEED774597B12AA7785F01DC4458076BE514930BF7AB0D15EC
                                                                                      SHA-512:2A174C1CB712E8B394CBEE20C33974AA277E09631701C80864B8935680F8A4570FD040EA6F59AD71631D421183B329B85C749F0977AEB9DE339DFABE7C23762E
                                                                                      Malicious:false
                                                                                      Antivirus:
                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe
                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):15360
                                                                                      Entropy (8bit):5.130670522779765
                                                                                      Encrypted:false
                                                                                      SSDEEP:192:nZNGfqDgvUh43G6coX2SSwmPL4V7wTdDl41Y2cqgWjvE:CFMhuGGF2L4STdDcYWgWjvE
                                                                                      MD5:E08355F3952A748BADCA2DC2E82AA926
                                                                                      SHA1:F24828A3EEFB15A2550D872B5E485E2254C11B48
                                                                                      SHA-256:47C664CB7F738B4791C7D4C21A463E09E9C1AAAE2348E63FB2D13FC3E6E573EB
                                                                                      SHA-512:E7F48A140AFEF5D6F64A4A27D95E25A8D78963BB1F9175B0232D4198D811F6178648280635499C562F398613E0B46D237F7DB74A39B52003D6C8768B80EC6FB6
                                                                                      Malicious:false
                                                                                      Antivirus:
                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe
                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):34816
                                                                                      Entropy (8bit):5.935249615462395
                                                                                      Encrypted:false
                                                                                      SSDEEP:768:gb+5F2hqrxS7yZAEfYcwcSPxpMgLp/GQNSpcVaGZ:gb+5Qwc7OAEfYcwJxpMgFJh
                                                                                      MD5:DB56C985DBC562A60325D5D68D2E5C5B
                                                                                      SHA1:854684CF126A10DE3B1C94FA6BCC018277275452
                                                                                      SHA-256:089585F5322ADF572B938D34892C2B4C9F29B62F21A5CF90F481F1B6752BC59F
                                                                                      SHA-512:274D9E4A200CAF6F60AC43F33AADF29C6853CC1A7E04DF7C8CA3E24A6243351E53F1E5D0207F23B34319DFC8EEE0D48B2821457B8F11B6D6A0DBA1AE820ACE43
                                                                                      Malicious:false
                                                                                      Antivirus:
                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe
                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):12288
                                                                                      Entropy (8bit):4.799861986912974
                                                                                      Encrypted:false
                                                                                      SSDEEP:192:YTIekCffqPSTMeAk4OeR64ADpki6RcqgO5vE:YTNZMcPeR64ADh63gO5vE
                                                                                      MD5:6229A84562A9B1FBB0C3CF891813AADD
                                                                                      SHA1:4FAFB8AF76A7F858418AA18B812FEACADFA87B45
                                                                                      SHA-256:149027958A821CBC2F0EC8A0384D56908761CC544914CED491989B2AD9D5A4DC
                                                                                      SHA-512:599C33F81B77D094E97944BB0A93DA68D2CCB31E6871CE5679179FB6B9B2CE36A9F838617AC7308F131F8424559C5D1A44631E75D0847F3CC63AB7BB57FE1871
                                                                                      Malicious:false
                                                                                      Antivirus:
                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe
                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):754176
                                                                                      Entropy (8bit):7.628627007698131
                                                                                      Encrypted:false
                                                                                      SSDEEP:12288:31ETHoxJ8gf1266y8IXhJvCKAmqVLzcrZgYIMGv1iLD9yQvG6h+b:lETHoxJFf1p34hcrn5Go9yQO6g
                                                                                      MD5:BBB83671232E0BE361E812369A463E03
                                                                                      SHA1:A37DAEC475AB230E14897077D17E20B7A5112B8D
                                                                                      SHA-256:873A3E3E945421917BA780D95C78ECCB92D4E143227987D6812BC9F9E4653BE0
                                                                                      SHA-512:BF6718DE5235F6A7C348A1E2F325FEE59C74356D4722DFA99DA36A2BE1E6386C544EEC09190E2EBBA58B7C6B4157D00409C59F29AE2CC7BC13CBC301B8592586
                                                                                      Malicious:false
                                                                                      Antivirus:
                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe
                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):27648
                                                                                      Entropy (8bit):5.799740467345125
                                                                                      Encrypted:false
                                                                                      SSDEEP:384:PvRwir5rOF2MZz1n0/kyTMIl9bhgIW0mvBaeoSzra2pftjGQDdsC0MgkbQ0e1r:PJLtg2MTeM+9dmvBaeoCtaQDekf
                                                                                      MD5:7F2C691DEB4FF86F2F3B19F26C55115C
                                                                                      SHA1:63A9D6FA3B149825EA691F5E9FDF81EEC98224AA
                                                                                      SHA-256:BF9224037CAE862FE220094B6D690BC1992C19A79F7267172C90CBED0198582E
                                                                                      SHA-512:3A51F43BF628E44736859781F7CFF0E0A6081CE7E5BDE2F82B3CDB52D75D0E3DFAE92FC2D5F7D003D0B313F6835DBA2E393A0A8436F9409D92E20B65D3AED7E2
                                                                                      Malicious:false
                                                                                      Antivirus:
                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe
                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):67072
                                                                                      Entropy (8bit):6.060804942512998
                                                                                      Encrypted:false
                                                                                      SSDEEP:1536:HqvnErJyGoqQXZKfp23mXKUULBeCFTUCqHF+PELb7MSAEfnctefBd5:HqvnErJyGoqQXZKfp2ayLsCFTUCqHEP4
                                                                                      MD5:AF46798028AB3ED0E56889DFB593999B
                                                                                      SHA1:D4D7B39A473E69774771B2292FDBF43097CE6015
                                                                                      SHA-256:FD4F1F6306950276A362D2B3D46EDBB38FEABA017EDCA3CD3A2304340EC8DD6C
                                                                                      SHA-512:58A80AFEEAC16D7C35F8063D03A1F71CA6D74F200742CAE4ADB3094CF4B3F2CD1A6B3F30A664BD75AB0AF85802D935B90DD9A1C29BFEA1B837C8C800261C6265
                                                                                      Malicious:false
                                                                                      Antivirus:
                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe
                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):10752
                                                                                      Entropy (8bit):4.488129745837651
                                                                                      Encrypted:false
                                                                                      SSDEEP:96:kfuF7pVVdJvbrqTuy/Th/Y0IluLfcC75JiC4cs89EfqADQhDsAbcX6gn/7EC:TF/VddiTHThQTctdErDQDsicqgn/7
                                                                                      MD5:F4B7324A8F7908C3655BE4C75EAC36E7
                                                                                      SHA1:11A30562A85A444F580213417483BE8D4D9264AD
                                                                                      SHA-256:5397E3F5762D15DCD84271F49FC52983ED8F2717B258C7EF370B24977A5D374B
                                                                                      SHA-512:66CA15A9BAD39DD4BE7921A28112A034FFE9CD11F91093318845C269E263804AB22A4AF262182D1C6DAC8741D517362C1D595D9F79C2F729216738C3DD79D7C2
                                                                                      Malicious:false
                                                                                      Antivirus:
                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe
                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):10240
                                                                                      Entropy (8bit):4.733990521299615
                                                                                      Encrypted:false
                                                                                      SSDEEP:192:PzVVddiTHThQTctEEaEDKDnMRWJcqgbW6:PzTMdsc+EaEDKDnCWvgbW
                                                                                      MD5:3D566506052018F0556ADF9D499D4336
                                                                                      SHA1:C3112FF145FACF47AF56B6C8DCA67DAE36E614A2
                                                                                      SHA-256:B5899A53BC9D3112B3423C362A7F6278736418A297BF86D32FF3BE6A58D2DEEC
                                                                                      SHA-512:0AC6A1FC0379F5C3C80D5C88C34957DFDB656E4BF1F10A9FA715AAD33873994835D1DE131FC55CD8B0DEBDA2997993E978700890308341873B8684C4CD59A411
                                                                                      Malicious:false
                                                                                      Antivirus:
                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe
                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):10240
                                                                                      Entropy (8bit):4.689063511060661
                                                                                      Encrypted:false
                                                                                      SSDEEP:96:P/ryZVVdJvbrqTuy/Th/Y0IluLfcC75JiCKs89EMz3DIWMot4BcX6gbW6O:PzQVddiTHThQTctEEO3DSoKcqgbW6
                                                                                      MD5:FAE081B2C91072288C1C8BF66AD1ABA5
                                                                                      SHA1:CD23DDB83057D5B056CA2B3AB49C8A51538247DE
                                                                                      SHA-256:AF76A5B10678F477069ADD6E0428E48461FB634D9F35FB518F9F6A10415E12D6
                                                                                      SHA-512:0ADB0B1088CB6C8F089CB9BF7AEC9EEEB1717CF6CF44B61FB0B053761FA70201AB3F7A6461AAAE1BC438D689E4F8B33375D31B78F1972AA5A4BF86AFAD66D3A4
                                                                                      Malicious:false
                                                                                      Antivirus:
                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe
                                                                                      File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):5653424
                                                                                      Entropy (8bit):6.729277267882055
                                                                                      Encrypted:false
                                                                                      SSDEEP:49152:EuEsNcEc8/CK4b11P5ViH8gw0+NVQD5stWIlE7lva8iposS9j5fzSQzs7ID+AVuS:EnL8+5fiEnQFLOAkGkzdnEVomFHKnPS
                                                                                      MD5:03A161718F1D5E41897236D48C91AE3C
                                                                                      SHA1:32B10EB46BAFB9F81A402CB7EFF4767418956BD4
                                                                                      SHA-256:E06C4BD078F4690AA8874A3DEB38E802B2A16CCB602A7EDC2E077E98C05B5807
                                                                                      SHA-512:7ABCC90E845B43D264EE18C9565C7D0CBB383BFD72B9CEBB198BA60C4A46F56DA5480DA51C90FF82957AD4C84A4799FA3EB0CEDFFAA6195F1315B3FF3DA1BE47
                                                                                      Malicious:false
                                                                                      Antivirus:
                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe
                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):1142272
                                                                                      Entropy (8bit):6.040548449175261
                                                                                      Encrypted:false
                                                                                      SSDEEP:12288:cLokSyhffpJSf6VJtHUR2L2mVSvya6Lx15IQnpKTlYcf9WBo:cLok/pXJdUzOSMx15dcTlYiK
                                                                                      MD5:B505E88EB8995C2EC46129FB4B389E6C
                                                                                      SHA1:CBFA8650730CBF6C07F5ED37B0744D983ABFE50A
                                                                                      SHA-256:BE7918B4F7E7DE53674894A4B8CFADCACB4726CEA39B7DB477A6C70231C41790
                                                                                      SHA-512:6A51B746D0FBC03F57FF28BE08F7E894AD2E9F2A2F3B61D88EAE22E7491CF35AE299CDB3261E85E4867F41D8FDA012AF5BD1EB8E1498F1A81ADC4354ADACDAAB
                                                                                      Malicious:false
                                                                                      Antivirus:
                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe
                                                                                      File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):109392
                                                                                      Entropy (8bit):6.643764685776923
                                                                                      Encrypted:false
                                                                                      SSDEEP:1536:DcghbEGyzXJZDWnEzWG9q4lVOiVgXjO5/Auecbq8qZU34zW/K0zD:DV3iC0h9q4v6XjKAuecbq8qGISb/
                                                                                      MD5:870FEA4E961E2FBD00110D3783E529BE
                                                                                      SHA1:A948E65C6F73D7DA4FFDE4E8533C098A00CC7311
                                                                                      SHA-256:76FDB83FDE238226B5BEBAF3392EE562E2CB7CA8D3EF75983BF5F9D6C7119644
                                                                                      SHA-512:0B636A3CDEFA343EB4CB228B391BB657B5B4C20DF62889CD1BE44C7BEE94FFAD6EC82DC4DB79949EDEF576BFF57867E0D084E0A597BF7BF5C8E4ED1268477E88
                                                                                      Malicious:false
                                                                                      Antivirus:
                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe
                                                                                      File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):49488
                                                                                      Entropy (8bit):6.652691609629867
                                                                                      Encrypted:false
                                                                                      SSDEEP:768:8EgYXUcHJcUJSDW/tfxL1qBS3hO6nb/TEHEXi9zufUKQXi9zug:8vGS8fZ1eUpreA+zuTc+zug
                                                                                      MD5:BBA9680BC310D8D25E97B12463196C92
                                                                                      SHA1:9A480C0CF9D377A4CAEDD4EA60E90FA79001F03A
                                                                                      SHA-256:E0B66601CC28ECB171C3D4B7AC690C667F47DA6B6183BFF80604C84C00D265AB
                                                                                      SHA-512:1575C786AC3324B17057255488DA5F0BC13AD943AC9383656BAF98DB64D4EC6E453230DE4CD26B535CE7E8B7D41A9F2D3F569A0EFF5A84AEB1C2F9D6E3429739
                                                                                      Malicious:false
                                                                                      Antivirus:
                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe
                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):64384
                                                                                      Entropy (8bit):6.115753860836585
                                                                                      Encrypted:false
                                                                                      SSDEEP:1536:aW3/DZG0409EevNR4aimAWAs+FI75nED7SynRPx:aW39GlANR4aim6hFI75nUJVx
                                                                                      MD5:4543813A21958D0764975032B09DED7B
                                                                                      SHA1:C571DEA89AB89B6AAB6DA9B88AFE78ACE90DD882
                                                                                      SHA-256:45C229C3988F30580C79B38FC0C19C81E6F7D5778E64CEF6CE04DD188A9CCAB5
                                                                                      SHA-512:3B007AB252CCCDA210B473CA6E2D4B7FE92C211FB81ADE41A5A69C67ADDE703A9B0BC97990F31DCBE049794C62BA2B70DADF699E83764893A979E95FD6E89D8F
                                                                                      Malicious:false
                                                                                      Antivirus:
                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe
                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):83320
                                                                                      Entropy (8bit):6.534931868118148
                                                                                      Encrypted:false
                                                                                      SSDEEP:1536:V/Uez7qlsjcaNXZIzNYM4B0NDX8rjE2tI7tVj7SyxPx9:eezGiXMjdMrjPtI7tVjLx9
                                                                                      MD5:BBE89CF70B64F38C67B7BF23C0EA8A48
                                                                                      SHA1:44577016E9C7B463A79B966B67C3ECC868957470
                                                                                      SHA-256:775FBC6E9A4C7E9710205157350F3D6141B5A9E8F44CB07B3EAC38F2789C8723
                                                                                      SHA-512:3EE72BA60541116BBCA1A62DB64074276D40AD8ED7D0CA199A9C51D65C3F0762A8EF6D0E1E9EBF04BF4EFE1347F120E4BC3D502DD288339B4DF646A59AAD0EC1
                                                                                      Malicious:false
                                                                                      Antivirus:
                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe
                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):181248
                                                                                      Entropy (8bit):6.188683787528254
                                                                                      Encrypted:false
                                                                                      SSDEEP:3072:rZ1fKD8GVLHASq0TTjfQxnkVB0hcspEsHS7iiSTLkKetJb9Pu:rZNRGVb9TTCnaZsuMXiSTLLeD9
                                                                                      MD5:EBB660902937073EC9695CE08900B13D
                                                                                      SHA1:881537ACEAD160E63FE6BA8F2316A2FBBB5CB311
                                                                                      SHA-256:52E5A0C3CA9B0D4FC67243BD8492F5C305FF1653E8D956A2A3D9D36AF0A3E4FD
                                                                                      SHA-512:19D5000EF6E473D2F533603AFE8D50891F81422C59AE03BEAD580412EC756723DC3379310E20CD0C39E9683CE7C5204791012E1B6B73996EA5CB59E8D371DE24
                                                                                      Malicious:false
                                                                                      Antivirus:
                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe
                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):122232
                                                                                      Entropy (8bit):6.015707129535061
                                                                                      Encrypted:false
                                                                                      SSDEEP:3072:YjjHoXs01LUZJNUoNZf4adhfrI70s3nRI7QPY2xB:Y3HUJ6f5dhfrIHX1
                                                                                      MD5:CA4CEF051737B0E4E56B7D597238DF94
                                                                                      SHA1:583DF3F7ECADE0252FDFF608EB969439956F5C4A
                                                                                      SHA-256:E60A2B100C4FA50B0B144CF825FE3CDE21A8B7B60B92BFC326CB39573CE96B2B
                                                                                      SHA-512:17103D6B5FA84156055E60F9E5756FFC31584CDB6274C686A136291C58BA0BE00238D501F8ACC1F1CA7E1A1FADCB0C7FEFDDCB98CEDB9DD04325314F7E905DF3
                                                                                      Malicious:false
                                                                                      Antivirus:
                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe
                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):248704
                                                                                      Entropy (8bit):6.54473795039927
                                                                                      Encrypted:false
                                                                                      SSDEEP:6144:LbdyrWOay+msmOE8qQRiJpCWi9qWMa3pLW1AUg42G:6zsmsmGNRm1omZ2G
                                                                                      MD5:6339FA92584252C3B24E4CCE9D73EF50
                                                                                      SHA1:DCCDA9B641125B16E56C5B1530F3D04E302325CD
                                                                                      SHA-256:4AE6F6FB3992BB878416211221B3D62515E994D78F72EAB51E0126CA26D0EE96
                                                                                      SHA-512:428B62591D4EBA3A4E12F7088C990C48E30B6423019BEBF8EDE3636F6708E1F4151F46D442516D2F96453694EBEEF78618C0C8A72E234F679C6E4D52BEBC1B84
                                                                                      Malicious:false
                                                                                      Antivirus:
                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe
                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):61824
                                                                                      Entropy (8bit):6.21086555394527
                                                                                      Encrypted:false
                                                                                      SSDEEP:1536:aIpTlJFWaIDPZbdqzOgB1fFI75IJ7SyXPxMVt:rT36bZbdqzXfFI75IJRxMV
                                                                                      MD5:D856A545A960BF2DCA1E2D9BE32E5369
                                                                                      SHA1:67A15ECF763CDC2C2AA458A521DB8A48D816D91E
                                                                                      SHA-256:CD33F823E608D3BDA759AD441F583A20FC0198119B5A62A8964F172559ACB7D3
                                                                                      SHA-512:34A074025C8B28F54C01A7FD44700FDEDB391F55BE39D578A003EDB90732DEC793C2B0D16DA3DA5CDBD8ADBAA7B3B83FC8887872E284800E7A8389345A30A6A4
                                                                                      Malicious:false
                                                                                      Antivirus:
                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe
                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):157560
                                                                                      Entropy (8bit):6.834360512510993
                                                                                      Encrypted:false
                                                                                      SSDEEP:3072:PBKvRNVdG9LqSS2IAiznfI9mNoBkD9ZRqtI7e1Pvxs:PBKvRts82awYOBkvRqM
                                                                                      MD5:0A94C9F3D7728CF96326DB3AB3646D40
                                                                                      SHA1:8081DF1DCA4A8520604E134672C4BE79EB202D14
                                                                                      SHA-256:0A70E8546FA6038029F2A3764E721CEEBEA415818E5F0DF6B90D6A40788C3B31
                                                                                      SHA-512:6F047F3BDAEAD121018623F52A35F7E8B38C58D3A9CB672E8056A5274D02395188975DE08CABAE948E2CC2C1CA01C74CA7BC1B82E2C23D652E952F3745491087
                                                                                      Malicious:false
                                                                                      Antivirus:
                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe
                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):33152
                                                                                      Entropy (8bit):6.323290452921724
                                                                                      Encrypted:false
                                                                                      SSDEEP:768:G9HI6RwgJ5xeKg2edhnJ81I7Rtt/YiSyvPPxWEa5Z:aIoJ5UKg2edhJ81I7Rtt/7SynPxeZ
                                                                                      MD5:62733CE8AE95241BF9CA69F38C977923
                                                                                      SHA1:E5C3F4809E85B331CC8C5BA0AE76979F2DFDDF85
                                                                                      SHA-256:AF84076B03A0EADEC2B75D01F06BB3765B35D6F0639FB7C14378736D64E1ACAA
                                                                                      SHA-512:FDFBF5D74374F25ED5269CDBCDF8E643B31FAA9C8205EAC4C22671AA5DEBDCE4052F1878F38E7FAB43B85A44CB5665E750EDCE786CABA172A2861A5EABFD8D49
                                                                                      Malicious:false
                                                                                      Antivirus:
                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe
                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):48512
                                                                                      Entropy (8bit):6.325592382122715
                                                                                      Encrypted:false
                                                                                      SSDEEP:768:zy4KxRzXINGAQSKant/QKhl6XoTZfWJhSVAWiUOJI7stsYiSyvxPxWEa:XKxqztLTQSVAkOJI7sts7SypPx
                                                                                      MD5:02C0F2EFF280B9A92003786FDED7C440
                                                                                      SHA1:5A7FE7ED605FF1C49036D001AE60305E309C5509
                                                                                      SHA-256:F16E595B0A87C32D9ABD2035F8EA97B39339548E7C518DF16A6CC27BA7733973
                                                                                      SHA-512:2B05DDF7BC57E8472E5795E68660D52E843271FD08F2E8002376B056A8C20200D31FFD5E194CE486F8A0928A8486951FDB5670246F1C909F82CF4B0929EFEDAC
                                                                                      Malicious:false
                                                                                      Antivirus:
                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe
                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):30592
                                                                                      Entropy (8bit):6.413040228053335
                                                                                      Encrypted:false
                                                                                      SSDEEP:768:yez/DF36r3CkrAIeRI77UNYiSyvlfUvPxWEl:yeDM3CkrAIeRI77UN7SyOvPx
                                                                                      MD5:52D0A6009D3DE40F4FA6EC61DB98C45C
                                                                                      SHA1:5083A2AFF5BCCE07C80409646347C63D2A87BD25
                                                                                      SHA-256:007BCF19D9B036A7E73F5EF31F39BFB1910F72C9C10E4A1B0658352CFE7A8B75
                                                                                      SHA-512:CD552A38EFAA8720A342B60318F62320CE20C03871D2E50D3FA3A9A730B84DACDBB8EB4D0AB7A1C8A97215B537826C8DC532C9A55213BCD0C1D13D7D8A9AD824
                                                                                      Malicious:false
                                                                                      Antivirus:
                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe
                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):77696
                                                                                      Entropy (8bit):6.248960816871735
                                                                                      Encrypted:false
                                                                                      SSDEEP:1536:c67eU/Bgujs9/s+S+py8k/DDjaRI7Qw27Syj/Px:c673/aujs9/sT+pPk/XmRI7Qw2xx
                                                                                      MD5:0F5E64E33F4D328EF11357635707D154
                                                                                      SHA1:8B6DCB4B9952B362F739A3F16AE96C44BEA94A0E
                                                                                      SHA-256:8AF6D70D44BB9398733F88BCFB6D2085DD1A193CD00E52120B96A651F6E35EBE
                                                                                      SHA-512:4BE9FEBB583364DA75B6FB3A43A8B50EE29CA8FC1DDA35B96C0FCC493342372F69B4F27F2604888BCA099C8D00F38A16F4C9463C16EFF098227D812C29563643
                                                                                      Malicious:false
                                                                                      Antivirus:
                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe
                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):97664
                                                                                      Entropy (8bit):6.170877221164934
                                                                                      Encrypted:false
                                                                                      SSDEEP:1536:QzgM+YDOyvuPwYXGqijQa4rlIain9NbT19c4LOyZkyDFI75Qx87SyDPx:vtYCDPSQa4rlIXDbPc23ZkyDFI75Qx8H
                                                                                      MD5:9F38F603BD8F7559609C4FFA47F23C86
                                                                                      SHA1:8B0136FC2506C1CCEF2009DB663E4E7006E23C92
                                                                                      SHA-256:28090432A18B59EB8CBE8FDCF11A277420B404007F31CA571321488A43B96319
                                                                                      SHA-512:273A19F2F609BEDE9634DAE7C47D7B28D369C88420B2B62D42858B1268D6C19B450D83877D2DBA241E52755A3F67A87F63FEA8E5754831C86D16E2A8F214AD72
                                                                                      Malicious:false
                                                                                      Antivirus:
                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe
                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):159096
                                                                                      Entropy (8bit):6.001271339711538
                                                                                      Encrypted:false
                                                                                      SSDEEP:3072:xOoLGtbSpE3z/J/PUE1ueW5J2oEPwu3rE923+nuI5Piev9mutI7t7L+xu:xOoitbSpE3zhH7ueAE8nuaF9muy
                                                                                      MD5:9DDB64354EF0B91C6999A4B244A0A011
                                                                                      SHA1:86A9DC5EA931638699EB6D8D03355AD7992D2FEE
                                                                                      SHA-256:E33B7A4AA5CDD5462EE66830636FDD38048575A43D06EB7E2F688358525DDEAB
                                                                                      SHA-512:4C86478861FA4220680A94699E7D55FBDC90D2785CAEE10619CECB058F833292EE7C3D6AC2ED1EF34B38FBFF628B79D672194A337701727A54BB6BBC5BF9AECA
                                                                                      Malicious:false
                                                                                      Antivirus:
                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe
                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):23936
                                                                                      Entropy (8bit):6.532904843385081
                                                                                      Encrypted:false
                                                                                      SSDEEP:384:JfwFpEW96TfQtI7ewyIIYiSy1pCQDMaPxh8E9VF0Nyvzo:JqpEnjQtI7ewAYiSyvfPxWEx
                                                                                      MD5:041556420BDB334A71765D33229E9945
                                                                                      SHA1:0122316E74EE4ADA1CE1E0310B8DCA1131972CE1
                                                                                      SHA-256:8B3D4767057C18C1C496E138D4843F25E5C98DDFC6A8D1B0ED46FD938EDE5BB6
                                                                                      SHA-512:18DA574B362726EDE927D4231CC7F2AEBAFBAAAB47DF1E31B233F7EDA798253AEF4C142BED1A80164464BD629015D387AE97BA36FCD3CEDCFE54A5A1E5C5CAA3
                                                                                      Malicious:false
                                                                                      Antivirus:
                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe
                                                                                      File Type:Zip archive data, at least v2.0 to extract, compression method=store
                                                                                      Category:dropped
                                                                                      Size (bytes):880537
                                                                                      Entropy (8bit):5.683035771422093
                                                                                      Encrypted:false
                                                                                      SSDEEP:12288:lgYJu4KXWyBC6S4IEa8A4a2Y42dOVwx/fpEWertSLMNM:lgYJiVBFLa21nVwx/fpEWe+MNM
                                                                                      MD5:22FEE1506D933ABB3335FFB4A1E1D230
                                                                                      SHA1:18331CBA91F33FB6B11C6FDEFA031706AE6D43A0
                                                                                      SHA-256:03F6A37FC2E166E99CE0AD8916DFB8A70945E089F9FC09B88E60A1649441AB6E
                                                                                      SHA-512:3F764337A3FD4F8271CBA9602AEF0663D6B7C37A021389395A00D39BD305D2B927A150C2627B1C629FDBD41C044AF0F7BC9897F84C348C2BCCC085DF911EEE02
                                                                                      Malicious:false
                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe
                                                                                      File Type:ASCII text
                                                                                      Category:dropped
                                                                                      Size (bytes):290282
                                                                                      Entropy (8bit):6.048183244201235
                                                                                      Encrypted:false
                                                                                      SSDEEP:6144:QW1H/M8fRR1jplkXURrVADwYCuCigT/Q5MSRqNb7d8iu5Np:QWN/TRJLWURrI55MWavdF0L
                                                                                      MD5:302B49C5F476C0AE35571430BB2E4AA0
                                                                                      SHA1:35A7837A3F1B960807BF46B1C95EC22792262846
                                                                                      SHA-256:CF9D37FA81407AFE11DCC0D70FE602561422AA2344708C324E4504DB8C6C5748
                                                                                      SHA-512:1345AF52984B570B1FF223032575FEB36CDFB4F38E75E0BD3B998BC46E9C646F7AC5C583D23A70460219299B9C04875EF672BF5A0D614618731DF9B7A5637D0A
                                                                                      Malicious:false
                                                                                      Preview:.# Issuer: CN=GlobalSign Root CA O=GlobalSign nv-sa OU=Root CA.# Subject: CN=GlobalSign Root CA O=GlobalSign nv-sa OU=Root CA.# Label: "GlobalSign Root CA".
                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe
                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):10752
                                                                                      Entropy (8bit):4.675182011095312
                                                                                      Encrypted:false
                                                                                      SSDEEP:96:FL8Khp72HzA5iJGhU2Y0hQMsQJCUCLsZEA4elh3XQMtCFaiHrmHcX6g8cim1qeSC:Zj2HzzU2bRYoe4Hmcqgvimoe
                                                                                      MD5:F33CA57D413E6B5313272FA54DBC8BAA
                                                                                      SHA1:4E0CABE7D38FE8D649A0A497ED18D4D1CA5F4C44
                                                                                      SHA-256:9B3D70922DCFAEB02812AFA9030A40433B9D2B58BCF088781F9AB68A74D20664
                                                                                      SHA-512:F17C06F4202B6EDBB66660D68FF938D4F75B411F9FAB48636C3575E42ABAAB6464D66CB57BCE7F84E8E2B5755B6EF757A820A50C13DD5F85FAA63CD553D3FF32
                                                                                      Malicious:false
                                                                                      Antivirus:
                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe
                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):120320
                                                                                      Entropy (8bit):5.879886869577473
                                                                                      Encrypted:false
                                                                                      SSDEEP:3072:YKBCiXU2SBEUemE+OaOb3OEOz0fEDrF9pQKhN:YJZ2zOfdQKX
                                                                                      MD5:494F5B9ADC1CFB7FDB919C9B1AF346E1
                                                                                      SHA1:4A5FDDD47812D19948585390F76D5435C4220E6B
                                                                                      SHA-256:AD9BCC0DE6815516DFDE91BB2E477F8FB5F099D7F5511D0F54B50FA77B721051
                                                                                      SHA-512:2C0D68DA196075EA30D97B5FD853C673E28949DF2B6BF005AE72FD8B60A0C036F18103C5DE662CAC63BAAEF740B65B4ED2394FCD2E6DA4DFCFBEEF5B64DAB794
                                                                                      Malicious:false
                                                                                      Antivirus:
                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe
                                                                                      File Type:ASCII text
                                                                                      Category:dropped
                                                                                      Size (bytes):4
                                                                                      Entropy (8bit):1.5
                                                                                      Encrypted:false
                                                                                      SSDEEP:3:Mn:M
                                                                                      MD5:365C9BFEB7D89244F2CE01C1DE44CB85
                                                                                      SHA1:D7A03141D5D6B1E88B6B59EF08B6681DF212C599
                                                                                      SHA-256:CEEBAE7B8927A3227E5303CF5E0F1F7B34BB542AD7250AC03FBCDE36EC2F1508
                                                                                      SHA-512:D220D322A4053D84130567D626A9F7BB2FB8F0B854DA1621F001826DC61B0ED6D3F91793627E6F0AC2AC27AEA2B986B6A7A63427F05FE004D8A2ADFBDADC13C1
                                                                                      Malicious:false
                                                                                      Preview:pip.
                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe
                                                                                      File Type:ASCII text
                                                                                      Category:dropped
                                                                                      Size (bytes):197
                                                                                      Entropy (8bit):4.61968998873571
                                                                                      Encrypted:false
                                                                                      SSDEEP:3:hWDncJhByZmJgXPForADu1QjygQuaAJygT2d5GeWreLRuOFEXAYeBKmJozlMHuO:h9Co8FyQjkDYc5tWreLBF/pn2mH1
                                                                                      MD5:8C3617DB4FB6FAE01F1D253AB91511E4
                                                                                      SHA1:E442040C26CD76D1B946822CAF29011A51F75D6D
                                                                                      SHA-256:3E0C7C091A948B82533BA98FD7CBB40432D6F1A9ACBF85F5922D2F99A93AE6BB
                                                                                      SHA-512:77A1919E380730BCCE5B55D76FBFFBA2F95874254FAD955BD2FE1DE7FC0E4E25B5FDAAB0FEFFD6F230FA5DC895F593CF8BFEDF8FDC113EFBD8E22FADAB0B8998
                                                                                      Malicious:false
                                                                                      Preview:This software is made available under the terms of *either* of the licenses.found in LICENSE.APACHE or LICENSE.BSD. Contributions to cryptography are made.under the terms of *both* these licenses..
                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe
                                                                                      File Type:ASCII text
                                                                                      Category:dropped
                                                                                      Size (bytes):11360
                                                                                      Entropy (8bit):4.426756947907149
                                                                                      Encrypted:false
                                                                                      SSDEEP:192:nUDG5KXSD9VYUKhu1JVF9hFGvV/QiGkS594drFjuHYx5dvTrLh3kTSEnQHbHR:UIvlKM1zJlFvmNz5VrlkTS0QHt
                                                                                      MD5:4E168CCE331E5C827D4C2B68A6200E1B
                                                                                      SHA1:DE33EAD2BEE64352544CE0AA9E410C0C44FDF7D9
                                                                                      SHA-256:AAC73B3148F6D1D7111DBCA32099F68D26C644C6813AE1E4F05F6579AA2663FE
                                                                                      SHA-512:F451048E81A49FBFA11B49DE16FF46C52A8E3042D1BCC3A50AAF7712B097BED9AE9AED9149C21476C2A1E12F1583D4810A6D36569E993FE1AD3879942E5B0D52
                                                                                      Malicious:false
                                                                                      Preview:. Apache License. Version 2.0, January 2004. https://www.apache.org/licenses/.. TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION.. 1. Definitions... "License" shall mean the terms and conditions for use, reproduction,. and distribution as defined by Sections 1 through 9 of this document... "Licensor" shall mean the copyright owner or entity authorized by. the copyright owner that is granting the License... "Legal Entity" shall mean the union of the acting entity and all. other entities that control, are controlled by, or are under common. control with that entity. For the purposes of this definition,. "control" means (i) the power, direct or indirect, to cause the. direction or management of such entity, whether by contract or. otherwise, or (ii) ownership of fifty percent (50%) or more of the. outstanding shares, or (iii) beneficial ow
                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe
                                                                                      File Type:ASCII text
                                                                                      Category:dropped
                                                                                      Size (bytes):1532
                                                                                      Entropy (8bit):5.058591167088024
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:MjUnoorbOFFTJJyRrYFTjzMbmqEvBTP4m96432s4EOkUTKQROJ32s3yxsITf+3tY:MkOFJSrYJsaN5P406432svv32s3EsIqm
                                                                                      MD5:5AE30BA4123BC4F2FA49AA0B0DCE887B
                                                                                      SHA1:EA5B412C09F3B29BA1D81A61B878C5C16FFE69D8
                                                                                      SHA-256:602C4C7482DE6479DD2E9793CDA275E5E63D773DACD1ECA689232AB7008FB4FB
                                                                                      SHA-512:DDBB20C80ADBC8F4118C10D3E116A5CD6536F72077C5916D87258E155BE561B89EB45C6341A1E856EC308B49A4CB4DBA1408EABD6A781FBE18D6C71C32B72C41
                                                                                      Malicious:false
                                                                                      Preview:Copyright (c) Individual contributors..All rights reserved...Redistribution and use in source and binary forms, with or without.modification, are permitted provided that the following conditions are met:.. 1. Redistributions of source code must retain the above copyright notice,. this list of conditions and the following disclaimer... 2. Redistributions in binary form must reproduce the above copyright. notice, this list of conditions and the following disclaimer in the. documentation and/or other materials provided with the distribution... 3. Neither the name of PyCA Cryptography nor the names of its contributors. may be used to endorse or promote products derived from this software. without specific prior written permission...THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND.ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED.WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOS
                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe
                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):5292
                                                                                      Entropy (8bit):5.115440205505611
                                                                                      Encrypted:false
                                                                                      SSDEEP:96:DxapqZink/QIHQIyzQIZQILuQIR8vtklGovxNx6sWwCvCCcTKvIrrg9BMM6VwDjz:sJnkoBs/sqLz8cTKvIrrUiM6VwDjyeWs
                                                                                      MD5:137D13F917D94C83137A0FA5AE12B467
                                                                                      SHA1:01E93402C225BF2A4EE59F9A06F8062CB5E4801E
                                                                                      SHA-256:36738E6971D2F20DB78433185A0EF7912A48544AA6FF7006505A7DC785158859
                                                                                      SHA-512:1B22CBC6E22FA5E2BD5CC4A370443A342D00E7DD53330A4000E9A680DE80262BCA7188764E3568944D01025188291602AC8C53C971630984FBD9FA7D75AAB124
                                                                                      Malicious:false
                                                                                      Preview:Metadata-Version: 2.1..Name: cryptography..Version: 41.0.7..Summary: cryptography is a package which provides cryptographic recipes and primitives to Python developers...Author-email: The Python Cryptographic Authority and individual contributors <cryptography-dev@python.org>..License: Apache-2.0 OR BSD-3-Clause..Project-URL: homepage, https://github.com/pyca/cryptography..Project-URL: documentation, https://cryptography.io/..Project-URL: source, https://github.com/pyca/cryptography/..Project-URL: issues, https://github.com/pyca/cryptography/issues..Project-URL: changelog, https://cryptography.io/en/latest/changelog/..Classifier: Development Status :: 5 - Production/Stable..Classifier: Intended Audience :: Developers..Classifier: License :: OSI Approved :: Apache Software License..Classifier: License :: OSI Approved :: BSD License..Classifier: Natural Language :: English..Classifier: Operating System :: MacOS :: MacOS X..Classifier: Operating System :: POSIX..Classifier: Operating Syst
                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe
                                                                                      File Type:CSV text
                                                                                      Category:dropped
                                                                                      Size (bytes):15334
                                                                                      Entropy (8bit):5.555125785454221
                                                                                      Encrypted:false
                                                                                      SSDEEP:384:3X6eU/ZfaigPOSJN5E6W1HepPNx6uvnNLEw:3RUxfzOPtREw
                                                                                      MD5:4ED1DF753C330417D290331FD1E18219
                                                                                      SHA1:556BED31DCDFA36166B45D8BCBB04C0D3B66C745
                                                                                      SHA-256:F71F64A0875F365A8C6CA53BC96CFB428C5102F98029459BA2091958802DCFD9
                                                                                      SHA-512:6984EF6D5DFC1062E6AB655E7B0C0A8AB916F1A3D88D8FA7FAD799E2792A2CB06C5C78C2292CCDB983CB6F68BA92B9F6453996B060CFDE7EE9C293FCE5F4D698
                                                                                      Malicious:false
                                                                                      Preview:cryptography-41.0.7.dist-info/INSTALLER,sha256=zuuue4knoyJ-UwPPXg8fezS7VCrXJQrAP7zeNuwvFQg,4..cryptography-41.0.7.dist-info/LICENSE,sha256=Pgx8CRqUi4JTO6mP18u0BDLW8amsv4X1ki0vmak65rs,197..cryptography-41.0.7.dist-info/LICENSE.APACHE,sha256=qsc7MUj20dcRHbyjIJn2jSbGRMaBOuHk8F9leaomY_4,11360..cryptography-41.0.7.dist-info/LICENSE.BSD,sha256=YCxMdILeZHndLpeTzaJ15eY9dz2s0eymiSMqtwCPtPs,1532..cryptography-41.0.7.dist-info/METADATA,sha256=NnOOaXHS8g23hDMYWg73kSpIVEqm_3AGUFp9x4UViFk,5292..cryptography-41.0.7.dist-info/RECORD,,..cryptography-41.0.7.dist-info/REQUESTED,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0..cryptography-41.0.7.dist-info/WHEEL,sha256=-EX5DQzNGQEoyL99Q-0P0-D-CXbfqafenaAeiSQ_Ufk,100..cryptography-41.0.7.dist-info/top_level.txt,sha256=KNaT-Sn2K4uxNaEbe6mYdDn3qWDMlp4y-MtWfB73nJc,13..cryptography/__about__.py,sha256=uPXMbbcptt7EzZ_jllGRx0pVdMn-NBsAM4L74hOv-b0,445..cryptography/__init__.py,sha256=iVPlBlXWTJyiFeRedxcbMPhyHB34viOM10d72vGnWuE,364..cryptography/__pycache__/_
                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe
                                                                                      File Type:ASCII text
                                                                                      Category:dropped
                                                                                      Size (bytes):100
                                                                                      Entropy (8bit):5.0203365408149025
                                                                                      Encrypted:false
                                                                                      SSDEEP:3:RtEeX7MWcSlVlbY3KgP+tkKc/SKQLn:RtBMwlVCxWKxDQLn
                                                                                      MD5:4B432A99682DE414B29A683A3546B69F
                                                                                      SHA1:F59C5016889EE5E9F62D09B22AEFBC2211A56C93
                                                                                      SHA-256:F845F90D0CCD190128C8BF7D43ED0FD3E0FE0976DFA9A7DE9DA01E89243F51F9
                                                                                      SHA-512:CBBF10E19B6F4072C416EA95D7AE259B9C5A1B89068B7B6660B7C637D6F2437AEA8D8202A2E26A0BEC36DAECD8BBB6B59016FC2DDEB13C545F0868B3E15479CA
                                                                                      Malicious:false
                                                                                      Preview:Wheel-Version: 1.0.Generator: bdist_wheel (0.42.0).Root-Is-Purelib: false.Tag: cp37-abi3-win_amd64..
                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe
                                                                                      File Type:ASCII text
                                                                                      Category:dropped
                                                                                      Size (bytes):13
                                                                                      Entropy (8bit):3.2389012566026314
                                                                                      Encrypted:false
                                                                                      SSDEEP:3:cOv:Nv
                                                                                      MD5:E7274BD06FF93210298E7117D11EA631
                                                                                      SHA1:7132C9EC1FD99924D658CC672F3AFE98AFEFAB8A
                                                                                      SHA-256:28D693F929F62B8BB135A11B7BA9987439F7A960CC969E32F8CB567C1EF79C97
                                                                                      SHA-512:AA6021C4E60A6382630BEBC1E16944F9B312359D645FC61219E9A3F19D876FD600E07DCA6932DCD7A1E15BFDEAC7DBDCEB9FFFCD5CA0E5377B82268ED19DE225
                                                                                      Malicious:false
                                                                                      Preview:cryptography.
                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe
                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):6673920
                                                                                      Entropy (8bit):6.582002531606852
                                                                                      Encrypted:false
                                                                                      SSDEEP:98304:EzN+T+xtLlk0PPMAiGoTzeDy3x8lGBlWi9Nk:E5Y6Jk0PPMtfTzp3x8c
                                                                                      MD5:486085AAC7BB246A173CEEA0879230AF
                                                                                      SHA1:EF1095843B2A9C6D8285C7D9E8E334A9CE812FAE
                                                                                      SHA-256:C3964FC08E4CA8BC193F131DEF6CC4B4724B18073AA0E12FED8B87C2E627DC83
                                                                                      SHA-512:8A56774A08DA0AB9DD561D21FEBEEBC23A5DEA6F63D5638EA1B608CD923B857DF1F096262865E6EBD56B13EFD3BBA8D714FFDCE8316293229974532C49136460
                                                                                      Malicious:false
                                                                                      Antivirus:
                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe
                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):3441504
                                                                                      Entropy (8bit):6.097985120800337
                                                                                      Encrypted:false
                                                                                      SSDEEP:49152:8TKuk2CQIU6iV9OjPWgBqIVRIaEv5LY/RnQ2ETEvrPnkbsYNPsNwsML1CPwDv3u6:Vv+KRi5KsEKsY+NwsG1CPwDv3uFfJu
                                                                                      MD5:6F4B8EB45A965372156086201207C81F
                                                                                      SHA1:8278F9539463F0A45009287F0516098CB7A15406
                                                                                      SHA-256:976CE72EFD0A8AEEB6E21AD441AA9138434314EA07F777432205947CDB149541
                                                                                      SHA-512:2C5C54842ABA9C82FB9E7594AE9E264AC3CBDC2CC1CD22263E9D77479B93636799D0F28235AC79937070E40B04A097C3EA3B7E0CD4376A95ED8CA90245B7891F
                                                                                      Malicious:false
                                                                                      Antivirus:
                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe
                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):32792
                                                                                      Entropy (8bit):6.3566777719925565
                                                                                      Encrypted:false
                                                                                      SSDEEP:384:2nypDwZH1XYEMXvdQOsNFYzsQDELCvURDa7qscTHstU0NsICwHLZxXYIoBneEAR8:2l0Vn5Q28J8qsqMttktDxOpWDG4yKRF
                                                                                      MD5:EEF7981412BE8EA459064D3090F4B3AA
                                                                                      SHA1:C60DA4830CE27AFC234B3C3014C583F7F0A5A925
                                                                                      SHA-256:F60DD9F2FCBD495674DFC1555EFFB710EB081FC7D4CAE5FA58C438AB50405081
                                                                                      SHA-512:DC9FF4202F74A13CA9949A123DFF4C0223DA969F49E9348FEAF93DA4470F7BE82CFA1D392566EAAA836D77DDE7193FED15A8395509F72A0E9F97C66C0A096016
                                                                                      Malicious:false
                                                                                      Antivirus:
                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe
                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):702816
                                                                                      Entropy (8bit):5.547832370836076
                                                                                      Encrypted:false
                                                                                      SSDEEP:12288:UUnBMlBGdU/t0voUYHgqRJd7a7+JLvrfX7bOI8Fp0D6WuHU2lvzR:UN/t0vMnffOI8Fp0D6TU2lvzR
                                                                                      MD5:8769ADAFCA3A6FC6EF26F01FD31AFA84
                                                                                      SHA1:38BAEF74BDD2E941CCD321F91BFD49DACC6A3CB6
                                                                                      SHA-256:2AEBB73530D21A2273692A5A3D57235B770DAF1C35F60C74E01754A5DAC05071
                                                                                      SHA-512:FAC22F1A2FFBFB4789BDEED476C8DAF42547D40EFE3E11B41FADBC4445BB7CA77675A31B5337DF55FDEB4D2739E0FB2CBCAC2FEABFD4CD48201F8AE50A9BD90B
                                                                                      Malicious:false
                                                                                      Antivirus:
                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe
                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):198520
                                                                                      Entropy (8bit):6.365137514820493
                                                                                      Encrypted:false
                                                                                      SSDEEP:3072:nYSqakQm3pSouj2yVi00L+Drqk8avRoxtLR8C9ekJhgkFyRnObUpzGxvspVRI7QD:YwcPuj2yk+Drqk8/yMfJyvt
                                                                                      MD5:43E5A1470C298BA773AC9FCF5D99E8F9
                                                                                      SHA1:06DB03DAF3194C9E492B2F406B38ED33A8C87AB3
                                                                                      SHA-256:56984D43BE27422D31D8ECE87D0ABDA2C0662EA2FF22AF755E49E3462A5F8B65
                                                                                      SHA-512:A5A1EBB34091EA17C8F0E7748004558D13807FDC16529BC6F8F6C6A3A586EE997BF72333590DC451D78D9812EF8ADFA7DEABAB6C614FCE537F56FA38CE669CFC
                                                                                      Malicious:false
                                                                                      Antivirus:
                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe
                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):64896
                                                                                      Entropy (8bit):6.101810529421494
                                                                                      Encrypted:false
                                                                                      SSDEEP:768:Y88LeBLeeFtp5V1BfO2yvSk70QZF1nEyjnskQkr/RFB1qucwdBeCw0myou6ZwJq9:Y8wewnvtjnsfwERI7Q0L7SyCPx
                                                                                      MD5:C17B7A4B853827F538576F4C3521C653
                                                                                      SHA1:6115047D02FBBAD4FF32AFB4EBD439F5D529485A
                                                                                      SHA-256:D21E60F3DFBF2BAB0CC8A06656721FA3347F026DF10297674FC635EBF9559A68
                                                                                      SHA-512:8E08E702D69DF6840781D174C4565E14A28022B40F650FDA88D60172BE2D4FFD96A3E9426D20718C54072CA0DA27E0455CC0394C098B75E062A27559234A3DF7
                                                                                      Malicious:false
                                                                                      Antivirus:
                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe
                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):4492664
                                                                                      Entropy (8bit):6.463653563183579
                                                                                      Encrypted:false
                                                                                      SSDEEP:49152:m/4rIQeEKdN4uxzx1njuYWxKLx5NFnb7d1G2F58rkx7qzMJYlf1GCJLvNyoInO3V:mS7q35VNFnlRqT84NAnYHAMDlPK0r
                                                                                      MD5:DEAF0C0CC3369363B800D2E8E756A402
                                                                                      SHA1:3085778735DD8BADAD4E39DF688139F4EED5F954
                                                                                      SHA-256:156CF2B64DD0F4D9BDB346B654A11300D6E9E15A65EF69089923DAFC1C71E33D
                                                                                      SHA-512:5CAC1D92AF7EE18425B5EE8E7CD4E941A9DDFFB4BC1C12BB8AEABEED09ACEC1FF0309ABC41A2E0C8DB101FEE40724F8BFB27A78898128F8746C8FE01C1631989
                                                                                      Malicious:false
                                                                                      Antivirus:
                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe
                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):669184
                                                                                      Entropy (8bit):6.03765159448253
                                                                                      Encrypted:false
                                                                                      SSDEEP:6144:zxxMpraRSS9Y68EuBPjIQN5cJzS7bUxgyPxFMH0PIXY3dVVVVAuLpdorrcK/CXjW:zxxMZMX1bQIJO7bazPEQSYNBLpdwNu
                                                                                      MD5:65DD753F51CD492211986E7B700983EF
                                                                                      SHA1:F5B469EC29A4BE76BC479B2219202F7D25A261E2
                                                                                      SHA-256:C3B33BA6C4F646151AED4172562309D9F44A83858DDFD84B2D894A8B7DA72B1E
                                                                                      SHA-512:8BD505E504110E40FA4973FEFF2FAE17EDC310A1CE1DC78B6AF7972EFDD93348087E6F16296BFD57ABFDBBE49AF769178F063BB0AA1DEE661C08659F47A6216D
                                                                                      Malicious:false
                                                                                      Antivirus:
                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe
                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):134656
                                                                                      Entropy (8bit):5.992653928086484
                                                                                      Encrypted:false
                                                                                      SSDEEP:3072:DLVxziezwPZSMaAXpuuwNNDY/r06trfSsSYOejKVJBtGdI8hvnMu:HfziezwMMaAX2Y/rxjbOejKDBtG681n
                                                                                      MD5:CEB06A956B276CEA73098D145FA64712
                                                                                      SHA1:6F0BA21F0325ACC7CF6BF9F099D9A86470A786BF
                                                                                      SHA-256:C8EC6429D243AEF1F78969863BE23D59273FA6303760A173AB36AB71D5676005
                                                                                      SHA-512:05BAB4A293E4C7EFA85FA2491C32F299AFD46FDB079DCB7EE2CC4C31024E01286DAAF4AEAD5082FC1FD0D4169B2D1BE589D1670FCF875B06C6F15F634E0C6F34
                                                                                      Malicious:false
                                                                                      Antivirus:
                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe
                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):29048
                                                                                      Entropy (8bit):6.478463870483955
                                                                                      Encrypted:false
                                                                                      SSDEEP:768:zeS+FwhCWHqhmIRI77GwYiSyv87PxWEgC:zeS+ahVKhmIRI77Gw7SyGPxL
                                                                                      MD5:C119811A40667DCA93DFE6FAA418F47A
                                                                                      SHA1:113E792B7DCEC4366FC273E80B1FC404C309074C
                                                                                      SHA-256:8F27CD8C5071CB740A2191B3C599E99595B121F461988166F07D9F841E7116B7
                                                                                      SHA-512:107257DBD8CF2607E4A1C7BEF928A6F61EBDFC21BE1C4BDC3A649567E067E9BB7EA40C0AC8844D2CEDD08682447B963148B52F85ADB1837F243DF57AF94C04B3
                                                                                      Malicious:false
                                                                                      Antivirus:
                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe
                                                                                      File Type:ASCII text
                                                                                      Category:dropped
                                                                                      Size (bytes):4
                                                                                      Entropy (8bit):1.5
                                                                                      Encrypted:false
                                                                                      SSDEEP:3:Mn:M
                                                                                      MD5:365C9BFEB7D89244F2CE01C1DE44CB85
                                                                                      SHA1:D7A03141D5D6B1E88B6B59EF08B6681DF212C599
                                                                                      SHA-256:CEEBAE7B8927A3227E5303CF5E0F1F7B34BB542AD7250AC03FBCDE36EC2F1508
                                                                                      SHA-512:D220D322A4053D84130567D626A9F7BB2FB8F0B854DA1621F001826DC61B0ED6D3F91793627E6F0AC2AC27AEA2B986B6A7A63427F05FE004D8A2ADFBDADC13C1
                                                                                      Malicious:false
                                                                                      Preview:pip.
                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe
                                                                                      File Type:ASCII text
                                                                                      Category:dropped
                                                                                      Size (bytes):1050
                                                                                      Entropy (8bit):5.072538194763298
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:1rmJHcwH0MP3gt8Hw1hj9QHOsUv4eOk4/+/m3oqMSFJ:1aJ8YHvEH5QHOs5exm3oEFJ
                                                                                      MD5:7A7126E068206290F3FE9F8D6C713EA6
                                                                                      SHA1:8E6689D37F82D5617B7F7F7232C94024D41066D1
                                                                                      SHA-256:DB3F0246B1F9278F15845B99FEC478B8B506EB76487993722F8C6E254285FAF8
                                                                                      SHA-512:C9F0870BC5D5EFF8769D9919E6D8DDE1B773543634F7D03503A9E8F191BD4ACC00A97E0399E173785D1B65318BAC79F41D3974AE6855E5C432AC5DACF8D13E8A
                                                                                      Malicious:false
                                                                                      Preview:Copyright Jason R. Coombs..Permission is hereby granted, free of charge, to any person obtaining a copy.of this software and associated documentation files (the "Software"), to.deal in the Software without restriction, including without limitation the.rights to use, copy, modify, merge, publish, distribute, sublicense, and/or.sell copies of the Software, and to permit persons to whom the Software is.furnished to do so, subject to the following conditions:..The above copyright notice and this permission notice shall be included in.all copies or substantial portions of the Software...THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR.IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,.FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE.AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER.LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING.FROM, OUT OF OR IN CONNECTION WITH THE SOFTW
                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe
                                                                                      File Type:ASCII text
                                                                                      Category:dropped
                                                                                      Size (bytes):6301
                                                                                      Entropy (8bit):5.107162422517841
                                                                                      Encrypted:false
                                                                                      SSDEEP:192:W4rkAIG0wRg8wbNDdq6T9927uoU/GBpHFwTZ:Sq0wRg8wbNDdBh927uoU/GBRFi
                                                                                      MD5:9E59BD13BB75B38EB7962BF64AC30D6F
                                                                                      SHA1:70F6A68B42695D1BFA55ACB63D8D3351352B2AAC
                                                                                      SHA-256:80C7A3B78EA0DFF1F57855EE795E7D33842A0827AA1EF4EE17EC97172A80C892
                                                                                      SHA-512:67AC61739692ECC249EBDC8F5E1089F68874DCD65365DB1C389FDD0CECE381591A30B99A2774B8CAAA00E104F3E35FF3745AFF6F5F0781289368398008537AE7
                                                                                      Malicious:false
                                                                                      Preview:Metadata-Version: 2.1.Name: setuptools.Version: 65.5.0.Summary: Easily download, build, install, upgrade, and uninstall Python packages.Home-page: https://github.com/pypa/setuptools.Author: Python Packaging Authority.Author-email: distutils-sig@python.org.Project-URL: Documentation, https://setuptools.pypa.io/.Project-URL: Changelog, https://setuptools.pypa.io/en/stable/history.html.Keywords: CPAN PyPI distutils eggs package management.Classifier: Development Status :: 5 - Production/Stable.Classifier: Intended Audience :: Developers.Classifier: License :: OSI Approved :: MIT License.Classifier: Programming Language :: Python :: 3.Classifier: Programming Language :: Python :: 3 :: Only.Classifier: Topic :: Software Development :: Libraries :: Python Modules.Classifier: Topic :: System :: Archiving :: Packaging.Classifier: Topic :: System :: Systems Administration.Classifier: Topic :: Utilities.Requires-Python: >=3.7.License-File: LICENSE.Provides-Extra: certs.Provides-Extra: docs.Requi
                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe
                                                                                      File Type:CSV text
                                                                                      Category:dropped
                                                                                      Size (bytes):37694
                                                                                      Entropy (8bit):5.560695955910088
                                                                                      Encrypted:false
                                                                                      SSDEEP:384:DDz9AkShgQUgq/kc2mIkpIVh498WjXYW1P5+Eu8X62aDoaQPKJfRQIbwA+hof2yf:Dn3OIyQgIAY8T/7T962lSsSGxt9Im
                                                                                      MD5:E30355B5F7466BEE1691929B05EED672
                                                                                      SHA1:B9F1275EF04F2D36DD1F801DE116AC12AA68722E
                                                                                      SHA-256:CEBD9639E6923A470E818350691053C3CC846A72426A9BFCB70F092868FA0D5B
                                                                                      SHA-512:C7A56FE3037A07035279FF063406F7999360D5B275D743C0EF88335EB98BE4CA539775CC1470BF121CE166AA53E3E55002BE7402350E62811EA2B4D0BBD6A617
                                                                                      Malicious:false
                                                                                      Preview:_distutils_hack/__init__.py,sha256=TSekhUW1fdE3rjU3b88ybSBkJxCEpIeWBob4cEuU3ko,6128.._distutils_hack/__pycache__/__init__.cpython-310.pyc,,.._distutils_hack/__pycache__/override.cpython-310.pyc,,.._distutils_hack/override.py,sha256=Eu_s-NF6VIZ4Cqd0tbbA5wtWky2IZPNd8et6GLt1mzo,44..distutils-precedence.pth,sha256=JjjOniUA5XKl4N5_rtZmHrVp0baW_LoHsN0iPaX10iQ,151..pkg_resources/__init__.py,sha256=fT5Y3P1tcSX8sJomClUU10WHeFmvqyNZM4UZHzdpAvg,108568..pkg_resources/__pycache__/__init__.cpython-310.pyc,,..pkg_resources/_vendor/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0..pkg_resources/_vendor/__pycache__/__init__.cpython-310.pyc,,..pkg_resources/_vendor/__pycache__/appdirs.cpython-310.pyc,,..pkg_resources/_vendor/__pycache__/zipp.cpython-310.pyc,,..pkg_resources/_vendor/appdirs.py,sha256=MievUEuv3l_mQISH5SF0shDk_BNhHHzYiAPrT3ITN4I,24701..pkg_resources/_vendor/importlib_resources/__init__.py,sha256=evPm12kLgYqTm-pbzm60bOuumumT8IpBNWFp0uMyrzE,506..pkg_resources/_vendor/importli
                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe
                                                                                      File Type:ASCII text
                                                                                      Category:dropped
                                                                                      Size (bytes):92
                                                                                      Entropy (8bit):4.820827594031884
                                                                                      Encrypted:false
                                                                                      SSDEEP:3:RtEeX7MWcSlViZHKRRP+tPCCfA5S:RtBMwlViojWBBf
                                                                                      MD5:4D57030133E279CEB6A8236264823DFD
                                                                                      SHA1:0FDC3988857C560E55D6C36DCC56EE21A51C196D
                                                                                      SHA-256:1B5E87E00DC87A84269CEAD8578B9E6462928E18A95F1F3373C9EEF451A5BCC0
                                                                                      SHA-512:CD98F2A416AC1B13BA82AF073D0819C0EA7C095079143CAB83037D48E9A5450D410DC5CF6B6CFF3F719544EDF1C5F0C7E32E87B746F1C04FE56FAFD614B39826
                                                                                      Malicious:false
                                                                                      Preview:Wheel-Version: 1.0.Generator: bdist_wheel (0.37.1).Root-Is-Purelib: true.Tag: py3-none-any..
                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe
                                                                                      File Type:ASCII text
                                                                                      Category:dropped
                                                                                      Size (bytes):2740
                                                                                      Entropy (8bit):4.540737240939103
                                                                                      Encrypted:false
                                                                                      SSDEEP:48:lELcZDy3g6ySDsm90rZh2Phv4hhpTqTog:yLAP8arZoP94hTTqcg
                                                                                      MD5:D3262B65DB35BFFAAC248075345A266C
                                                                                      SHA1:93AD6FE5A696252B9DEF334D182432CDA2237D1D
                                                                                      SHA-256:DEC880BB89189B5C9B1491C9EE8A2AA57E53016EF41A2B69F5D71D1C2FBB0453
                                                                                      SHA-512:1726750B22A645F5537C20ADDF23E3D3BAD851CD4BDBA0F9666F9F6B0DC848F9919D7AF8AD8847BD4F18D0F8585DDE51AFBAE6A4CAD75008C3210D17241E0291
                                                                                      Malicious:false
                                                                                      Preview:[distutils.commands].alias = setuptools.command.alias:alias.bdist_egg = setuptools.command.bdist_egg:bdist_egg.bdist_rpm = setuptools.command.bdist_rpm:bdist_rpm.build = setuptools.command.build:build.build_clib = setuptools.command.build_clib:build_clib.build_ext = setuptools.command.build_ext:build_ext.build_py = setuptools.command.build_py:build_py.develop = setuptools.command.develop:develop.dist_info = setuptools.command.dist_info:dist_info.easy_install = setuptools.command.easy_install:easy_install.editable_wheel = setuptools.command.editable_wheel:editable_wheel.egg_info = setuptools.command.egg_info:egg_info.install = setuptools.command.install:install.install_egg_info = setuptools.command.install_egg_info:install_egg_info.install_lib = setuptools.command.install_lib:install_lib.install_scripts = setuptools.command.install_scripts:install_scripts.rotate = setuptools.command.rotate:rotate.saveopts = setuptools.command.saveopts:saveopts.sdist = setuptools.command.sdist:sdist.seto
                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe
                                                                                      File Type:ASCII text
                                                                                      Category:dropped
                                                                                      Size (bytes):41
                                                                                      Entropy (8bit):3.9115956018096876
                                                                                      Encrypted:false
                                                                                      SSDEEP:3:3Wd+Nt8AfQYv:3Wd+Nttv
                                                                                      MD5:789A691C859DEA4BB010D18728BAD148
                                                                                      SHA1:AEF2CBCCC6A9A8F43E4E150E7FCF1D7B03F0E249
                                                                                      SHA-256:77DC8BDFDBFF5BBAA62830D21FAB13E1B1348FF2ECD4CDCFD7AD4E1A076C9B88
                                                                                      SHA-512:BC2F7CAAD486EB056CB9F68E6C040D448788C3210FF028397CD9AF1277D0051746CAE58EB172F9E73EA731A65B2076C6091C10BCB54D911A7B09767AA6279EF6
                                                                                      Malicious:false
                                                                                      Preview:_distutils_hack.pkg_resources.setuptools.
                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe
                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):1473912
                                                                                      Entropy (8bit):6.572390758739341
                                                                                      Encrypted:false
                                                                                      SSDEEP:24576:7nFjRWofXcFcdEKl+89yJ30SQUhXF7TuR7MNdRIxsg8xqh:77X6K080J30nUhXF7TuR7rxV8Y
                                                                                      MD5:AAF9FD98BC2161AD7DFF996450173A3B
                                                                                      SHA1:AB634C09B60AA18EA165084A042D917B65D1FE85
                                                                                      SHA-256:F1E8B6C4D61AC6A320FA2566DA9391FBFD65A5AC34AC2E2013BC37C8B7B41592
                                                                                      SHA-512:597FFE3C2F0966AB94FBB7ECAC27160C691F4A07332311F6A9BAF8DEC8B16FB16EC64DF734C3BDBABF2C0328699E234D14F1B8BD5AC951782D35EA0C78899E5F
                                                                                      Malicious:false
                                                                                      Antivirus:
                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe
                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):1122176
                                                                                      Entropy (8bit):5.381221577408984
                                                                                      Encrypted:false
                                                                                      SSDEEP:12288:6DYYMmuZ63NIQCb5Pfhnzr0ql8L8kXM7IRG5eeme6VZyrIBHdQLhfFE+uAM:gYYuLZV0m8vMMREtV6Vo4uYAM
                                                                                      MD5:4C8AF8A30813E9380F5F54309325D6B8
                                                                                      SHA1:169A80D8923FB28F89BC26EBF89FFE37F8545C88
                                                                                      SHA-256:4B6E3BA734C15EC789B5D7469A5097BD082BDFD8E55E636DED0D097CF6511E05
                                                                                      SHA-512:EA127779901B10953A2BF9233E20A4FAB2FBA6F97D7BAF40C1B314B7CD03549E0F4D2FB9BAD0FBC23736E21EB391A418D79A51D64402245C1CD8899E4D765C5A
                                                                                      Malicious:false
                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe
                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):14848
                                                                                      Entropy (8bit):5.112106937352672
                                                                                      Encrypted:false
                                                                                      SSDEEP:192:lGCm72PEO1jIUs0YqEcPbF55UgCWV4rofnbPmitE255qDLWn7ycLmrO/:8ardA0Bzx14r6nbN50W9/
                                                                                      MD5:F9C9445BE13026F8DB777E2BBC26651D
                                                                                      SHA1:E1D58C30E94B00B32AD1E9B806465643F4AFE980
                                                                                      SHA-256:C953DB1F67BBD92114531FF44EE4D76492FDD3CF608DA57D5C04E4FE4FDD1B96
                                                                                      SHA-512:587D9E8521C246865E16695E372A1675CFBC324E6258DD03479892D3238F634138EBB56985ED34E0C8C964C1AB75313182A4E687B598BB09C07FC143B506E9A8
                                                                                      Malicious:false
                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe
                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):133632
                                                                                      Entropy (8bit):5.849731189887005
                                                                                      Encrypted:false
                                                                                      SSDEEP:3072:l2J5loMoEg9enX4oD8cdf0nlRVFhLaNKP/IyymuqCyqJhe:cblovEgqXHdfqlRVlP/IyzCyy
                                                                                      MD5:00E5DA545C6A4979A6577F8F091E85E1
                                                                                      SHA1:A31A2C85E272234584DACF36F405D102D9C43C05
                                                                                      SHA-256:AC483D60A565CC9CBF91A6F37EA516B2162A45D255888D50FBBB7E5FF12086EE
                                                                                      SHA-512:9E4F834F56007F84E8B4EC1C16FB916E68C3BAADAB1A3F6B82FAF5360C57697DC69BE86F3C2EA6E30F95E7C32413BABBE5D29422D559C99E6CF4242357A85F31
                                                                                      Malicious:false
                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe
                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):23552
                                                                                      Entropy (8bit):5.279236779449316
                                                                                      Encrypted:false
                                                                                      SSDEEP:384:peeH8ZmV+zknwMsADuVLw0T8DmrRl2j9BfEAZnpC9QJQ1BA:5+zi/uVDS9dl6pB
                                                                                      MD5:B291ADAB2446DA62F93369A0DD662076
                                                                                      SHA1:A6B6C1054C1F511C64AEFB5F6C031AFE553E70F0
                                                                                      SHA-256:C5AD56E205530780326BD1081E94B212C65082B58E0F69788E3DC60EFFBD6410
                                                                                      SHA-512:847CC9E82B9939DBDC58BFA3E5A9899D614642E0B07CF1508AA866CD69E4AD8C905DBF810A045D225E6C364E1D9F2A45006F0EB0895BCD5AAF9D81EE344D4AEA
                                                                                      Malicious:false
                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe
                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):527872
                                                                                      Entropy (8bit):6.165923585421349
                                                                                      Encrypted:false
                                                                                      SSDEEP:6144:bXtpsewPjUA2jGZ90SmgopJgUCBKw84O3Rpd0K1VS0cTZdxi2y3:bXtp5sIAN90pleK1VSXXi2g
                                                                                      MD5:C2E1B245D4221BDA4C198CF18D9CA6AF
                                                                                      SHA1:9682B6E966495F7B58255348563A86C63FBD488C
                                                                                      SHA-256:89A8651DAD701DCE6B42B0E20C18B07DF6D08A341123659E05381EE796D23858
                                                                                      SHA-512:C2F57E9303D37547671E40086DDAD4B1FC31C52D43994CFCEC974B259125E125C644873073F216F28066BB0C213CBEB1B9A3C149727C9F1BC50F198AC45A4C8A
                                                                                      Malicious:false
                                                                                      Process:C:\Users\user\Desktop\231210-10-Creal-33652f.exe
                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):11264
                                                                                      Entropy (8bit):4.6989965032233245
                                                                                      Encrypted:false
                                                                                      SSDEEP:96:v9VD9daQ2iTrqT+y/ThvQ0I1uLfcC75JiC4Rs89EcYyGDPM0OcX6gY/7ECFV:39damqT3ThITst0E5DPKcqgY/79X
                                                                                      MD5:56976443600793FF2302EE7634E496B3
                                                                                      SHA1:018CE9250732A1794BBD0BDB8164061022B067AA
                                                                                      SHA-256:10F461A94C3D616C19FF1A88DEC1EFEA5194F7150F5D490B38AC4E1B31F673DD
                                                                                      SHA-512:A764C636D5D0B878B91DC61485E8699D7AA36F09AA1F0BD6AF33A8652098F28AEB3D7055008E56EBFC012BD3EA0868242A72E44DED0C83926F13D16866C31415
                                                                                      Malicious:false
                                                                                      Process:C:\Users\user\Desktop\231210-10-Creal-33652f.exe
                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):13824
                                                                                      Entropy (8bit):5.047528837102683
                                                                                      Encrypted:false
                                                                                      SSDEEP:192:SF/1nb2eqCQtkluknuz4ceS4QDuEA7cqgYvEP:o2P6luLtn4QDHmgYvEP
                                                                                      MD5:30F13366926DDC878B6D761BEC41879E
                                                                                      SHA1:4B98075CCBF72A6CBF882B6C5CADEF8DC6EC91DB
                                                                                      SHA-256:19D5F8081552A8AAFE901601D1FF5C054869308CEF92D03BCBE7BD2BB1291F23
                                                                                      SHA-512:BDCEC85915AB6EC1D37C1D36B075AE2E69AA638B80CD08971D5FDFD9474B4D1CF442ABF8E93AA991F5A8DCF6DB9D79FB67A9FE7148581E6910D9C952A5E166B4
                                                                                      Malicious:false
                                                                                      Process:C:\Users\user\Desktop\231210-10-Creal-33652f.exe
                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):13312
                                                                                      Entropy (8bit):5.0513840905718395
                                                                                      Encrypted:false
                                                                                      SSDEEP:192:7XF/1nb2eqCQtkXnFYIrWjz0YgWDbu5Do0vdvZt49lkVcqgYvEMN:L2P6XTr0zXgWDbui0vdvZt49MgYvEMN
                                                                                      MD5:CDF7D583B5C0150455BD3DAD43A6BF9B
                                                                                      SHA1:9EE9B033892BEB0E9641A67F456975A78122E4FA
                                                                                      SHA-256:4CA725A1CB10672EE5666ED2B18E926CAAE1A8D8722C14AB3BE2D84BABF646F6
                                                                                      SHA-512:96123559D21A61B144E2989F96F16786C4E94E5FA4DDA0C018EAA7FEFFA61DD6F0ADFA9815DF9D224CDEBE2E7849376D2A79D5A0F51A7F3327A2FAA0A444CE9C
                                                                                      Malicious:false
                                                                                      Process:C:\Users\user\Desktop\231210-10-Creal-33652f.exe
                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):12800
                                                                                      Entropy (8bit):5.1050594710160535
                                                                                      Encrypted:false
                                                                                      SSDEEP:96:/PTF1siKeai1dqmJo0qVVLf/+NJSC6sc9kJ9oPobXXXP4IIYOxDmO8jcX6gRth2h:/LsiHfq5poUkJ97zIDmOucqgRvE
                                                                                      MD5:7918BFE07DCB7AD21822DBAAA777566D
                                                                                      SHA1:964F5B172759538C4E9E9131CE4BB39885D79842
                                                                                      SHA-256:C00840D02ADA7031D294B1AB94A5F630C813AAE6897F18DD66C731F56931868E
                                                                                      SHA-512:D4A05AB632D4F0EB0ED505D803F6A5C0DBE5117D12BA001CE820674903209F7249B690618555F9C061DB58BED1E03BE58AD5D5FE3BC35FC96DF27635639ABF25
                                                                                      Malicious:false
                                                                                      Process:C:\Users\user\Desktop\231210-10-Creal-33652f.exe
                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):36352
                                                                                      Entropy (8bit):6.55587798283519
                                                                                      Encrypted:false
                                                                                      SSDEEP:384:Of+7nYpPMedFDlDchrVX1mEVmT9ZgkoD/PKDkGuF0U390QOo8VdbKBWmuTLg4HPy:WqWB7YJlmLJ3oD/S4j990th9VTsC
                                                                                      MD5:4B032DA3C65EA0CFBDEB8610C4298C51
                                                                                      SHA1:541F9F8D428F4518F96D44BB1037BC348EAE54CF
                                                                                      SHA-256:4AEF77E1359439748E6D3DB1ADB531CF86F4E1A8E437CCD06E8414E83CA28900
                                                                                      SHA-512:2667BF25FD3BF81374750B43AFC5AEFF839EC1FF6DFC3FDD662F1D34A5924F69FC513EA3CD310991F85902A19ADA8B58DED9A9ED7B5D631563F62EA7F2624102
                                                                                      Malicious:false
                                                                                      Process:C:\Users\user\Desktop\231210-10-Creal-33652f.exe
                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):15872
                                                                                      Entropy (8bit):5.2919328525651945
                                                                                      Encrypted:false
                                                                                      SSDEEP:192:oJBjJPqZkEPYinXKccxrEWx4xLquhS3WQ67EIfD4A1ccqgwYUMvEW:6URwin7mrEYCLEGd7/fDnwgwYUMvE
                                                                                      MD5:57E4DF965E41B1F385B02F00EA08AE20
                                                                                      SHA1:583B08C3FC312C8943FECDDD67D6D0A5FC2FF98B
                                                                                      SHA-256:3F64DFFEC486DCF9A2E80CB9D96251B98F08795D5922D43FB69F0A5AC2340FC2
                                                                                      SHA-512:48C3F78AF4E35BFEF3B0023A8039CF83E6B2E496845A11B7A2C2FA8BB62C7CCDE52158D4D37755584716220C34BBF379ECE7F8E3439B009AD099B1890B42A3D9
                                                                                      Malicious:false
                                                                                      Process:C:\Users\user\Desktop\231210-10-Creal-33652f.exe
                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):16384
                                                                                      Entropy (8bit):5.565187477275172
                                                                                      Encrypted:false
                                                                                      SSDEEP:192:MeDd9Vk3yQ5f8vjVKChhXoJDkq6NS7oE2DDHlWw2XpmdcqgwNeecBU8:1k/5cj4shXED+o2Du8zgwNeO8
                                                                                      MD5:F9C93FA6CA17FDF4FF2F13176684FD6C
                                                                                      SHA1:6B6422B4CAF157147F7C0DD4B4BAB2374BE31502
                                                                                      SHA-256:E9AEBB6F17BA05603E0763DFF1A91CE9D175C61C1C2E80F0881A0DEE8CFFBE3A
                                                                                      SHA-512:09843E40E0D861A2DEE97320779C603550433BC9AB9402052EA284C6C74909E17CE0F6D3FDBA983F5EB6E120E2FE0C2B087420E138760BB0716D2999C10935C1
                                                                                      Malicious:false
                                                                                      Process:C:\Users\user\Desktop\231210-10-Creal-33652f.exe
                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):20992
                                                                                      Entropy (8bit):6.058843128972375
                                                                                      Encrypted:false
                                                                                      SSDEEP:384:fHU/5cJMOZA0nmwBD+XpJgLa0Mp8Qhg4P2llyM:QK1XBD+DgLa1qTi
                                                                                      MD5:E4969D864420FEB94F54CEF173D0AD4D
                                                                                      SHA1:7F8FE4225BB6FD37F84EBCE8E64DF7192BA50FB6
                                                                                      SHA-256:94D7D7B43E58170CAEA4520D7F741D743BC82B59BE50AA37D3D2FB7B8F1BB061
                                                                                      SHA-512:F02F02A7DE647DDA723A344DBB043B75DA54D0783AE13E5D25EEC83072EA3B2375F672B710D6348D9FC829E30F8313FA44D5C28B4D65FDA8BB863700CAE994B7
                                                                                      Malicious:false
                                                                                      Process:C:\Users\user\Desktop\231210-10-Creal-33652f.exe
                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):25088
                                                                                      Entropy (8bit):6.458942954966616
                                                                                      Encrypted:false
                                                                                      SSDEEP:384:xVcaHLHm+kJ7ZXmrfXA+UA10ol31tuXyZQ7gLWi:8aHrm+kJNXmrXA+NNxWi28LWi
                                                                                      MD5:CD4B96612DEFDAAC5CF923A3960F15B6
                                                                                      SHA1:3F987086C05A4246D8CCA9A65E42523440C7FFEC
                                                                                      SHA-256:5C25283C95FFF9B0E81FCC76614626EB8048EA3B3FD1CD89FE7E2689130E0447
                                                                                      SHA-512:C650860A3ECC852A25839FF1E379526157EB79D4F158B361C90077875B757F5E7A4AA33FFE5F4F49B28DF5D60E3471370889FBE3BF4D9568474ECE511FF5E67D
                                                                                      Malicious:false
                                                                                      Process:C:\Users\user\Desktop\231210-10-Creal-33652f.exe
                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):12288
                                                                                      Entropy (8bit):4.833693880012467
                                                                                      Encrypted:false
                                                                                      SSDEEP:192:BF/1nb2eqCQtkrAUj8OxKbDbzecqgYvEkrK:t2P6EE8OsbD2gYvEmK
                                                                                      MD5:0C46D7B7CD00B3D474417DE5D6229C41
                                                                                      SHA1:825BDB1EA8BBFE7DE69487B76ABB36196B5FDAC0
                                                                                      SHA-256:9D0A5C9813AD6BA129CAFEF815741636336EB9426AC4204DE7BC0471F7B006E1
                                                                                      SHA-512:D81B17B100A052899D1FD4F8CEA1B1919F907DAA52F1BAD8DC8E3F5AFC230A5BCA465BBAC2E45960E7F8072E51FDD86C00416D06CF2A1F07DB5AD8A4E3930864
                                                                                      Malicious:false
                                                                                      Process:C:\Users\user\Desktop\231210-10-Creal-33652f.exe
                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):13824
                                                                                      Entropy (8bit):4.900216636767426
                                                                                      Encrypted:false
                                                                                      SSDEEP:192:YTI1RgPfqLlvIOP3bdS2hkPUDk9oCM/vPXcqgzQkvEmO:YTvYgAdDkUDDCWpgzQkvE
                                                                                      MD5:3142C93A6D9393F071AB489478E16B86
                                                                                      SHA1:4FE99C817ED3BCC7708A6631F100862EBDA2B33D
                                                                                      SHA-256:5EA310E0F85316C8981ED6293086A952FA91A6D12CA3F8AF9581521EE2B15586
                                                                                      SHA-512:DCAFEC54BD9F9F42042E6FA4AC5ED53FEB6CF8D56ADA6A1787CAFC3736AA72F14912BBD1B27D0AF87E79A6D406B0326602ECD1AD394ACDC6275AED4C41CDB9EF
                                                                                      Malicious:false
                                                                                      Process:C:\Users\user\Desktop\231210-10-Creal-33652f.exe
                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):14848
                                                                                      Entropy (8bit):5.302400096950382
                                                                                      Encrypted:false
                                                                                      SSDEEP:192:SJ1gSPqgKkwv0i8NSixSK57NEEE/qexcEtDr+DjRcqgUF6+6vEX:6E1si8NSixS0CqebtD+rgUUjvE
                                                                                      MD5:A34F499EE5F1B69FC4FED692A5AFD3D6
                                                                                      SHA1:6A37A35D4F5F772DAB18E1C2A51BE756DF16319A
                                                                                      SHA-256:4F74BCF6CC81BAC37EA24CB1EF0B17F26B23EDB77F605531857EAA7B07D6C8B2
                                                                                      SHA-512:301F7C31DEE8FF65BB11196F255122E47F3F1B6B592C86B6EC51AB7D9AC8926FECFBE274679AD4F383199378E47482B2DB707E09D73692BEE5E4EC79C244E3A8
                                                                                      Malicious:false
                                                                                      Process:C:\Users\user\Desktop\231210-10-Creal-33652f.exe
                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):57856
                                                                                      Entropy (8bit):4.25844209931351
                                                                                      Encrypted:false
                                                                                      SSDEEP:384:1UqVT1dZ/lHkJnYcZiGKdZHDLtiduprZAZB0JAIg+v:nHlHfJid3X
                                                                                      MD5:007BE822C3657687A84A7596531D79B7
                                                                                      SHA1:B24F74FDC6FA04EB7C4D1CD7C757C8F1C08D4674
                                                                                      SHA-256:6CF2B3969E44C88B34FB145166ACCCDE02B53B46949A9D5C37D83CA9C921B8C8
                                                                                      SHA-512:F9A8B070302BDFE39D0CD8D3E779BB16C9278AE207F5FADF5B27E1A69C088EEF272BFBCE6B977BA37F68183C8BBEAC7A31668662178EFE4DF8940E19FBCD9909
                                                                                      Malicious:false
                                                                                      Process:C:\Users\user\Desktop\231210-10-Creal-33652f.exe
                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):58368
                                                                                      Entropy (8bit):4.274890605099198
                                                                                      Encrypted:false
                                                                                      SSDEEP:384:4Uqho9weF5/dHkRnYcZiGKdZHDL7idErZBZYmGg:ECndH//iduz
                                                                                      MD5:A883798D95F76DA8513DA6B87D470A2A
                                                                                      SHA1:0507D920C1935CE71461CA1982CDB8077DDB3413
                                                                                      SHA-256:AED194DD10B1B68493481E7E89F0B088EF216AB5DB81959A94D14BB134643BFB
                                                                                      SHA-512:5C65221542B3849CDFBC719A54678BB414E71DE4320196D608E363EFF69F2448520E620B5AA8398592D5B58D7F7EC1CC4C72652AD621308C398D45F294D05C9B
                                                                                      Malicious:false
                                                                                      Process:C:\Users\user\Desktop\231210-10-Creal-33652f.exe
                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):10752
                                                                                      Entropy (8bit):4.5811635662773185
                                                                                      Encrypted:false
                                                                                      SSDEEP:192:PzWVddiTHThQTctEEI4qXDc1CkcqgbW6:PzWMdsc+EuXDc0YgbW
                                                                                      MD5:DEDAE3EFDA452BAB95F69CAE7AEBB409
                                                                                      SHA1:520F3D02693D7013EA60D51A605212EFED9CA46B
                                                                                      SHA-256:6248FDF98F949D87D52232DDF61FADA5EF02CD3E404BB222D7541A84A3B07B8A
                                                                                      SHA-512:8C1CAB8F34DE2623A42F0750F182B6B9A7E2AFFA2667912B3660AF620C7D9AD3BD5B46867B3C2D50C0CAE2A1BC03D03E20E4020B7BA0F313B6A599726F022C6C
                                                                                      Malicious:false
                                                                                      Process:C:\Users\user\Desktop\231210-10-Creal-33652f.exe
                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):22016
                                                                                      Entropy (8bit):6.1405490084747445
                                                                                      Encrypted:false
                                                                                      SSDEEP:384:WMU/5cRUtPMbNv37t6KjjNrDF6pJgLa0Mp8Qg0gYP2lcCM:WdKR8EbxwKflDFQgLa1AzP
                                                                                      MD5:914EA1707EBA03E4BE45D3662BF2466E
                                                                                      SHA1:3E110C9DBFE1D17E1B4BE69052E65C93DDC0BF26
                                                                                      SHA-256:4D4F22633D5DB0AF58EE260B5233D48B54A6F531FFD58EE98A5305E37A00D376
                                                                                      SHA-512:F6E6323655B351E5B7157231E04C352A488B0B49D7174855FC8594F119C87A26D31C602B3307C587A28AD408C2909A93B8BA8CB41166D0113BD5C6710C4162C3
                                                                                      Malicious:false
                                                                                      Process:C:\Users\user\Desktop\231210-10-Creal-33652f.exe
                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):17920
                                                                                      Entropy (8bit):5.350740516564008
                                                                                      Encrypted:false
                                                                                      SSDEEP:384:GPHdP3Mj7Be/yB/MsB3yRcb+IqcOYoQViCBD88g6Vf4A:APcnB8KEsB3ocb+pcOYLMCBDu
                                                                                      MD5:52E481A15C3CE1B0DF8BA3B1B77DF9D0
                                                                                      SHA1:C1F06E1E956DFDE0F89C2E237ADFE42075AAE954
                                                                                      SHA-256:C85A6783557D96BFA6E49FE2F6EA4D2450CF110DA314C6B8DCEDD7590046879B
                                                                                      SHA-512:108FB1344347F0BC27B4D02D3F4E75A76E44DE26EF54323CB2737604DF8860A94FA37121623A627937F452B3B923C3D9671B13102D2E5F1005E4766E80A05A96
                                                                                      Malicious:false
                                                                                      Process:C:\Users\user\Desktop\231210-10-Creal-33652f.exe
                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):12288
                                                                                      Entropy (8bit):4.737329240938157
                                                                                      Encrypted:false
                                                                                      SSDEEP:192:BF/1nb2eqCQtkgU7L9D0T70fcqgYvEJPb:t2P6L9DWAxgYvEJj
                                                                                      MD5:A13584F663393F382C6D8D5C0023BC80
                                                                                      SHA1:D324D5FBD7A5DBA27AA9B0BDB5C2AEBFF17B55B1
                                                                                      SHA-256:13C34A25D10C42C6A12D214B2D027E5DC4AE7253B83F21FD70A091FEDAC1E049
                                                                                      SHA-512:14E4A6F2959BD68F441AA02A4E374740B1657AB1308783A34D588717F637611724BC90A73C80FC6B47BC48DAFB15CF2399DC7020515848F51072F29E4A8B4451
                                                                                      Malicious:false
                                                                                      Process:C:\Users\user\Desktop\231210-10-Creal-33652f.exe
                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):14848
                                                                                      Entropy (8bit):5.2072665819239585
                                                                                      Encrypted:false
                                                                                      SSDEEP:192:iF/1nb2eqCQtkhlgJ2ycxFzShJD9CAac2QDeJKcqgQx2XY:Y2PKr+2j8JDefJagQx2XY
                                                                                      MD5:104B480CB83BFF78101CF6940588D570
                                                                                      SHA1:6FC56B9CF380B508B01CAB342FCC939494D1F595
                                                                                      SHA-256:BA4F23BBDD1167B5724C04DB116A1305C687001FAC43304CD5119C44C3BA6588
                                                                                      SHA-512:60617865C67115AD070BD6462B346B89B69F834CAF2BFE0EF315FB4296B833E095CD03F3F4D6D9499245C5DA8785F2FBE1AC7427049BD48428EBF74529229040
                                                                                      Malicious:false
                                                                                      Process:C:\Users\user\Desktop\231210-10-Creal-33652f.exe
                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):14336
                                                                                      Entropy (8bit):5.177411248432731
                                                                                      Encrypted:false
                                                                                      SSDEEP:192:mF/1nb2eqCQt7fSxp/CJPvADQZntxSOvbcqgEvcM+:c2PNKxZWPIDexVlgEvL
                                                                                      MD5:06D3E941860BB0ABEDF1BAF1385D9445
                                                                                      SHA1:E8C16C3E8956BA99A2D0DE860DCFC5021F1D7DE5
                                                                                      SHA-256:1C340D2625DAD4F07B88BB04A81D5002AABF429561C92399B0EB8F6A72432325
                                                                                      SHA-512:6F62ACFF39B77C1EC9F161A9BFA94F8E3B932D56E63DAEE0093C041543993B13422E12E29C8231D88BC85C0573AD9077C56AA7F7A307E27F269DA17FBA8EE5A3
                                                                                      Malicious:false
                                                                                      Process:C:\Users\user\Desktop\231210-10-Creal-33652f.exe
                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):14336
                                                                                      Entropy (8bit):5.137579183601755
                                                                                      Encrypted:false
                                                                                      SSDEEP:192:5siHfq5po0ZUp8XnUp8XjEQnlDtW26rcqgcx2:nqDZUp8XUp8AclDN69gcx2
                                                                                      MD5:F938A89AEC5F535AF25BD92221BBC141
                                                                                      SHA1:384E1E92EBF1A6BBE068AB1493A26B50EFE43A7E
                                                                                      SHA-256:774A39E65CC2D122F8D4EB314CED60848AFFF964FB5AD2627E32CB10EF28A6D0
                                                                                      SHA-512:ED0506B9EBCEC26868F484464F9CC38E28F8056D6E55C536ECD2FD98F58F29F2D1CE96C5E574876A9AA6FD22D3756A49BC3EB464A7845CB3F28A1F3D1C98B4D7
                                                                                      Malicious:false
                                                                                      Process:C:\Users\user\Desktop\231210-10-Creal-33652f.exe
                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):13824
                                                                                      Entropy (8bit):5.158343521612926
                                                                                      Encrypted:false
                                                                                      SSDEEP:192:jsiHfq5pwUivkwXap8T0NchH73s47iDJxj2wcqgfvE:9qbi8wap8T0Ncp7n7iDbFgfvE
                                                                                      MD5:173EED515A1ADDD1DA0179DD2621F137
                                                                                      SHA1:D02F5E6EDA9FF08ABB4E88C8202BAD7DB926258F
                                                                                      SHA-256:9D9574A71EB0DE0D14570B5EDA06C15C17CC2E989A20D1E8A4821CB813290D5F
                                                                                      SHA-512:8926FBB78A00FD4DC67670670035D9E601AF27CDBE003DC45AD809E8DA1042DDECB997F44ED104BEC13391C8048051B0AAD0C10FDEEDFB7F858BA177E92FDC54
                                                                                      Malicious:false
                                                                                      Process:C:\Users\user\Desktop\231210-10-Creal-33652f.exe
                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):15360
                                                                                      Entropy (8bit):5.469810464531962
                                                                                      Encrypted:false
                                                                                      SSDEEP:192:RZ9WfqP7M93g8UdsoS1hhiBvzcuiDSjeoGmDZNbRBP0rcqgjPrvE:sA0gHdzS1MwuiDSyoGmD/r89gjPrvE
                                                                                      MD5:39B06A1707FF5FDC5B3170EB744D596D
                                                                                      SHA1:37307B2826607EA8D5029293990EB1476AD6CC42
                                                                                      SHA-256:2E8BB88D768890B6B68D5B6BB86820766ADA22B82F99F31C659F4C11DEF211A1
                                                                                      SHA-512:98C3C45EB8089800EDF99ACEA0810820099BFD6D2C805B80E35D9239626CB67C7599F1D93D2A14D2F3847D435EAA065BF56DF726606BB5E8A96E527E1420633D
                                                                                      Malicious:false
                                                                                      Process:C:\Users\user\Desktop\231210-10-Creal-33652f.exe
                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):13824
                                                                                      Entropy (8bit):5.137646874307781
                                                                                      Encrypted:false
                                                                                      SSDEEP:192:QF/1nb2eqCQtZl9k9VEmosHcBZTHGF31trDbu8oiZmtwcqgk+9TI:q2PXlG9VDos8BZA33rDbuNgk0gk+9U
                                                                                      MD5:1DFC771325DD625DE5A72E0949D90E5F
                                                                                      SHA1:8E1F39AAFD403EDA1E5CD39D5496B9FAA3387B52
                                                                                      SHA-256:13F9ADBBD60D7D80ACEE80D8FFB461D7665C5744F8FF917D06893AA6A4E25E3A
                                                                                      SHA-512:B678FB4AD6DF5F8465A80BFB9A2B0433CF6CFAD4C6A69EEBF951F3C4018FD09CB7F38B752BE5AB55C4BE6C88722F70521D22CBCBBB47F8C46DDB0B1ACBFD7D7E
                                                                                      Malicious:false
                                                                                      Process:C:\Users\user\Desktop\231210-10-Creal-33652f.exe
                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):17920
                                                                                      Entropy (8bit):5.687377356938656
                                                                                      Encrypted:false
                                                                                      SSDEEP:384:bPHdP3MjeQTh+QAZUUw8lMF6D+1tgj+kf4:xPcKQT3iw8lfDUej+
                                                                                      MD5:9D15862569E033C5AA702F9E4041C928
                                                                                      SHA1:11376E8CB76AD2D9A7D48D11F4A74FB12B78BCF6
                                                                                      SHA-256:8970DF77D2F73350360DBE68F937E0523689FF3D7C0BE95EB7CA5820701F1493
                                                                                      SHA-512:322F0F4947C9D5D2800DEEBFD198EABE730D44209C1B61BB9FD0F7F9ED5F719AE49F8397F7920BDB368BB386A598E9B215502DC46FBE72F9340876CF40AFFC8A
                                                                                      Malicious:false
                                                                                      Process:C:\Users\user\Desktop\231210-10-Creal-33652f.exe
                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):21504
                                                                                      Entropy (8bit):5.9200472722347675
                                                                                      Encrypted:false
                                                                                      SSDEEP:384:pljwGpJpvrp/LTaqvYHp5RYcARQOj4MSTjqgPmJDcOwwgjxo:Ljw4JbZYtswvqDc51j
                                                                                      MD5:7398EFD589FBE4FEFADE15B52632CD5C
                                                                                      SHA1:5EA575056718D3EC9F57D3CFF4DF87D77D410A4B
                                                                                      SHA-256:F1970DB1DA66EFB4CD8E065C40C888EED795685FF4E5A6FA58CA56A840FE5B80
                                                                                      SHA-512:C26F6FF693782C84460535EBCD35F23AA3C95FB8C0C8A608FB9A849B0EFD735EF45125397549C61248AE06BD068554D2DE05F9A3BA64F363438EDB92DA59481B
                                                                                      Malicious:false
                                                                                      Process:C:\Users\user\Desktop\231210-10-Creal-33652f.exe
                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):21504
                                                                                      Entropy (8bit):5.922439979230845
                                                                                      Encrypted:false
                                                                                      SSDEEP:384:jljwGpJpvrp/LtaqvYHp5RYcARQOj4MSTjqgPmJDcbegjxo:hjw4JVZYtswvqDcb7j
                                                                                      MD5:352F56E35D58ABE96D6F5DBBD40D1FEA
                                                                                      SHA1:5F0C9596B84B8A54D855441C6253303D0C81AA1B
                                                                                      SHA-256:44EED167431151E53A8F119466036F1D60773DDEB8350AF972C82B3789D5D397
                                                                                      SHA-512:CB4862B62ABB780656F1A06DADD3F80AEA453E226C38EFAE4318812928A7B0B6A3A8A86FCC43F65354B84FC07C7235FF384B75C2244553052E00DC85699D422A
                                                                                      Malicious:false
                                                                                      Process:C:\Users\user\Desktop\231210-10-Creal-33652f.exe
                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):26624
                                                                                      Entropy (8bit):5.879121462749493
                                                                                      Encrypted:false
                                                                                      SSDEEP:768:pDLZ9BjjBui0gel9soFdkO66MlPGXmXcnRDbRj:VBfu/FZ6nPxMRDtj
                                                                                      MD5:3C47F387A68629C11C871514962342C1
                                                                                      SHA1:EA3E508A8FB2D3816C80CD54CDD9C8254809DB00
                                                                                      SHA-256:EA8A361B060EB648C987ECAF453AE25034DBEA3D760DC0805B705AC9AA1C7DD9
                                                                                      SHA-512:5C824E4C0E2AB13923DC8330D920DCD890A9B33331D97996BC1C3B73973DF7324FFFB6E940FA5AA92D6B23A0E6971532F3DB4BF899A9DF33CC0DD6CB1AC959DD
                                                                                      Malicious:false
                                                                                      Process:C:\Users\user\Desktop\231210-10-Creal-33652f.exe
                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):26624
                                                                                      Entropy (8bit):5.937696428849242
                                                                                      Encrypted:false
                                                                                      SSDEEP:768:VYL59Ugjaui0gel9soFdkO66MlPGXmXcXVDuSFAj:60xu/FZ6nPxMlD7Kj
                                                                                      MD5:2F44F1B760EE24C89C13D9E8A06EA124
                                                                                      SHA1:CF8E16D8324A7823B11474211BD7B95ADB321448
                                                                                      SHA-256:7C7B6F59DD250BD0F8CBC5AF5BB2DB9F9E1A2A56BE6442464576CD578F0B2AE0
                                                                                      SHA-512:2AACB2BB6A9EBA89549BF864DDA56A71F3B3FFEDB8F2B7EF3FC552AB3D42BC4B832F5FA0BA87C59F0F899EA9716872198680275A70F3C973D44CA7711DB44A14
                                                                                      Malicious:false
                                                                                      Process:C:\Users\user\Desktop\231210-10-Creal-33652f.exe
                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):12800
                                                                                      Entropy (8bit):5.027823764756571
                                                                                      Encrypted:false
                                                                                      SSDEEP:192:/RF/1nb2eqCQtkbsAT2fixSrdYDt8ymjcqgQvEW:/d2P6bsK4H+DVwgQvEW
                                                                                      MD5:64604EE3AEBEE62168F837A41BA61DB1
                                                                                      SHA1:4D3FF7AC183BC28B89117240ED1F6D7A7D10AEF1
                                                                                      SHA-256:20C3CC2F50B51397ACDCD461EE24F0326982F2DC0E0A1A71F0FBB2CF973BBEB2
                                                                                      SHA-512:D03EEFF438AFB57E8B921CE080772DF485644DED1074F3D0AC12D3EBB1D6916BD6282E0E971408E89127FF1DAD1D0CB1D214D7B549D686193068DEA137A250CE
                                                                                      Malicious:false
                                                                                      Process:C:\Users\user\Desktop\231210-10-Creal-33652f.exe
                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):13312
                                                                                      Entropy (8bit):5.020783935465456
                                                                                      Encrypted:false
                                                                                      SSDEEP:192:+F/1nb2eqCQtks0iiNqdF4mtPjD0ZA5LPYcqgYvEL2x:02P6fFA/4GjDXcgYvEL2x
                                                                                      MD5:E0EEDBAE588EE4EA1B3B3A59D2ED715A
                                                                                      SHA1:4629B04E585899A7DCB4298138891A98C7F93D0B
                                                                                      SHA-256:F507859F15A1E06A0F21E2A7B060D78491A9219A6A499472AA84176797F9DB02
                                                                                      SHA-512:9FD82784C7E06F00257D387F96E732CE4A4BD065F9EC5B023265396D58051BECC2D129ABDE24D05276D5CD8447B7DED394A02C7B71035CED27CBF094ED82547D
                                                                                      Malicious:false
                                                                                      Process:C:\Users\user\Desktop\231210-10-Creal-33652f.exe
                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):15872
                                                                                      Entropy (8bit):5.2616188776014665
                                                                                      Encrypted:false
                                                                                      SSDEEP:384:JP2T9FRjRskTdf4YBU7YP5yUYDE1give:qHlRl57IC8UYDEG
                                                                                      MD5:1708C4D1B28C303DA19480AF3C6D04FF
                                                                                      SHA1:BAC78207EFAA6D838A8684117E76FB871BD423D5
                                                                                      SHA-256:C90FB9F28AD4E7DEED774597B12AA7785F01DC4458076BE514930BF7AB0D15EC
                                                                                      SHA-512:2A174C1CB712E8B394CBEE20C33974AA277E09631701C80864B8935680F8A4570FD040EA6F59AD71631D421183B329B85C749F0977AEB9DE339DFABE7C23762E
                                                                                      Malicious:false
                                                                                      Process:C:\Users\user\Desktop\231210-10-Creal-33652f.exe
                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):15360
                                                                                      Entropy (8bit):5.130670522779765
                                                                                      Encrypted:false
                                                                                      SSDEEP:192:nZNGfqDgvUh43G6coX2SSwmPL4V7wTdDl41Y2cqgWjvE:CFMhuGGF2L4STdDcYWgWjvE
                                                                                      MD5:E08355F3952A748BADCA2DC2E82AA926
                                                                                      SHA1:F24828A3EEFB15A2550D872B5E485E2254C11B48
                                                                                      SHA-256:47C664CB7F738B4791C7D4C21A463E09E9C1AAAE2348E63FB2D13FC3E6E573EB
                                                                                      SHA-512:E7F48A140AFEF5D6F64A4A27D95E25A8D78963BB1F9175B0232D4198D811F6178648280635499C562F398613E0B46D237F7DB74A39B52003D6C8768B80EC6FB6
                                                                                      Malicious:false
                                                                                      Process:C:\Users\user\Desktop\231210-10-Creal-33652f.exe
                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):34816
                                                                                      Entropy (8bit):5.935249615462395
                                                                                      Encrypted:false
                                                                                      SSDEEP:768:gb+5F2hqrxS7yZAEfYcwcSPxpMgLp/GQNSpcVaGZ:gb+5Qwc7OAEfYcwJxpMgFJh
                                                                                      MD5:DB56C985DBC562A60325D5D68D2E5C5B
                                                                                      SHA1:854684CF126A10DE3B1C94FA6BCC018277275452
                                                                                      SHA-256:089585F5322ADF572B938D34892C2B4C9F29B62F21A5CF90F481F1B6752BC59F
                                                                                      SHA-512:274D9E4A200CAF6F60AC43F33AADF29C6853CC1A7E04DF7C8CA3E24A6243351E53F1E5D0207F23B34319DFC8EEE0D48B2821457B8F11B6D6A0DBA1AE820ACE43
                                                                                      Malicious:false
                                                                                      Process:C:\Users\user\Desktop\231210-10-Creal-33652f.exe
                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):12288
                                                                                      Entropy (8bit):4.799861986912974
                                                                                      Encrypted:false
                                                                                      SSDEEP:192:YTIekCffqPSTMeAk4OeR64ADpki6RcqgO5vE:YTNZMcPeR64ADh63gO5vE
                                                                                      MD5:6229A84562A9B1FBB0C3CF891813AADD
                                                                                      SHA1:4FAFB8AF76A7F858418AA18B812FEACADFA87B45
                                                                                      SHA-256:149027958A821CBC2F0EC8A0384D56908761CC544914CED491989B2AD9D5A4DC
                                                                                      SHA-512:599C33F81B77D094E97944BB0A93DA68D2CCB31E6871CE5679179FB6B9B2CE36A9F838617AC7308F131F8424559C5D1A44631E75D0847F3CC63AB7BB57FE1871
                                                                                      Malicious:false
                                                                                      Process:C:\Users\user\Desktop\231210-10-Creal-33652f.exe
                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):754176
                                                                                      Entropy (8bit):7.628627007698131
                                                                                      Encrypted:false
                                                                                      SSDEEP:12288:31ETHoxJ8gf1266y8IXhJvCKAmqVLzcrZgYIMGv1iLD9yQvG6h+b:lETHoxJFf1p34hcrn5Go9yQO6g
                                                                                      MD5:BBB83671232E0BE361E812369A463E03
                                                                                      SHA1:A37DAEC475AB230E14897077D17E20B7A5112B8D
                                                                                      SHA-256:873A3E3E945421917BA780D95C78ECCB92D4E143227987D6812BC9F9E4653BE0
                                                                                      SHA-512:BF6718DE5235F6A7C348A1E2F325FEE59C74356D4722DFA99DA36A2BE1E6386C544EEC09190E2EBBA58B7C6B4157D00409C59F29AE2CC7BC13CBC301B8592586
                                                                                      Malicious:false
                                                                                      Process:C:\Users\user\Desktop\231210-10-Creal-33652f.exe
                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):27648
                                                                                      Entropy (8bit):5.799740467345125
                                                                                      Encrypted:false
                                                                                      SSDEEP:384:PvRwir5rOF2MZz1n0/kyTMIl9bhgIW0mvBaeoSzra2pftjGQDdsC0MgkbQ0e1r:PJLtg2MTeM+9dmvBaeoCtaQDekf
                                                                                      MD5:7F2C691DEB4FF86F2F3B19F26C55115C
                                                                                      SHA1:63A9D6FA3B149825EA691F5E9FDF81EEC98224AA
                                                                                      SHA-256:BF9224037CAE862FE220094B6D690BC1992C19A79F7267172C90CBED0198582E
                                                                                      SHA-512:3A51F43BF628E44736859781F7CFF0E0A6081CE7E5BDE2F82B3CDB52D75D0E3DFAE92FC2D5F7D003D0B313F6835DBA2E393A0A8436F9409D92E20B65D3AED7E2
                                                                                      Malicious:false
                                                                                      Process:C:\Users\user\Desktop\231210-10-Creal-33652f.exe
                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):67072
                                                                                      Entropy (8bit):6.060804942512998
                                                                                      Encrypted:false
                                                                                      SSDEEP:1536:HqvnErJyGoqQXZKfp23mXKUULBeCFTUCqHF+PELb7MSAEfnctefBd5:HqvnErJyGoqQXZKfp2ayLsCFTUCqHEP4
                                                                                      MD5:AF46798028AB3ED0E56889DFB593999B
                                                                                      SHA1:D4D7B39A473E69774771B2292FDBF43097CE6015
                                                                                      SHA-256:FD4F1F6306950276A362D2B3D46EDBB38FEABA017EDCA3CD3A2304340EC8DD6C
                                                                                      SHA-512:58A80AFEEAC16D7C35F8063D03A1F71CA6D74F200742CAE4ADB3094CF4B3F2CD1A6B3F30A664BD75AB0AF85802D935B90DD9A1C29BFEA1B837C8C800261C6265
                                                                                      Malicious:false
                                                                                      Process:C:\Users\user\Desktop\231210-10-Creal-33652f.exe
                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):10752
                                                                                      Entropy (8bit):4.488129745837651
                                                                                      Encrypted:false
                                                                                      SSDEEP:96:kfuF7pVVdJvbrqTuy/Th/Y0IluLfcC75JiC4cs89EfqADQhDsAbcX6gn/7EC:TF/VddiTHThQTctdErDQDsicqgn/7
                                                                                      MD5:F4B7324A8F7908C3655BE4C75EAC36E7
                                                                                      SHA1:11A30562A85A444F580213417483BE8D4D9264AD
                                                                                      SHA-256:5397E3F5762D15DCD84271F49FC52983ED8F2717B258C7EF370B24977A5D374B
                                                                                      SHA-512:66CA15A9BAD39DD4BE7921A28112A034FFE9CD11F91093318845C269E263804AB22A4AF262182D1C6DAC8741D517362C1D595D9F79C2F729216738C3DD79D7C2
                                                                                      Malicious:false
                                                                                      Process:C:\Users\user\Desktop\231210-10-Creal-33652f.exe
                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):10240
                                                                                      Entropy (8bit):4.733990521299615
                                                                                      Encrypted:false
                                                                                      SSDEEP:192:PzVVddiTHThQTctEEaEDKDnMRWJcqgbW6:PzTMdsc+EaEDKDnCWvgbW
                                                                                      MD5:3D566506052018F0556ADF9D499D4336
                                                                                      SHA1:C3112FF145FACF47AF56B6C8DCA67DAE36E614A2
                                                                                      SHA-256:B5899A53BC9D3112B3423C362A7F6278736418A297BF86D32FF3BE6A58D2DEEC
                                                                                      SHA-512:0AC6A1FC0379F5C3C80D5C88C34957DFDB656E4BF1F10A9FA715AAD33873994835D1DE131FC55CD8B0DEBDA2997993E978700890308341873B8684C4CD59A411
                                                                                      Malicious:false
                                                                                      Process:C:\Users\user\Desktop\231210-10-Creal-33652f.exe
                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):10240
                                                                                      Entropy (8bit):4.689063511060661
                                                                                      Encrypted:false
                                                                                      SSDEEP:96:P/ryZVVdJvbrqTuy/Th/Y0IluLfcC75JiCKs89EMz3DIWMot4BcX6gbW6O:PzQVddiTHThQTctEEO3DSoKcqgbW6
                                                                                      MD5:FAE081B2C91072288C1C8BF66AD1ABA5
                                                                                      SHA1:CD23DDB83057D5B056CA2B3AB49C8A51538247DE
                                                                                      SHA-256:AF76A5B10678F477069ADD6E0428E48461FB634D9F35FB518F9F6A10415E12D6
                                                                                      SHA-512:0ADB0B1088CB6C8F089CB9BF7AEC9EEEB1717CF6CF44B61FB0B053761FA70201AB3F7A6461AAAE1BC438D689E4F8B33375D31B78F1972AA5A4BF86AFAD66D3A4
                                                                                      Malicious:false
                                                                                      Process:C:\Users\user\Desktop\231210-10-Creal-33652f.exe
                                                                                      File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):5653424
                                                                                      Entropy (8bit):6.729277267882055
                                                                                      Encrypted:false
                                                                                      SSDEEP:49152:EuEsNcEc8/CK4b11P5ViH8gw0+NVQD5stWIlE7lva8iposS9j5fzSQzs7ID+AVuS:EnL8+5fiEnQFLOAkGkzdnEVomFHKnPS
                                                                                      MD5:03A161718F1D5E41897236D48C91AE3C
                                                                                      SHA1:32B10EB46BAFB9F81A402CB7EFF4767418956BD4
                                                                                      SHA-256:E06C4BD078F4690AA8874A3DEB38E802B2A16CCB602A7EDC2E077E98C05B5807
                                                                                      SHA-512:7ABCC90E845B43D264EE18C9565C7D0CBB383BFD72B9CEBB198BA60C4A46F56DA5480DA51C90FF82957AD4C84A4799FA3EB0CEDFFAA6195F1315B3FF3DA1BE47
                                                                                      Malicious:false
                                                                                      Process:C:\Users\user\Desktop\231210-10-Creal-33652f.exe
                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):1142272
                                                                                      Entropy (8bit):6.040548449175261
                                                                                      Encrypted:false
                                                                                      SSDEEP:12288:cLokSyhffpJSf6VJtHUR2L2mVSvya6Lx15IQnpKTlYcf9WBo:cLok/pXJdUzOSMx15dcTlYiK
                                                                                      MD5:B505E88EB8995C2EC46129FB4B389E6C
                                                                                      SHA1:CBFA8650730CBF6C07F5ED37B0744D983ABFE50A
                                                                                      SHA-256:BE7918B4F7E7DE53674894A4B8CFADCACB4726CEA39B7DB477A6C70231C41790
                                                                                      SHA-512:6A51B746D0FBC03F57FF28BE08F7E894AD2E9F2A2F3B61D88EAE22E7491CF35AE299CDB3261E85E4867F41D8FDA012AF5BD1EB8E1498F1A81ADC4354ADACDAAB
                                                                                      Malicious:false
                                                                                      Process:C:\Users\user\Desktop\231210-10-Creal-33652f.exe
                                                                                      File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):109392
                                                                                      Entropy (8bit):6.643764685776923
                                                                                      Encrypted:false
                                                                                      SSDEEP:1536:DcghbEGyzXJZDWnEzWG9q4lVOiVgXjO5/Auecbq8qZU34zW/K0zD:DV3iC0h9q4v6XjKAuecbq8qGISb/
                                                                                      MD5:870FEA4E961E2FBD00110D3783E529BE
                                                                                      SHA1:A948E65C6F73D7DA4FFDE4E8533C098A00CC7311
                                                                                      SHA-256:76FDB83FDE238226B5BEBAF3392EE562E2CB7CA8D3EF75983BF5F9D6C7119644
                                                                                      SHA-512:0B636A3CDEFA343EB4CB228B391BB657B5B4C20DF62889CD1BE44C7BEE94FFAD6EC82DC4DB79949EDEF576BFF57867E0D084E0A597BF7BF5C8E4ED1268477E88
                                                                                      Malicious:false
                                                                                      Process:C:\Users\user\Desktop\231210-10-Creal-33652f.exe
                                                                                      File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):49488
                                                                                      Entropy (8bit):6.652691609629867
                                                                                      Encrypted:false
                                                                                      SSDEEP:768:8EgYXUcHJcUJSDW/tfxL1qBS3hO6nb/TEHEXi9zufUKQXi9zug:8vGS8fZ1eUpreA+zuTc+zug
                                                                                      MD5:BBA9680BC310D8D25E97B12463196C92
                                                                                      SHA1:9A480C0CF9D377A4CAEDD4EA60E90FA79001F03A
                                                                                      SHA-256:E0B66601CC28ECB171C3D4B7AC690C667F47DA6B6183BFF80604C84C00D265AB
                                                                                      SHA-512:1575C786AC3324B17057255488DA5F0BC13AD943AC9383656BAF98DB64D4EC6E453230DE4CD26B535CE7E8B7D41A9F2D3F569A0EFF5A84AEB1C2F9D6E3429739
                                                                                      Malicious:false
                                                                                      Process:C:\Users\user\Desktop\231210-10-Creal-33652f.exe
                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):64384
                                                                                      Entropy (8bit):6.115753860836585
                                                                                      Encrypted:false
                                                                                      SSDEEP:1536:aW3/DZG0409EevNR4aimAWAs+FI75nED7SynRPx:aW39GlANR4aim6hFI75nUJVx
                                                                                      MD5:4543813A21958D0764975032B09DED7B
                                                                                      SHA1:C571DEA89AB89B6AAB6DA9B88AFE78ACE90DD882
                                                                                      SHA-256:45C229C3988F30580C79B38FC0C19C81E6F7D5778E64CEF6CE04DD188A9CCAB5
                                                                                      SHA-512:3B007AB252CCCDA210B473CA6E2D4B7FE92C211FB81ADE41A5A69C67ADDE703A9B0BC97990F31DCBE049794C62BA2B70DADF699E83764893A979E95FD6E89D8F
                                                                                      Malicious:false
                                                                                      Process:C:\Users\user\Desktop\231210-10-Creal-33652f.exe
                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):83320
                                                                                      Entropy (8bit):6.534931868118148
                                                                                      Encrypted:false
                                                                                      SSDEEP:1536:V/Uez7qlsjcaNXZIzNYM4B0NDX8rjE2tI7tVj7SyxPx9:eezGiXMjdMrjPtI7tVjLx9
                                                                                      MD5:BBE89CF70B64F38C67B7BF23C0EA8A48
                                                                                      SHA1:44577016E9C7B463A79B966B67C3ECC868957470
                                                                                      SHA-256:775FBC6E9A4C7E9710205157350F3D6141B5A9E8F44CB07B3EAC38F2789C8723
                                                                                      SHA-512:3EE72BA60541116BBCA1A62DB64074276D40AD8ED7D0CA199A9C51D65C3F0762A8EF6D0E1E9EBF04BF4EFE1347F120E4BC3D502DD288339B4DF646A59AAD0EC1
                                                                                      Malicious:false
                                                                                      Process:C:\Users\user\Desktop\231210-10-Creal-33652f.exe
                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):181248
                                                                                      Entropy (8bit):6.188683787528254
                                                                                      Encrypted:false
                                                                                      SSDEEP:3072:rZ1fKD8GVLHASq0TTjfQxnkVB0hcspEsHS7iiSTLkKetJb9Pu:rZNRGVb9TTCnaZsuMXiSTLLeD9
                                                                                      MD5:EBB660902937073EC9695CE08900B13D
                                                                                      SHA1:881537ACEAD160E63FE6BA8F2316A2FBBB5CB311
                                                                                      SHA-256:52E5A0C3CA9B0D4FC67243BD8492F5C305FF1653E8D956A2A3D9D36AF0A3E4FD
                                                                                      SHA-512:19D5000EF6E473D2F533603AFE8D50891F81422C59AE03BEAD580412EC756723DC3379310E20CD0C39E9683CE7C5204791012E1B6B73996EA5CB59E8D371DE24
                                                                                      Malicious:false
                                                                                      Process:C:\Users\user\Desktop\231210-10-Creal-33652f.exe
                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):122232
                                                                                      Entropy (8bit):6.015707129535061
                                                                                      Encrypted:false
                                                                                      SSDEEP:3072:YjjHoXs01LUZJNUoNZf4adhfrI70s3nRI7QPY2xB:Y3HUJ6f5dhfrIHX1
                                                                                      MD5:CA4CEF051737B0E4E56B7D597238DF94
                                                                                      SHA1:583DF3F7ECADE0252FDFF608EB969439956F5C4A
                                                                                      SHA-256:E60A2B100C4FA50B0B144CF825FE3CDE21A8B7B60B92BFC326CB39573CE96B2B
                                                                                      SHA-512:17103D6B5FA84156055E60F9E5756FFC31584CDB6274C686A136291C58BA0BE00238D501F8ACC1F1CA7E1A1FADCB0C7FEFDDCB98CEDB9DD04325314F7E905DF3
                                                                                      Malicious:false
                                                                                      Process:C:\Users\user\Desktop\231210-10-Creal-33652f.exe
                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):248704
                                                                                      Entropy (8bit):6.54473795039927
                                                                                      Encrypted:false
                                                                                      SSDEEP:6144:LbdyrWOay+msmOE8qQRiJpCWi9qWMa3pLW1AUg42G:6zsmsmGNRm1omZ2G
                                                                                      MD5:6339FA92584252C3B24E4CCE9D73EF50
                                                                                      SHA1:DCCDA9B641125B16E56C5B1530F3D04E302325CD
                                                                                      SHA-256:4AE6F6FB3992BB878416211221B3D62515E994D78F72EAB51E0126CA26D0EE96
                                                                                      SHA-512:428B62591D4EBA3A4E12F7088C990C48E30B6423019BEBF8EDE3636F6708E1F4151F46D442516D2F96453694EBEEF78618C0C8A72E234F679C6E4D52BEBC1B84
                                                                                      Malicious:false
                                                                                      Process:C:\Users\user\Desktop\231210-10-Creal-33652f.exe
                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):61824
                                                                                      Entropy (8bit):6.21086555394527
                                                                                      Encrypted:false
                                                                                      SSDEEP:1536:aIpTlJFWaIDPZbdqzOgB1fFI75IJ7SyXPxMVt:rT36bZbdqzXfFI75IJRxMV
                                                                                      MD5:D856A545A960BF2DCA1E2D9BE32E5369
                                                                                      SHA1:67A15ECF763CDC2C2AA458A521DB8A48D816D91E
                                                                                      SHA-256:CD33F823E608D3BDA759AD441F583A20FC0198119B5A62A8964F172559ACB7D3
                                                                                      SHA-512:34A074025C8B28F54C01A7FD44700FDEDB391F55BE39D578A003EDB90732DEC793C2B0D16DA3DA5CDBD8ADBAA7B3B83FC8887872E284800E7A8389345A30A6A4
                                                                                      Malicious:false
                                                                                      Process:C:\Users\user\Desktop\231210-10-Creal-33652f.exe
                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):157560
                                                                                      Entropy (8bit):6.834360512510993
                                                                                      Encrypted:false
                                                                                      SSDEEP:3072:PBKvRNVdG9LqSS2IAiznfI9mNoBkD9ZRqtI7e1Pvxs:PBKvRts82awYOBkvRqM
                                                                                      MD5:0A94C9F3D7728CF96326DB3AB3646D40
                                                                                      SHA1:8081DF1DCA4A8520604E134672C4BE79EB202D14
                                                                                      SHA-256:0A70E8546FA6038029F2A3764E721CEEBEA415818E5F0DF6B90D6A40788C3B31
                                                                                      SHA-512:6F047F3BDAEAD121018623F52A35F7E8B38C58D3A9CB672E8056A5274D02395188975DE08CABAE948E2CC2C1CA01C74CA7BC1B82E2C23D652E952F3745491087
                                                                                      Malicious:false
                                                                                      Process:C:\Users\user\Desktop\231210-10-Creal-33652f.exe
                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):33152
                                                                                      Entropy (8bit):6.323290452921724
                                                                                      Encrypted:false
                                                                                      SSDEEP:768:G9HI6RwgJ5xeKg2edhnJ81I7Rtt/YiSyvPPxWEa5Z:aIoJ5UKg2edhJ81I7Rtt/7SynPxeZ
                                                                                      MD5:62733CE8AE95241BF9CA69F38C977923
                                                                                      SHA1:E5C3F4809E85B331CC8C5BA0AE76979F2DFDDF85
                                                                                      SHA-256:AF84076B03A0EADEC2B75D01F06BB3765B35D6F0639FB7C14378736D64E1ACAA
                                                                                      SHA-512:FDFBF5D74374F25ED5269CDBCDF8E643B31FAA9C8205EAC4C22671AA5DEBDCE4052F1878F38E7FAB43B85A44CB5665E750EDCE786CABA172A2861A5EABFD8D49
                                                                                      Malicious:false
                                                                                      Process:C:\Users\user\Desktop\231210-10-Creal-33652f.exe
                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):48512
                                                                                      Entropy (8bit):6.325592382122715
                                                                                      Encrypted:false
                                                                                      SSDEEP:768:zy4KxRzXINGAQSKant/QKhl6XoTZfWJhSVAWiUOJI7stsYiSyvxPxWEa:XKxqztLTQSVAkOJI7sts7SypPx
                                                                                      MD5:02C0F2EFF280B9A92003786FDED7C440
                                                                                      SHA1:5A7FE7ED605FF1C49036D001AE60305E309C5509
                                                                                      SHA-256:F16E595B0A87C32D9ABD2035F8EA97B39339548E7C518DF16A6CC27BA7733973
                                                                                      SHA-512:2B05DDF7BC57E8472E5795E68660D52E843271FD08F2E8002376B056A8C20200D31FFD5E194CE486F8A0928A8486951FDB5670246F1C909F82CF4B0929EFEDAC
                                                                                      Malicious:false
                                                                                      Process:C:\Users\user\Desktop\231210-10-Creal-33652f.exe
                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):30592
                                                                                      Entropy (8bit):6.413040228053335
                                                                                      Encrypted:false
                                                                                      SSDEEP:768:yez/DF36r3CkrAIeRI77UNYiSyvlfUvPxWEl:yeDM3CkrAIeRI77UN7SyOvPx
                                                                                      MD5:52D0A6009D3DE40F4FA6EC61DB98C45C
                                                                                      SHA1:5083A2AFF5BCCE07C80409646347C63D2A87BD25
                                                                                      SHA-256:007BCF19D9B036A7E73F5EF31F39BFB1910F72C9C10E4A1B0658352CFE7A8B75
                                                                                      SHA-512:CD552A38EFAA8720A342B60318F62320CE20C03871D2E50D3FA3A9A730B84DACDBB8EB4D0AB7A1C8A97215B537826C8DC532C9A55213BCD0C1D13D7D8A9AD824
                                                                                      Malicious:false
                                                                                      Process:C:\Users\user\Desktop\231210-10-Creal-33652f.exe
                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):77696
                                                                                      Entropy (8bit):6.248960816871735
                                                                                      Encrypted:false
                                                                                      SSDEEP:1536:c67eU/Bgujs9/s+S+py8k/DDjaRI7Qw27Syj/Px:c673/aujs9/sT+pPk/XmRI7Qw2xx
                                                                                      MD5:0F5E64E33F4D328EF11357635707D154
                                                                                      SHA1:8B6DCB4B9952B362F739A3F16AE96C44BEA94A0E
                                                                                      SHA-256:8AF6D70D44BB9398733F88BCFB6D2085DD1A193CD00E52120B96A651F6E35EBE
                                                                                      SHA-512:4BE9FEBB583364DA75B6FB3A43A8B50EE29CA8FC1DDA35B96C0FCC493342372F69B4F27F2604888BCA099C8D00F38A16F4C9463C16EFF098227D812C29563643
                                                                                      Malicious:false
                                                                                      Process:C:\Users\user\Desktop\231210-10-Creal-33652f.exe
                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):97664
                                                                                      Entropy (8bit):6.170877221164934
                                                                                      Encrypted:false
                                                                                      SSDEEP:1536:QzgM+YDOyvuPwYXGqijQa4rlIain9NbT19c4LOyZkyDFI75Qx87SyDPx:vtYCDPSQa4rlIXDbPc23ZkyDFI75Qx8H
                                                                                      MD5:9F38F603BD8F7559609C4FFA47F23C86
                                                                                      SHA1:8B0136FC2506C1CCEF2009DB663E4E7006E23C92
                                                                                      SHA-256:28090432A18B59EB8CBE8FDCF11A277420B404007F31CA571321488A43B96319
                                                                                      SHA-512:273A19F2F609BEDE9634DAE7C47D7B28D369C88420B2B62D42858B1268D6C19B450D83877D2DBA241E52755A3F67A87F63FEA8E5754831C86D16E2A8F214AD72
                                                                                      Malicious:false
                                                                                      Process:C:\Users\user\Desktop\231210-10-Creal-33652f.exe
                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):159096
                                                                                      Entropy (8bit):6.001271339711538
                                                                                      Encrypted:false
                                                                                      SSDEEP:3072:xOoLGtbSpE3z/J/PUE1ueW5J2oEPwu3rE923+nuI5Piev9mutI7t7L+xu:xOoitbSpE3zhH7ueAE8nuaF9muy
                                                                                      MD5:9DDB64354EF0B91C6999A4B244A0A011
                                                                                      SHA1:86A9DC5EA931638699EB6D8D03355AD7992D2FEE
                                                                                      SHA-256:E33B7A4AA5CDD5462EE66830636FDD38048575A43D06EB7E2F688358525DDEAB
                                                                                      SHA-512:4C86478861FA4220680A94699E7D55FBDC90D2785CAEE10619CECB058F833292EE7C3D6AC2ED1EF34B38FBFF628B79D672194A337701727A54BB6BBC5BF9AECA
                                                                                      Malicious:false
                                                                                      Process:C:\Users\user\Desktop\231210-10-Creal-33652f.exe
                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):23936
                                                                                      Entropy (8bit):6.532904843385081
                                                                                      Encrypted:false
                                                                                      SSDEEP:384:JfwFpEW96TfQtI7ewyIIYiSy1pCQDMaPxh8E9VF0Nyvzo:JqpEnjQtI7ewAYiSyvfPxWEx
                                                                                      MD5:041556420BDB334A71765D33229E9945
                                                                                      SHA1:0122316E74EE4ADA1CE1E0310B8DCA1131972CE1
                                                                                      SHA-256:8B3D4767057C18C1C496E138D4843F25E5C98DDFC6A8D1B0ED46FD938EDE5BB6
                                                                                      SHA-512:18DA574B362726EDE927D4231CC7F2AEBAFBAAAB47DF1E31B233F7EDA798253AEF4C142BED1A80164464BD629015D387AE97BA36FCD3CEDCFE54A5A1E5C5CAA3
                                                                                      Malicious:false
                                                                                      Process:C:\Users\user\Desktop\231210-10-Creal-33652f.exe
                                                                                      File Type:Zip archive data, at least v2.0 to extract, compression method=store
                                                                                      Category:dropped
                                                                                      Size (bytes):880537
                                                                                      Entropy (8bit):5.683035771422093
                                                                                      Encrypted:false
                                                                                      SSDEEP:12288:lgYJu4KXWyBC6S4IEa8A4a2Y42dOVwx/fpEWertSLMNM:lgYJiVBFLa21nVwx/fpEWe+MNM
                                                                                      MD5:22FEE1506D933ABB3335FFB4A1E1D230
                                                                                      SHA1:18331CBA91F33FB6B11C6FDEFA031706AE6D43A0
                                                                                      SHA-256:03F6A37FC2E166E99CE0AD8916DFB8A70945E089F9FC09B88E60A1649441AB6E
                                                                                      SHA-512:3F764337A3FD4F8271CBA9602AEF0663D6B7C37A021389395A00D39BD305D2B927A150C2627B1C629FDBD41C044AF0F7BC9897F84C348C2BCCC085DF911EEE02
                                                                                      Malicious:false
                                                                                      Process:C:\Users\user\Desktop\231210-10-Creal-33652f.exe
                                                                                      File Type:ASCII text
                                                                                      Category:dropped
                                                                                      Size (bytes):290282
                                                                                      Entropy (8bit):6.048183244201235
                                                                                      Encrypted:false
                                                                                      SSDEEP:6144:QW1H/M8fRR1jplkXURrVADwYCuCigT/Q5MSRqNb7d8iu5Np:QWN/TRJLWURrI55MWavdF0L
                                                                                      MD5:302B49C5F476C0AE35571430BB2E4AA0
                                                                                      SHA1:35A7837A3F1B960807BF46B1C95EC22792262846
                                                                                      SHA-256:CF9D37FA81407AFE11DCC0D70FE602561422AA2344708C324E4504DB8C6C5748
                                                                                      SHA-512:1345AF52984B570B1FF223032575FEB36CDFB4F38E75E0BD3B998BC46E9C646F7AC5C583D23A70460219299B9C04875EF672BF5A0D614618731DF9B7A5637D0A
                                                                                      Malicious:false
                                                                                      Preview:.# Issuer: CN=GlobalSign Root CA O=GlobalSign nv-sa OU=Root CA.# Subject: CN=GlobalSign Root CA O=GlobalSign nv-sa OU=Root CA.# Label: "GlobalSign Root CA".# Serial: 4835703278459707669005204.# MD5 Fingerprint: 3e:45:52:15:09:51:92:e1:b7:5d:37:9f:b1:87:29:8a.# SHA1 Fingerprint: b1:bc:96:8b:d4:f4:9d:62:2a:a8:9a:81:f2:15:01:52:a4:1d:82:9c.# SHA256 Fingerprint: eb:d4:10:40:e4:bb:3e:c7:42:c9:e3:81:d3:1e:f2:a4:1a:48:b6:68:5c:96:e7:ce:f3:c1:df:6c:d4:33:1c:99.
                                                                                      Process:C:\Users\user\Desktop\231210-10-Creal-33652f.exe
                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):10752
                                                                                      Entropy (8bit):4.675182011095312
                                                                                      Encrypted:false
                                                                                      SSDEEP:96:FL8Khp72HzA5iJGhU2Y0hQMsQJCUCLsZEA4elh3XQMtCFaiHrmHcX6g8cim1qeSC:Zj2HzzU2bRYoe4Hmcqgvimoe
                                                                                      MD5:F33CA57D413E6B5313272FA54DBC8BAA
                                                                                      SHA1:4E0CABE7D38FE8D649A0A497ED18D4D1CA5F4C44
                                                                                      SHA-256:9B3D70922DCFAEB02812AFA9030A40433B9D2B58BCF088781F9AB68A74D20664
                                                                                      SHA-512:F17C06F4202B6EDBB66660D68FF938D4F75B411F9FAB48636C3575E42ABAAB6464D66CB57BCE7F84E8E2B5755B6EF757A820A50C13DD5F85FAA63CD553D3FF32
                                                                                      Malicious:false
                                                                                      Process:C:\Users\user\Desktop\231210-10-Creal-33652f.exe
                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):120320
                                                                                      Entropy (8bit):5.879886869577473
                                                                                      Encrypted:false
                                                                                      SSDEEP:3072:YKBCiXU2SBEUemE+OaOb3OEOz0fEDrF9pQKhN:YJZ2zOfdQKX
                                                                                      MD5:494F5B9ADC1CFB7FDB919C9B1AF346E1
                                                                                      SHA1:4A5FDDD47812D19948585390F76D5435C4220E6B
                                                                                      SHA-256:AD9BCC0DE6815516DFDE91BB2E477F8FB5F099D7F5511D0F54B50FA77B721051
                                                                                      SHA-512:2C0D68DA196075EA30D97B5FD853C673E28949DF2B6BF005AE72FD8B60A0C036F18103C5DE662CAC63BAAEF740B65B4ED2394FCD2E6DA4DFCFBEEF5B64DAB794
                                                                                      Malicious:false
                                                                                      Process:C:\Users\user\Desktop\231210-10-Creal-33652f.exe
                                                                                      File Type:ASCII text
                                                                                      Category:dropped
                                                                                      Size (bytes):4
                                                                                      Entropy (8bit):1.5
                                                                                      Encrypted:false
                                                                                      SSDEEP:3:Mn:M
                                                                                      MD5:365C9BFEB7D89244F2CE01C1DE44CB85
                                                                                      SHA1:D7A03141D5D6B1E88B6B59EF08B6681DF212C599
                                                                                      SHA-256:CEEBAE7B8927A3227E5303CF5E0F1F7B34BB542AD7250AC03FBCDE36EC2F1508
                                                                                      SHA-512:D220D322A4053D84130567D626A9F7BB2FB8F0B854DA1621F001826DC61B0ED6D3F91793627E6F0AC2AC27AEA2B986B6A7A63427F05FE004D8A2ADFBDADC13C1
                                                                                      Malicious:false
                                                                                      Preview:pip.
                                                                                      Process:C:\Users\user\Desktop\231210-10-Creal-33652f.exe
                                                                                      File Type:ASCII text
                                                                                      Category:dropped
                                                                                      Size (bytes):197
                                                                                      Entropy (8bit):4.61968998873571
                                                                                      Encrypted:false
                                                                                      SSDEEP:3:hWDncJhByZmJgXPForADu1QjygQuaAJygT2d5GeWreLRuOFEXAYeBKmJozlMHuO:h9Co8FyQjkDYc5tWreLBF/pn2mH1
                                                                                      MD5:8C3617DB4FB6FAE01F1D253AB91511E4
                                                                                      SHA1:E442040C26CD76D1B946822CAF29011A51F75D6D
                                                                                      SHA-256:3E0C7C091A948B82533BA98FD7CBB40432D6F1A9ACBF85F5922D2F99A93AE6BB
                                                                                      SHA-512:77A1919E380730BCCE5B55D76FBFFBA2F95874254FAD955BD2FE1DE7FC0E4E25B5FDAAB0FEFFD6F230FA5DC895F593CF8BFEDF8FDC113EFBD8E22FADAB0B8998
                                                                                      Malicious:false
                                                                                      Preview:This software is made available under the terms of *either* of the licenses.found in LICENSE.APACHE or LICENSE.BSD. Contributions to cryptography are made.under the terms of *both* these licenses..
                                                                                      Process:C:\Users\user\Desktop\231210-10-Creal-33652f.exe
                                                                                      File Type:ASCII text
                                                                                      Category:dropped
                                                                                      Size (bytes):11360
                                                                                      Entropy (8bit):4.426756947907149
                                                                                      Encrypted:false
                                                                                      SSDEEP:192:nUDG5KXSD9VYUKhu1JVF9hFGvV/QiGkS594drFjuHYx5dvTrLh3kTSEnQHbHR:UIvlKM1zJlFvmNz5VrlkTS0QHt
                                                                                      MD5:4E168CCE331E5C827D4C2B68A6200E1B
                                                                                      SHA1:DE33EAD2BEE64352544CE0AA9E410C0C44FDF7D9
                                                                                      SHA-256:AAC73B3148F6D1D7111DBCA32099F68D26C644C6813AE1E4F05F6579AA2663FE
                                                                                      SHA-512:F451048E81A49FBFA11B49DE16FF46C52A8E3042D1BCC3A50AAF7712B097BED9AE9AED9149C21476C2A1E12F1583D4810A6D36569E993FE1AD3879942E5B0D52
                                                                                      Malicious:false
                                                                                      Preview:. Apache License. Version 2.0, January 2004. https://www.apache.org/licenses/.. TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION.. 1. Definitions... "License" shall mean the terms and conditions for use, reproduction,. and distribution as defined by Sections 1 through 9 of this document... "Licensor" shall mean the copyright owner or entity authorized by. the copyright owner that is granting the License... "Legal Entity" shall mean the union of the acting entity and all. other entities that control, are controlled by, or are under common. control with that entity. For the purposes of this definition,. "control" means (i) the power, direct or indirect, to cause the. direction or management of such entity, whether by contract or. otherwise, or (ii) ownership of fifty percent (50%) or more of the. outstanding shares, or (iii) beneficial ow
                                                                                      Process:C:\Users\user\Desktop\231210-10-Creal-33652f.exe
                                                                                      File Type:ASCII text
                                                                                      Category:dropped
                                                                                      Size (bytes):1532
                                                                                      Entropy (8bit):5.058591167088024
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:MjUnoorbOFFTJJyRrYFTjzMbmqEvBTP4m96432s4EOkUTKQROJ32s3yxsITf+3tY:MkOFJSrYJsaN5P406432svv32s3EsIqm
                                                                                      MD5:5AE30BA4123BC4F2FA49AA0B0DCE887B
                                                                                      SHA1:EA5B412C09F3B29BA1D81A61B878C5C16FFE69D8
                                                                                      SHA-256:602C4C7482DE6479DD2E9793CDA275E5E63D773DACD1ECA689232AB7008FB4FB
                                                                                      SHA-512:DDBB20C80ADBC8F4118C10D3E116A5CD6536F72077C5916D87258E155BE561B89EB45C6341A1E856EC308B49A4CB4DBA1408EABD6A781FBE18D6C71C32B72C41
                                                                                      Malicious:false
                                                                                      Preview:Copyright (c) Individual contributors..All rights reserved...Redistribution and use in source and binary forms, with or without.modification, are permitted provided that the following conditions are met:.. 1. Redistributions of source code must retain the above copyright notice,. this list of conditions and the following disclaimer... 2. Redistributions in binary form must reproduce the above copyright. notice, this list of conditions and the following disclaimer in the. documentation and/or other materials provided with the distribution... 3. Neither the name of PyCA Cryptography nor the names of its contributors. may be used to endorse or promote products derived from this software. without specific prior written permission...THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND.ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED.WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOS
                                                                                      Process:C:\Users\user\Desktop\231210-10-Creal-33652f.exe
                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):5292
                                                                                      Entropy (8bit):5.115440205505611
                                                                                      Encrypted:false
                                                                                      SSDEEP:96:DxapqZink/QIHQIyzQIZQILuQIR8vtklGovxNx6sWwCvCCcTKvIrrg9BMM6VwDjz:sJnkoBs/sqLz8cTKvIrrUiM6VwDjyeWs
                                                                                      MD5:137D13F917D94C83137A0FA5AE12B467
                                                                                      SHA1:01E93402C225BF2A4EE59F9A06F8062CB5E4801E
                                                                                      SHA-256:36738E6971D2F20DB78433185A0EF7912A48544AA6FF7006505A7DC785158859
                                                                                      SHA-512:1B22CBC6E22FA5E2BD5CC4A370443A342D00E7DD53330A4000E9A680DE80262BCA7188764E3568944D01025188291602AC8C53C971630984FBD9FA7D75AAB124
                                                                                      Malicious:false
                                                                                      Preview:Metadata-Version: 2.1..Name: cryptography..Version: 41.0.7..Summary: cryptography is a package which provides cryptographic recipes and primitives to Python developers...Author-email: The Python Cryptographic Authority and individual contributors <cryptography-dev@python.org>..License: Apache-2.0 OR BSD-3-Clause..Project-URL: homepage, https://github.com/pyca/cryptography..Project-URL: documentation, https://cryptography.io/..Project-URL: source, https://github.com/pyca/cryptography/..Project-URL: issues, https://github.com/pyca/cryptography/issues..Project-URL: changelog, https://cryptography.io/en/latest/changelog/..Classifier: Development Status :: 5 - Production/Stable..Classifier: Intended Audience :: Developers..Classifier: License :: OSI Approved :: Apache Software License..Classifier: License :: OSI Approved :: BSD License..Classifier: Natural Language :: English..Classifier: Operating System :: MacOS :: MacOS X..Classifier: Operating System :: POSIX..Classifier: Operating Syst
                                                                                      Process:C:\Users\user\Desktop\231210-10-Creal-33652f.exe
                                                                                      File Type:CSV text
                                                                                      Category:dropped
                                                                                      Size (bytes):15334
                                                                                      Entropy (8bit):5.555125785454221
                                                                                      Encrypted:false
                                                                                      SSDEEP:384:3X6eU/ZfaigPOSJN5E6W1HepPNx6uvnNLEw:3RUxfzOPtREw
                                                                                      MD5:4ED1DF753C330417D290331FD1E18219
                                                                                      SHA1:556BED31DCDFA36166B45D8BCBB04C0D3B66C745
                                                                                      SHA-256:F71F64A0875F365A8C6CA53BC96CFB428C5102F98029459BA2091958802DCFD9
                                                                                      SHA-512:6984EF6D5DFC1062E6AB655E7B0C0A8AB916F1A3D88D8FA7FAD799E2792A2CB06C5C78C2292CCDB983CB6F68BA92B9F6453996B060CFDE7EE9C293FCE5F4D698
                                                                                      Malicious:false
                                                                                      Preview:cryptography-41.0.7.dist-info/INSTALLER,sha256=zuuue4knoyJ-UwPPXg8fezS7VCrXJQrAP7zeNuwvFQg,4..cryptography-41.0.7.dist-info/LICENSE,sha256=Pgx8CRqUi4JTO6mP18u0BDLW8amsv4X1ki0vmak65rs,197..cryptography-41.0.7.dist-info/LICENSE.APACHE,sha256=qsc7MUj20dcRHbyjIJn2jSbGRMaBOuHk8F9leaomY_4,11360..cryptography-41.0.7.dist-info/LICENSE.BSD,sha256=YCxMdILeZHndLpeTzaJ15eY9dz2s0eymiSMqtwCPtPs,1532..cryptography-41.0.7.dist-info/METADATA,sha256=NnOOaXHS8g23hDMYWg73kSpIVEqm_3AGUFp9x4UViFk,5292..cryptography-41.0.7.dist-info/RECORD,,..cryptography-41.0.7.dist-info/REQUESTED,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0..cryptography-41.0.7.dist-info/WHEEL,sha256=-EX5DQzNGQEoyL99Q-0P0-D-CXbfqafenaAeiSQ_Ufk,100..cryptography-41.0.7.dist-info/top_level.txt,sha256=KNaT-Sn2K4uxNaEbe6mYdDn3qWDMlp4y-MtWfB73nJc,13..cryptography/__about__.py,sha256=uPXMbbcptt7EzZ_jllGRx0pVdMn-NBsAM4L74hOv-b0,445..cryptography/__init__.py,sha256=iVPlBlXWTJyiFeRedxcbMPhyHB34viOM10d72vGnWuE,364..cryptography/__pycache__/_
                                                                                      Process:C:\Users\user\Desktop\231210-10-Creal-33652f.exe
                                                                                      File Type:ASCII text
                                                                                      Category:dropped
                                                                                      Size (bytes):100
                                                                                      Entropy (8bit):5.0203365408149025
                                                                                      Encrypted:false
                                                                                      SSDEEP:3:RtEeX7MWcSlVlbY3KgP+tkKc/SKQLn:RtBMwlVCxWKxDQLn
                                                                                      MD5:4B432A99682DE414B29A683A3546B69F
                                                                                      SHA1:F59C5016889EE5E9F62D09B22AEFBC2211A56C93
                                                                                      SHA-256:F845F90D0CCD190128C8BF7D43ED0FD3E0FE0976DFA9A7DE9DA01E89243F51F9
                                                                                      SHA-512:CBBF10E19B6F4072C416EA95D7AE259B9C5A1B89068B7B6660B7C637D6F2437AEA8D8202A2E26A0BEC36DAECD8BBB6B59016FC2DDEB13C545F0868B3E15479CA
                                                                                      Malicious:false
                                                                                      Preview:Wheel-Version: 1.0.Generator: bdist_wheel (0.42.0).Root-Is-Purelib: false.Tag: cp37-abi3-win_amd64..
                                                                                      Process:C:\Users\user\Desktop\231210-10-Creal-33652f.exe
                                                                                      File Type:ASCII text
                                                                                      Category:dropped
                                                                                      Size (bytes):13
                                                                                      Entropy (8bit):3.2389012566026314
                                                                                      Encrypted:false
                                                                                      SSDEEP:3:cOv:Nv
                                                                                      MD5:E7274BD06FF93210298E7117D11EA631
                                                                                      SHA1:7132C9EC1FD99924D658CC672F3AFE98AFEFAB8A
                                                                                      SHA-256:28D693F929F62B8BB135A11B7BA9987439F7A960CC969E32F8CB567C1EF79C97
                                                                                      SHA-512:AA6021C4E60A6382630BEBC1E16944F9B312359D645FC61219E9A3F19D876FD600E07DCA6932DCD7A1E15BFDEAC7DBDCEB9FFFCD5CA0E5377B82268ED19DE225
                                                                                      Malicious:false
                                                                                      Preview:cryptography.
                                                                                      Process:C:\Users\user\Desktop\231210-10-Creal-33652f.exe
                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):6673920
                                                                                      Entropy (8bit):6.582002531606852
                                                                                      Encrypted:false
                                                                                      SSDEEP:98304:EzN+T+xtLlk0PPMAiGoTzeDy3x8lGBlWi9Nk:E5Y6Jk0PPMtfTzp3x8c
                                                                                      MD5:486085AAC7BB246A173CEEA0879230AF
                                                                                      SHA1:EF1095843B2A9C6D8285C7D9E8E334A9CE812FAE
                                                                                      SHA-256:C3964FC08E4CA8BC193F131DEF6CC4B4724B18073AA0E12FED8B87C2E627DC83
                                                                                      SHA-512:8A56774A08DA0AB9DD561D21FEBEEBC23A5DEA6F63D5638EA1B608CD923B857DF1F096262865E6EBD56B13EFD3BBA8D714FFDCE8316293229974532C49136460
                                                                                      Malicious:false
                                                                                      Process:C:\Users\user\Desktop\231210-10-Creal-33652f.exe
                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):3441504
                                                                                      Entropy (8bit):6.097985120800337
                                                                                      Encrypted:false
                                                                                      SSDEEP:49152:8TKuk2CQIU6iV9OjPWgBqIVRIaEv5LY/RnQ2ETEvrPnkbsYNPsNwsML1CPwDv3u6:Vv+KRi5KsEKsY+NwsG1CPwDv3uFfJu
                                                                                      MD5:6F4B8EB45A965372156086201207C81F
                                                                                      SHA1:8278F9539463F0A45009287F0516098CB7A15406
                                                                                      SHA-256:976CE72EFD0A8AEEB6E21AD441AA9138434314EA07F777432205947CDB149541
                                                                                      SHA-512:2C5C54842ABA9C82FB9E7594AE9E264AC3CBDC2CC1CD22263E9D77479B93636799D0F28235AC79937070E40B04A097C3EA3B7E0CD4376A95ED8CA90245B7891F
                                                                                      Malicious:false
                                                                                      Process:C:\Users\user\Desktop\231210-10-Creal-33652f.exe
                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):32792
                                                                                      Entropy (8bit):6.3566777719925565
                                                                                      Encrypted:false
                                                                                      SSDEEP:384:2nypDwZH1XYEMXvdQOsNFYzsQDELCvURDa7qscTHstU0NsICwHLZxXYIoBneEAR8:2l0Vn5Q28J8qsqMttktDxOpWDG4yKRF
                                                                                      MD5:EEF7981412BE8EA459064D3090F4B3AA
                                                                                      SHA1:C60DA4830CE27AFC234B3C3014C583F7F0A5A925
                                                                                      SHA-256:F60DD9F2FCBD495674DFC1555EFFB710EB081FC7D4CAE5FA58C438AB50405081
                                                                                      SHA-512:DC9FF4202F74A13CA9949A123DFF4C0223DA969F49E9348FEAF93DA4470F7BE82CFA1D392566EAAA836D77DDE7193FED15A8395509F72A0E9F97C66C0A096016
                                                                                      Malicious:false
                                                                                      Process:C:\Users\user\Desktop\231210-10-Creal-33652f.exe
                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):702816
                                                                                      Entropy (8bit):5.547832370836076
                                                                                      Encrypted:false
                                                                                      SSDEEP:12288:UUnBMlBGdU/t0voUYHgqRJd7a7+JLvrfX7bOI8Fp0D6WuHU2lvzR:UN/t0vMnffOI8Fp0D6TU2lvzR
                                                                                      MD5:8769ADAFCA3A6FC6EF26F01FD31AFA84
                                                                                      SHA1:38BAEF74BDD2E941CCD321F91BFD49DACC6A3CB6
                                                                                      SHA-256:2AEBB73530D21A2273692A5A3D57235B770DAF1C35F60C74E01754A5DAC05071
                                                                                      SHA-512:FAC22F1A2FFBFB4789BDEED476C8DAF42547D40EFE3E11B41FADBC4445BB7CA77675A31B5337DF55FDEB4D2739E0FB2CBCAC2FEABFD4CD48201F8AE50A9BD90B
                                                                                      Malicious:false
                                                                                      Process:C:\Users\user\Desktop\231210-10-Creal-33652f.exe
                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):198520
                                                                                      Entropy (8bit):6.365137514820493
                                                                                      Encrypted:false
                                                                                      SSDEEP:3072:nYSqakQm3pSouj2yVi00L+Drqk8avRoxtLR8C9ekJhgkFyRnObUpzGxvspVRI7QD:YwcPuj2yk+Drqk8/yMfJyvt
                                                                                      MD5:43E5A1470C298BA773AC9FCF5D99E8F9
                                                                                      SHA1:06DB03DAF3194C9E492B2F406B38ED33A8C87AB3
                                                                                      SHA-256:56984D43BE27422D31D8ECE87D0ABDA2C0662EA2FF22AF755E49E3462A5F8B65
                                                                                      SHA-512:A5A1EBB34091EA17C8F0E7748004558D13807FDC16529BC6F8F6C6A3A586EE997BF72333590DC451D78D9812EF8ADFA7DEABAB6C614FCE537F56FA38CE669CFC
                                                                                      Malicious:false
                                                                                      Process:C:\Users\user\Desktop\231210-10-Creal-33652f.exe
                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):64896
                                                                                      Entropy (8bit):6.101810529421494
                                                                                      Encrypted:false
                                                                                      SSDEEP:768:Y88LeBLeeFtp5V1BfO2yvSk70QZF1nEyjnskQkr/RFB1qucwdBeCw0myou6ZwJq9:Y8wewnvtjnsfwERI7Q0L7SyCPx
                                                                                      MD5:C17B7A4B853827F538576F4C3521C653
                                                                                      SHA1:6115047D02FBBAD4FF32AFB4EBD439F5D529485A
                                                                                      SHA-256:D21E60F3DFBF2BAB0CC8A06656721FA3347F026DF10297674FC635EBF9559A68
                                                                                      SHA-512:8E08E702D69DF6840781D174C4565E14A28022B40F650FDA88D60172BE2D4FFD96A3E9426D20718C54072CA0DA27E0455CC0394C098B75E062A27559234A3DF7
                                                                                      Malicious:false
                                                                                      Process:C:\Users\user\Desktop\231210-10-Creal-33652f.exe
                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):4492664
                                                                                      Entropy (8bit):6.463653563183579
                                                                                      Encrypted:false
                                                                                      SSDEEP:49152:m/4rIQeEKdN4uxzx1njuYWxKLx5NFnb7d1G2F58rkx7qzMJYlf1GCJLvNyoInO3V:mS7q35VNFnlRqT84NAnYHAMDlPK0r
                                                                                      MD5:DEAF0C0CC3369363B800D2E8E756A402
                                                                                      SHA1:3085778735DD8BADAD4E39DF688139F4EED5F954
                                                                                      SHA-256:156CF2B64DD0F4D9BDB346B654A11300D6E9E15A65EF69089923DAFC1C71E33D
                                                                                      SHA-512:5CAC1D92AF7EE18425B5EE8E7CD4E941A9DDFFB4BC1C12BB8AEABEED09ACEC1FF0309ABC41A2E0C8DB101FEE40724F8BFB27A78898128F8746C8FE01C1631989
                                                                                      Malicious:false
                                                                                      Process:C:\Users\user\Desktop\231210-10-Creal-33652f.exe
                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):669184
                                                                                      Entropy (8bit):6.03765159448253
                                                                                      Encrypted:false
                                                                                      SSDEEP:6144:zxxMpraRSS9Y68EuBPjIQN5cJzS7bUxgyPxFMH0PIXY3dVVVVAuLpdorrcK/CXjW:zxxMZMX1bQIJO7bazPEQSYNBLpdwNu
                                                                                      MD5:65DD753F51CD492211986E7B700983EF
                                                                                      SHA1:F5B469EC29A4BE76BC479B2219202F7D25A261E2
                                                                                      SHA-256:C3B33BA6C4F646151AED4172562309D9F44A83858DDFD84B2D894A8B7DA72B1E
                                                                                      SHA-512:8BD505E504110E40FA4973FEFF2FAE17EDC310A1CE1DC78B6AF7972EFDD93348087E6F16296BFD57ABFDBBE49AF769178F063BB0AA1DEE661C08659F47A6216D
                                                                                      Malicious:false
                                                                                      Process:C:\Users\user\Desktop\231210-10-Creal-33652f.exe
                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):134656
                                                                                      Entropy (8bit):5.992653928086484
                                                                                      Encrypted:false
                                                                                      SSDEEP:3072:DLVxziezwPZSMaAXpuuwNNDY/r06trfSsSYOejKVJBtGdI8hvnMu:HfziezwMMaAX2Y/rxjbOejKDBtG681n
                                                                                      MD5:CEB06A956B276CEA73098D145FA64712
                                                                                      SHA1:6F0BA21F0325ACC7CF6BF9F099D9A86470A786BF
                                                                                      SHA-256:C8EC6429D243AEF1F78969863BE23D59273FA6303760A173AB36AB71D5676005
                                                                                      SHA-512:05BAB4A293E4C7EFA85FA2491C32F299AFD46FDB079DCB7EE2CC4C31024E01286DAAF4AEAD5082FC1FD0D4169B2D1BE589D1670FCF875B06C6F15F634E0C6F34
                                                                                      Malicious:false
                                                                                      Process:C:\Users\user\Desktop\231210-10-Creal-33652f.exe
                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):29048
                                                                                      Entropy (8bit):6.478463870483955
                                                                                      Encrypted:false
                                                                                      SSDEEP:768:zeS+FwhCWHqhmIRI77GwYiSyv87PxWEgC:zeS+ahVKhmIRI77Gw7SyGPxL
                                                                                      MD5:C119811A40667DCA93DFE6FAA418F47A
                                                                                      SHA1:113E792B7DCEC4366FC273E80B1FC404C309074C
                                                                                      SHA-256:8F27CD8C5071CB740A2191B3C599E99595B121F461988166F07D9F841E7116B7
                                                                                      SHA-512:107257DBD8CF2607E4A1C7BEF928A6F61EBDFC21BE1C4BDC3A649567E067E9BB7EA40C0AC8844D2CEDD08682447B963148B52F85ADB1837F243DF57AF94C04B3
                                                                                      Malicious:false
                                                                                      Process:C:\Users\user\Desktop\231210-10-Creal-33652f.exe
                                                                                      File Type:ASCII text
                                                                                      Category:dropped
                                                                                      Size (bytes):4
                                                                                      Entropy (8bit):1.5
                                                                                      Encrypted:false
                                                                                      SSDEEP:3:Mn:M
                                                                                      MD5:365C9BFEB7D89244F2CE01C1DE44CB85
                                                                                      SHA1:D7A03141D5D6B1E88B6B59EF08B6681DF212C599
                                                                                      SHA-256:CEEBAE7B8927A3227E5303CF5E0F1F7B34BB542AD7250AC03FBCDE36EC2F1508
                                                                                      SHA-512:D220D322A4053D84130567D626A9F7BB2FB8F0B854DA1621F001826DC61B0ED6D3F91793627E6F0AC2AC27AEA2B986B6A7A63427F05FE004D8A2ADFBDADC13C1
                                                                                      Malicious:false
                                                                                      Preview:pip.
                                                                                      Process:C:\Users\user\Desktop\231210-10-Creal-33652f.exe
                                                                                      File Type:ASCII text
                                                                                      Category:dropped
                                                                                      Size (bytes):1050
                                                                                      Entropy (8bit):5.072538194763298
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:1rmJHcwH0MP3gt8Hw1hj9QHOsUv4eOk4/+/m3oqMSFJ:1aJ8YHvEH5QHOs5exm3oEFJ
                                                                                      MD5:7A7126E068206290F3FE9F8D6C713EA6
                                                                                      SHA1:8E6689D37F82D5617B7F7F7232C94024D41066D1
                                                                                      SHA-256:DB3F0246B1F9278F15845B99FEC478B8B506EB76487993722F8C6E254285FAF8
                                                                                      SHA-512:C9F0870BC5D5EFF8769D9919E6D8DDE1B773543634F7D03503A9E8F191BD4ACC00A97E0399E173785D1B65318BAC79F41D3974AE6855E5C432AC5DACF8D13E8A
                                                                                      Malicious:false
                                                                                      Preview:Copyright Jason R. Coombs..Permission is hereby granted, free of charge, to any person obtaining a copy.of this software and associated documentation files (the "Software"), to.deal in the Software without restriction, including without limitation the.rights to use, copy, modify, merge, publish, distribute, sublicense, and/or.sell copies of the Software, and to permit persons to whom the Software is.furnished to do so, subject to the following conditions:..The above copyright notice and this permission notice shall be included in.all copies or substantial portions of the Software...THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR.IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,.FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE.AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER.LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING.FROM, OUT OF OR IN CONNECTION WITH THE SOFTW
                                                                                      Process:C:\Users\user\Desktop\231210-10-Creal-33652f.exe
                                                                                      File Type:ASCII text
                                                                                      Category:dropped
                                                                                      Size (bytes):6301
                                                                                      Entropy (8bit):5.107162422517841
                                                                                      Encrypted:false
                                                                                      SSDEEP:192:W4rkAIG0wRg8wbNDdq6T9927uoU/GBpHFwTZ:Sq0wRg8wbNDdBh927uoU/GBRFi
                                                                                      MD5:9E59BD13BB75B38EB7962BF64AC30D6F
                                                                                      SHA1:70F6A68B42695D1BFA55ACB63D8D3351352B2AAC
                                                                                      SHA-256:80C7A3B78EA0DFF1F57855EE795E7D33842A0827AA1EF4EE17EC97172A80C892
                                                                                      SHA-512:67AC61739692ECC249EBDC8F5E1089F68874DCD65365DB1C389FDD0CECE381591A30B99A2774B8CAAA00E104F3E35FF3745AFF6F5F0781289368398008537AE7
                                                                                      Malicious:false
                                                                                      Preview:Metadata-Version: 2.1.Name: setuptools.Version: 65.5.0.Summary: Easily download, build, install, upgrade, and uninstall Python packages.Home-page: https://github.com/pypa/setuptools.Author: Python Packaging Authority.Author-email: distutils-sig@python.org.Project-URL: Documentation, https://setuptools.pypa.io/.Project-URL: Changelog, https://setuptools.pypa.io/en/stable/history.html.Keywords: CPAN PyPI distutils eggs package management.Classifier: Development Status :: 5 - Production/Stable.Classifier: Intended Audience :: Developers.Classifier: License :: OSI Approved :: MIT License.Classifier: Programming Language :: Python :: 3.Classifier: Programming Language :: Python :: 3 :: Only.Classifier: Topic :: Software Development :: Libraries :: Python Modules.Classifier: Topic :: System :: Archiving :: Packaging.Classifier: Topic :: System :: Systems Administration.Classifier: Topic :: Utilities.Requires-Python: >=3.7.License-File: LICENSE.Provides-Extra: certs.Provides-Extra: docs.Requi
                                                                                      Process:C:\Users\user\Desktop\231210-10-Creal-33652f.exe
                                                                                      File Type:CSV text
                                                                                      Category:dropped
                                                                                      Size (bytes):37694
                                                                                      Entropy (8bit):5.560695955910088
                                                                                      Encrypted:false
                                                                                      SSDEEP:384:DDz9AkShgQUgq/kc2mIkpIVh498WjXYW1P5+Eu8X62aDoaQPKJfRQIbwA+hof2yf:Dn3OIyQgIAY8T/7T962lSsSGxt9Im
                                                                                      MD5:E30355B5F7466BEE1691929B05EED672
                                                                                      SHA1:B9F1275EF04F2D36DD1F801DE116AC12AA68722E
                                                                                      SHA-256:CEBD9639E6923A470E818350691053C3CC846A72426A9BFCB70F092868FA0D5B
                                                                                      SHA-512:C7A56FE3037A07035279FF063406F7999360D5B275D743C0EF88335EB98BE4CA539775CC1470BF121CE166AA53E3E55002BE7402350E62811EA2B4D0BBD6A617
                                                                                      Malicious:false
                                                                                      Preview:_distutils_hack/__init__.py,sha256=TSekhUW1fdE3rjU3b88ybSBkJxCEpIeWBob4cEuU3ko,6128.._distutils_hack/__pycache__/__init__.cpython-310.pyc,,.._distutils_hack/__pycache__/override.cpython-310.pyc,,.._distutils_hack/override.py,sha256=Eu_s-NF6VIZ4Cqd0tbbA5wtWky2IZPNd8et6GLt1mzo,44..distutils-precedence.pth,sha256=JjjOniUA5XKl4N5_rtZmHrVp0baW_LoHsN0iPaX10iQ,151..pkg_resources/__init__.py,sha256=fT5Y3P1tcSX8sJomClUU10WHeFmvqyNZM4UZHzdpAvg,108568..pkg_resources/__pycache__/__init__.cpython-310.pyc,,..pkg_resources/_vendor/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0..pkg_resources/_vendor/__pycache__/__init__.cpython-310.pyc,,..pkg_resources/_vendor/__pycache__/appdirs.cpython-310.pyc,,..pkg_resources/_vendor/__pycache__/zipp.cpython-310.pyc,,..pkg_resources/_vendor/appdirs.py,sha256=MievUEuv3l_mQISH5SF0shDk_BNhHHzYiAPrT3ITN4I,24701..pkg_resources/_vendor/importlib_resources/__init__.py,sha256=evPm12kLgYqTm-pbzm60bOuumumT8IpBNWFp0uMyrzE,506..pkg_resources/_vendor/importli
                                                                                      Process:C:\Users\user\Desktop\231210-10-Creal-33652f.exe
                                                                                      File Type:ASCII text
                                                                                      Category:dropped
                                                                                      Size (bytes):92
                                                                                      Entropy (8bit):4.820827594031884
                                                                                      Encrypted:false
                                                                                      SSDEEP:3:RtEeX7MWcSlViZHKRRP+tPCCfA5S:RtBMwlViojWBBf
                                                                                      MD5:4D57030133E279CEB6A8236264823DFD
                                                                                      SHA1:0FDC3988857C560E55D6C36DCC56EE21A51C196D
                                                                                      SHA-256:1B5E87E00DC87A84269CEAD8578B9E6462928E18A95F1F3373C9EEF451A5BCC0
                                                                                      SHA-512:CD98F2A416AC1B13BA82AF073D0819C0EA7C095079143CAB83037D48E9A5450D410DC5CF6B6CFF3F719544EDF1C5F0C7E32E87B746F1C04FE56FAFD614B39826
                                                                                      Malicious:false
                                                                                      Preview:Wheel-Version: 1.0.Generator: bdist_wheel (0.37.1).Root-Is-Purelib: true.Tag: py3-none-any..
                                                                                      Process:C:\Users\user\Desktop\231210-10-Creal-33652f.exe
                                                                                      File Type:ASCII text
                                                                                      Category:dropped
                                                                                      Size (bytes):2740
                                                                                      Entropy (8bit):4.540737240939103
                                                                                      Encrypted:false
                                                                                      SSDEEP:48:lELcZDy3g6ySDsm90rZh2Phv4hhpTqTog:yLAP8arZoP94hTTqcg
                                                                                      MD5:D3262B65DB35BFFAAC248075345A266C
                                                                                      SHA1:93AD6FE5A696252B9DEF334D182432CDA2237D1D
                                                                                      SHA-256:DEC880BB89189B5C9B1491C9EE8A2AA57E53016EF41A2B69F5D71D1C2FBB0453
                                                                                      SHA-512:1726750B22A645F5537C20ADDF23E3D3BAD851CD4BDBA0F9666F9F6B0DC848F9919D7AF8AD8847BD4F18D0F8585DDE51AFBAE6A4CAD75008C3210D17241E0291
                                                                                      Malicious:false
                                                                                      Preview:[distutils.commands].alias = setuptools.command.alias:alias.bdist_egg = setuptools.command.bdist_egg:bdist_egg.bdist_rpm = setuptools.command.bdist_rpm:bdist_rpm.build = setuptools.command.build:build.build_clib = setuptools.command.build_clib:build_clib.build_ext = setuptools.command.build_ext:build_ext.build_py = setuptools.command.build_py:build_py.develop = setuptools.command.develop:develop.dist_info = setuptools.command.dist_info:dist_info.easy_install = setuptools.command.easy_install:easy_install.editable_wheel = setuptools.command.editable_wheel:editable_wheel.egg_info = setuptools.command.egg_info:egg_info.install = setuptools.command.install:install.install_egg_info = setuptools.command.install_egg_info:install_egg_info.install_lib = setuptools.command.install_lib:install_lib.install_scripts = setuptools.command.install_scripts:install_scripts.rotate = setuptools.command.rotate:rotate.saveopts = setuptools.command.saveopts:saveopts.sdist = setuptools.command.sdist:sdist.seto
                                                                                      Process:C:\Users\user\Desktop\231210-10-Creal-33652f.exe
                                                                                      File Type:ASCII text
                                                                                      Category:dropped
                                                                                      Size (bytes):41
                                                                                      Entropy (8bit):3.9115956018096876
                                                                                      Encrypted:false
                                                                                      SSDEEP:3:3Wd+Nt8AfQYv:3Wd+Nttv
                                                                                      MD5:789A691C859DEA4BB010D18728BAD148
                                                                                      SHA1:AEF2CBCCC6A9A8F43E4E150E7FCF1D7B03F0E249
                                                                                      SHA-256:77DC8BDFDBFF5BBAA62830D21FAB13E1B1348FF2ECD4CDCFD7AD4E1A076C9B88
                                                                                      SHA-512:BC2F7CAAD486EB056CB9F68E6C040D448788C3210FF028397CD9AF1277D0051746CAE58EB172F9E73EA731A65B2076C6091C10BCB54D911A7B09767AA6279EF6
                                                                                      Malicious:false
                                                                                      Preview:_distutils_hack.pkg_resources.setuptools.
                                                                                      Process:C:\Users\user\Desktop\231210-10-Creal-33652f.exe
                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):1473912
                                                                                      Entropy (8bit):6.572390758739341
                                                                                      Encrypted:false
                                                                                      SSDEEP:24576:7nFjRWofXcFcdEKl+89yJ30SQUhXF7TuR7MNdRIxsg8xqh:77X6K080J30nUhXF7TuR7rxV8Y
                                                                                      MD5:AAF9FD98BC2161AD7DFF996450173A3B
                                                                                      SHA1:AB634C09B60AA18EA165084A042D917B65D1FE85
                                                                                      SHA-256:F1E8B6C4D61AC6A320FA2566DA9391FBFD65A5AC34AC2E2013BC37C8B7B41592
                                                                                      SHA-512:597FFE3C2F0966AB94FBB7ECAC27160C691F4A07332311F6A9BAF8DEC8B16FB16EC64DF734C3BDBABF2C0328699E234D14F1B8BD5AC951782D35EA0C78899E5F
                                                                                      Malicious:false
                                                                                      Process:C:\Users\user\Desktop\231210-10-Creal-33652f.exe
                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):1122176
                                                                                      Entropy (8bit):5.381221577408984
                                                                                      Encrypted:false
                                                                                      SSDEEP:12288:6DYYMmuZ63NIQCb5Pfhnzr0ql8L8kXM7IRG5eeme6VZyrIBHdQLhfFE+uAM:gYYuLZV0m8vMMREtV6Vo4uYAM
                                                                                      MD5:4C8AF8A30813E9380F5F54309325D6B8
                                                                                      SHA1:169A80D8923FB28F89BC26EBF89FFE37F8545C88
                                                                                      SHA-256:4B6E3BA734C15EC789B5D7469A5097BD082BDFD8E55E636DED0D097CF6511E05
                                                                                      SHA-512:EA127779901B10953A2BF9233E20A4FAB2FBA6F97D7BAF40C1B314B7CD03549E0F4D2FB9BAD0FBC23736E21EB391A418D79A51D64402245C1CD8899E4D765C5A
                                                                                      Malicious:false
                                                                                      Process:C:\Users\user\Desktop\231210-10-Creal-33652f.exe
                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):14848
                                                                                      Entropy (8bit):5.112106937352672
                                                                                      Encrypted:false
                                                                                      SSDEEP:192:lGCm72PEO1jIUs0YqEcPbF55UgCWV4rofnbPmitE255qDLWn7ycLmrO/:8ardA0Bzx14r6nbN50W9/
                                                                                      MD5:F9C9445BE13026F8DB777E2BBC26651D
                                                                                      SHA1:E1D58C30E94B00B32AD1E9B806465643F4AFE980
                                                                                      SHA-256:C953DB1F67BBD92114531FF44EE4D76492FDD3CF608DA57D5C04E4FE4FDD1B96
                                                                                      SHA-512:587D9E8521C246865E16695E372A1675CFBC324E6258DD03479892D3238F634138EBB56985ED34E0C8C964C1AB75313182A4E687B598BB09C07FC143B506E9A8
                                                                                      Malicious:false
                                                                                      Process:C:\Users\user\Desktop\231210-10-Creal-33652f.exe
                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):133632
                                                                                      Entropy (8bit):5.849731189887005
                                                                                      Encrypted:false
                                                                                      SSDEEP:3072:l2J5loMoEg9enX4oD8cdf0nlRVFhLaNKP/IyymuqCyqJhe:cblovEgqXHdfqlRVlP/IyzCyy
                                                                                      MD5:00E5DA545C6A4979A6577F8F091E85E1
                                                                                      SHA1:A31A2C85E272234584DACF36F405D102D9C43C05
                                                                                      SHA-256:AC483D60A565CC9CBF91A6F37EA516B2162A45D255888D50FBBB7E5FF12086EE
                                                                                      SHA-512:9E4F834F56007F84E8B4EC1C16FB916E68C3BAADAB1A3F6B82FAF5360C57697DC69BE86F3C2EA6E30F95E7C32413BABBE5D29422D559C99E6CF4242357A85F31
                                                                                      Malicious:false
                                                                                      Process:C:\Users\user\Desktop\231210-10-Creal-33652f.exe
                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):23552
                                                                                      Entropy (8bit):5.279236779449316
                                                                                      Encrypted:false
                                                                                      SSDEEP:384:peeH8ZmV+zknwMsADuVLw0T8DmrRl2j9BfEAZnpC9QJQ1BA:5+zi/uVDS9dl6pB
                                                                                      MD5:B291ADAB2446DA62F93369A0DD662076
                                                                                      SHA1:A6B6C1054C1F511C64AEFB5F6C031AFE553E70F0
                                                                                      SHA-256:C5AD56E205530780326BD1081E94B212C65082B58E0F69788E3DC60EFFBD6410
                                                                                      SHA-512:847CC9E82B9939DBDC58BFA3E5A9899D614642E0B07CF1508AA866CD69E4AD8C905DBF810A045D225E6C364E1D9F2A45006F0EB0895BCD5AAF9D81EE344D4AEA
                                                                                      Malicious:false
                                                                                      Process:C:\Users\user\Desktop\231210-10-Creal-33652f.exe
                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):527872
                                                                                      Entropy (8bit):6.165923585421349
                                                                                      Encrypted:false
                                                                                      SSDEEP:6144:bXtpsewPjUA2jGZ90SmgopJgUCBKw84O3Rpd0K1VS0cTZdxi2y3:bXtp5sIAN90pleK1VSXXi2g
                                                                                      MD5:C2E1B245D4221BDA4C198CF18D9CA6AF
                                                                                      SHA1:9682B6E966495F7B58255348563A86C63FBD488C
                                                                                      SHA-256:89A8651DAD701DCE6B42B0E20C18B07DF6D08A341123659E05381EE796D23858
                                                                                      SHA-512:C2F57E9303D37547671E40086DDAD4B1FC31C52D43994CFCEC974B259125E125C644873073F216F28066BB0C213CBEB1B9A3C149727C9F1BC50F198AC45A4C8A
                                                                                      Malicious:false
                                                                                      Process:C:\Users\user\Desktop\231210-10-Creal-33652f.exe
                                                                                      File Type:ASCII text, with very long lines (515), with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):3187
                                                                                      Entropy (8bit):5.909307662439236
                                                                                      Encrypted:false
                                                                                      SSDEEP:96:yJMpO2gpcRqpZX22HTSjv3pB7H7e8zLs/Zw49ckse:IkXRQSfIh
                                                                                      MD5:0D0BDB7209D6AF018CD3FEC189D50C75
                                                                                      SHA1:4ADD2DADCFE8B32316B3C2872FC8A786D106B579
                                                                                      SHA-256:8781C718DC844B36BDBA104F1A59F40E17B3F6F01BA8D11FCE1A7E39DF2BBE49
                                                                                      SHA-512:DB1352F59546216FF59A875F07E65ACFACD19A1C3489F541B256A332AB26F8A37A50CE92EE1A6985E00D2BED0D271FEE8E9E2E27B0371C18B43FEFDBCFE44F37
                                                                                      Malicious:false
                                                                                      Preview:<--Creal STEALER BEST -->.....google.com.TRUE./.FALSE.2597573456.NID.511=j8SQUTltnVU5cOAeyzqSxW-qHOakRuBHDQGLTGeceC9Z5rRzk5trMKb4CuZC_CFmc7KFwQcRJL-qGz8MvkkzMZmElvXAFWLO-TPZ9PMqBYA78ZAuaepnXIRHe-TAolVoW6Z7dQnqpgyX0m-TmS72bebAgoqZv5GkpRFUcZIw1Kk..support.microsoft.com.TRUE./.FALSE.2597573456..AspNetCore.AuthProvider.True..support.microsoft.com.TRUE./.FALSE.2597573456..AspNetCore.Correlation.mdRqPJxLbpyv7vX0eK9YkTR-xwcrW3VBLE4Y3HEvxuU.N..support.microsoft.com.TRUE./.FALSE.2597573456..AspNetCore.OpenIdConnect.Nonce.CfDJ8Kiuy_B5JgFMo7PeP95NLhqwcJ8koDy5pXkfoWsb5SbbU2hVCbsH2qt9GF_OVCqFkLEwhvzeADNQOF5RSmkDfh5RqfqlOkx5QWo4Lltvwb0CvwBFD8ujlm3BAglOeGca3ZatkLMUkHB6alahUr8qJ7G_3AejtooymTWCzyO89hshJeX8Gh78kohbIw0IQY4v6LZriT4P2fGeBSMjrvqODB4H_bs2nbfsSfL7aN-SiX4Yyn3iFo5fv-Rsj0cGE-FFrP1uXNT7Y1VSMOfm-L0RnS8.N..support.office.com.TRUE./.FALSE.2597573456.EXPID.8e067c40-5461-4aef-885f-2c92ce6a5474...microsoft.com.TRUE./.FALSE.2597573456.MC1.GUID=749eee6039c5489b9db3000c7ab3f399&HASH=749e&LV=202310&V=4&LU=
                                                                                      Process:C:\Users\user\Desktop\231210-10-Creal-33652f.exe
                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):29
                                                                                      Entropy (8bit):3.9783335811852645
                                                                                      Encrypted:false
                                                                                      SSDEEP:3:vgt2TO1ng2DIIbr:FO1g2D1v
                                                                                      MD5:155EA3C94A04CEAB8BD7480F9205257D
                                                                                      SHA1:B46BBBB64B3DF5322DD81613E7FA14426816B1C1
                                                                                      SHA-256:445E2BCECAA0D8D427B87E17E7E53581D172AF1B9674CF1A33DBE1014732108B
                                                                                      SHA-512:3D47449DA7C91FE279217A946D2F86E5D95D396F53B55607EC8ACA7E9AA545CFAF9CB97914B643A5D8A91944570F9237E18EECEC0F1526735BE6CEEE45ECBA05
                                                                                      Malicious:false
                                                                                      Preview:<--Creal STEALER BEST -->....
                                                                                      Process:C:\Users\user\Desktop\231210-10-Creal-33652f.exe
                                                                                      File Type:ASCII text, with no line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):4
                                                                                      Entropy (8bit):2.0
                                                                                      Encrypted:false
                                                                                      SSDEEP:3:qn:qn
                                                                                      MD5:3F1D1D8D87177D3D8D897D7E421F84D6
                                                                                      SHA1:DD082D742A5CB751290F1DB2BD519C286AA86D95
                                                                                      SHA-256:F02285FB90ED8C81531FE78CF4E2ABB68A62BE73EE7D317623E2C3E3AEFDFFF2
                                                                                      SHA-512:2AE2B3936F31756332CA7A4B877D18F3FCC50E41E9472B5CD45A70BEA82E29A0FA956EE6A9EE0E02F23D9DB56B41D19CB51D88AAC06E9C923A820A21023752A9
                                                                                      Malicious:false
                                                                                      Preview:blat
                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe
                                                                                      File Type:ASCII text, with no line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):4
                                                                                      Entropy (8bit):2.0
                                                                                      Encrypted:false
                                                                                      SSDEEP:3:qn:qn
                                                                                      MD5:3F1D1D8D87177D3D8D897D7E421F84D6
                                                                                      SHA1:DD082D742A5CB751290F1DB2BD519C286AA86D95
                                                                                      SHA-256:F02285FB90ED8C81531FE78CF4E2ABB68A62BE73EE7D317623E2C3E3AEFDFFF2
                                                                                      SHA-512:2AE2B3936F31756332CA7A4B877D18F3FCC50E41E9472B5CD45A70BEA82E29A0FA956EE6A9EE0E02F23D9DB56B41D19CB51D88AAC06E9C923A820A21023752A9
                                                                                      Malicious:false
                                                                                      Preview:blat
                                                                                      Process:C:\Users\user\Desktop\231210-10-Creal-33652f.exe
                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
                                                                                      Category:dropped
                                                                                      Size (bytes):28672
                                                                                      Entropy (8bit):2.5793180405395284
                                                                                      Encrypted:false
                                                                                      SSDEEP:96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
                                                                                      MD5:41EA9A4112F057AE6BA17E2838AEAC26
                                                                                      SHA1:F2B389103BFD1A1A050C4857A995B09FEAFE8903
                                                                                      SHA-256:CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
                                                                                      SHA-512:29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
                                                                                      Malicious:false
                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe
                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                      Category:dropped
                                                                                      Size (bytes):40960
                                                                                      Entropy (8bit):0.8553638852307782
                                                                                      Encrypted:false
                                                                                      SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                      MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                      SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                      SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                      SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                      Malicious:false
                                                                                      Process:C:\Users\user\Desktop\231210-10-Creal-33652f.exe
                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                      Category:dropped
                                                                                      Size (bytes):40960
                                                                                      Entropy (8bit):0.8553638852307782
                                                                                      Encrypted:false
                                                                                      SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                      MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                      SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                      SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                      SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                      Malicious:false
                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe
                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
                                                                                      Category:dropped
                                                                                      Size (bytes):28672
                                                                                      Entropy (8bit):2.5793180405395284
                                                                                      Encrypted:false
                                                                                      SSDEEP:96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
                                                                                      MD5:41EA9A4112F057AE6BA17E2838AEAC26
                                                                                      SHA1:F2B389103BFD1A1A050C4857A995B09FEAFE8903
                                                                                      SHA-256:CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
                                                                                      SHA-512:29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
                                                                                      Malicious:false
                                                                                      Process:C:\Users\user\Desktop\231210-10-Creal-33652f.exe
                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                                                                                      Category:dropped
                                                                                      Size (bytes):49152
                                                                                      Entropy (8bit):0.8180424350137764
                                                                                      Encrypted:false
                                                                                      SSDEEP:96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
                                                                                      MD5:349E6EB110E34A08924D92F6B334801D
                                                                                      SHA1:BDFB289DAFF51890CC71697B6322AA4B35EC9169
                                                                                      SHA-256:C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
                                                                                      SHA-512:2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
                                                                                      Malicious:false
                                                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe
                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                                                                                      Category:dropped
                                                                                      Size (bytes):49152
                                                                                      Entropy (8bit):0.8180424350137764
                                                                                      Encrypted:false
                                                                                      SSDEEP:96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
                                                                                      MD5:349E6EB110E34A08924D92F6B334801D
                                                                                      SHA1:BDFB289DAFF51890CC71697B6322AA4B35EC9169
                                                                                      SHA-256:C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
                                                                                      SHA-512:2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
                                                                                      Malicious:false
                                                                                      Process:C:\Users\user\Desktop\231210-10-Creal-33652f.exe
                                                                                      File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):17812549
                                                                                      Entropy (8bit):7.996514637627007
                                                                                      Encrypted:true
                                                                                      SSDEEP:393216:3iIE7YoPQJSpUTLfhJjdQuslSl99oWOv+9fgIIye9l9a1J:M7rPQEUTLJRdQu9DorvSYIIjl9O
                                                                                      MD5:0B02E32E57E2345C026243F8F309F808
                                                                                      SHA1:33652FD7B37D46D8DE6A51B914568FC4B9A82411
                                                                                      SHA-256:7182C67494763B41A8ED5324CED374C1741E67197047D373E540C4C28AB9AC8E
                                                                                      SHA-512:1D87255FB2AEADC28AD539E40D7DC557053031242AC1AA47609597AF1547F4ED1162AF25811DE4F38E48D5759B48F0AC01D36F5E71108200E4A405120F8E770B
                                                                                      Malicious:true
                                                                                      File type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                      Entropy (8bit):7.996514637627007
                                                                                      TrID:
                                                                                      • Win64 Executable GUI (202006/5) 92.65%
                                                                                      • Win64 Executable (generic) (12005/4) 5.51%
                                                                                      • Generic Win/DOS Executable (2004/3) 0.92%
                                                                                      • DOS Executable Generic (2002/1) 0.92%
                                                                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                      File name:231210-10-Creal-33652f.exe
                                                                                      File size:17'812'549 bytes
                                                                                      MD5:0b02e32e57e2345c026243f8f309f808
                                                                                      SHA1:33652fd7b37d46d8de6a51b914568fc4b9a82411
                                                                                      SHA256:7182c67494763b41a8ed5324ced374c1741e67197047d373e540c4c28ab9ac8e
                                                                                      SHA512:1d87255fb2aeadc28ad539e40d7dc557053031242ac1aa47609597af1547f4ed1162af25811de4f38e48d5759b48f0ac01d36f5e71108200e4a405120f8e770b
                                                                                      SSDEEP:393216:3iIE7YoPQJSpUTLfhJjdQuslSl99oWOv+9fgIIye9l9a1J:M7rPQEUTLJRdQu9DorvSYIIjl9O
                                                                                      TLSH:8A07339653586CA1E9D2A13E4526885C4AB2FC5013F0F29B83F9D5AE0ED73F03DB6E50
                                                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........y~M..-M..-M..-...,E..-...,...-...,G..-X..-I..-X..,e..-X..,\..-X..,D..-...,F..-M..-...-t..,X..-t..,L..-RichM..-...............
                                                                                      Icon Hash:4a464cd47461e179
                                                                                      Entrypoint:0x14000c1a0
                                                                                      Entrypoint Section:.text
                                                                                      Digitally signed:false
                                                                                      Imagebase:0x140000000
                                                                                      Subsystem:windows gui
                                                                                      Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                                                                      DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
                                                                                      Time Stamp:0x65746EC7 [Sat Dec 9 13:42:31 2023 UTC]
                                                                                      TLS Callbacks:
                                                                                      CLR (.Net) Version:
                                                                                      OS Version Major:5
                                                                                      OS Version Minor:2
                                                                                      File Version Major:5
                                                                                      File Version Minor:2
                                                                                      Subsystem Version Major:5
                                                                                      Subsystem Version Minor:2
                                                                                      Import Hash:1af6c885af093afc55142c2f1761dbe8
                                                                                      Instruction
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x3cdc4 | 0x78 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x46000 | 0xf41c | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x42000 | 0x2280 | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x56000 | 0x75c | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x3a330 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x3a1f0 | 0x140 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2b000 | 0x420 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x29b40 | 0x29c00 | 0c0d0bf933870a553ec338c7b2d209fe | False | 0.5530735404191617 | data | 6.486836379301198 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x2b000 | 0x12bec | 0x12c00 | 79391ec451ef9b895b469219d0da9287 | False | 0.5183463541666666 | data | 5.835059260985671 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x3e000 | 0x3338 | 0xe00 | 99d84572872f2ce8d9bdbc2521e1966e | False | 0.1328125 | Matlab v4 mat-file (little endian) f\324\377\3772\242\337-\231+, text, rows 4294967295, columns 0 | 1.8271683819747706 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata | 0x42000 | 0x2280 | 0x2400 | e2545e2f74a35deeeef182f66686f24b | False | 0.4736328125 | data | 5.3141353008647245 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
_RDATA | 0x45000 | 0x15c | 0x200 | bf311594b9029e58fbee44d001fb3751 | False | 0.388671875 | data | 2.7898294787301503 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x46000 | 0xf41c | 0xf600 | c654ab5a3bc06ebf8c554f36c31153c0 | False | 0.8030837144308943 | data | 7.554967714213712 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x56000 | 0x75c | 0x800 | 4138d4447f190c2657ec208ef31be551 | False | 0.5458984375 | data | 5.240127521097618 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x46208 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | | | 0.585820895522388
RT_ICON | 0x470b0 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | | | 0.7360108303249098
RT_ICON | 0x47958 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | | | 0.755057803468208
RT_ICON | 0x47ec0 | 0x952c | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.9975384937676757
RT_ICON | 0x513ec | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | | | 0.3887966804979253
RT_ICON | 0x53994 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | | | 0.49530956848030017
RT_ICON | 0x54a3c | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | | | 0.7207446808510638
RT_GROUP_ICON | 0x54ea4 | 0x68 | data | | | 0.7019230769230769
RT_MANIFEST | 0x54f0c | 0x50d | XML 1.0 document, ASCII text | | | 0.4694508894044857
DLL | Import
USER32.dll | CreateWindowExW, MessageBoxW, MessageBoxA, SystemParametersInfoW, DestroyIcon, SetWindowLongPtrW, GetWindowLongPtrW, GetClientRect, InvalidateRect, ReleaseDC, GetDC, DrawTextW, GetDialogBaseUnits, EndDialog, DialogBoxIndirectParamW, MoveWindow, SendMessageW
COMCTL32.dll |
KERNEL32.dll | IsValidCodePage, GetStringTypeW, GetFileAttributesExW, HeapReAlloc, FlushFileBuffers, GetCurrentDirectoryW, GetACP, GetOEMCP, GetModuleHandleW, MulDiv, GetLastError, SetDllDirectoryW, GetModuleFileNameW, CreateSymbolicLinkW, GetProcAddress, GetCommandLineW, GetEnvironmentVariableW, GetCPInfo, ExpandEnvironmentStringsW, CreateDirectoryW, GetTempPathW, WaitForSingleObject, Sleep, GetExitCodeProcess, CreateProcessW, GetStartupInfoW, FreeLibrary, LoadLibraryExW, SetConsoleCtrlHandler, FindClose, FindFirstFileExW, CloseHandle, GetCurrentProcess, LocalFree, FormatMessageW, MultiByteToWideChar, WideCharToMultiByte, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetProcessHeap, GetTimeZoneInformation, HeapSize, WriteConsoleW, SetEndOfFile, SetEnvironmentVariableW, RtlUnwindEx, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, RaiseException, RtlPcToFileHeader, GetCommandLineA, CreateFileW, GetDriveTypeW, GetFileInformationByHandle, GetFileType, PeekNamedPipe, SystemTimeToTzSpecificLocalTime, FileTimeToSystemTime, GetFullPathNameW, RemoveDirectoryW, FindNextFileW, SetStdHandle, DeleteFileW, ReadFile, GetStdHandle, WriteFile, ExitProcess, GetModuleHandleExW, HeapFree, GetConsoleMode, ReadConsoleW, SetFilePointerEx, GetConsoleOutputCP, GetFileSizeEx, HeapAlloc, FlsAlloc, FlsGetValue, FlsSetValue, FlsFree, CompareStringW, LCMapStringW
ADVAPI32.dll | OpenProcessToken, GetTokenInformation, ConvertStringSecurityDescriptorToSecurityDescriptorW, ConvertSidToStringSidW
GDI32.dll | SelectObject, DeleteObject, CreateFontIndirectW
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                      Jul 24, 2024 14:16:32.891251087 CEST58848443192.168.2.445.112.123.126
                                                                                      Jul 24, 2024 14:16:32.891921997 CEST58848443192.168.2.445.112.123.126
                                                                                      Jul 24, 2024 14:16:32.892056942 CEST58848443192.168.2.445.112.123.126
                                                                                      Jul 24, 2024 14:16:32.893523932 CEST58849443192.168.2.4172.67.74.152
                                                                                      Jul 24, 2024 14:16:32.893558025 CEST44358849172.67.74.152192.168.2.4
                                                                                      Jul 24, 2024 14:16:32.893781900 CEST58849443192.168.2.4172.67.74.152
                                                                                      Jul 24, 2024 14:16:32.894119024 CEST58849443192.168.2.4172.67.74.152
                                                                                      Jul 24, 2024 14:16:32.894129992 CEST44358849172.67.74.152192.168.2.4
                                                                                      Jul 24, 2024 14:16:32.905441999 CEST58850443192.168.2.4159.89.102.253
                                                                                      Jul 24, 2024 14:16:32.905484915 CEST44358850159.89.102.253192.168.2.4
                                                                                      Jul 24, 2024 14:16:32.905544996 CEST58850443192.168.2.4159.89.102.253
                                                                                      Jul 24, 2024 14:16:32.905930996 CEST58850443192.168.2.4159.89.102.253
                                                                                      Jul 24, 2024 14:16:32.905944109 CEST44358850159.89.102.253192.168.2.4
                                                                                      Jul 24, 2024 14:16:33.613010883 CEST44358849172.67.74.152192.168.2.4
                                                                                      Jul 24, 2024 14:16:33.613462925 CEST58849443192.168.2.4172.67.74.152
                                                                                      Jul 24, 2024 14:16:33.613492966 CEST44358849172.67.74.152192.168.2.4
                                                                                      Jul 24, 2024 14:16:33.615509033 CEST44358849172.67.74.152192.168.2.4
                                                                                      Jul 24, 2024 14:16:33.615572929 CEST58849443192.168.2.4172.67.74.152
                                                                                      Jul 24, 2024 14:16:33.616199970 CEST58849443192.168.2.4172.67.74.152
                                                                                      Jul 24, 2024 14:16:33.616287947 CEST44358849172.67.74.152192.168.2.4
                                                                                      Jul 24, 2024 14:16:33.616321087 CEST58849443192.168.2.4172.67.74.152
                                                                                      Jul 24, 2024 14:16:33.656521082 CEST44358849172.67.74.152192.168.2.4
                                                                                      Jul 24, 2024 14:16:33.664632082 CEST58849443192.168.2.4172.67.74.152
                                                                                      Jul 24, 2024 14:16:33.664647102 CEST44358849172.67.74.152192.168.2.4
                                                                                      Jul 24, 2024 14:16:33.711502075 CEST58849443192.168.2.4172.67.74.152
                                                                                      Jul 24, 2024 14:16:33.765302896 CEST44358849172.67.74.152192.168.2.4
                                                                                      Jul 24, 2024 14:16:33.765374899 CEST44358849172.67.74.152192.168.2.4
                                                                                      Jul 24, 2024 14:16:33.765780926 CEST58849443192.168.2.4172.67.74.152
                                                                                      Jul 24, 2024 14:16:33.765912056 CEST58849443192.168.2.4172.67.74.152
                                                                                      Jul 24, 2024 14:16:33.767112970 CEST58851443192.168.2.4159.89.102.253
                                                                                      Jul 24, 2024 14:16:33.767163992 CEST44358851159.89.102.253192.168.2.4
                                                                                      Jul 24, 2024 14:16:33.767276049 CEST58851443192.168.2.4159.89.102.253
                                                                                      Jul 24, 2024 14:16:33.767612934 CEST58851443192.168.2.4159.89.102.253
                                                                                      Jul 24, 2024 14:16:33.767626047 CEST44358851159.89.102.253192.168.2.4
                                                                                      Jul 24, 2024 14:16:59.436666965 CEST44349748159.89.102.253192.168.2.4
                                                                                      Jul 24, 2024 14:16:59.436726093 CEST49748443192.168.2.4159.89.102.253
                                                                                      Jul 24, 2024 14:16:59.436934948 CEST49748443192.168.2.4159.89.102.253
                                                                                      Jul 24, 2024 14:16:59.436954021 CEST44349748159.89.102.253192.168.2.4
                                                                                      Jul 24, 2024 14:17:01.743562937 CEST44349750159.89.102.253192.168.2.4
                                                                                      Jul 24, 2024 14:17:01.743643999 CEST49750443192.168.2.4159.89.102.253
                                                                                      Jul 24, 2024 14:17:01.743925095 CEST49750443192.168.2.4159.89.102.253
                                                                                      Jul 24, 2024 14:17:01.743944883 CEST44349750159.89.102.253192.168.2.4
                                                                                      Jul 24, 2024 14:17:15.871413946 CEST44358850159.89.102.253192.168.2.4
                                                                                      Jul 24, 2024 14:17:15.871586084 CEST58850443192.168.2.4159.89.102.253
                                                                                      Jul 24, 2024 14:17:15.871968031 CEST58850443192.168.2.4159.89.102.253
                                                                                      Jul 24, 2024 14:17:15.871993065 CEST44358850159.89.102.253192.168.2.4
                                                                                      Jul 24, 2024 14:17:16.562073946 CEST44358851159.89.102.253192.168.2.4
                                                                                      Jul 24, 2024 14:17:16.562139988 CEST58851443192.168.2.4159.89.102.253
                                                                                      Jul 24, 2024 14:17:16.562419891 CEST58851443192.168.2.4159.89.102.253
                                                                                      Jul 24, 2024 14:17:16.562441111 CEST44358851159.89.102.253192.168.2.4
                                                                                      TimestampSource PortDest PortSource IPDest IP
                                                                                      Jul 24, 2024 14:16:15.776348114 CEST5322953192.168.2.41.1.1.1
                                                                                      Jul 24, 2024 14:16:15.780889034 CEST5285153192.168.2.41.1.1.1
                                                                                      Jul 24, 2024 14:16:15.967077017 CEST53532291.1.1.1192.168.2.4
                                                                                      Jul 24, 2024 14:16:15.968264103 CEST53528511.1.1.1192.168.2.4
                                                                                      Jul 24, 2024 14:16:16.607664108 CEST6017453192.168.2.41.1.1.1
                                                                                      Jul 24, 2024 14:16:16.619467974 CEST53601741.1.1.1192.168.2.4
                                                                                      Jul 24, 2024 14:16:24.348419905 CEST5351615162.159.36.2192.168.2.4
                                                                                      Jul 24, 2024 14:16:24.849816084 CEST4921853192.168.2.41.1.1.1
                                                                                      Jul 24, 2024 14:16:24.861897945 CEST53492181.1.1.1192.168.2.4
                                                                                      Jul 24, 2024 14:16:32.005820990 CEST5974753192.168.2.41.1.1.1
                                                                                      Jul 24, 2024 14:16:32.016305923 CEST6491453192.168.2.41.1.1.1
                                                                                      Jul 24, 2024 14:16:32.016973972 CEST53597471.1.1.1192.168.2.4
                                                                                      Jul 24, 2024 14:16:32.025639057 CEST53649141.1.1.1192.168.2.4
                                                                                      Jul 24, 2024 14:16:32.889643908 CEST5009953192.168.2.41.1.1.1
                                                                                      Jul 24, 2024 14:16:32.904767990 CEST53500991.1.1.1192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jul 24, 2024 14:16:15.776348114 CEST | 192.168.2.4 | 1.1.1.1 | 0x2274 | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
Jul 24, 2024 14:16:15.780889034 CEST | 192.168.2.4 | 1.1.1.1 | 0x6523 | Standard query (0) | api.gofile.io | A (IP address) | IN (0x0001) | false
Jul 24, 2024 14:16:16.607664108 CEST | 192.168.2.4 | 1.1.1.1 | 0x7f66 | Standard query (0) | geolocation-db.com | A (IP address) | IN (0x0001) | false
Jul 24, 2024 14:16:24.849816084 CEST | 192.168.2.4 | 1.1.1.1 | 0xd872 | Standard query (0) | 198.187.3.20.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false
Jul 24, 2024 14:16:32.005820990 CEST | 192.168.2.4 | 1.1.1.1 | 0xa30c | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
Jul 24, 2024 14:16:32.016305923 CEST | 192.168.2.4 | 1.1.1.1 | 0x523e | Standard query (0) | api.gofile.io | A (IP address) | IN (0x0001) | false
Jul 24, 2024 14:16:32.889643908 CEST | 192.168.2.4 | 1.1.1.1 | 0x4262 | Standard query (0) | geolocation-db.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jul 24, 2024 14:15:49.389425039 CEST | 1.1.1.1 | 192.168.2.4 | 0x65c | No error (0) | fp2e7a.wpc.2be4.phicdn.net | fp2e7a.wpc.phicdn.net | | CNAME (Canonical name) | IN (0x0001) | false
Jul 24, 2024 14:15:49.389425039 CEST | 1.1.1.1 | 192.168.2.4 | 0x65c | No error (0) | fp2e7a.wpc.phicdn.net | | 192.229.221.95 | A (IP address) | IN (0x0001) | false
Jul 24, 2024 14:16:15.967077017 CEST | 1.1.1.1 | 192.168.2.4 | 0x2274 | No error (0) | api.ipify.org | | 104.26.12.205 | A (IP address) | IN (0x0001) | false
Jul 24, 2024 14:16:15.967077017 CEST | 1.1.1.1 | 192.168.2.4 | 0x2274 | No error (0) | api.ipify.org | | 172.67.74.152 | A (IP address) | IN (0x0001) | false
Jul 24, 2024 14:16:15.967077017 CEST | 1.1.1.1 | 192.168.2.4 | 0x2274 | No error (0) | api.ipify.org | | 104.26.13.205 | A (IP address) | IN (0x0001) | false
Jul 24, 2024 14:16:15.968264103 CEST | 1.1.1.1 | 192.168.2.4 | 0x6523 | No error (0) | api.gofile.io | | 51.91.7.6 | A (IP address) | IN (0x0001) | false
Jul 24, 2024 14:16:15.968264103 CEST | 1.1.1.1 | 192.168.2.4 | 0x6523 | No error (0) | api.gofile.io | | 45.112.123.126 | A (IP address) | IN (0x0001) | false
Jul 24, 2024 14:16:16.619467974 CEST | 1.1.1.1 | 192.168.2.4 | 0x7f66 | No error (0) | geolocation-db.com | | 159.89.102.253 | A (IP address) | IN (0x0001) | false
Jul 24, 2024 14:16:24.861897945 CEST | 1.1.1.1 | 192.168.2.4 | 0xd872 | Name error (3) | 198.187.3.20.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false
Jul 24, 2024 14:16:32.016973972 CEST | 1.1.1.1 | 192.168.2.4 | 0xa30c | No error (0) | api.ipify.org | | 172.67.74.152 | A (IP address) | IN (0x0001) | false
Jul 24, 2024 14:16:32.016973972 CEST | 1.1.1.1 | 192.168.2.4 | 0xa30c | No error (0) | api.ipify.org | | 104.26.12.205 | A (IP address) | IN (0x0001) | false
Jul 24, 2024 14:16:32.016973972 CEST | 1.1.1.1 | 192.168.2.4 | 0xa30c | No error (0) | api.ipify.org | | 104.26.13.205 | A (IP address) | IN (0x0001) | false
Jul 24, 2024 14:16:32.025639057 CEST | 1.1.1.1 | 192.168.2.4 | 0x523e | No error (0) | api.gofile.io | | 45.112.123.126 | A (IP address) | IN (0x0001) | false
Jul 24, 2024 14:16:32.025639057 CEST | 1.1.1.1 | 192.168.2.4 | 0x523e | No error (0) | api.gofile.io | | 51.91.7.6 | A (IP address) | IN (0x0001) | false
Jul 24, 2024 14:16:32.904767990 CEST | 1.1.1.1 | 192.168.2.4 | 0x4262 | No error (0) | geolocation-db.com | | 159.89.102.253 | A (IP address) | IN (0x0001) | false
                                                                                      • api.ipify.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49747 | 104.26.12.205 | 443 | 6292 | C:\Users\user\Desktop\231210-10-Creal-33652f.exe
Timestamp | Bytes transferred | Direction | Data
2024-07-24 12:16:16 UTC | 117 | OUT | GET / HTTP/1.1
Accept-Encoding: identity
Host: api.ipify.org
User-Agent: Python-urllib/3.10
Connection: close
2024-07-24 12:16:16 UTC | 211 | IN | HTTP/1.1 200 OK
Date: Wed, 24 Jul 2024 12:16:16 GMT
Content-Type: text/plain
Content-Length: 11
Connection: close
Vary: Origin
CF-Cache-Status: DYNAMIC
Server: cloudflare
CF-RAY: 8a83d7276b2a42b3-EWR
2024-07-24 12:16:16 UTC | 11 | IN | Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33
Data Ascii: 8.46.123.33


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49749 | 104.26.12.205 | 443 | 6292 | C:\Users\user\Desktop\231210-10-Creal-33652f.exe
Timestamp | Bytes transferred | Direction | Data
2024-07-24 12:16:18 UTC | 117 | OUT | GET / HTTP/1.1
Accept-Encoding: identity
Host: api.ipify.org
User-Agent: Python-urllib/3.10
Connection: close
2024-07-24 12:16:18 UTC | 211 | IN | HTTP/1.1 200 OK
Date: Wed, 24 Jul 2024 12:16:18 GMT
Content-Type: text/plain
Content-Length: 11
Connection: close
Vary: Origin
CF-Cache-Status: DYNAMIC
Server: cloudflare
CF-RAY: 8a83d7365e246a4f-EWR
2024-07-24 12:16:18 UTC | 11 | IN | Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33
Data Ascii: 8.46.123.33


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.4 | 58847 | 172.67.74.152 | 443 | 1420 | C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe
Timestamp | Bytes transferred | Direction | Data
2024-07-24 12:16:32 UTC | 117 | OUT | GET / HTTP/1.1
Accept-Encoding: identity
Host: api.ipify.org
User-Agent: Python-urllib/3.10
Connection: close
2024-07-24 12:16:32 UTC | 211 | IN | HTTP/1.1 200 OK
Date: Wed, 24 Jul 2024 12:16:32 GMT
Content-Type: text/plain
Content-Length: 11
Connection: close
Vary: Origin
CF-Cache-Status: DYNAMIC
Server: cloudflare
CF-RAY: 8a83d78b9d96428f-EWR
2024-07-24 12:16:32 UTC | 11 | IN | Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33
Data Ascii: 8.46.123.33


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.4 | 58849 | 172.67.74.152 | 443 | 1420 | C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe
Timestamp | Bytes transferred | Direction | Data
2024-07-24 12:16:33 UTC | 117 | OUT | GET / HTTP/1.1
Accept-Encoding: identity
Host: api.ipify.org
User-Agent: Python-urllib/3.10
Connection: close
2024-07-24 12:16:33 UTC | 211 | IN | HTTP/1.1 200 OK
Date: Wed, 24 Jul 2024 12:16:33 GMT
Content-Type: text/plain
Content-Length: 11
Connection: close
Vary: Origin
CF-Cache-Status: DYNAMIC
Server: cloudflare
CF-RAY: 8a83d792aef341ef-EWR
2024-07-24 12:16:33 UTC | 11 | IN | Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33
Data Ascii: 8.46.123.33



                                                                                      Target ID:1
                                                                                      Start time:08:16:08
                                                                                      Start date:24/07/2024
                                                                                      Path:C:\Users\user\Desktop\231210-10-Creal-33652f.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:"C:\Users\user\Desktop\231210-10-Creal-33652f.exe"
                                                                                      Imagebase:0x7ff780460000
                                                                                      File size:17'812'549 bytes
                                                                                      MD5 hash:0B02E32E57E2345C026243F8F309F808
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:low
                                                                                      Has exited:false

                                                                                      Target ID:2
                                                                                      Start time:08:16:11
                                                                                      Start date:24/07/2024
                                                                                      Path:C:\Users\user\Desktop\231210-10-Creal-33652f.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:"C:\Users\user\Desktop\231210-10-Creal-33652f.exe"
                                                                                      Imagebase:0x7ff780460000
                                                                                      File size:17'812'549 bytes
                                                                                      MD5 hash:0B02E32E57E2345C026243F8F309F808
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Yara matches:
                                                                                      • Rule: JoeSecurity_CrealStealer, Description: Yara detected Creal Stealer, Source: 00000002.00000002.3089335128.000001CD634B0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_CrealStealer, Description: Yara detected Creal Stealer, Source: 00000002.00000002.3088018698.000001CD62B06000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                      Reputation:low
                                                                                      Has exited:false

                                                                                      Target ID:3
                                                                                      Start time:08:16:12
                                                                                      Start date:24/07/2024
                                                                                      Path:C:\Windows\System32\cmd.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\system32\cmd.exe /c "ver"
                                                                                      Imagebase:0x7ff71f1a0000
                                                                                      File size:289'792 bytes
                                                                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:high
                                                                                      Has exited:true

                                                                                      Target ID:4
                                                                                      Start time:08:16:12
                                                                                      Start date:24/07/2024
                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                      Imagebase:0x7ff7699e0000
                                                                                      File size:862'208 bytes
                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:high
                                                                                      Has exited:true

                                                                                      Target ID:5
                                                                                      Start time:08:16:13
                                                                                      Start date:24/07/2024
                                                                                      Path:C:\Windows\System32\cmd.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\system32\cmd.exe /c "tasklist"
                                                                                      Imagebase:0x7ff71f1a0000
                                                                                      File size:289'792 bytes
                                                                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:high
                                                                                      Has exited:true

                                                                                      Target ID:6
                                                                                      Start time:08:16:13
                                                                                      Start date:24/07/2024
                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                      Imagebase:0x7ff7699e0000
                                                                                      File size:862'208 bytes
                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:high
                                                                                      Has exited:true

                                                                                      Target ID:7
                                                                                      Start time:08:16:13
                                                                                      Start date:24/07/2024
                                                                                      Path:C:\Windows\System32\tasklist.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:tasklist
                                                                                      Imagebase:0x7ff7699e0000
                                                                                      File size:106'496 bytes
                                                                                      MD5 hash:D0A49A170E13D7F6AEBBEFED9DF88AAA
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:moderate
                                                                                      Has exited:true

                                                                                      Target ID:10
                                                                                      Start time:08:16:24
                                                                                      Start date:24/07/2024
                                                                                      Path:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe"
                                                                                      Imagebase:0x7ff60f520000
                                                                                      File size:17'812'549 bytes
                                                                                      MD5 hash:0B02E32E57E2345C026243F8F309F808
                                                                                      Has elevated privileges:false
                                                                                      Has administrator privileges:false
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:low
                                                                                      Has exited:false

                                                                                      Target ID:11
                                                                                      Start time:08:16:27
                                                                                      Start date:24/07/2024
                                                                                      Path:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231210-10-Creal-33652f.exe"
                                                                                      Imagebase:0x7ff60f520000
                                                                                      File size:17'812'549 bytes
                                                                                      MD5 hash:0B02E32E57E2345C026243F8F309F808
                                                                                      Has elevated privileges:false
                                                                                      Has administrator privileges:false
                                                                                      Programmed in:C, C++ or other language
                                                                                      Yara matches:
                                                                                      • Rule: JoeSecurity_CrealStealer, Description: Yara detected Creal Stealer, Source: 0000000B.00000002.3089238430.000001AFC16C0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_CrealStealer, Description: Yara detected Creal Stealer, Source: 0000000B.00000002.3088138594.000001AFC0E57000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                      Reputation:low
                                                                                      Has exited:false

                                                                                      Target ID:12
                                                                                      Start time:08:16:29
                                                                                      Start date:24/07/2024
                                                                                      Path:C:\Windows\System32\cmd.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\system32\cmd.exe /c "ver"
                                                                                      Imagebase:0x7ff71f1a0000
                                                                                      File size:289'792 bytes
                                                                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                      Has elevated privileges:false
                                                                                      Has administrator privileges:false
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:high
                                                                                      Has exited:true

                                                                                      Target ID:13
                                                                                      Start time:08:16:29
                                                                                      Start date:24/07/2024
                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                      Imagebase:0x7ff7699e0000
                                                                                      File size:862'208 bytes
                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                      Has elevated privileges:false
                                                                                      Has administrator privileges:false
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:high
                                                                                      Has exited:true

                                                                                      Target ID:14
                                                                                      Start time:08:16:30
                                                                                      Start date:24/07/2024
                                                                                      Path:C:\Windows\System32\cmd.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\system32\cmd.exe /c "tasklist"
                                                                                      Imagebase:0x7ff71f1a0000
                                                                                      File size:289'792 bytes
                                                                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                      Has elevated privileges:false
                                                                                      Has administrator privileges:false
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:high
                                                                                      Has exited:true

                                                                                      Target ID:15
                                                                                      Start time:08:16:30
                                                                                      Start date:24/07/2024
                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                      Imagebase:0x7ff7699e0000
                                                                                      File size:862'208 bytes
                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                      Has elevated privileges:false
                                                                                      Has administrator privileges:false
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:high
                                                                                      Has exited:true

                                                                                      Target ID:16
                                                                                      Start time:08:16:30
                                                                                      Start date:24/07/2024
                                                                                      Path:C:\Windows\System32\tasklist.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:tasklist
                                                                                      Imagebase:0x7ff7ed0a0000
                                                                                      File size:106'496 bytes
                                                                                      MD5 hash:D0A49A170E13D7F6AEBBEFED9DF88AAA
                                                                                      Has elevated privileges:false
                                                                                      Has administrator privileges:false
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:moderate
                                                                                      Has exited:true


                                                                                        Execution Graph

                                                                                        Execution Coverage:9.7%
                                                                                        Dynamic/Decrypted Code Coverage:0%
                                                                                        Signature Coverage:18.5%
                                                                                        Total number of Nodes:2000
                                                                                        Total number of Limit Nodes:21
19139->19140 19140->19128 19141->19145 19142->19139 19143->19142 19144 7ff78047adbc __free_lconv_mon 11 API calls 19143->19144 19144->19142 19145->19143 19146 7ff78047fab0 _fread_nolock MultiByteToWideChar 19145->19146 19147 7ff780488106 19146->19147 19147->19143 19166 7ff78047f454 19147->19166 19150 7ff780488151 19150->19143 19153 7ff78047f454 __crtLCMapStringW 6 API calls 19150->19153 19151 7ff7804881a2 19152 7ff78047da6c _fread_nolock 12 API calls 19151->19152 19154 7ff780488274 19151->19154 19156 7ff7804881c0 19151->19156 19152->19156 19153->19143 19154->19143 19155 7ff78047adbc __free_lconv_mon 11 API calls 19154->19155 19155->19143 19156->19143 19157 7ff78047f454 __crtLCMapStringW 6 API calls 19156->19157 19158 7ff780488240 19157->19158 19158->19154 19159 7ff780488260 19158->19159 19160 7ff780488276 19158->19160 19162 7ff780480378 WideCharToMultiByte 19159->19162 19161 7ff780480378 WideCharToMultiByte 19160->19161 19163 7ff78048826e 19161->19163 19162->19163 19163->19154 19164 7ff78048828e 19163->19164 19164->19143 19165 7ff78047adbc __free_lconv_mon 11 API calls 19164->19165 19165->19143 19167 7ff78047f080 __crtLCMapStringW 5 API calls 19166->19167 19168 7ff78047f492 19167->19168 19171 7ff78047f49a 19168->19171 19172 7ff78047f540 19168->19172 19170 7ff78047f503 LCMapStringW 19170->19171 19171->19143 19171->19150 19171->19151 19173 7ff78047f080 __crtLCMapStringW 5 API calls 19172->19173 19174 7ff78047f56e __crtLCMapStringW 19173->19174 19174->19170 19177 7ff7804798ed 19176->19177 19178 7ff780479789 19176->19178 19179 7ff780479916 19177->19179 19180 7ff78047adbc __free_lconv_mon 11 API calls 19177->19180 19178->19023 19181 7ff78047adbc __free_lconv_mon 11 API calls 19179->19181 19180->19177 19181->19178 19183 7ff780486ac9 19182->19183 19184 7ff780486ae0 19182->19184 19185 7ff7804752d4 _wfindfirst32i64 11 API calls 19183->19185 19184->19183 19187 7ff780486aee 19184->19187 19186 7ff780486ace 19185->19186 19188 7ff78047ad54 _invalid_parameter_noinfo 37 API calls 
19186->19188 19189 7ff7804758ac 45 API calls 19187->19189 19190 7ff780486ad9 19187->19190 19188->19190 19189->19190 19190->18883 19192 7ff7804758ac 45 API calls 19191->19192 19193 7ff7804896f9 19192->19193 19196 7ff780489350 19193->19196 19200 7ff78048939e 19196->19200 19197 7ff78046bc70 _wfindfirst32i64 8 API calls 19198 7ff780487985 19197->19198 19198->18883 19198->18885 19199 7ff780489425 19201 7ff78047fab0 _fread_nolock MultiByteToWideChar 19199->19201 19205 7ff780489429 19199->19205 19200->19199 19202 7ff780489410 GetCPInfo 19200->19202 19200->19205 19203 7ff7804894bd 19201->19203 19202->19199 19202->19205 19204 7ff78047da6c _fread_nolock 12 API calls 19203->19204 19203->19205 19206 7ff7804894f4 19203->19206 19204->19206 19205->19197 19206->19205 19207 7ff78047fab0 _fread_nolock MultiByteToWideChar 19206->19207 19208 7ff780489562 19207->19208 19209 7ff780489644 19208->19209 19210 7ff78047fab0 _fread_nolock MultiByteToWideChar 19208->19210 19209->19205 19211 7ff78047adbc __free_lconv_mon 11 API calls 19209->19211 19212 7ff780489588 19210->19212 19211->19205 19212->19209 19213 7ff78047da6c _fread_nolock 12 API calls 19212->19213 19214 7ff7804895b5 19212->19214 19213->19214 19214->19209 19215 7ff78047fab0 _fread_nolock MultiByteToWideChar 19214->19215 19216 7ff78048962c 19215->19216 19217 7ff780489632 19216->19217 19218 7ff78048964c 19216->19218 19217->19209 19220 7ff78047adbc __free_lconv_mon 11 API calls 19217->19220 19225 7ff78047f2d8 19218->19225 19220->19209 19222 7ff78048968b 19222->19205 19224 7ff78047adbc __free_lconv_mon 11 API calls 19222->19224 19223 7ff78047adbc __free_lconv_mon 11 API calls 19223->19222 19224->19205 19226 7ff78047f080 __crtLCMapStringW 5 API calls 19225->19226 19227 7ff78047f316 19226->19227 19228 7ff78047f31e 19227->19228 19229 7ff78047f540 __crtLCMapStringW 5 API calls 19227->19229 19228->19222 19228->19223 19230 7ff78047f387 CompareStringW 19229->19230 19230->19228 19232 7ff7804883c1 19231->19232 19233 7ff7804883da HeapSize 
19231->19233 19234 7ff7804752d4 _wfindfirst32i64 11 API calls 19232->19234 19235 7ff7804883c6 19234->19235 19236 7ff78047ad54 _invalid_parameter_noinfo 37 API calls 19235->19236 19237 7ff7804883d1 19236->19237 19237->18889 19239 7ff780480d8b 19238->19239 19240 7ff780480d81 19238->19240 19242 7ff780480d90 19239->19242 19248 7ff780480d97 _wfindfirst32i64 19239->19248 19241 7ff78047da6c _fread_nolock 12 API calls 19240->19241 19246 7ff780480d89 19241->19246 19245 7ff78047adbc __free_lconv_mon 11 API calls 19242->19245 19243 7ff780480d9d 19247 7ff7804752d4 _wfindfirst32i64 11 API calls 19243->19247 19244 7ff780480dca HeapReAlloc 19244->19246 19244->19248 19245->19246 19246->18894 19247->19246 19248->19243 19248->19244 19249 7ff780483ab0 _wfindfirst32i64 2 API calls 19248->19249 19249->19248 19251 7ff780479665 19250->19251 19258 7ff780479661 19250->19258 19271 7ff780482f5c GetEnvironmentStringsW 19251->19271 19254 7ff78047967e 19278 7ff7804797cc 19254->19278 19255 7ff780479672 19257 7ff78047adbc __free_lconv_mon 11 API calls 19255->19257 19257->19258 19258->18931 19263 7ff780479a0c 19258->19263 19260 7ff78047adbc __free_lconv_mon 11 API calls 19261 7ff7804796a5 19260->19261 19262 7ff78047adbc __free_lconv_mon 11 API calls 19261->19262 19262->19258 19264 7ff780479a2f 19263->19264 19269 7ff780479a46 19263->19269 19264->18931 19265 7ff78047f008 _wfindfirst32i64 11 API calls 19265->19269 19266 7ff780479aba 19268 7ff78047adbc __free_lconv_mon 11 API calls 19266->19268 19267 7ff78047fab0 MultiByteToWideChar _fread_nolock 19267->19269 19268->19264 19269->19264 19269->19265 19269->19266 19269->19267 19270 7ff78047adbc __free_lconv_mon 11 API calls 19269->19270 19270->19269 19272 7ff78047966a 19271->19272 19273 7ff780482f80 19271->19273 19272->19254 19272->19255 19273->19273 19274 7ff78047da6c _fread_nolock 12 API calls 19273->19274 19275 7ff780482fb7 memcpy_s 19274->19275 19276 7ff78047adbc __free_lconv_mon 11 API calls 19275->19276 19277 7ff780482fd7 FreeEnvironmentStringsW 
19276->19277 19277->19272 19279 7ff7804797f4 19278->19279 19280 7ff78047f008 _wfindfirst32i64 11 API calls 19279->19280 19290 7ff78047982f 19280->19290 19281 7ff78047adbc __free_lconv_mon 11 API calls 19282 7ff780479686 19281->19282 19282->19260 19283 7ff7804798b1 19284 7ff78047adbc __free_lconv_mon 11 API calls 19283->19284 19284->19282 19285 7ff78047f008 _wfindfirst32i64 11 API calls 19285->19290 19286 7ff7804798a0 19287 7ff7804798e8 11 API calls 19286->19287 19289 7ff7804798a8 19287->19289 19288 7ff780480d04 _wfindfirst32i64 37 API calls 19288->19290 19291 7ff78047adbc __free_lconv_mon 11 API calls 19289->19291 19290->19283 19290->19285 19290->19286 19290->19288 19292 7ff7804798d4 19290->19292 19293 7ff780479837 19290->19293 19295 7ff78047adbc __free_lconv_mon 11 API calls 19290->19295 19291->19293 19294 7ff78047ad74 _wfindfirst32i64 17 API calls 19292->19294 19293->19281 19296 7ff7804798e6 19294->19296 19295->19290 19298 7ff7804892b9 __crtLCMapStringW 19297->19298 19299 7ff78047f2d8 6 API calls 19298->19299 19300 7ff78048786e 19298->19300 19299->19300 19300->18957 19300->18958 18209 7ff78046b1f0 18210 7ff78046b21e 18209->18210 18211 7ff78046b205 18209->18211 18211->18210 18213 7ff78047da6c 12 API calls 18211->18213 18212 7ff78046b27c 18213->18212 18300 7ff78047c990 18311 7ff780480b68 EnterCriticalSection 18300->18311 18312 7ff78047a190 18315 7ff78047a10c 18312->18315 18322 7ff780480b68 EnterCriticalSection 18315->18322 15313 7ff78046c02c 15334 7ff78046c1fc 15313->15334 15316 7ff78046c178 15430 7ff78046c52c IsProcessorFeaturePresent 15316->15430 15317 7ff78046c048 __scrt_acquire_startup_lock 15319 7ff78046c182 15317->15319 15323 7ff78046c066 __scrt_release_startup_lock 15317->15323 15320 7ff78046c52c 7 API calls 15319->15320 15322 7ff78046c18d __CxxCallCatchBlock 15320->15322 15321 7ff78046c08b 15323->15321 15324 7ff78046c111 15323->15324 15419 7ff780479f6c 15323->15419 15340 7ff78046c678 15324->15340 15326 7ff78046c116 15343 7ff780461000 15326->15343 15331 
7ff78046c139 15331->15322 15426 7ff78046c390 15331->15426 15437 7ff78046c7fc 15334->15437 15337 7ff78046c040 15337->15316 15337->15317 15338 7ff78046c22b __scrt_initialize_crt 15338->15337 15439 7ff78046d948 15338->15439 15466 7ff78046d090 15340->15466 15342 7ff78046c68f GetStartupInfoW 15342->15326 15344 7ff78046100b 15343->15344 15468 7ff780468660 15344->15468 15346 7ff78046101d 15475 7ff780475da4 15346->15475 15348 7ff78046397b 15482 7ff780461e50 15348->15482 15352 7ff78046bc70 _wfindfirst32i64 8 API calls 15353 7ff780463a96 15352->15353 15424 7ff78046c6bc GetModuleHandleW 15353->15424 15354 7ff78046399a 15416 7ff780463a82 15354->15416 15498 7ff780467b10 15354->15498 15356 7ff7804639cf 15357 7ff780463a1b 15356->15357 15358 7ff780467b10 61 API calls 15356->15358 15513 7ff780467ff0 15357->15513 15363 7ff7804639f0 __vcrt_freefls 15358->15363 15360 7ff780463a30 15517 7ff780461c50 15360->15517 15363->15357 15368 7ff780467ff0 58 API calls 15363->15368 15364 7ff780463b21 15366 7ff780463b45 15364->15366 15536 7ff7804614f0 15364->15536 15365 7ff780461c50 121 API calls 15367 7ff780463a66 15365->15367 15372 7ff780463b9f 15366->15372 15366->15416 15543 7ff780468a90 15366->15543 15369 7ff780463aa8 15367->15369 15370 7ff780463a6a 15367->15370 15368->15357 15369->15364 15611 7ff780463f80 15369->15611 15598 7ff780462ad0 15370->15598 15557 7ff780466d90 15372->15557 15374 7ff780463b7c 15377 7ff780463b92 SetDllDirectoryW 15374->15377 15378 7ff780463b81 15374->15378 15377->15372 15381 7ff780462ad0 59 API calls 15378->15381 15381->15416 15384 7ff780463ac6 15387 7ff780462ad0 59 API calls 15384->15387 15385 7ff780463bb9 15411 7ff780463beb 15385->15411 15643 7ff7804665a0 15385->15643 15387->15416 15388 7ff780463cb6 15561 7ff780463470 15388->15561 15389 7ff780463af4 15389->15364 15390 7ff780463af9 15389->15390 15630 7ff78047013c 15390->15630 15396 7ff780463c0a 15404 7ff780463c55 15396->15404 15684 7ff780461e90 15396->15684 15397 7ff780463bed 15678 7ff7804667f0 15397->15678 15403 
7ff780463cde 15406 7ff780467b10 61 API calls 15403->15406 15404->15416 15688 7ff780463410 15404->15688 15409 7ff780463cea 15406->15409 15575 7ff780468030 15409->15575 15410 7ff780463c91 15413 7ff7804667f0 FreeLibrary 15410->15413 15411->15388 15411->15396 15413->15416 15416->15352 15420 7ff780479fa4 15419->15420 15421 7ff780479f83 15419->15421 18204 7ff78047a818 15420->18204 15421->15324 15425 7ff78046c6cd 15424->15425 15425->15331 15427 7ff78046c3a1 15426->15427 15428 7ff78046c150 15427->15428 15429 7ff78046d948 __scrt_initialize_crt 7 API calls 15427->15429 15428->15321 15429->15428 15431 7ff78046c552 _wfindfirst32i64 memcpy_s 15430->15431 15432 7ff78046c571 RtlCaptureContext RtlLookupFunctionEntry 15431->15432 15433 7ff78046c59a RtlVirtualUnwind 15432->15433 15434 7ff78046c5d6 memcpy_s 15432->15434 15433->15434 15435 7ff78046c608 IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 15434->15435 15436 7ff78046c65a _wfindfirst32i64 15435->15436 15436->15319 15438 7ff78046c21e __scrt_dllmain_crt_thread_attach 15437->15438 15438->15337 15438->15338 15440 7ff78046d95a 15439->15440 15441 7ff78046d950 15439->15441 15440->15337 15445 7ff78046dcc4 15441->15445 15446 7ff78046dcd3 15445->15446 15447 7ff78046d955 15445->15447 15453 7ff78046df00 15446->15453 15449 7ff78046dd30 15447->15449 15450 7ff78046dd5b 15449->15450 15451 7ff78046dd3e DeleteCriticalSection 15450->15451 15452 7ff78046dd5f 15450->15452 15451->15450 15452->15440 15457 7ff78046dd68 15453->15457 15458 7ff78046ddac __vcrt_FlsAlloc 15457->15458 15463 7ff78046de82 TlsFree 15457->15463 15459 7ff78046ddda LoadLibraryExW 15458->15459 15460 7ff78046de71 GetProcAddress 15458->15460 15458->15463 15465 7ff78046de1d LoadLibraryExW 15458->15465 15461 7ff78046ddfb GetLastError 15459->15461 15462 7ff78046de51 15459->15462 15460->15463 15461->15458 15462->15460 15464 7ff78046de68 FreeLibrary 15462->15464 15464->15460 15465->15458 15465->15462 15467 7ff78046d070 15466->15467 15467->15342 15467->15467 15473 
7ff78046867f 15468->15473 15469 7ff7804686d0 WideCharToMultiByte 15471 7ff780468776 15469->15471 15469->15473 15470 7ff780468724 WideCharToMultiByte 15470->15471 15470->15473 15736 7ff780462980 15471->15736 15473->15469 15473->15470 15473->15471 15474 7ff780468687 __vcrt_freefls 15473->15474 15474->15346 15478 7ff78047ff00 15475->15478 15476 7ff78047ff53 15477 7ff78047ac88 _invalid_parameter_noinfo 37 API calls 15476->15477 15480 7ff78047ff7c 15477->15480 15478->15476 15479 7ff78047ffa6 15478->15479 16133 7ff78047fdd8 15479->16133 15480->15348 15483 7ff780461e65 15482->15483 15485 7ff780461e80 15483->15485 16141 7ff780462830 15483->16141 15485->15416 15486 7ff780463e70 15485->15486 15487 7ff78046bc10 15486->15487 15488 7ff780463e7c GetModuleFileNameW 15487->15488 15489 7ff780463eab 15488->15489 15490 7ff780463ec2 15488->15490 15491 7ff780462980 57 API calls 15489->15491 16181 7ff780468ba0 15490->16181 15496 7ff780463ebe 15491->15496 15494 7ff780462ad0 59 API calls 15494->15496 15495 7ff78046bc70 _wfindfirst32i64 8 API calls 15497 7ff780463eff 15495->15497 15496->15495 15497->15354 15499 7ff780467b1a 15498->15499 15500 7ff780468a90 57 API calls 15499->15500 15501 7ff780467b3c GetEnvironmentVariableW 15500->15501 15502 7ff780467b54 ExpandEnvironmentStringsW 15501->15502 15503 7ff780467ba6 15501->15503 15505 7ff780468ba0 59 API calls 15502->15505 15504 7ff78046bc70 _wfindfirst32i64 8 API calls 15503->15504 15506 7ff780467bb8 15504->15506 15507 7ff780467b7c 15505->15507 15506->15356 15507->15503 15508 7ff780467b86 15507->15508 16192 7ff78047a84c 15508->16192 15511 7ff78046bc70 _wfindfirst32i64 8 API calls 15512 7ff780467b9e 15511->15512 15512->15356 15514 7ff780468a90 57 API calls 15513->15514 15515 7ff780468007 SetEnvironmentVariableW 15514->15515 15516 7ff78046801f __vcrt_freefls 15515->15516 15516->15360 15518 7ff780461c5e 15517->15518 15519 7ff780461e90 49 API calls 15518->15519 15520 7ff780461c94 15519->15520 15521 7ff780461e90 49 API calls 15520->15521 15530 
7ff780461d7e 15520->15530 15522 7ff780461cba 15521->15522 15522->15530 16199 7ff780461a40 15522->16199 15523 7ff78046bc70 _wfindfirst32i64 8 API calls 15524 7ff780461e0c 15523->15524 15524->15364 15524->15365 15528 7ff780461d6c 15529 7ff780463df0 49 API calls 15528->15529 15529->15530 15530->15523 15531 7ff780461d2f 15531->15528 15532 7ff780461dd4 15531->15532 15533 7ff780463df0 49 API calls 15532->15533 15534 7ff780461de1 15533->15534 16235 7ff780464000 15534->16235 15537 7ff780461506 15536->15537 15540 7ff78046157f 15536->15540 16277 7ff780467900 15537->16277 15540->15366 15541 7ff780462ad0 59 API calls 15542 7ff780461564 15541->15542 15542->15366 15544 7ff780468b37 MultiByteToWideChar 15543->15544 15545 7ff780468ab1 MultiByteToWideChar 15543->15545 15546 7ff780468b5a 15544->15546 15547 7ff780468b7f 15544->15547 15548 7ff780468ad7 15545->15548 15549 7ff780468afc 15545->15549 15550 7ff780462980 55 API calls 15546->15550 15547->15374 15551 7ff780462980 55 API calls 15548->15551 15549->15544 15554 7ff780468b12 15549->15554 15553 7ff780468b6d 15550->15553 15552 7ff780468aea 15551->15552 15552->15374 15553->15374 15555 7ff780462980 55 API calls 15554->15555 15556 7ff780468b25 15555->15556 15556->15374 15558 7ff780466da5 15557->15558 15559 7ff780463ba4 15558->15559 15560 7ff780462830 59 API calls 15558->15560 15559->15411 15634 7ff780466a40 15559->15634 15560->15559 15562 7ff7804634e3 15561->15562 15563 7ff780463524 15561->15563 15562->15563 16819 7ff780461710 15562->16819 16861 7ff780462d10 15562->16861 15564 7ff78046bc70 _wfindfirst32i64 8 API calls 15563->15564 15565 7ff780463575 15564->15565 15565->15416 15568 7ff780467f80 15565->15568 15569 7ff780468a90 57 API calls 15568->15569 15570 7ff780467f9f 15569->15570 15571 7ff780468a90 57 API calls 15570->15571 15572 7ff780467faf 15571->15572 15573 7ff780477c9c 38 API calls 15572->15573 15574 7ff780467fbd __vcrt_freefls 15573->15574 15574->15403 15576 7ff780468040 15575->15576 15577 7ff780468a90 57 API calls 15576->15577 
15578 7ff780468071 SetConsoleCtrlHandler GetStartupInfoW 15577->15578 15599 7ff780462af0 15598->15599 15600 7ff780474a74 49 API calls 15599->15600 15601 7ff780462b3b memcpy_s 15600->15601 15602 7ff780468a90 57 API calls 15601->15602 15603 7ff780462b70 15602->15603 15604 7ff780462bad MessageBoxA 15603->15604 15605 7ff780462b75 15603->15605 15606 7ff780462bc7 15604->15606 15607 7ff780468a90 57 API calls 15605->15607 15609 7ff78046bc70 _wfindfirst32i64 8 API calls 15606->15609 15608 7ff780462b8f MessageBoxW 15607->15608 15608->15606 15610 7ff780462bd7 15609->15610 15610->15416 15612 7ff780463f8c 15611->15612 15613 7ff780468a90 57 API calls 15612->15613 15614 7ff780463fb7 15613->15614 15615 7ff780468a90 57 API calls 15614->15615 15616 7ff780463fca 15615->15616 17351 7ff780476358 15616->17351 15619 7ff78046bc70 _wfindfirst32i64 8 API calls 15620 7ff780463abe 15619->15620 15620->15384 15621 7ff780468260 15620->15621 15622 7ff780468284 15621->15622 15623 7ff7804707c4 73 API calls 15622->15623 15628 7ff78046835b __vcrt_freefls 15622->15628 15624 7ff78046829e 15623->15624 15624->15628 17730 7ff780478f20 15624->17730 15628->15389 15631 7ff78047016c 15630->15631 17745 7ff78046ff18 15631->17745 15635 7ff780466a7a 15634->15635 15636 7ff780466a63 15634->15636 15635->15385 15636->15635 17756 7ff7804615a0 15636->17756 15638 7ff780466a84 15638->15635 15639 7ff780464000 49 API calls 15638->15639 15640 7ff780466ae5 15639->15640 15641 7ff780462ad0 59 API calls 15640->15641 15642 7ff780466b55 memcpy_s __vcrt_freefls 15640->15642 15641->15635 15642->15385 15648 7ff7804665ba memcpy_s 15643->15648 15644 7ff7804666df 15646 7ff780464000 49 API calls 15644->15646 15645 7ff7804666fb 15647 7ff780462ad0 59 API calls 15645->15647 15652 7ff780466758 15646->15652 15650 7ff7804666f1 __vcrt_freefls 15647->15650 15648->15644 15648->15645 15648->15648 15649 7ff780464000 49 API calls 15648->15649 15651 7ff7804666c0 15648->15651 15659 7ff780461710 144 API calls 15648->15659 15660 7ff7804666e1 
15648->15660 15649->15648 15656 7ff78046bc70 _wfindfirst32i64 8 API calls 15650->15656 15651->15644 15655 7ff780464000 49 API calls 15651->15655 15653 7ff780464000 49 API calls 15652->15653 15654 7ff780466788 15653->15654 15658 7ff780464000 49 API calls 15654->15658 15655->15644 15657 7ff780463bca 15656->15657 15657->15397 15662 7ff780466520 15657->15662 15658->15650 15659->15648 15661 7ff780462ad0 59 API calls 15660->15661 15661->15650 17780 7ff780468210 15662->17780 15664 7ff78046653c 15665 7ff780468210 58 API calls 15664->15665 15667 7ff78046654f 15665->15667 15666 7ff780466585 15669 7ff780462ad0 59 API calls 15666->15669 15667->15666 15668 7ff780466567 15667->15668 17784 7ff780466ea0 GetProcAddress 15668->17784 15682 7ff78046682d 15678->15682 15683 7ff780466802 15678->15683 15681 7ff7804668eb 15681->15682 17844 7ff7804681f0 FreeLibrary 15681->17844 15682->15411 15683->15681 15683->15682 17843 7ff7804681f0 FreeLibrary 15683->17843 15685 7ff780461eb5 15684->15685 15686 7ff780474a74 49 API calls 15685->15686 15687 7ff780461ed8 15686->15687 15687->15404 17845 7ff780465b70 15688->17845 15691 7ff78046345d 15691->15410 15755 7ff78046bc10 15736->15755 15739 7ff7804629c9 15757 7ff780474a74 15739->15757 15744 7ff780461e90 49 API calls 15745 7ff780462a26 memcpy_s 15744->15745 15746 7ff780468a90 54 API calls 15745->15746 15747 7ff780462a5b 15746->15747 15748 7ff780462a98 MessageBoxA 15747->15748 15749 7ff780462a60 15747->15749 15751 7ff780462ab2 15748->15751 15750 7ff780468a90 54 API calls 15749->15750 15752 7ff780462a7a MessageBoxW 15750->15752 15753 7ff78046bc70 _wfindfirst32i64 8 API calls 15751->15753 15752->15751 15754 7ff780462ac2 15753->15754 15754->15474 15756 7ff78046299c GetLastError 15755->15756 15756->15739 15758 7ff780474ace 15757->15758 15759 7ff780474af3 15758->15759 15761 7ff780474b2f 15758->15761 15760 7ff78047ac88 _invalid_parameter_noinfo 37 API calls 15759->15760 15763 7ff780474b1d 15760->15763 15787 7ff780472d00 15761->15787 15765 7ff78046bc70 
_wfindfirst32i64 8 API calls 15763->15765 15764 7ff780474c0c 15766 7ff78047adbc __free_lconv_mon 11 API calls 15764->15766 15768 7ff7804629f7 15765->15768 15766->15763 15775 7ff780468510 15768->15775 15769 7ff780474be1 15772 7ff78047adbc __free_lconv_mon 11 API calls 15769->15772 15770 7ff780474c30 15770->15764 15771 7ff780474c3a 15770->15771 15774 7ff78047adbc __free_lconv_mon 11 API calls 15771->15774 15772->15763 15773 7ff780474bd8 15773->15764 15773->15769 15774->15763 15776 7ff78046851c 15775->15776 15777 7ff78046853d FormatMessageW 15776->15777 15778 7ff780468537 GetLastError 15776->15778 15779 7ff78046858c WideCharToMultiByte 15777->15779 15780 7ff780468570 15777->15780 15778->15777 15781 7ff7804685c6 15779->15781 15782 7ff780468583 15779->15782 15783 7ff780462980 54 API calls 15780->15783 15784 7ff780462980 54 API calls 15781->15784 15785 7ff78046bc70 _wfindfirst32i64 8 API calls 15782->15785 15783->15782 15784->15782 15786 7ff7804629fe 15785->15786 15786->15744 15788 7ff780472d3e 15787->15788 15789 7ff780472d2e 15787->15789 15790 7ff780472d47 15788->15790 15797 7ff780472d75 15788->15797 15791 7ff78047ac88 _invalid_parameter_noinfo 37 API calls 15789->15791 15792 7ff78047ac88 _invalid_parameter_noinfo 37 API calls 15790->15792 15793 7ff780472d6d 15791->15793 15792->15793 15793->15764 15793->15769 15793->15770 15793->15773 15796 7ff780473024 15799 7ff78047ac88 _invalid_parameter_noinfo 37 API calls 15796->15799 15797->15789 15797->15793 15797->15796 15801 7ff780473690 15797->15801 15827 7ff780473358 15797->15827 15857 7ff780472be0 15797->15857 15860 7ff7804748b0 15797->15860 15799->15789 15802 7ff780473745 15801->15802 15803 7ff7804736d2 15801->15803 15806 7ff78047374a 15802->15806 15807 7ff78047379f 15802->15807 15804 7ff7804736d8 15803->15804 15805 7ff78047376f 15803->15805 15810 7ff7804737ae 15804->15810 15812 7ff7804736dd 15804->15812 15884 7ff780471c40 15805->15884 15808 7ff78047374c 15806->15808 15809 7ff78047377f 15806->15809 15807->15805 15807->15810 
15825 7ff780473708 15807->15825 15815 7ff78047375b 15808->15815 15818 7ff7804736ed 15808->15818 15891 7ff780471830 15809->15891 15826 7ff7804737dd 15810->15826 15898 7ff780472050 15810->15898 15816 7ff780473720 15812->15816 15812->15818 15812->15825 15815->15805 15819 7ff780473760 15815->15819 15816->15826 15876 7ff7804744b0 15816->15876 15818->15826 15866 7ff780473ff4 15818->15866 15819->15826 15880 7ff780474648 15819->15880 15821 7ff78046bc70 _wfindfirst32i64 8 API calls 15823 7ff780473a73 15821->15823 15823->15797 15825->15826 15905 7ff78047ecc8 15825->15905 15826->15821 15828 7ff780473379 15827->15828 15829 7ff780473363 15827->15829 15830 7ff7804733b7 15828->15830 15833 7ff78047ac88 _invalid_parameter_noinfo 37 API calls 15828->15833 15829->15830 15831 7ff780473745 15829->15831 15832 7ff7804736d2 15829->15832 15830->15797 15836 7ff78047374a 15831->15836 15837 7ff78047379f 15831->15837 15834 7ff7804736d8 15832->15834 15835 7ff78047376f 15832->15835 15833->15830 15838 7ff7804736dd 15834->15838 15839 7ff7804737ae 15834->15839 15840 7ff780471c40 38 API calls 15835->15840 15841 7ff78047377f 15836->15841 15842 7ff78047374c 15836->15842 15837->15835 15837->15839 15855 7ff780473708 15837->15855 15843 7ff7804736ed 15838->15843 15846 7ff780473720 15838->15846 15838->15855 15847 7ff780472050 38 API calls 15839->15847 15856 7ff7804737dd 15839->15856 15840->15855 15844 7ff780471830 38 API calls 15841->15844 15842->15843 15848 7ff78047375b 15842->15848 15845 7ff780473ff4 47 API calls 15843->15845 15843->15856 15844->15855 15845->15855 15849 7ff7804744b0 47 API calls 15846->15849 15846->15856 15847->15855 15848->15835 15850 7ff780473760 15848->15850 15849->15855 15852 7ff780474648 37 API calls 15850->15852 15850->15856 15851 7ff78046bc70 _wfindfirst32i64 8 API calls 15853 7ff780473a73 15851->15853 15852->15855 15853->15797 15854 7ff78047ecc8 47 API calls 15854->15855 15855->15854 15855->15856 15856->15851 16061 7ff780470e04 15857->16061 15861 7ff7804748c7 15860->15861 16078 
7ff78047de28 15861->16078 15867 7ff780474016 15866->15867 15915 7ff780470c70 15867->15915 15871 7ff780474153 15874 7ff7804748b0 45 API calls 15871->15874 15875 7ff7804741dc 15871->15875 15873 7ff7804748b0 45 API calls 15873->15871 15874->15875 15875->15825 15877 7ff7804744c8 15876->15877 15879 7ff780474530 15876->15879 15878 7ff78047ecc8 47 API calls 15877->15878 15877->15879 15878->15879 15879->15825 15883 7ff780474669 15880->15883 15881 7ff78047ac88 _invalid_parameter_noinfo 37 API calls 15882 7ff78047469a 15881->15882 15882->15825 15883->15881 15883->15882 15885 7ff780471c73 15884->15885 15886 7ff780471ca2 15885->15886 15889 7ff780471d5f 15885->15889 15887 7ff780471cdf 15886->15887 15888 7ff780470c70 12 API calls 15886->15888 15887->15825 15888->15887 15890 7ff78047ac88 _invalid_parameter_noinfo 37 API calls 15889->15890 15890->15887 15892 7ff780471863 15891->15892 15893 7ff780471892 15892->15893 15895 7ff78047194f 15892->15895 15894 7ff780470c70 12 API calls 15893->15894 15897 7ff7804718cf 15893->15897 15894->15897 15896 7ff78047ac88 _invalid_parameter_noinfo 37 API calls 15895->15896 15896->15897 15897->15825 15899 7ff780472083 15898->15899 15900 7ff7804720b2 15899->15900 15902 7ff78047216f 15899->15902 15901 7ff780470c70 12 API calls 15900->15901 15903 7ff7804720ef 15900->15903 15901->15903 15904 7ff78047ac88 _invalid_parameter_noinfo 37 API calls 15902->15904 15903->15825 15904->15903 15906 7ff78047ecf0 15905->15906 15907 7ff78047ed35 15906->15907 15908 7ff7804748b0 45 API calls 15906->15908 15910 7ff78047ed1e memcpy_s 15906->15910 15913 7ff78047ecf5 memcpy_s 15906->15913 15907->15910 15907->15913 16058 7ff780480378 15907->16058 15908->15907 15909 7ff78047ac88 _invalid_parameter_noinfo 37 API calls 15909->15913 15910->15909 15910->15913 15913->15825 15916 7ff780470c96 15915->15916 15917 7ff780470ca7 15915->15917 15923 7ff78047e9e0 15916->15923 15917->15916 15945 7ff78047da6c 15917->15945 15920 7ff780470ce8 15922 7ff78047adbc __free_lconv_mon 11 API calls 
calls 18583->18584 18585 7ff78047b4c4 18584->18585 18586 7ff78047adbc __free_lconv_mon 11 API calls 18585->18586 18587 7ff78047b4d1 18586->18587 18588 7ff78047adbc __free_lconv_mon 11 API calls 18587->18588 18589 7ff78047b4de 18588->18589 18590 7ff78047adbc __free_lconv_mon 11 API calls 18589->18590 18591 7ff78047b4eb 18590->18591 18592 7ff78047adbc __free_lconv_mon 11 API calls 18591->18592 18593 7ff78047b4f8 18592->18593 18594 7ff78047adbc __free_lconv_mon 11 API calls 18593->18594 18595 7ff78047b505 18594->18595 18596 7ff78047adbc __free_lconv_mon 11 API calls 18595->18596 18597 7ff78047b515 18596->18597 18598 7ff78047adbc __free_lconv_mon 11 API calls 18597->18598 18599 7ff78047b525 18598->18599 18604 7ff78047b308 18599->18604 18618 7ff780480b68 EnterCriticalSection 18604->18618 18620 7ff78046bf40 18621 7ff78046bf50 18620->18621 18637 7ff780479fe8 18621->18637 18623 7ff78046bf5c 18643 7ff78046c248 18623->18643 18625 7ff78046c52c 7 API calls 18627 7ff78046bff5 18625->18627 18626 7ff78046bf74 _RTC_Initialize 18635 7ff78046bfc9 18626->18635 18648 7ff78046c3f8 18626->18648 18629 7ff78046bf89 18651 7ff780479454 18629->18651 18635->18625 18636 7ff78046bfe5 18635->18636 18638 7ff780479ff9 18637->18638 18639 7ff78047a001 18638->18639 18640 7ff7804752d4 _wfindfirst32i64 11 API calls 18638->18640 18639->18623 18641 7ff78047a010 18640->18641 18642 7ff78047ad54 _invalid_parameter_noinfo 37 API calls 18641->18642 18642->18639 18644 7ff78046c259 18643->18644 18647 7ff78046c25e __scrt_release_startup_lock 18643->18647 18645 7ff78046c52c 7 API calls 18644->18645 18644->18647 18646 7ff78046c2d2 18645->18646 18647->18626 18676 7ff78046c3bc 18648->18676 18650 7ff78046c401 18650->18629 18652 7ff780479474 18651->18652 18666 7ff78046bf95 18651->18666 18653 7ff78047947c 18652->18653 18654 7ff780479492 GetModuleFileNameW 18652->18654 18655 7ff7804752d4 _wfindfirst32i64 11 API calls 18653->18655 18658 7ff7804794bd 18654->18658 18656 7ff780479481 18655->18656 18657 7ff78047ad54 
_invalid_parameter_noinfo 37 API calls 18656->18657 18657->18666 18659 7ff7804793f4 11 API calls 18658->18659 18660 7ff7804794fd 18659->18660 18661 7ff780479505 18660->18661 18665 7ff78047951d 18660->18665 18662 7ff7804752d4 _wfindfirst32i64 11 API calls 18661->18662 18663 7ff78047950a 18662->18663 18664 7ff78047adbc __free_lconv_mon 11 API calls 18663->18664 18664->18666 18668 7ff78047956b 18665->18668 18669 7ff780479584 18665->18669 18673 7ff78047953f 18665->18673 18666->18635 18675 7ff78046c4cc InitializeSListHead 18666->18675 18667 7ff78047adbc __free_lconv_mon 11 API calls 18667->18666 18670 7ff78047adbc __free_lconv_mon 11 API calls 18668->18670 18669->18669 18671 7ff78047adbc __free_lconv_mon 11 API calls 18669->18671 18672 7ff780479574 18670->18672 18671->18673 18674 7ff78047adbc __free_lconv_mon 11 API calls 18672->18674 18673->18667 18674->18666 18677 7ff78046c3d6 18676->18677 18679 7ff78046c3cf 18676->18679 18680 7ff78047a62c 18677->18680 18679->18650 18683 7ff78047a268 18680->18683 18690 7ff780480b68 EnterCriticalSection 18683->18690

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        • _get_daylight.LIBCMT ref: 00007FF780486265
                                                                                          • Part of subcall function 00007FF780485BB8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF780485BCC
                                                                                          • Part of subcall function 00007FF78047ADBC: RtlRestoreThreadPreferredUILanguages.NTDLL(?,?,?,00007FF780483242,?,?,?,00007FF78048327F,?,?,00000000,00007FF780483745,?,?,00000000,00007FF780483677), ref: 00007FF78047ADD2
                                                                                          • Part of subcall function 00007FF78047ADBC: GetLastError.KERNEL32(?,?,?,00007FF780483242,?,?,?,00007FF78048327F,?,?,00000000,00007FF780483745,?,?,00000000,00007FF780483677), ref: 00007FF78047ADDC
                                                                                          • Part of subcall function 00007FF78047AD74: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FF78047AD53,?,?,?,?,?,00007FF78047307C), ref: 00007FF78047AD7D
                                                                                          • Part of subcall function 00007FF78047AD74: GetCurrentProcess.KERNEL32(?,?,?,?,00007FF78047AD53,?,?,?,?,?,00007FF78047307C), ref: 00007FF78047ADA2
                                                                                        • _get_daylight.LIBCMT ref: 00007FF780486254
                                                                                          • Part of subcall function 00007FF780485C18: _invalid_parameter_noinfo.LIBCMT ref: 00007FF780485C2C
                                                                                        • _get_daylight.LIBCMT ref: 00007FF7804864CA
                                                                                        • _get_daylight.LIBCMT ref: 00007FF7804864DB
                                                                                        • _get_daylight.LIBCMT ref: 00007FF7804864EC
                                                                                        • GetTimeZoneInformation.KERNELBASE(?,?,?,?,?,?,?,?,?,00000000,?,00007FF78048672C), ref: 00007FF780486513
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3085053479.00007FF780461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF780460000, based on PE: true
                                                                                        • Associated: 00000001.00000002.3085004771.00007FF780460000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085119453.00007FF78048B000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085187459.00007FF78049E000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085187459.00007FF7804A0000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085260744.00007FF7804A2000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_7ff780460000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: _get_daylight$_invalid_parameter_noinfo$CurrentErrorFeatureInformationLanguagesLastPreferredPresentProcessProcessorRestoreThreadTimeZone
                                                                                        • String ID: Eastern Standard Time$Eastern Summer Time
                                                                                        • API String ID: 1458651798-239921721

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3085053479.00007FF780461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF780460000, based on PE: true
                                                                                        • Associated: 00000001.00000002.3085004771.00007FF780460000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085119453.00007FF78048B000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085187459.00007FF78049E000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085187459.00007FF7804A0000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085260744.00007FF7804A2000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_7ff780460000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type
                                                                                        • String ID:
                                                                                        • API String ID: 1617910340-0

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        • GetTempPathW.KERNEL32(00000000,?,00000000,00000000,?,00007FF78046154F), ref: 00007FF780467997
                                                                                          • Part of subcall function 00007FF780467B10: GetEnvironmentVariableW.KERNEL32(00007FF7804639CF), ref: 00007FF780467B4A
                                                                                          • Part of subcall function 00007FF780467B10: ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF780467B67
                                                                                          • Part of subcall function 00007FF780477C9C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF780477CB5
                                                                                        • SetEnvironmentVariableW.KERNEL32 ref: 00007FF780467A51
                                                                                          • Part of subcall function 00007FF780462AD0: MessageBoxW.USER32 ref: 00007FF780462BA5
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3085053479.00007FF780461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF780460000, based on PE: true
                                                                                        • Associated: 00000001.00000002.3085004771.00007FF780460000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085119453.00007FF78048B000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085187459.00007FF78049E000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085187459.00007FF7804A0000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085260744.00007FF7804A2000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_7ff780460000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: Environment$Variable$ExpandMessagePathStringsTemp_invalid_parameter_noinfo
                                                                                        • String ID: LOADER: Failed to set the TMP environment variable.$TMP$TMP$_MEI%d
                                                                                        • API String ID: 3752271684-1116378104

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        • _get_daylight.LIBCMT ref: 00007FF7804864CA
                                                                                          • Part of subcall function 00007FF780485C18: _invalid_parameter_noinfo.LIBCMT ref: 00007FF780485C2C
                                                                                        • _get_daylight.LIBCMT ref: 00007FF7804864DB
                                                                                          • Part of subcall function 00007FF780485BB8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF780485BCC
                                                                                        • _get_daylight.LIBCMT ref: 00007FF7804864EC
                                                                                          • Part of subcall function 00007FF780485BE8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF780485BFC
                                                                                          • Part of subcall function 00007FF78047ADBC: RtlRestoreThreadPreferredUILanguages.NTDLL(?,?,?,00007FF780483242,?,?,?,00007FF78048327F,?,?,00000000,00007FF780483745,?,?,00000000,00007FF780483677), ref: 00007FF78047ADD2
                                                                                          • Part of subcall function 00007FF78047ADBC: GetLastError.KERNEL32(?,?,?,00007FF780483242,?,?,?,00007FF78048327F,?,?,00000000,00007FF780483745,?,?,00000000,00007FF780483677), ref: 00007FF78047ADDC
                                                                                        • GetTimeZoneInformation.KERNELBASE(?,?,?,?,?,?,?,?,?,00000000,?,00007FF78048672C), ref: 00007FF780486513
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3085053479.00007FF780461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF780460000, based on PE: true
                                                                                        • Associated: 00000001.00000002.3085004771.00007FF780460000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085119453.00007FF78048B000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085187459.00007FF78049E000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085187459.00007FF7804A0000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085260744.00007FF7804A2000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_7ff780460000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: _get_daylight_invalid_parameter_noinfo$ErrorInformationLanguagesLastPreferredRestoreThreadTimeZone
                                                                                        • String ID: Eastern Standard Time$Eastern Summer Time
                                                                                        • API String ID: 2248164782-239921721

                                                                                        Control-flow Graph

                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3085053479.00007FF780461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF780460000, based on PE: true
                                                                                        • Associated: 00000001.00000002.3085004771.00007FF780460000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085119453.00007FF78048B000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085187459.00007FF78049E000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085187459.00007FF7804A0000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085260744.00007FF7804A2000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_7ff780460000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: Message
                                                                                        • String ID: Failed to create symbolic link %s!$Failed to extract %s: failed to allocate temporary buffer!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to open target file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$Failed to extract %s: failed to write data chunk!$fopen$fread$fseek$fwrite$malloc$pyi_arch_extract2fs was called before temporary directory was initialized!
                                                                                        • API String ID: 2030045667-3833288071
                                                                                        • Opcode ID: 56d7aa811fbca5feca8ef37c82d0c319a1dae22a4ee3857acdf66dced49507f3
                                                                                        • Instruction ID: bee7efdbbf4f4d4db43b27b9c7ed7b68b4179cf2db7d342614393a1d8f67861d
                                                                                        • Opcode Fuzzy Hash: 56d7aa811fbca5feca8ef37c82d0c319a1dae22a4ee3857acdf66dced49507f3
                                                                                        • Instruction Fuzzy Hash: BF51C0A5B8864689FA10BB51E8502B9E350BF46784FE80431DE2E477E6EF3CF548C360

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        • GetCurrentProcess.KERNEL32(0000000100000001,00007FF7804640FC,00007FF7804678C1,?,00007FF780467CD6,?,00007FF780461785), ref: 00007FF780468940
                                                                                        • OpenProcessToken.ADVAPI32(?,00007FF780467CD6,?,00007FF780461785), ref: 00007FF780468951
                                                                                        • GetTokenInformation.KERNELBASE(?,00007FF780467CD6(TokenIntegrityLevel),?,00007FF780461785), ref: 00007FF780468973
                                                                                        • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00007FF780461785), ref: 00007FF78046897D
                                                                                        • GetTokenInformation.KERNELBASE(?,TokenIntegrityLevel,?,00007FF780461785), ref: 00007FF7804689BA
                                                                                        • ConvertSidToStringSidW.ADVAPI32 ref: 00007FF7804689CC
                                                                                        • FindCloseChangeNotification.KERNELBASE(?,00007FF780467CD6,?,00007FF780461785), ref: 00007FF7804689E4
                                                                                        • LocalFree.KERNEL32(?,00007FF780467CD6,?,00007FF780461785), ref: 00007FF780468A16
                                                                                        • ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32 ref: 00007FF780468A3D
                                                                                        • CreateDirectoryW.KERNELBASE(?,00007FF780467CD6,?,00007FF780461785), ref: 00007FF780468A4E
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3085053479.00007FF780461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF780460000, based on PE: true
                                                                                        • Associated: 00000001.00000002.3085004771.00007FF780460000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085119453.00007FF78048B000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085187459.00007FF78049E000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085187459.00007FF7804A0000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085260744.00007FF7804A2000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_7ff780460000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: Token$ConvertDescriptorInformationProcessSecurityString$ChangeCloseCreateCurrentDirectoryErrorFindFreeLastLocalNotificationOpen
                                                                                        • String ID: D:(A;;FA;;;%s)$S-1-3-4
                                                                                        • API String ID: 2187719417-2855260032
                                                                                        • Opcode ID: 90ebf2f26be8beb1182b16197f792526db4e5563267f58c35507d236bbb67ebc
                                                                                        • Instruction ID: 53cfb324a2be4ce95bd9726a93feab89c0ef9124a5910fa48caee92736b7c188
                                                                                        • Opcode Fuzzy Hash: 90ebf2f26be8beb1182b16197f792526db4e5563267f58c35507d236bbb67ebc
                                                                                        • Instruction Fuzzy Hash: 6041B37264CA8682E710AF50E4446BAB360FF86794FA40635EA6E47BD5EF3CF448C750

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3085053479.00007FF780461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF780460000, based on PE: true
                                                                                        • Associated: 00000001.00000002.3085004771.00007FF780460000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085119453.00007FF78048B000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085187459.00007FF78049E000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085187459.00007FF7804A0000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085260744.00007FF7804A2000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_7ff780460000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: _fread_nolock$Message
                                                                                        • String ID: Could not allocate buffer for TOC!$Could not read full TOC!$Error on file.$Failed to read cookie!$Failed to seek to cookie position!$MEI$fread$fseek$malloc
                                                                                        • API String ID: 677216364-1384898525
                                                                                        • Opcode ID: e4112ef9884e2b94e2e59e1c675272ab3b687520ab98955ab63e378d82afa3a3
                                                                                        • Instruction ID: 3c4cf7573dde6f0d17bdc9321dc45dcc196dfe0b91488d3c880e0a8b1812950c
                                                                                        • Opcode Fuzzy Hash: e4112ef9884e2b94e2e59e1c675272ab3b687520ab98955ab63e378d82afa3a3
                                                                                        • Instruction Fuzzy Hash: 0551F1B5A896028AEB24EF68E44117DB3A0FF4AB44FA44535DA1D437E9EE3CF444C750

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3085053479.00007FF780461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF780460000, based on PE: true
                                                                                        • Associated: 00000001.00000002.3085004771.00007FF780460000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085119453.00007FF78048B000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085187459.00007FF78049E000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085187459.00007FF7804A0000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085260744.00007FF7804A2000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_7ff780460000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: Process_invalid_parameter_noinfo$ByteCharCodeCommandConsoleCreateCtrlExitHandlerInfoLineMultiObjectSingleStartupWaitWide
                                                                                        • String ID: CreateProcessW$Error creating child process!
                                                                                        • API String ID: 2895956056-3524285272
                                                                                        • Opcode ID: fafdda5ddf50bf931e4371b54ee8bd5a967635855b06c6fad95867fb7cb72d2f
                                                                                        • Instruction ID: 22ee43fdeeae71dfd0ff9a1123fe57a2cf4a36bd8ef51da587942a381882cfd0
                                                                                        • Opcode Fuzzy Hash: fafdda5ddf50bf931e4371b54ee8bd5a967635855b06c6fad95867fb7cb72d2f
                                                                                        • Instruction Fuzzy Hash: 43416731A4878685EA20EB20F4592AAF350FF96364FA00739E6AD477D5DF7CE048CB50

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                          • Part of subcall function 00007FF780463E70: GetModuleFileNameW.KERNEL32(?,00007FF78046399A), ref: 00007FF780463EA1
                                                                                        • SetDllDirectoryW.KERNEL32 ref: 00007FF780463B99
                                                                                          • Part of subcall function 00007FF780467B10: GetEnvironmentVariableW.KERNEL32(00007FF7804639CF), ref: 00007FF780467B4A
                                                                                          • Part of subcall function 00007FF780467B10: ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF780467B67
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3085053479.00007FF780461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF780460000, based on PE: true
                                                                                        • Associated: 00000001.00000002.3085004771.00007FF780460000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085119453.00007FF78048B000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085187459.00007FF78049E000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085187459.00007FF7804A0000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085260744.00007FF7804A2000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_7ff780460000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: Environment$DirectoryExpandFileModuleNameStringsVariable
                                                                                        • String ID: Cannot open PyInstaller archive from executable (%s) or external archive (%s)$Cannot side-load external archive %s (code %d)!$Failed to convert DLL search path!$MEI$_MEIPASS2$_PYI_ONEDIR_MODE
                                                                                        • API String ID: 2344891160-3602715111
                                                                                        • Opcode ID: a137445b6cdc3ed0ebd60ad0c220470d7bf9d435245182f2f13a22363e9e844b
                                                                                        • Instruction ID: 565127699444b3045838f37df10a5aefe7ebd7db4a85cf3a2923d8adcca20632
                                                                                        • Opcode Fuzzy Hash: a137445b6cdc3ed0ebd60ad0c220470d7bf9d435245182f2f13a22363e9e844b
                                                                                        • Instruction Fuzzy Hash: AFB1D2A5B9C68740FA24BB2194522BDE350BF46B85FE00036EA6E477D6FE2CF505C720

                                                                                        Control-flow Graph

                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3085053479.00007FF780461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF780460000, based on PE: true
                                                                                        • Associated: 00000001.00000002.3085004771.00007FF780460000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085119453.00007FF78048B000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085187459.00007FF78049E000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085187459.00007FF7804A0000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085260744.00007FF7804A2000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_7ff780460000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: Message
                                                                                        • String ID: 1.2.13$Failed to extract %s: decompression resulted in return code %d!$Failed to extract %s: failed to allocate temporary input buffer!$Failed to extract %s: failed to allocate temporary output buffer!$Failed to extract %s: inflateInit() failed with return code %d!$malloc
                                                                                        • API String ID: 2030045667-1655038675
                                                                                        • Opcode ID: 010d2da71d76f601e21c2517d108d9f89f1f02051c7f464661b87687c8278743
                                                                                        • Instruction ID: 5a6024e1ce49b4ea61003a156c4d17396340eccd22e7b7c83fd520921ad32563
                                                                                        • Opcode Fuzzy Hash: 010d2da71d76f601e21c2517d108d9f89f1f02051c7f464661b87687c8278743
                                                                                        • Instruction Fuzzy Hash: BF5106A6A4968289FA20BB91A4503BAE290FF86794FE80131DE5E577D5FF3CF444C350

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3085053479.00007FF780461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF780460000, based on PE: true
                                                                                        • Associated: 00000001.00000002.3085004771.00007FF780460000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085119453.00007FF78048B000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085187459.00007FF78049E000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085187459.00007FF7804A0000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085260744.00007FF7804A2000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_7ff780460000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: _invalid_parameter_noinfo
                                                                                        • String ID:
                                                                                        • API String ID: 3215553584-0
                                                                                        • Opcode ID: 88e1c9a1ea80b03e63d62f335d46b43c455bbfab910beac512b62ca1cc935949
                                                                                        • Instruction ID: f6972bb0a52779bef75c06a612404cc8a20d3d9aa2af00b0f81e9dac6fe98d05
                                                                                        • Opcode Fuzzy Hash: 88e1c9a1ea80b03e63d62f335d46b43c455bbfab910beac512b62ca1cc935949
                                                                                        • Instruction Fuzzy Hash: 23C12622D4C78A81E620AB5594482BDB791FF82B80FF54139DA4E077D2CE7CF459C760

                                                                                        APIs
                                                                                        • GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,?,00000000,00000000,00007FF78047D3BB), ref: 00007FF78047D4EC
                                                                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,?,00000000,00000000,00007FF78047D3BB), ref: 00007FF78047D577
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3085053479.00007FF780461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF780460000, based on PE: true
                                                                                        • Associated: 00000001.00000002.3085004771.00007FF780460000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085119453.00007FF78048B000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085187459.00007FF78049E000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085187459.00007FF7804A0000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085260744.00007FF7804A2000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_7ff780460000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: ConsoleErrorLastMode
                                                                                        • String ID:
                                                                                        • API String ID: 953036326-0
                                                                                        • Opcode ID: 813048f28f07144688fb23e83c74998d7ce6929819ff7ff72a59b30d9d7db0ba
                                                                                        • Instruction ID: 8ae2c2740972f638575ab2d3e7b299c7551c7186e5c3d288dd5136539b430aba
                                                                                        • Opcode Fuzzy Hash: 813048f28f07144688fb23e83c74998d7ce6929819ff7ff72a59b30d9d7db0ba
                                                                                        • Instruction Fuzzy Hash: D0910562E6865999F750AF2594482BDABB0BB46B88FB40139DE0E637C5CF39F441C720

                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3085053479.00007FF780461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF780460000, based on PE: true
                                                                                        • Associated: 00000001.00000002.3085004771.00007FF780460000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085119453.00007FF78048B000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085187459.00007FF78049E000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085187459.00007FF7804A0000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085260744.00007FF7804A2000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_7ff780460000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: _get_daylight$_isindst
                                                                                        • String ID:
                                                                                        • API String ID: 4170891091-0
                                                                                        • Opcode ID: 81266db9261f470eac97443019771647f4442bde83bb1ca56588bed4861e4902
                                                                                        • Instruction ID: a871acddb1f6784d82c6691b5cdafb4f07bb7fd39c8a28eee31ab104b2ae68a1
                                                                                        • Opcode Fuzzy Hash: 81266db9261f470eac97443019771647f4442bde83bb1ca56588bed4861e4902
                                                                                        • Instruction Fuzzy Hash: 43510472F442198AFB34EF6499596BCA7A1BB0A358FA00135DE1E43BE5DB3CB401C610

                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3085053479.00007FF780461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF780460000, based on PE: true
                                                                                        • Associated: 00000001.00000002.3085004771.00007FF780460000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085119453.00007FF78048B000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085187459.00007FF78049E000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085187459.00007FF7804A0000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085260744.00007FF7804A2000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_7ff780460000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: File$ErrorHandleInformationLastNamedPeekPipeType
                                                                                        • String ID:
                                                                                        • API String ID: 2780335769-0
                                                                                        • Opcode ID: 823bc4b7895e64041388563b137a53e79ea0458c6c4433e51eb2cabf685c1cf3
                                                                                        • Instruction ID: 65041617b052356e98e80e04cf00d901107fe605013c3c35cef7d2587bc8c849
                                                                                        • Opcode Fuzzy Hash: 823bc4b7895e64041388563b137a53e79ea0458c6c4433e51eb2cabf685c1cf3
                                                                                        • Instruction Fuzzy Hash: 61517B22E486458AFB14EFB194443BDA3A1BB4AB58FA48534DE0D4B789DF78E480C760
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3085053479.00007FF780461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF780460000, based on PE: true
                                                                                        • Associated: 00000001.00000002.3085004771.00007FF780460000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085119453.00007FF78048B000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085187459.00007FF78049E000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085187459.00007FF7804A0000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085260744.00007FF7804A2000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_7ff780460000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_initialize_crt__scrt_release_startup_lock
                                                                                        • String ID:
                                                                                        • API String ID: 1452418845-0
                                                                                        • Opcode ID: 989d74823dce4e07038ae679384eaff95f144168f5a330d89d565e0032f8335b
                                                                                        • Instruction ID: b3fab96428c03301ceb8c7bfb5e2dae6e0761df49f976a0323e0827581265764
                                                                                        • Opcode Fuzzy Hash: 989d74823dce4e07038ae679384eaff95f144168f5a330d89d565e0032f8335b
                                                                                        • Instruction Fuzzy Hash: 36315A98ECD24685FA10BB659C123B99291BF47784FF44435DA2E473E3EE2CB804C630
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3085053479.00007FF780461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF780460000, based on PE: true
                                                                                        • Associated: 00000001.00000002.3085004771.00007FF780460000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085119453.00007FF78048B000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085187459.00007FF78049E000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085187459.00007FF7804A0000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085260744.00007FF7804A2000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_7ff780460000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: CloseCreateFileHandle_invalid_parameter_noinfo
                                                                                        • String ID:
                                                                                        • API String ID: 1279662727-0
                                                                                        • Opcode ID: 8330fbe86a8e64e3f91f5c5efae5bf7079270d6d2016f834dd7ca72263857405
                                                                                        • Instruction ID: fe8af34abbc62549dbef83d08ff1f2a00fc72e95157b965af1f459f2d83fc13f
                                                                                        • Opcode Fuzzy Hash: 8330fbe86a8e64e3f91f5c5efae5bf7079270d6d2016f834dd7ca72263857405
                                                                                        • Instruction Fuzzy Hash: CD41C262D5878683F750AB209508369A361FB967A4F608334E65C0BBD6DFACB4E0C750
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3085053479.00007FF780461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF780460000, based on PE: true
                                                                                        • Associated: 00000001.00000002.3085004771.00007FF780460000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085119453.00007FF78048B000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085187459.00007FF78049E000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085187459.00007FF7804A0000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085260744.00007FF7804A2000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_7ff780460000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: _invalid_parameter_noinfo
                                                                                        • String ID:
                                                                                        • API String ID: 3215553584-0
                                                                                        • Opcode ID: 6b7680b3bcbb8eaaf0e877e0260c2ab7d77a5c93d054cda2ecea2d07a9930033
                                                                                        • Instruction ID: 73cc9a45452d1ca6d3f03c24f4d99e580b174b756a29c0624b8b961d9339f130
                                                                                        • Opcode Fuzzy Hash: 6b7680b3bcbb8eaaf0e877e0260c2ab7d77a5c93d054cda2ecea2d07a9930033
                                                                                        • Instruction Fuzzy Hash: 7B51E862B4A649C6FB64BA25940867AE281BF46BA8F744730DE6C477C7CE3CF401C620
                                                                                        APIs
                                                                                        • FindCloseChangeNotification.KERNELBASE(?,?,?,00007FF78047AE49,?,?,00000000,00007FF78047AEFE), ref: 00007FF78047B03A
                                                                                        • GetLastError.KERNEL32(?,?,?,00007FF78047AE49,?,?,00000000,00007FF78047AEFE), ref: 00007FF78047B044
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3085053479.00007FF780461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF780460000, based on PE: true
                                                                                        • Associated: 00000001.00000002.3085004771.00007FF780460000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085119453.00007FF78048B000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085187459.00007FF78049E000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085187459.00007FF7804A0000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085260744.00007FF7804A2000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_7ff780460000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: ChangeCloseErrorFindLastNotification
                                                                                        • String ID:
                                                                                        • API String ID: 1687624791-0
                                                                                        • Opcode ID: 6170cc4eb7f8a211f93c3058b2a6b96cbe2caf4abb4c03e26e4b27c932d2f390
                                                                                        • Instruction ID: 7a0a508efeaba3fb72fbf63f3c646b86a364ca0e22476a3655e7986a0765a750
                                                                                        • Opcode Fuzzy Hash: 6170cc4eb7f8a211f93c3058b2a6b96cbe2caf4abb4c03e26e4b27c932d2f390
                                                                                        • Instruction Fuzzy Hash: 2121F621B8868A40FAA0B731A54C37E92817F827A4FA44239DA2D473C6DEACF444C260
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3085053479.00007FF780461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF780460000, based on PE: true
                                                                                        • Associated: 00000001.00000002.3085004771.00007FF780460000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085119453.00007FF78048B000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085187459.00007FF78049E000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085187459.00007FF7804A0000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085260744.00007FF7804A2000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_7ff780460000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: ErrorFileLastPointer
                                                                                        • String ID:
                                                                                        • API String ID: 2976181284-0
                                                                                        • Opcode ID: d2754895f39f4531699b063916d8cff08a38131cd30492f825c16e667bfad8ec
                                                                                        • Instruction ID: d99a362dc6af296160a2eb7d463aa39417cd018405817009c82e130916a4ad96
                                                                                        • Opcode Fuzzy Hash: d2754895f39f4531699b063916d8cff08a38131cd30492f825c16e667bfad8ec
                                                                                        • Instruction Fuzzy Hash: A0110162608B8585DA10AB25B448069A361BB46BF4FA40335EE7D0B7D9CF7CF051C740
                                                                                        APIs
                                                                                        • FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF780475721), ref: 00007FF78047583F
                                                                                        • SystemTimeToTzSpecificLocalTime.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF780475721), ref: 00007FF780475855
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3085053479.00007FF780461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF780460000, based on PE: true
                                                                                        • Associated: 00000001.00000002.3085004771.00007FF780460000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085119453.00007FF78048B000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085187459.00007FF78049E000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085187459.00007FF7804A0000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085260744.00007FF7804A2000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_7ff780460000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: Time$System$FileLocalSpecific
                                                                                        • String ID:
                                                                                        • API String ID: 1707611234-0
                                                                                        • Opcode ID: e169e446838a7aad007a8c0f6e6949338ca490429260dbb3519950af577c72df
                                                                                        • Instruction ID: 1d570a104741c9f1869b30086b70677fd25eea7ce0344f7f8eb8369334000b9b
                                                                                        • Opcode Fuzzy Hash: e169e446838a7aad007a8c0f6e6949338ca490429260dbb3519950af577c72df
                                                                                        • Instruction Fuzzy Hash: 0311A77164C616C2EB64AB11A41503FF760FB86771FA00335FA9D46AE8EF6CE054CB10
                                                                                        APIs
                                                                                        • RtlRestoreThreadPreferredUILanguages.NTDLL(?,?,?,00007FF780483242,?,?,?,00007FF78048327F,?,?,00000000,00007FF780483745,?,?,00000000,00007FF780483677), ref: 00007FF78047ADD2
                                                                                        • GetLastError.KERNEL32(?,?,?,00007FF780483242,?,?,?,00007FF78048327F,?,?,00000000,00007FF780483745,?,?,00000000,00007FF780483677), ref: 00007FF78047ADDC
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3085053479.00007FF780461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF780460000, based on PE: true
                                                                                        • Associated: 00000001.00000002.3085004771.00007FF780460000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085119453.00007FF78048B000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085187459.00007FF78049E000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085187459.00007FF7804A0000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085260744.00007FF7804A2000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_7ff780460000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: ErrorLanguagesLastPreferredRestoreThread
                                                                                        • String ID:
                                                                                        • API String ID: 588628887-0
                                                                                        • Opcode ID: 92aa6fa4a4478f210322fde5844eda42a43ebcff71f72a5b298b127ef056a90d
                                                                                        • Instruction ID: 29bc21c0a82bac1461df468d623cebf470ef17a549783db3c45dbd4d3c2b3a48
                                                                                        • Opcode Fuzzy Hash: 92aa6fa4a4478f210322fde5844eda42a43ebcff71f72a5b298b127ef056a90d
                                                                                        • Instruction Fuzzy Hash: 45E04610E8920A46FB187BF25849076A192BF8AB01BE44834D91D4B3E2EE6C7899C660
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3085053479.00007FF780461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF780460000, based on PE: true
                                                                                        • Associated: 00000001.00000002.3085004771.00007FF780460000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085119453.00007FF78048B000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085187459.00007FF78049E000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085187459.00007FF7804A0000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085260744.00007FF7804A2000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_7ff780460000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: _invalid_parameter_noinfo
                                                                                        • String ID:
                                                                                        • API String ID: 3215553584-0
                                                                                        • Opcode ID: 0f81d7c0ab4aef1fc6aa925a0828f2714494c290b473dbacdd844052ec445c74
                                                                                        • Instruction ID: 19bddf2310f223dbe9875ac88de986c4311733b6926d0f054de28a945d91d95e
                                                                                        • Opcode Fuzzy Hash: 0f81d7c0ab4aef1fc6aa925a0828f2714494c290b473dbacdd844052ec445c74
                                                                                        • Instruction Fuzzy Hash: E741E33294820983FA34EB19A458279B3A0FB57B40FA40135DA8E837D1CF6CF406CB61
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3085053479.00007FF780461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF780460000, based on PE: true
                                                                                        • Associated: 00000001.00000002.3085004771.00007FF780460000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085119453.00007FF78048B000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085187459.00007FF78049E000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085187459.00007FF7804A0000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085260744.00007FF7804A2000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_7ff780460000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: _fread_nolock
                                                                                        • String ID:
                                                                                        • API String ID: 840049012-0
                                                                                        • Opcode ID: b70e9e57c4df5ae086cffd89b02b965371bbc658e0ab03ac46021d6a7c41c4cb
                                                                                        • Instruction ID: 184fb4c5f01d093bf8c742c6f218f9c204bc47326bcb4d417c73208eedead426
                                                                                        • Opcode Fuzzy Hash: b70e9e57c4df5ae086cffd89b02b965371bbc658e0ab03ac46021d6a7c41c4cb
                                                                                        • Instruction Fuzzy Hash: DB21B465B8939586FA14BA5265043BAE741BF46FC4FE85034EE1C0B7C6EE3DF085C210
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3085053479.00007FF780461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF780460000, based on PE: true
                                                                                        • Associated: 00000001.00000002.3085004771.00007FF780460000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085119453.00007FF78048B000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085187459.00007FF78049E000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085187459.00007FF7804A0000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085260744.00007FF7804A2000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_7ff780460000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: _invalid_parameter_noinfo
                                                                                        • String ID:
                                                                                        • API String ID: 3215553584-0
                                                                                        • Opcode ID: 4fc26fdc08108ed44d7d55adeff722dd0293d64556b497ec72aef404f0094ea5
                                                                                        • Instruction ID: 4a27b5d0c89e8d176b652bbe4d5d9bf6230a82ecb64acbb43e7d5bf8eee0702c
                                                                                        • Opcode Fuzzy Hash: 4fc26fdc08108ed44d7d55adeff722dd0293d64556b497ec72aef404f0094ea5
                                                                                        • Instruction Fuzzy Hash: 5031AE22E9860A85F7117B6588493B8A650BF42B60FB10175EA1D0B3D3DFBCB446C7B0
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3085053479.00007FF780461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF780460000, based on PE: true
                                                                                        • Associated: 00000001.00000002.3085004771.00007FF780460000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085119453.00007FF78048B000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085187459.00007FF78049E000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085187459.00007FF7804A0000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085260744.00007FF7804A2000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_7ff780460000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: _invalid_parameter_noinfo
                                                                                        • String ID:
                                                                                        • API String ID: 3215553584-0
                                                                                        • Opcode ID: 2d9ead00eaff111a2746de835e460df0b27a55040472c8608b554fecfd086cef
                                                                                        • Instruction ID: 06fd30990bbad7dae98b9c4e6ceb4940da787bef8f001008799d1af6631947d0
                                                                                        • Opcode Fuzzy Hash: 2d9ead00eaff111a2746de835e460df0b27a55040472c8608b554fecfd086cef
                                                                                        • Instruction Fuzzy Hash: E4118421E4C68981FAA0BF519404279E261FF86B80FA44471EA4C5BBD7DF7DF440CB60
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3085053479.00007FF780461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF780460000, based on PE: true
                                                                                        • Associated: 00000001.00000002.3085004771.00007FF780460000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085119453.00007FF78048B000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085187459.00007FF78049E000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085187459.00007FF7804A0000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085260744.00007FF7804A2000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_7ff780460000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: _invalid_parameter_noinfo
                                                                                        • String ID:
                                                                                        • API String ID: 3215553584-0
                                                                                        • Opcode ID: 77e422677ed0f0292d92bddf94073a46de344efde8307fb90f807d340dc124d1
                                                                                        • Instruction ID: 0a8714ba10c5fd86533e0aa6cb9ce3ab3689d3d5fab8f0b7079f2ca11fd9f578
                                                                                        • Opcode Fuzzy Hash: 77e422677ed0f0292d92bddf94073a46de344efde8307fb90f807d340dc124d1
                                                                                        • Instruction Fuzzy Hash: 2521A772A0864187DB61AF18D440379B6A0FB85B94FB44634E66D877E6DF3CF400CB10
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3085053479.00007FF780461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF780460000, based on PE: true
                                                                                        • Associated: 00000001.00000002.3085004771.00007FF780460000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085119453.00007FF78048B000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085187459.00007FF78049E000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085187459.00007FF7804A0000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085260744.00007FF7804A2000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_7ff780460000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: _invalid_parameter_noinfo
                                                                                        • String ID:
                                                                                        • API String ID: 3215553584-0
                                                                                        • Opcode ID: ee54c206e1a887ae3f5b6e147e49aa8ebcc01f78c4b161cd5f93b6e21ddd325d
                                                                                        • Instruction ID: a98e7ebb70bf053a17eb87350efa69aa6f58b3d5f1a2e337db765637cd78de0a
                                                                                        • Opcode Fuzzy Hash: ee54c206e1a887ae3f5b6e147e49aa8ebcc01f78c4b161cd5f93b6e21ddd325d
                                                                                        • Instruction Fuzzy Hash: 7101A161A4874980EA14EF66990416DE695BF87FE0FA84A30DE6C17BD7CE7CF401C710
                                                                                        APIs
                                                                                        • RtlAllocateHeap.NTDLL(?,?,00000000,00007FF78047B856,?,?,?,00007FF78047AA17,?,?,00000000,00007FF78047ACB2), ref: 00007FF78047F05D
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3085053479.00007FF780461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF780460000, based on PE: true
                                                                                        • Associated: 00000001.00000002.3085004771.00007FF780460000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085119453.00007FF78048B000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085187459.00007FF78049E000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085187459.00007FF7804A0000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085260744.00007FF7804A2000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_7ff780460000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: AllocateHeap
                                                                                        • String ID:
                                                                                        • API String ID: 1279760036-0
                                                                                        • Opcode ID: d2154baaab5edae7bc7907bf5257eb9f528b57456f95640f52a2cb754ca5723e
                                                                                        • Instruction ID: b9a31763515d8d7ad2029653c743224a5fef439e3b17121f116477b966042f9e
                                                                                        • Opcode Fuzzy Hash: d2154baaab5edae7bc7907bf5257eb9f528b57456f95640f52a2cb754ca5723e
                                                                                        • Instruction Fuzzy Hash: 34F06D10B8928F80FE647BA259192B58280BF8AB80FEC4430C90E873D3DE5CF491C230
                                                                                        APIs
                                                                                        • RtlAllocateHeap.NTDLL(?,?,?,00007FF780470CD4,?,?,?,00007FF7804721E6,?,?,?,?,?,00007FF7804737D9), ref: 00007FF78047DAAA
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3085053479.00007FF780461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF780460000, based on PE: true
                                                                                        • Associated: 00000001.00000002.3085004771.00007FF780460000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085119453.00007FF78048B000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085187459.00007FF78049E000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085187459.00007FF7804A0000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085260744.00007FF7804A2000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_7ff780460000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: AllocateHeap
                                                                                        • String ID:
                                                                                        • API String ID: 1279760036-0
                                                                                        • Opcode ID: ac7f90ef84a43579440295641893f664450049ee933c546221e404ff14d7af2e
                                                                                        • Instruction ID: 20a2f30cc104d4bd6944ad74f394b6128b8ff77adbe2491c47d55ef94a121ee0
                                                                                        • Opcode Fuzzy Hash: ac7f90ef84a43579440295641893f664450049ee933c546221e404ff14d7af2e
                                                                                        • Instruction Fuzzy Hash: 56F08210F9D34F44FE5476B158096B592A07F96760FA84630DD2E473C2DE9DB441C130
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3085053479.00007FF780461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF780460000, based on PE: true
                                                                                        • Associated: 00000001.00000002.3085004771.00007FF780460000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085119453.00007FF78048B000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085187459.00007FF78049E000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085187459.00007FF7804A0000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085260744.00007FF7804A2000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_7ff780460000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: AddressProc
                                                                                        • String ID: Failed to get address for PyConfig_Clear$Failed to get address for PyConfig_InitIsolatedConfig$Failed to get address for PyConfig_Read$Failed to get address for PyConfig_SetBytesString$Failed to get address for PyConfig_SetString$Failed to get address for PyConfig_SetWideStringList$Failed to get address for PyErr_Clear$Failed to get address for PyErr_Fetch$Failed to get address for PyErr_NormalizeException$Failed to get address for PyErr_Occurred$Failed to get address for PyErr_Print$Failed to get address for PyErr_Restore$Failed to get address for PyEval_EvalCode$Failed to get address for PyImport_AddModule$Failed to get address for PyImport_ExecCodeModule$Failed to get address for PyImport_ImportModule$Failed to get address for PyList_Append$Failed to get address for PyMarshal_ReadObjectFromString$Failed to get address for PyMem_RawFree$Failed to get address for PyModule_GetDict$Failed to get address for PyObject_CallFunction$Failed to get address for PyObject_CallFunctionObjArgs$Failed to get address for PyObject_GetAttrString$Failed to get address for PyObject_SetAttrString$Failed to get address for PyObject_Str$Failed to get address for PyPreConfig_InitIsolatedConfig$Failed to get address for PyRun_SimpleStringFlags$Failed to get address for PyStatus_Exception$Failed to get address for PySys_GetObject$Failed to get address for PySys_SetObject$Failed to get address for PyUnicode_AsUTF8$Failed to get address for PyUnicode_Decode$Failed to get address for PyUnicode_DecodeFSDefault$Failed to get address for PyUnicode_FromFormat$Failed to get address for PyUnicode_FromString$Failed to get address for PyUnicode_Join$Failed to get address for PyUnicode_Replace$Failed to get address for Py_DecRef$Failed to get address for Py_DecodeLocale$Failed to get address for Py_ExitStatusException$Failed to get address for Py_Finalize$Failed to get address for 
Py_InitializeFromConfig$Failed to get address for Py_IsInitialized$Failed to get address for Py_PreInitialize$GetProcAddress$PyConfig_Clear$PyConfig_InitIsolatedConfig$PyConfig_Read$PyConfig_SetBytesString$PyConfig_SetString$PyConfig_SetWideStringList$PyErr_Clear$PyErr_Fetch$PyErr_NormalizeException$PyErr_Occurred$PyErr_Print$PyErr_Restore$PyEval_EvalCode$PyImport_AddModule$PyImport_ExecCodeModule$PyImport_ImportModule$PyList_Append$PyMarshal_ReadObjectFromString$PyMem_RawFree$PyModule_GetDict$PyObject_CallFunction$PyObject_CallFunctionObjArgs$PyObject_GetAttrString$PyObject_SetAttrString$PyObject_Str$PyPreConfig_InitIsolatedConfig$PyRun_SimpleStringFlags$PyStatus_Exception$PySys_GetObject$PySys_SetObject$PyUnicode_AsUTF8$PyUnicode_Decode$PyUnicode_DecodeFSDefault$PyUnicode_FromFormat$PyUnicode_FromString$PyUnicode_Join$PyUnicode_Replace$Py_DecRef$Py_DecodeLocale$Py_ExitStatusException$Py_Finalize$Py_InitializeFromConfig$Py_IsInitialized$Py_PreInitialize
                                                                                        • API String ID: 190572456-4266016200
                                                                                        • Opcode ID: 75da080be946a2cd8ba8e1b454c823e383fc18c1915e405073f2aaa9ec7d6da3
                                                                                        • Instruction ID: e3a74dc3332956e57b9d5799fb4fb17560e07898efa41f18fdb81616dd0d8924
                                                                                        • Opcode Fuzzy Hash: 75da080be946a2cd8ba8e1b454c823e383fc18c1915e405073f2aaa9ec7d6da3
                                                                                        • Instruction Fuzzy Hash: 68126EA8ACAB0390FA55BB09B860174A2A1BF17790FF45835C81E077E4FF7CB559D260
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3085053479.00007FF780461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF780460000, based on PE: true
                                                                                        • Associated: 00000001.00000002.3085004771.00007FF780460000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085119453.00007FF78048B000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085187459.00007FF78049E000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085187459.00007FF7804A0000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085260744.00007FF7804A2000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_7ff780460000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: MessageSend$Window$Create$Move$ObjectSelect$#380BaseClientDialogDrawFontIndirectInfoParametersRectReleaseSystemTextUnits
                                                                                        • String ID: BUTTON$Close$EDIT$Failed to execute script '%ls' due to unhandled exception: %ls$STATIC
                                                                                        • API String ID: 2446303242-1601438679
                                                                                        • Opcode ID: bd898f0db48e12eacbe359e455c65c9f86494896ecfc44a00e7b3fd1842e94f6
                                                                                        • Instruction ID: 0a112d8dcbf3433c51f3f1be4fee0f5a00cac68b9fd0c29beca16cb726d833a6
                                                                                        • Opcode Fuzzy Hash: bd898f0db48e12eacbe359e455c65c9f86494896ecfc44a00e7b3fd1842e94f6
                                                                                        • Instruction Fuzzy Hash: BCA1BB76208B858BE314DF21E45479AB370F789B84FA04529EB9D03B65DF3DE168CB50
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3085053479.00007FF780461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF780460000, based on PE: true
                                                                                        • Associated: 00000001.00000002.3085004771.00007FF780460000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085119453.00007FF78048B000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085187459.00007FF78049E000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085187459.00007FF7804A0000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085260744.00007FF7804A2000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_7ff780460000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: _invalid_parameter_noinfo$memcpy_s$fegetenv
                                                                                        • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                                                                        • API String ID: 808467561-2761157908
                                                                                        • Opcode ID: 0ccec4e05d241f6952ecbbf9a3ebe3f86c42949c8e32c68598c284628b963db6
                                                                                        • Instruction ID: 94187d1252ad054280e22d1832e0f6e7608209ab897720b06ad95c16f957b1b8
                                                                                        • Opcode Fuzzy Hash: 0ccec4e05d241f6952ecbbf9a3ebe3f86c42949c8e32c68598c284628b963db6
                                                                                        • Instruction Fuzzy Hash: 69B2E173E582828BE7649E64D4407FDB7A1FB96388FA05535DA0D5BBC8DB38B900CB50
                                                                                        APIs
                                                                                        • GetLastError.KERNEL32(00000000,00007FF7804629FE,?,?,?,?,?,?,?,?,?,?,?,00007FF78046101D), ref: 00007FF780468537
                                                                                        • FormatMessageW.KERNEL32 ref: 00007FF780468566
                                                                                        • WideCharToMultiByte.KERNEL32 ref: 00007FF7804685BC
                                                                                          • Part of subcall function 00007FF780462980: GetLastError.KERNEL32(00000000,00000000,00000000,00007FF7804687A2,?,?,?,?,?,?,?,?,?,?,?,00007FF78046101D), ref: 00007FF7804629B4
                                                                                          • Part of subcall function 00007FF780462980: MessageBoxW.USER32 ref: 00007FF780462A90
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3085053479.00007FF780461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF780460000, based on PE: true
                                                                                        • Associated: 00000001.00000002.3085004771.00007FF780460000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085119453.00007FF78048B000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085187459.00007FF78049E000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085187459.00007FF7804A0000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085260744.00007FF7804A2000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_7ff780460000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: ErrorLastMessage$ByteCharFormatMultiWide
                                                                                        • String ID: Failed to encode wchar_t as UTF-8.$FormatMessageW$No error messages generated.$PyInstaller: FormatMessageW failed.$PyInstaller: pyi_win32_utils_to_utf8 failed.$WideCharToMultiByte
                                                                                        • API String ID: 2920928814-2573406579
                                                                                        • Opcode ID: bc7b3eaa85e9f8c684efbfb0abf8c740a9d6d3509a191f947940c97d6b2913ba
                                                                                        • Instruction ID: f89525cfcc0303fb8db6105936d432bec5fc9f25827e59e207e24cf034a9c404
                                                                                        • Opcode Fuzzy Hash: bc7b3eaa85e9f8c684efbfb0abf8c740a9d6d3509a191f947940c97d6b2913ba
                                                                                        • Instruction Fuzzy Hash: 9E2171B1A48A4292F760AB11E844665B3A1FF8A384FE40535D54D837E5FF3CF149C720
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3085053479.00007FF780461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF780460000, based on PE: true
                                                                                        • Associated: 00000001.00000002.3085004771.00007FF780460000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085119453.00007FF78048B000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085187459.00007FF78049E000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085187459.00007FF7804A0000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085260744.00007FF7804A2000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_7ff780460000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                                                        • String ID:
                                                                                        • API String ID: 3140674995-0
                                                                                        • Opcode ID: bd7f2f980a7da6926a80c9d6d5668f96453f81ee33dc92f3020e8ba00438ebde
                                                                                        • Instruction ID: bbf055af7d00b960bb059d2aeec3f5a05e9de65aa8490b461b76b9eeb594636f
                                                                                        • Opcode Fuzzy Hash: bd7f2f980a7da6926a80c9d6d5668f96453f81ee33dc92f3020e8ba00438ebde
                                                                                        • Instruction Fuzzy Hash: AF318F76648B8189EB60AF60E8503FDB360FB45744F944439DA4E47B99EF3CE248C724
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3085053479.00007FF780461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF780460000, based on PE: true
                                                                                        • Associated: 00000001.00000002.3085004771.00007FF780460000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085119453.00007FF78048B000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085187459.00007FF78049E000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085187459.00007FF7804A0000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085260744.00007FF7804A2000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_7ff780460000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                                                        • String ID:
                                                                                        • API String ID: 1239891234-0
                                                                                        • Opcode ID: 7216508a44e270dbe74d940196730f6ae427e6a408c85f6a39dc9bb5e9d9eeec
                                                                                        • Instruction ID: c30c949fadac9cb4685878d7c6ab1e3c02d250ef7aef97d638832a5b1a4c6612
                                                                                        • Opcode Fuzzy Hash: 7216508a44e270dbe74d940196730f6ae427e6a408c85f6a39dc9bb5e9d9eeec
                                                                                        • Instruction Fuzzy Hash: D331A636648F8185E760DF25E8442AEB3A0FB8A754FA00135EB9D47B95DF3CE159CB10
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3085053479.00007FF780461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF780460000, based on PE: true
                                                                                        • Associated: 00000001.00000002.3085004771.00007FF780460000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085119453.00007FF78048B000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085187459.00007FF78049E000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085187459.00007FF7804A0000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085260744.00007FF7804A2000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_7ff780460000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: FileFindFirst_invalid_parameter_noinfo
                                                                                        • String ID:
                                                                                        • API String ID: 2227656907-0
                                                                                        • Opcode ID: 5b08ba71cf53a859679ca3725f02dc9f6ff5d13e2ee69dd84dd7cfc9c3e683b4
                                                                                        • Instruction ID: 800a68a8d4b63578aaec7b965fe9e9d57a8fb9da6196e4c89174879291a57b0a
                                                                                        • Opcode Fuzzy Hash: 5b08ba71cf53a859679ca3725f02dc9f6ff5d13e2ee69dd84dd7cfc9c3e683b4
                                                                                        • Instruction Fuzzy Hash: D6B11622B6869641EA61EB21D9041B9E3A5FB46BE4FA44932EF4E07BD5DF3CF441C310
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3085053479.00007FF780461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF780460000, based on PE: true
                                                                                        • Associated: 00000001.00000002.3085004771.00007FF780460000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085119453.00007FF78048B000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085187459.00007FF78049E000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085187459.00007FF7804A0000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085260744.00007FF7804A2000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_7ff780460000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                                                        • String ID:
                                                                                        • API String ID: 2933794660-0
                                                                                        • Opcode ID: a5550d9be1c0b415d16e930586c9cd762ba62d5a2847c086dd54dcf240d88082
                                                                                        • Instruction ID: 642dfb94ee785a167bd2b119023d45ec1a4d235561c815d83e0c7a6b082d5733
                                                                                        • Opcode Fuzzy Hash: a5550d9be1c0b415d16e930586c9cd762ba62d5a2847c086dd54dcf240d88082
                                                                                        • Instruction Fuzzy Hash: 51117322B54F0589FB00DF60E8552B973A4F71A758F540E31DA6D477A4DF78E168C390
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3085053479.00007FF780461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF780460000, based on PE: true
                                                                                        • Associated: 00000001.00000002.3085004771.00007FF780460000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085119453.00007FF78048B000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085187459.00007FF78049E000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085187459.00007FF7804A0000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085260744.00007FF7804A2000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_7ff780460000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: memcpy_s
                                                                                        • String ID:
                                                                                        • API String ID: 1502251526-0
                                                                                        • Opcode ID: 723df14fe8405c9280d13974b9e0b256372cd2939c4def8ecbac686ef57d643c
                                                                                        • Instruction ID: d2a63ead5a4db1b25484aed9218ca2ed1d964962aae6fb3a79e1ae7b4d992faf
                                                                                        • Opcode Fuzzy Hash: 723df14fe8405c9280d13974b9e0b256372cd2939c4def8ecbac686ef57d643c
                                                                                        • Instruction Fuzzy Hash: 74C1DF72B5868687EB24DF19A04466EB7A1F7D5B84FA48535DB4E43B84DB3CF801CB40
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3085053479.00007FF780461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF780460000, based on PE: true
                                                                                        • Associated: 00000001.00000002.3085004771.00007FF780460000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085119453.00007FF78048B000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085187459.00007FF78049E000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085187459.00007FF7804A0000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085260744.00007FF7804A2000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_7ff780460000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: ExceptionRaise_clrfp
                                                                                        • String ID:
                                                                                        • API String ID: 15204871-0
                                                                                        • Opcode ID: 573902758330cef39c5d4c46541062d655f0f5807630df07073b8173e5cf79ed
                                                                                        • Instruction ID: 1c406c53b58a78467411b18a532db0377fdb2dd2df1b24b87af4075fe94c28d2
                                                                                        • Opcode Fuzzy Hash: 573902758330cef39c5d4c46541062d655f0f5807630df07073b8173e5cf79ed
                                                                                        • Instruction Fuzzy Hash: 9CB16C73604B898BFB19DF29C8463687BA0F745B48F688921DF5D837A4CB79E861C710
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3085053479.00007FF780461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF780460000, based on PE: true
                                                                                        • Associated: 00000001.00000002.3085004771.00007FF780460000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085119453.00007FF78048B000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085187459.00007FF78049E000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085187459.00007FF7804A0000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085260744.00007FF7804A2000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_7ff780460000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: Find$CloseFileFirst
                                                                                        • String ID:
                                                                                        • API String ID: 2295610775-0
                                                                                        • Opcode ID: bee6a5b65c38c73ae96c9afab633c03bfb21d8601624e0d1433da97daea3c534
                                                                                        • Instruction ID: 9364e52599f9e431c8e5a9c89ddc13eb115c51cc5658d6e09e4983da6b1d7df4
                                                                                        • Opcode Fuzzy Hash: bee6a5b65c38c73ae96c9afab633c03bfb21d8601624e0d1433da97daea3c534
                                                                                        • Instruction Fuzzy Hash: 24F0D166A1828586F7A0AF60A448766B350BB45724F900339D66D077D4EF3CE008CB10
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3085053479.00007FF780461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF780460000, based on PE: true
                                                                                        • Associated: 00000001.00000002.3085004771.00007FF780460000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085119453.00007FF78048B000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085187459.00007FF78049E000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085187459.00007FF7804A0000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085260744.00007FF7804A2000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_7ff780460000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: $
                                                                                        • API String ID: 0-227171996
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: e+000$gfff
                                                                                        • API String ID: 0-3030954782
                                                                                        Similarity
                                                                                        • API ID: CurrentFeaturePresentProcessProcessor
                                                                                        • String ID:
                                                                                        • API String ID: 1010374628-0
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: gfffffff
                                                                                        • API String ID: 0-1523873471
                                                                                        Similarity
                                                                                        • API ID: _invalid_parameter_noinfo
                                                                                        • String ID: TMP
                                                                                        • API String ID: 3215553584-3125297090
                                                                                        Similarity
                                                                                        • API ID: HeapProcess
                                                                                        • String ID:
                                                                                        • API String ID: 54951025-0
                                                                                        Similarity
                                                                                        • API ID: _invalid_parameter_noinfo
                                                                                        • String ID:
                                                                                        • API String ID: 3215553584-0
                                                                                        • Opcode ID: 1a48e4e85312c67aba91a178ee072bf1cdccc3188dd2029b0be407fa310ae48a
                                                                                        • Instruction ID: 1855ef9e2a9940ff3c412cbbc498b5c399f431a5271b5f8c2b66c429d194d6fa
                                                                                        • Opcode Fuzzy Hash: 1a48e4e85312c67aba91a178ee072bf1cdccc3188dd2029b0be407fa310ae48a
                                                                                        • Instruction Fuzzy Hash: 0361E522F9828246F7A4AA28C454779E6D1BF52360FB40A39DA7D477E1DE7DF840C720
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3085053479.00007FF780461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF780460000, based on PE: true
                                                                                        • Associated: 00000001.00000002.3085004771.00007FF780460000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.3085119453.00007FF78048B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.3085187459.00007FF78049E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.3085187459.00007FF7804A0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000001.00000002.3085260744.00007FF7804A2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_7ff780460000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: a4ee5e20bab15de11e4dd18ca9e8a43eac167d7c0a0227fcc00f18b96ee599bc
                                                                                        • Instruction ID: 0515623ca0734d31e4f5a95eaa4f79e112b78251c9196462214464eb7ed29bab
                                                                                        • Opcode Fuzzy Hash: a4ee5e20bab15de11e4dd18ca9e8a43eac167d7c0a0227fcc00f18b96ee599bc
                                                                                        • Instruction Fuzzy Hash: B5518476A596598AE7249B2DC048238B3A0FB46B68F744131CE4E177E4DB3AF853C790
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3085053479.00007FF780461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF780460000, based on PE: true
                                                                                        • Associated: 00000001.00000002.3085004771.00007FF780460000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085119453.00007FF78048B000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085187459.00007FF78049E000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085187459.00007FF7804A0000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085260744.00007FF7804A2000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_7ff780460000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: ErrorLanguagesLastPreferredRestoreThread
                                                                                        • String ID:
                                                                                        • API String ID: 588628887-0
                                                                                        • Opcode ID: bfff0811a15a915023ab11670dca90bdc9fb1efc7219989930cac6f8d01bc8cb
                                                                                        • Instruction ID: 1d224ef5dc4ac2eca8d5e30934d7acf1630c3110583750369c7f10f6bd08aa63
                                                                                        • Opcode Fuzzy Hash: bfff0811a15a915023ab11670dca90bdc9fb1efc7219989930cac6f8d01bc8cb
                                                                                        • Instruction Fuzzy Hash: 4F415672B14A5881FF04DF2AD919569B3A1BB49FD0B989032EE0D87BA8DF7CE151C310
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3085053479.00007FF780461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF780460000, based on PE: true
                                                                                        • Associated: 00000001.00000002.3085004771.00007FF780460000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085119453.00007FF78048B000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085187459.00007FF78049E000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085187459.00007FF7804A0000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085260744.00007FF7804A2000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_7ff780460000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: AddressProc
                                                                                        • String ID: Failed to get address for Tcl_Alloc$Failed to get address for Tcl_ConditionFinalize$Failed to get address for Tcl_ConditionNotify$Failed to get address for Tcl_ConditionWait$Failed to get address for Tcl_CreateInterp$Failed to get address for Tcl_CreateObjCommand$Failed to get address for Tcl_CreateThread$Failed to get address for Tcl_DeleteInterp$Failed to get address for Tcl_DoOneEvent$Failed to get address for Tcl_EvalEx$Failed to get address for Tcl_EvalFile$Failed to get address for Tcl_EvalObjv$Failed to get address for Tcl_Finalize$Failed to get address for Tcl_FinalizeThread$Failed to get address for Tcl_FindExecutable$Failed to get address for Tcl_Free$Failed to get address for Tcl_GetCurrentThread$Failed to get address for Tcl_GetObjResult$Failed to get address for Tcl_GetString$Failed to get address for Tcl_GetVar2$Failed to get address for Tcl_Init$Failed to get address for Tcl_MutexLock$Failed to get address for Tcl_MutexUnlock$Failed to get address for Tcl_NewByteArrayObj$Failed to get address for Tcl_NewStringObj$Failed to get address for Tcl_SetVar2$Failed to get address for Tcl_SetVar2Ex$Failed to get address for Tcl_ThreadAlert$Failed to get address for Tcl_ThreadQueueEvent$Failed to get address for Tk_GetNumMainWindows$Failed to get address for Tk_Init$GetProcAddress$Tcl_Alloc$Tcl_ConditionFinalize$Tcl_ConditionNotify$Tcl_ConditionWait$Tcl_CreateInterp$Tcl_CreateObjCommand$Tcl_CreateThread$Tcl_DeleteInterp$Tcl_DoOneEvent$Tcl_EvalEx$Tcl_EvalFile$Tcl_EvalObjv$Tcl_Finalize$Tcl_FinalizeThread$Tcl_FindExecutable$Tcl_Free$Tcl_GetCurrentThread$Tcl_GetObjResult$Tcl_GetString$Tcl_GetVar2$Tcl_Init$Tcl_MutexLock$Tcl_MutexUnlock$Tcl_NewByteArrayObj$Tcl_NewStringObj$Tcl_SetVar2$Tcl_SetVar2Ex$Tcl_ThreadAlert$Tcl_ThreadQueueEvent$Tk_GetNumMainWindows$Tk_Init
                                                                                        • API String ID: 190572456-2208601799
                                                                                        • Opcode ID: e6820c89ffc797338b1e8a8d4cbcd85ec8fabaf342805483d76abf8d02486c55
                                                                                        • Instruction ID: 5d57dba02ac9c57ea5327c97674c7560fd68bee392c43d8831207dc37adc27d6
                                                                                        • Opcode Fuzzy Hash: e6820c89ffc797338b1e8a8d4cbcd85ec8fabaf342805483d76abf8d02486c55
                                                                                        • Instruction Fuzzy Hash: 93E1B3A8A8AB0790FA19BB05E850574A3A2BF07750FF45835C81E077E4FF7DB558D260
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3085053479.00007FF780461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF780460000, based on PE: true
                                                                                        • Associated: 00000001.00000002.3085004771.00007FF780460000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085119453.00007FF78048B000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085187459.00007FF78049E000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085187459.00007FF7804A0000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085260744.00007FF7804A2000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_7ff780460000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: Message_fread_nolock
                                                                                        • String ID: %s%c%s$Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$\$fread$fseek$malloc
                                                                                        • API String ID: 3065259568-2316137593
                                                                                        • Opcode ID: 0bdca8be25130bd961380e71568449d32b5074530f3fd5271a21786d80f2fcec
                                                                                        • Instruction ID: 768d8f30474685085afb14b866265a1ae3f82278a66d13688fe18df066b1738e
                                                                                        • Opcode Fuzzy Hash: 0bdca8be25130bd961380e71568449d32b5074530f3fd5271a21786d80f2fcec
                                                                                        • Instruction Fuzzy Hash: E951D0A5A8968789FA20B761A8502FAE354FF42784FE44031EE5E47BD6EE3CF445C350
                                                                                        APIs
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: MoveWindow$ObjectSelect$DrawReleaseText
                                                                                        • String ID: P%
                                                                                        • API String ID: 2147705588-2959514604
                                                                                        • Opcode ID: 3a5fe543bfe1b7b5f8464788b1726589a381fe5977aa523128c49ed64eb0cea2
                                                                                        • Instruction ID: c47bb49456b153ef8e50775acbc94ad6591e3f52a4fab3cc1b0c49d7c19083e6
                                                                                        • Opcode Fuzzy Hash: 3a5fe543bfe1b7b5f8464788b1726589a381fe5977aa523128c49ed64eb0cea2
                                                                                        • Instruction Fuzzy Hash: EC511626604BA186D634AF26E4181BAF7A1FB99B61F004131EFDE43795DF3CE085DB20
                                                                                        APIs
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: _invalid_parameter_noinfo
                                                                                        • String ID: -$:$f$p$p
                                                                                        • API String ID: 3215553584-2013873522
                                                                                        • Opcode ID: 91dceeff07302928ce321c951f00c79f44960f322cb111e7c2f38567437031ff
                                                                                        • Instruction ID: 803a7587350c2be04323c067cef17e8c66ed972e18933de1a294377e4d426599
                                                                                        • Opcode Fuzzy Hash: 91dceeff07302928ce321c951f00c79f44960f322cb111e7c2f38567437031ff
                                                                                        • Instruction Fuzzy Hash: 1B129F62E4814B86FB247A14E1582B9B6A3FB42754FE48135D68E577E4DF3CF880CB24
                                                                                        APIs
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: _invalid_parameter_noinfo
                                                                                        • String ID: f$f$p$p$f
                                                                                        • API String ID: 3215553584-1325933183
                                                                                        • Opcode ID: 57be4d3235f3c7e7fe9cc3e0119ba00d32c026717cad99bda61a19a4716f3002
                                                                                        • Instruction ID: d95108d0cf24ceb160a5d362f5ffdee1e3ca4b9f0026152d206e05269847a014
                                                                                        • Opcode Fuzzy Hash: 57be4d3235f3c7e7fe9cc3e0119ba00d32c026717cad99bda61a19a4716f3002
                                                                                        • Instruction Fuzzy Hash: 2A127122E4C14B8AFB24BA18A04C6B9B252FB42754FE84135D69F477E4DB7CF584CB60
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: Message
                                                                                        • String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
                                                                                        • API String ID: 2030045667-3659356012
                                                                                        • Opcode ID: ad89f77e0f7f72057ab9c0d45adbddcb4c208e9ebb155e74579fb8ffd2ce5e6c
                                                                                        • Instruction ID: 387e5adad22e5593abc4ab2c434f377ca80bb9b75b9236e75a20ebe312ef0f0d
                                                                                        • Opcode Fuzzy Hash: ad89f77e0f7f72057ab9c0d45adbddcb4c208e9ebb155e74579fb8ffd2ce5e6c
                                                                                        • Instruction Fuzzy Hash: 2A317D65B886468AFA24BB91E4401BAE360BF467C4FE85432DA5E07BE5EE3CF445C710
                                                                                        APIs
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                                                        • String ID: csm$csm$csm
                                                                                        • API String ID: 849930591-393685449
                                                                                        • Opcode ID: 9909e2f83e20015404d87d33da3216204588829881f8faf41da18fa3cf6f00f4
                                                                                        • Instruction ID: c42bb74d20167381ac2545dede8872cf74bc046f42b39b828b330ebc82c81647
                                                                                        • Opcode Fuzzy Hash: 9909e2f83e20015404d87d33da3216204588829881f8faf41da18fa3cf6f00f4
                                                                                        • Instruction Fuzzy Hash: 55E171B6A4874186FB20AB66D4402ADB7E0FB47B88FA40135DE5D47B99EF38F491C710
                                                                                        APIs
                                                                                        • FreeLibrary.KERNEL32(?,?,?,00007FF78047F41A,?,?,00000291467F6C48,00007FF78047B1C7,?,?,?,00007FF78047B0BE,?,?,?,00007FF780476302), ref: 00007FF78047F1FC
                                                                                        • GetProcAddress.KERNEL32(?,?,?,00007FF78047F41A,?,?,00000291467F6C48,00007FF78047B1C7,?,?,?,00007FF78047B0BE,?,?,?,00007FF780476302), ref: 00007FF78047F208
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: AddressFreeLibraryProc
                                                                                        • String ID: api-ms-$ext-ms-
                                                                                        • API String ID: 3013587201-537541572
                                                                                        • Opcode ID: 51859395d0e275caf5d2b073e71f005ee4f098fce477efb6989a4a0f7b6cb53b
                                                                                        • Instruction ID: 7922d3ee9cfa386f3cf3d3db13c45c57783e6171f8fb58646c6286b780ddaf59
                                                                                        • Opcode Fuzzy Hash: 51859395d0e275caf5d2b073e71f005ee4f098fce477efb6989a4a0f7b6cb53b
                                                                                        • Instruction Fuzzy Hash: AD412361B59A0A91FA22EB169C08575A391FF4BBA0FE84535DD0D577D4EE3CF808C320
                                                                                        APIs
                                                                                        • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF78046101D), ref: 00007FF7804686F7
                                                                                        • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF78046101D), ref: 00007FF78046874E
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: ByteCharMultiWide
                                                                                        • String ID: Failed to encode wchar_t as UTF-8.$Failed to get UTF-8 buffer size.$Out of memory.$WideCharToMultiByte$win32_utils_to_utf8
                                                                                        • API String ID: 626452242-27947307
                                                                                        • Opcode ID: 5749f89c7029416268c3d0e42eb4d2d1c9b9e62a411aa48f15219c95a477a2c7
                                                                                        • Instruction ID: a68b68ab3c6764a7e73832aa8253fe7b1a67562a83bfba17c6d3d9dfa7d7d0a4
                                                                                        • Opcode Fuzzy Hash: 5749f89c7029416268c3d0e42eb4d2d1c9b9e62a411aa48f15219c95a477a2c7
                                                                                        • Instruction Fuzzy Hash: 1B418D76A49A8282E620EF15B84017AF7A1FF86790FB44639DA9D47BD4EF3CE045C710
                                                                                        APIs
                                                                                        • WideCharToMultiByte.KERNEL32(?,00007FF78046399A), ref: 00007FF780468BE1
                                                                                          • Part of subcall function 00007FF780462980: GetLastError.KERNEL32(00000000,00000000,00000000,00007FF7804687A2,?,?,?,?,?,?,?,?,?,?,?,00007FF78046101D), ref: 00007FF7804629B4
                                                                                          • Part of subcall function 00007FF780462980: MessageBoxW.USER32 ref: 00007FF780462A90
                                                                                        • WideCharToMultiByte.KERNEL32(?,00007FF78046399A), ref: 00007FF780468C55
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: ByteCharMultiWide$ErrorLastMessage
                                                                                        • String ID: Failed to encode wchar_t as UTF-8.$Failed to get UTF-8 buffer size.$Out of memory.$WideCharToMultiByte$win32_utils_to_utf8
                                                                                        • API String ID: 3723044601-27947307
                                                                                        • Opcode ID: 5cc98d4ac729e2a44be064eb6338f4f39fa46366f04c5a6894391fee9a74e26e
                                                                                        • Instruction ID: 1f1892df94f424a392abe69085e1570957a9aa8451da2dbcb70c9151cbd7633f
                                                                                        • Opcode Fuzzy Hash: 5cc98d4ac729e2a44be064eb6338f4f39fa46366f04c5a6894391fee9a74e26e
                                                                                        • Instruction Fuzzy Hash: 87218D75A4AB4285FB10AB16A840078F3A1FF86B90BA44635CA1D43BD4FF3CF405C360
                                                                                        APIs
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: _invalid_parameter_noinfo$_fread_nolock
                                                                                        • String ID: %s%c%s$ERROR: file already exists but should not: %s$PYINSTALLER_STRICT_UNPACK_MODE$WARNING: file already exists but should not: %s$\
                                                                                        • API String ID: 3231891352-3501660386
                                                                                        • Opcode ID: fe49ecacb114ebdaee0de0317fc4dad492db580d45f3c2ffc8202cb6cd430ec1
                                                                                        • Instruction ID: 3d7fbd877769f2dd7fb65252d8ef42b796becc35700a0a42631b6b14fff192dd
                                                                                        • Opcode Fuzzy Hash: fe49ecacb114ebdaee0de0317fc4dad492db580d45f3c2ffc8202cb6cd430ec1
                                                                                        • Instruction Fuzzy Hash: C0517CE9B8E64241FA10BB2599452B9E291BF47790FF40530E92D877D6FE6CF504C360
                                                                                        APIs
                                                                                          • Part of subcall function 00007FF780468A90: MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF780462A5B), ref: 00007FF780468ACA
                                                                                        • ExpandEnvironmentStringsW.KERNEL32(00000000,00007FF780467951,00000000,?,00000000,00000000,?,00007FF78046154F), ref: 00007FF78046742F
                                                                                          • Part of subcall function 00007FF780462AD0: MessageBoxW.USER32 ref: 00007FF780462BA5
                                                                                        Strings
                                                                                        • LOADER: Failed to expand environment variables in the runtime-tmpdir., xrefs: 00007FF780467443
                                                                                        • LOADER: Failed to convert runtime-tmpdir to a wide string., xrefs: 00007FF780467406
                                                                                        • LOADER: Failed to obtain the absolute path of the runtime-tmpdir., xrefs: 00007FF78046748A
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3085053479.00007FF780461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF780460000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID: ByteCharEnvironmentExpandMessageMultiStringsWide
                                                                                        • String ID: LOADER: Failed to convert runtime-tmpdir to a wide string.$LOADER: Failed to expand environment variables in the runtime-tmpdir.$LOADER: Failed to obtain the absolute path of the runtime-tmpdir.
                                                                                        • API String ID: 1662231829-3498232454
                                                                                        • Opcode ID: a1e1b639339be25aedeca638f111a5b9caffbdc10820e4ac38a9d972aed7186e
                                                                                        • Instruction ID: 33791089e968fbb6f025abe541f4c41f70cba65e24b3fd73dcc0b3a05c360fbb
                                                                                        • Opcode Fuzzy Hash: a1e1b639339be25aedeca638f111a5b9caffbdc10820e4ac38a9d972aed7186e
                                                                                        • Instruction Fuzzy Hash: FF31B395B5D68650FA24B721D9153BAD291BF9A780FF44432CA5E43BD6FE2CF104C620
                                                                                        APIs
                                                                                        • LoadLibraryExW.KERNEL32(?,?,?,00007FF78046E01A,?,?,?,00007FF78046DD0C,?,?,00000001,00007FF78046D929), ref: 00007FF78046DDED
                                                                                        • GetLastError.KERNEL32(?,?,?,00007FF78046E01A,?,?,?,00007FF78046DD0C,?,?,00000001,00007FF78046D929), ref: 00007FF78046DDFB
                                                                                        • LoadLibraryExW.KERNEL32(?,?,?,00007FF78046E01A,?,?,?,00007FF78046DD0C,?,?,00000001,00007FF78046D929), ref: 00007FF78046DE25
                                                                                        • FreeLibrary.KERNEL32(?,?,?,00007FF78046E01A,?,?,?,00007FF78046DD0C,?,?,00000001,00007FF78046D929), ref: 00007FF78046DE6B
                                                                                        • GetProcAddress.KERNEL32(?,?,?,00007FF78046E01A,?,?,?,00007FF78046DD0C,?,?,00000001,00007FF78046D929), ref: 00007FF78046DE77
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3085053479.00007FF780461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF780460000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID: Library$Load$AddressErrorFreeLastProc
                                                                                        • String ID: api-ms-
                                                                                        • API String ID: 2559590344-2084034818
                                                                                        • Opcode ID: ac8a44a14b46c097b1296329a08db6903c175b988a0b8256de00bf94bd10a686
                                                                                        • Instruction ID: ae6e54e076e370d5277696c4bd2d3f0553699af6326f8dc02c5c347f9f460b60
                                                                                        • Opcode Fuzzy Hash: ac8a44a14b46c097b1296329a08db6903c175b988a0b8256de00bf94bd10a686
                                                                                        • Instruction Fuzzy Hash: 7231B2A5A5EA0284FE51BB02A800675A294BF56BA0FAA0535DD2D0B3D1EF3EF444C320
                                                                                        APIs
                                                                                        • MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF780462A5B), ref: 00007FF780468ACA
                                                                                          • Part of subcall function 00007FF780462980: GetLastError.KERNEL32(00000000,00000000,00000000,00007FF7804687A2,?,?,?,?,?,?,?,?,?,?,?,00007FF78046101D), ref: 00007FF7804629B4
                                                                                          • Part of subcall function 00007FF780462980: MessageBoxW.USER32 ref: 00007FF780462A90
                                                                                        • MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF780462A5B), ref: 00007FF780468B50
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3085053479.00007FF780461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF780460000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID: ByteCharMultiWide$ErrorLastMessage
                                                                                        • String ID: Failed to decode wchar_t from UTF-8$Failed to get wchar_t buffer size.$MultiByteToWideChar$Out of memory.$win32_utils_from_utf8
                                                                                        • API String ID: 3723044601-876015163
                                                                                        • Opcode ID: 2a735e5b85d5e13e5e47638b187f9891e8873de6bec16fd5de3a8c6174d16b99
                                                                                        • Instruction ID: a921c9ddec9a1222a0248d5b1be531b73501e075114198a0e96a7e2bdd4e34e0
                                                                                        • Opcode Fuzzy Hash: 2a735e5b85d5e13e5e47638b187f9891e8873de6bec16fd5de3a8c6174d16b99
                                                                                        • Instruction Fuzzy Hash: 96217366B09A4282EB50EB19F800069E3A1FF857C4FA84535DB5C83BA9FF2DF541C714
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3085053479.00007FF780461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF780460000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID: Value$ErrorLast
                                                                                        • String ID:
                                                                                        • API String ID: 2506987500-0
                                                                                        • Opcode ID: e199b107e3d781d54393db83e9259abe557c4992d1fa4ec3e177ee31368a7776
                                                                                        • Instruction ID: 9830394e4bb6ca562153a00facb6c3c8ee848afb3578bc6d7117a872c74f2684
                                                                                        • Opcode Fuzzy Hash: e199b107e3d781d54393db83e9259abe557c4992d1fa4ec3e177ee31368a7776
                                                                                        • Instruction Fuzzy Hash: DD21C220A8C24E46FA6473215619239E142BF47BB0FB00734DA3E477D6DE6CB414C2A1
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3085053479.00007FF780461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF780460000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                                                                                        • String ID: CONOUT$
                                                                                        • API String ID: 3230265001-3130406586
                                                                                        • Opcode ID: a1e54ec175de851058e37af8a1d5e0fa141ee03ccab10034a8763fdf20805efa
                                                                                        • Instruction ID: cdc4dbfcaab99a6cfafc3576fe8a123933c3d4fdd825b10bcbb33983c6518e54
                                                                                        • Opcode Fuzzy Hash: a1e54ec175de851058e37af8a1d5e0fa141ee03ccab10034a8763fdf20805efa
                                                                                        • Instruction Fuzzy Hash: A911D621758A4286E750AB42F854729B3A0FB4AFE4FA00634D91D877E4CF3CF454C750
                                                                                        APIs
                                                                                        • GetLastError.KERNEL32(?,?,?,00007FF7804752DD,?,?,?,?,00007FF78047F06F,?,?,00000000,00007FF78047B856,?,?,?), ref: 00007FF78047B747
                                                                                        • FlsSetValue.KERNEL32(?,?,?,00007FF7804752DD,?,?,?,?,00007FF78047F06F,?,?,00000000,00007FF78047B856,?,?,?), ref: 00007FF78047B77D
                                                                                        • FlsSetValue.KERNEL32(?,?,?,00007FF7804752DD,?,?,?,?,00007FF78047F06F,?,?,00000000,00007FF78047B856,?,?,?), ref: 00007FF78047B7AA
                                                                                        • FlsSetValue.KERNEL32(?,?,?,00007FF7804752DD,?,?,?,?,00007FF78047F06F,?,?,00000000,00007FF78047B856,?,?,?), ref: 00007FF78047B7BB
                                                                                        • FlsSetValue.KERNEL32(?,?,?,00007FF7804752DD,?,?,?,?,00007FF78047F06F,?,?,00000000,00007FF78047B856,?,?,?), ref: 00007FF78047B7CC
                                                                                        • SetLastError.KERNEL32(?,?,?,00007FF7804752DD,?,?,?,?,00007FF78047F06F,?,?,00000000,00007FF78047B856,?,?,?), ref: 00007FF78047B7E7
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3085053479.00007FF780461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF780460000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID: Value$ErrorLast
                                                                                        • String ID:
                                                                                        • API String ID: 2506987500-0
                                                                                        • Opcode ID: 2e3863e62d8401198506165df3ee82ec216887d25e60ae507c6920601b2bc551
                                                                                        • Instruction ID: 3dc90991044fdb5019ad94bd1e9eba50778cb65582c1c542808d13fb60b73616
                                                                                        • Opcode Fuzzy Hash: 2e3863e62d8401198506165df3ee82ec216887d25e60ae507c6920601b2bc551
                                                                                        • Instruction Fuzzy Hash: CF118120A8C24E42FA6873315649239E152BF877B0FF44734DC2E477D6DE6CB405C2A0
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3085053479.00007FF780461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF780460000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                                                        • String ID: csm$f
                                                                                        • API String ID: 2395640692-629598281
                                                                                        • Opcode ID: fd8339915c2382beb504f92f2371690f4226147291c5d2cc73aac64d73f8b296
                                                                                        • Instruction ID: 3e2b6d88a5288f3cd4c1837948873751ee9776d3ab825cfe1d080ec0fd32ba61
                                                                                        • Opcode Fuzzy Hash: fd8339915c2382beb504f92f2371690f4226147291c5d2cc73aac64d73f8b296
                                                                                        • Instruction Fuzzy Hash: C651917AE4D6028AF714FB15E448A29A755FB46BC4FA08134DA3E47788EF3AF841C710
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3085053479.00007FF780461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF780460000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID: DeleteDestroyDialogHandleIconIndirectModuleObjectParam
                                                                                        • String ID: Unhandled exception in script
                                                                                        • API String ID: 3081866767-2699770090
                                                                                        • Opcode ID: 0142ac56ac5069f80c51e44fa7144cff9339e53106db0ca49d133b3849e90575
                                                                                        • Instruction ID: 989954bcf8cb04b123e12e52e5cd0f8154f6464e49a1c168fcfe0bff45655335
                                                                                        • Opcode Fuzzy Hash: 0142ac56ac5069f80c51e44fa7144cff9339e53106db0ca49d133b3849e90575
                                                                                        • Instruction Fuzzy Hash: 4231B976A09A8589EB10FF61E8551F9B360FF8A784FA00135EA4D47B95DF3CE145C710
                                                                                        APIs
                                                                                        • GetLastError.KERNEL32(00000000,00000000,00000000,00007FF7804687A2,?,?,?,?,?,?,?,?,?,?,?,00007FF78046101D), ref: 00007FF7804629B4
                                                                                          • Part of subcall function 00007FF780468510: GetLastError.KERNEL32(00000000,00007FF7804629FE,?,?,?,?,?,?,?,?,?,?,?,00007FF78046101D), ref: 00007FF780468537
                                                                                          • Part of subcall function 00007FF780468510: FormatMessageW.KERNEL32 ref: 00007FF780468566
                                                                                          • Part of subcall function 00007FF780468A90: MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF780462A5B), ref: 00007FF780468ACA
                                                                                        • MessageBoxW.USER32 ref: 00007FF780462A90
                                                                                        • MessageBoxA.USER32 ref: 00007FF780462AAC
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3085053479.00007FF780461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF780460000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID: Message$ErrorLast$ByteCharFormatMultiWide
                                                                                        • String ID: %s%s: %s$Fatal error detected
                                                                                        • API String ID: 2806210788-2410924014
                                                                                        • Opcode ID: 99117b17f4c39fadc0b19c6ef7758edd010b836457af41afdf5b4f661e116906
                                                                                        • Instruction ID: 67266b450448a56c800e03c4a6eb1b1a3268edb42de27a3ddb037fb8b531ecad
                                                                                        • Opcode Fuzzy Hash: 99117b17f4c39fadc0b19c6ef7758edd010b836457af41afdf5b4f661e116906
                                                                                        • Instruction Fuzzy Hash: 4B31A872668A8691E630AB10E4416DAA364FF85784FD04136EA8D03BD9DF3CE345C750
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3085053479.00007FF780461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF780460000, based on PE: true
                                                                                        • Associated: 00000001.00000002.3085004771.00007FF780460000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085119453.00007FF78048B000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085187459.00007FF78049E000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085187459.00007FF7804A0000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085260744.00007FF7804A2000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_7ff780460000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: AddressFreeHandleLibraryModuleProc
                                                                                        • String ID: CorExitProcess$mscoree.dll
                                                                                        • API String ID: 4061214504-1276376045
                                                                                        • Opcode ID: a7e00c60131c6f6b1755f0d1ae2fc89d44cde4883235dc6928da60d710fc640c
                                                                                        • Instruction ID: 19bdf9c563d1f6902a65ff5c4f82f2331d69dfb38ce296c702bf317c3843a43c
                                                                                        • Opcode Fuzzy Hash: a7e00c60131c6f6b1755f0d1ae2fc89d44cde4883235dc6928da60d710fc640c
                                                                                        • Instruction Fuzzy Hash: 65F0AF21A5AB0A81EB14AB24E44873AE360BF4A760FE40635C96E473E4CF2CE448C360
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3085053479.00007FF780461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF780460000, based on PE: true
                                                                                        • Associated: 00000001.00000002.3085004771.00007FF780460000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085119453.00007FF78048B000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085187459.00007FF78049E000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085187459.00007FF7804A0000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085260744.00007FF7804A2000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_7ff780460000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: _set_statfp
                                                                                        • String ID:
                                                                                        • API String ID: 1156100317-0
                                                                                        • Opcode ID: a62d4fcbb0970871e45180a1f834c32a3c4d190302dd8db61346826940fa499d
                                                                                        • Instruction ID: 1b681ba9ae06f8935dccbcfef1367e22c44d16dfce3024477367a0feffd046d7
                                                                                        • Opcode Fuzzy Hash: a62d4fcbb0970871e45180a1f834c32a3c4d190302dd8db61346826940fa499d
                                                                                        • Instruction Fuzzy Hash: A3116D22E99E0352FA683168F94237591407F5A360EFC0E34EA6E077D6CFACBC40C120
                                                                                        APIs
                                                                                        • FlsGetValue.KERNEL32(?,?,?,00007FF78047AA17,?,?,00000000,00007FF78047ACB2,?,?,?,?,?,00007FF78047307C), ref: 00007FF78047B81F
                                                                                        • FlsSetValue.KERNEL32(?,?,?,00007FF78047AA17,?,?,00000000,00007FF78047ACB2,?,?,?,?,?,00007FF78047307C), ref: 00007FF78047B83E
                                                                                        • FlsSetValue.KERNEL32(?,?,?,00007FF78047AA17,?,?,00000000,00007FF78047ACB2,?,?,?,?,?,00007FF78047307C), ref: 00007FF78047B866
                                                                                        • FlsSetValue.KERNEL32(?,?,?,00007FF78047AA17,?,?,00000000,00007FF78047ACB2,?,?,?,?,?,00007FF78047307C), ref: 00007FF78047B877
                                                                                        • FlsSetValue.KERNEL32(?,?,?,00007FF78047AA17,?,?,00000000,00007FF78047ACB2,?,?,?,?,?,00007FF78047307C), ref: 00007FF78047B888
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3085053479.00007FF780461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF780460000, based on PE: true
                                                                                        • Associated: 00000001.00000002.3085004771.00007FF780460000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085119453.00007FF78048B000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085187459.00007FF78049E000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085187459.00007FF7804A0000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085260744.00007FF7804A2000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_7ff780460000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: Value
                                                                                        • String ID:
                                                                                        • API String ID: 3702945584-0
                                                                                        • Opcode ID: 4a52f279c4c70f40341774d9d38f4c7ef3efdc7d6de5f8a4ffd0de3435e3d149
                                                                                        • Instruction ID: 7d2925459cd4dc1f57c283efbd03ead5467cb619c9559ff73bb63651019e2f67
                                                                                        • Opcode Fuzzy Hash: 4a52f279c4c70f40341774d9d38f4c7ef3efdc7d6de5f8a4ffd0de3435e3d149
                                                                                        • Instruction Fuzzy Hash: B6117F20E8C24A41FA6873225559279E156BF877A0FB84334E83D477D6DE6CF415C261
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3085053479.00007FF780461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF780460000, based on PE: true
                                                                                        • Associated: 00000001.00000002.3085004771.00007FF780460000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085119453.00007FF78048B000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085187459.00007FF78049E000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085187459.00007FF7804A0000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085260744.00007FF7804A2000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_7ff780460000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: Value
                                                                                        • String ID:
                                                                                        • API String ID: 3702945584-0
                                                                                        • Opcode ID: f07c18343185c9512c79f52a9e3d22743ffb1aa97a260a04bff2f37faefd1685
                                                                                        • Instruction ID: 853ad4168e389f6c265125d0307594d16da92cabe6f23a6b4f990d5c4e77711d
                                                                                        • Opcode Fuzzy Hash: f07c18343185c9512c79f52a9e3d22743ffb1aa97a260a04bff2f37faefd1685
                                                                                        • Instruction Fuzzy Hash: 57112A20A8824F45F9687222441A67A9192BF87770FF40734D93E4B3D2DD6CB819C2B1
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3085053479.00007FF780461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF780460000, based on PE: true
                                                                                        • Associated: 00000001.00000002.3085004771.00007FF780460000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085119453.00007FF78048B000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085187459.00007FF78049E000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085187459.00007FF7804A0000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085260744.00007FF7804A2000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_7ff780460000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: _invalid_parameter_noinfo
                                                                                        • String ID: verbose
                                                                                        • API String ID: 3215553584-579935070
                                                                                        • Opcode ID: 949f789820f60b9edc3b3d9021f3b8c6b6af15b8acf6f547bb3703cfae1424d0
                                                                                        • Instruction ID: 33765cf7814c2fb386cc7a37274e967dda6b9989cc38d7c68a05d5387a394292
                                                                                        • Opcode Fuzzy Hash: 949f789820f60b9edc3b3d9021f3b8c6b6af15b8acf6f547bb3703cfae1424d0
                                                                                        • Instruction Fuzzy Hash: 63910032A48A4A85F721AE25E45837DB792BB42B54FE44136DA8D473E9DF3CF805C320
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3085053479.00007FF780461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF780460000, based on PE: true
                                                                                        • Associated: 00000001.00000002.3085004771.00007FF780460000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085119453.00007FF78048B000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085187459.00007FF78049E000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085187459.00007FF7804A0000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085260744.00007FF7804A2000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_7ff780460000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: _invalid_parameter_noinfo
                                                                                        • String ID: UTF-16LEUNICODE$UTF-8$ccs
                                                                                        • API String ID: 3215553584-1196891531
                                                                                        • Opcode ID: 0b870b3a3d649be6e4f6c0b612b8e25b541f8dcea366d64dcbc5d49be93c66d1
                                                                                        • Instruction ID: dac5ba7cb22dc0eedc9dafc27ed4458fdbef0d278b9eb9e5a95b154bfcd5173c
                                                                                        • Opcode Fuzzy Hash: 0b870b3a3d649be6e4f6c0b612b8e25b541f8dcea366d64dcbc5d49be93c66d1
                                                                                        • Instruction Fuzzy Hash: D9819272EA820285F7F5AF258150278A6A0FB53B44FF54831CA0D677D6EB2CF811D721
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3085053479.00007FF780461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF780460000, based on PE: true
                                                                                        • Associated: 00000001.00000002.3085004771.00007FF780460000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085119453.00007FF78048B000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085187459.00007FF78049E000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085187459.00007FF7804A0000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085260744.00007FF7804A2000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_7ff780460000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: CallEncodePointerTranslator
                                                                                        • String ID: MOC$RCC
                                                                                        • API String ID: 3544855599-2084237596
                                                                                        • Opcode ID: 59ac2c9e4a5220c2fa7bc6dcfd9cbcaf6d037ac2a111382551f8a72c0d17a11c
                                                                                        • Instruction ID: 610d01e7b89281c9b140570e227cd8f73bcc8b3746d864d6e5dba45da96fb4c6
                                                                                        • Opcode Fuzzy Hash: 59ac2c9e4a5220c2fa7bc6dcfd9cbcaf6d037ac2a111382551f8a72c0d17a11c
                                                                                        • Instruction Fuzzy Hash: BF61AEB7A08B45C6F7209F65D0403ADB7A0FB46B88F544225DFAD13B99EB38E445C710
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3085053479.00007FF780461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF780460000, based on PE: true
                                                                                        • Associated: 00000001.00000002.3085004771.00007FF780460000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085119453.00007FF78048B000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085187459.00007FF78049E000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085187459.00007FF7804A0000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085260744.00007FF7804A2000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_7ff780460000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                                                        • String ID: csm$csm
                                                                                        • API String ID: 3896166516-3733052814
                                                                                        • Opcode ID: 1180bfda959e97f02d570b5dde1e1b48c1dd59e29b574f701b62c64f34128176
                                                                                        • Instruction ID: fc8f5ab1f6a0dc54e59f16145b28fd07ce93b31ae523a6046e31f40348f10d2c
                                                                                        • Opcode Fuzzy Hash: 1180bfda959e97f02d570b5dde1e1b48c1dd59e29b574f701b62c64f34128176
                                                                                        • Instruction Fuzzy Hash: EF51B0BA94834286FB34AF159440369B7A0FB56B88FA44135DAAD47BC6EF3CF490C710
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3085053479.00007FF780461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF780460000, based on PE: true
                                                                                        • Associated: 00000001.00000002.3085004771.00007FF780460000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085119453.00007FF78048B000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085187459.00007FF78049E000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085187459.00007FF7804A0000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085260744.00007FF7804A2000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_7ff780460000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: Message$ByteCharMultiWide
                                                                                        • String ID: %s%s: %s$Fatal error detected
                                                                                        • API String ID: 1878133881-2410924014
                                                                                        • Opcode ID: 38c4b4e2a01e1bb9762b054cdf89db1cb30aa17529e4998d71cfbd5aabc681da
                                                                                        • Instruction ID: d63f935e11bdf22755485b7c2c3a26e8089589a55d6151eb92587a26aec363c1
                                                                                        • Opcode Fuzzy Hash: 38c4b4e2a01e1bb9762b054cdf89db1cb30aa17529e4998d71cfbd5aabc681da
                                                                                        • Instruction Fuzzy Hash: E031A37266CA8691E620EB10E4516EAA364FF857C4FD04036EA8D47BD9DF3CE309CB50
                                                                                        APIs
                                                                                        • GetModuleFileNameW.KERNEL32(?,00007FF78046399A), ref: 00007FF780463EA1
                                                                                          • Part of subcall function 00007FF780462980: GetLastError.KERNEL32(00000000,00000000,00000000,00007FF7804687A2,?,?,?,?,?,?,?,?,?,?,?,00007FF78046101D), ref: 00007FF7804629B4
                                                                                          • Part of subcall function 00007FF780462980: MessageBoxW.USER32 ref: 00007FF780462A90
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3085053479.00007FF780461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF780460000, based on PE: true
                                                                                        • Associated: 00000001.00000002.3085004771.00007FF780460000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085119453.00007FF78048B000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085187459.00007FF78049E000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085187459.00007FF7804A0000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085260744.00007FF7804A2000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_7ff780460000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: ErrorFileLastMessageModuleName
                                                                                        • String ID: Failed to convert executable path to UTF-8.$Failed to get executable path.$GetModuleFileNameW
                                                                                        • API String ID: 2581892565-1977442011
                                                                                        • Opcode ID: 884470a16d803e703ac994cbfd20ed5309a2f1ef6ebe04e4886aa8d96d26a44e
                                                                                        • Instruction ID: d05b638f6d53f47e340c207277936507089f613402c9fae7dd6130ed20cd8688
                                                                                        • Opcode Fuzzy Hash: 884470a16d803e703ac994cbfd20ed5309a2f1ef6ebe04e4886aa8d96d26a44e
                                                                                        • Instruction Fuzzy Hash: 70015295B5964290FA60B720E8163B59251BF5B7C5FE00436D85D873D2FE2DF149C730
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.3085053479.00007FF780461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF780460000, based on PE: true
                                                                                        • Associated: 00000001.00000002.3085004771.00007FF780460000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085119453.00007FF78048B000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085187459.00007FF78049E000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085187459.00007FF7804A0000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000001.00000002.3085260744.00007FF7804A2000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_7ff780460000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: FileWrite$ConsoleErrorLastOutput
                                                                                        • String ID:
                                                                                        • API String ID: 2718003287-0
                                                                                        • Opcode ID: 363851c63275ea675678f574e082c43441c16a767f927bd16495698a93953cb3
                                                                                        • Instruction ID: 83f904ff689eb5cefd992cd627ff2e37f313b3aef9cd6be54d57fe7a6a124eae
                                                                                        • Opcode Fuzzy Hash: 363851c63275ea675678f574e082c43441c16a767f927bd16495698a93953cb3
                                                                                        • Instruction Fuzzy Hash: 4FD14672B18A84C9E710DF75D4442AC77B1FB46B98BA0423ACE5DA7BD9DE38E406C350
                                                                                        APIs
                                                                                        Similarity
                                                                                        • API ID: LongWindow$DialogInvalidateRect
                                                                                        • String ID:
                                                                                        • API String ID: 1956198572-0
                                                                                        • Opcode ID: f1ca6ea12a98ff4eb48201161cb22c319a647daafa808267472dc2b63104d68a
                                                                                        • Instruction ID: f1c936fd2633c070fb54753da3744c45f2e22edb752d394bc6f24d934fd0a5a3
                                                                                        • Opcode Fuzzy Hash: f1ca6ea12a98ff4eb48201161cb22c319a647daafa808267472dc2b63104d68a
                                                                                        • Instruction Fuzzy Hash: 4B11E965E4864642F754AB79F6442799252FF86B80FE88030DE5D07BDADE2CF4C5C220
                                                                                        APIs
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: _get_daylight$_invalid_parameter_noinfo
                                                                                        • String ID: ?
                                                                                        • API String ID: 1286766494-1684325040
                                                                                        • Opcode ID: bc1407dd43d3122c35a849997b1a72dd434e892508564f3f699446cbaa9e6a51
                                                                                        • Instruction ID: 15f392d39e8346971f8cb6553b39ed9c99189f090f4028659c228ee4c9c63002
                                                                                        • Opcode Fuzzy Hash: bc1407dd43d3122c35a849997b1a72dd434e892508564f3f699446cbaa9e6a51
                                                                                        • Instruction Fuzzy Hash: F3413822A5834242F7A5BB25A40537AE650FB82BA4FA44634EF6C07BE6DE3CF441C710
                                                                                        APIs
                                                                                        • _invalid_parameter_noinfo.LIBCMT ref: 00007FF780479486
                                                                                          • Part of subcall function 00007FF78047ADBC: RtlRestoreThreadPreferredUILanguages.NTDLL(?,?,?,00007FF780483242,?,?,?,00007FF78048327F,?,?,00000000,00007FF780483745,?,?,00000000,00007FF780483677), ref: 00007FF78047ADD2
                                                                                          • Part of subcall function 00007FF78047ADBC: GetLastError.KERNEL32(?,?,?,00007FF780483242,?,?,?,00007FF78048327F,?,?,00000000,00007FF780483745,?,?,00000000,00007FF780483677), ref: 00007FF78047ADDC
                                                                                        • GetModuleFileNameW.KERNEL32(?,?,?,?,?,00007FF78046BF95), ref: 00007FF7804794A4
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: ErrorFileLanguagesLastModuleNamePreferredRestoreThread_invalid_parameter_noinfo
                                                                                        • String ID: C:\Users\user\Desktop\231210-10-Creal-33652f.exe
                                                                                        • API String ID: 2553983749-1526979004
                                                                                        • Opcode ID: 9fa3685a1bd0b725fed1ce90871433d4c2739ea64b9843da9ecd8f260f310b5b
                                                                                        • Instruction ID: 036aab0f20700274692c76efb1c93a01aff9be2f583ae31b7d3e030916dd0d16
                                                                                        • Opcode Fuzzy Hash: 9fa3685a1bd0b725fed1ce90871433d4c2739ea64b9843da9ecd8f260f310b5b
                                                                                        • Instruction Fuzzy Hash: 7E41A032A89B1A89EB55FF21D4440BCB3A5FB86794BA44035E90D43BC6DE3CF895C320
                                                                                        APIs
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: ErrorFileLastWrite
                                                                                        • String ID: U
                                                                                        • API String ID: 442123175-4171548499
                                                                                        • Opcode ID: cd97ba882cf61520808db9468f7ebffeb4fea8ab3a293baa5276c2e7e13191e0
                                                                                        • Instruction ID: 4ca49a3ac8cb85cd8a0a8c4a7c079307db0fc6dc269850754bea9c72c2c76d44
                                                                                        • Opcode Fuzzy Hash: cd97ba882cf61520808db9468f7ebffeb4fea8ab3a293baa5276c2e7e13191e0
                                                                                        • Instruction Fuzzy Hash: 3D41F662728B4585EB20EF25E4443A9B7A0FB89790FD04031EE4D87798DF3DE545C760
                                                                                        APIs
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: CurrentDirectory
                                                                                        • String ID: :
                                                                                        • API String ID: 1611563598-336475711
                                                                                        • Opcode ID: 5320ba42ee2e5215f9da7c10300fe33ece4bb6ef8ac96bbb243d63e0dc82f26d
                                                                                        • Instruction ID: 8aecabbb75b429960740cd90b99b463dce2769ed9193110be0246c84d18892bd
                                                                                        • Opcode Fuzzy Hash: 5320ba42ee2e5215f9da7c10300fe33ece4bb6ef8ac96bbb243d63e0dc82f26d
                                                                                        • Instruction Fuzzy Hash: 1821E322A5868981FB30BB11D40826DB3A1FB8AB84FE24035DA8C477C4DF7CF545C761
                                                                                        APIs
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: Message$ByteCharMultiWide
                                                                                        • String ID: Fatal error detected
                                                                                        • API String ID: 1878133881-4025702859
                                                                                        • Opcode ID: 38ddc9f8031b6d28749fff208fae5418e08c87bb0529f444b5e3f442e23a2439
                                                                                        • Instruction ID: 2fefd0c4e150a0f2f42bd96f8bbd7a8e12eac551568b43c5218e01e070925768
                                                                                        • Opcode Fuzzy Hash: 38ddc9f8031b6d28749fff208fae5418e08c87bb0529f444b5e3f442e23a2439
                                                                                        • Instruction Fuzzy Hash: 2621D6B266CA8691FB20AB10F4506EAB364FF85784FD01135DA5D47BA9DF3CE208C750
                                                                                        APIs
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: Message$ByteCharMultiWide
                                                                                        • String ID: Error detected
                                                                                        • API String ID: 1878133881-3513342764
                                                                                        • Opcode ID: 17a36bc69ed8b46b5b0e6c335e0ee94e3cbae77caabcd9ab1d2acf0b64b24cb0
                                                                                        • Instruction ID: 442059222a39e05022c7e2ec3ef36aeb5ffe6879093e0fcfdfee119cbe47fc72
                                                                                        • Opcode Fuzzy Hash: 17a36bc69ed8b46b5b0e6c335e0ee94e3cbae77caabcd9ab1d2acf0b64b24cb0
                                                                                        • Instruction Fuzzy Hash: 6021D6B266CA8691FB20AB10E4506EAA354FF85784FD01135DA9D47BA5DF3CE204C750
                                                                                        APIs
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: ExceptionFileHeaderRaise
                                                                                        • String ID: csm
                                                                                        • API String ID: 2573137834-1018135373
                                                                                        • Opcode ID: 2743ad350869e21c422f749301da5554f395f0d0fe1937856bf46b82881aa8c6
                                                                                        • Instruction ID: 1f603a56cc6c0b2b1a4cf92cd7d9d59265c043859673e532f96e3461386ee368
                                                                                        • Opcode Fuzzy Hash: 2743ad350869e21c422f749301da5554f395f0d0fe1937856bf46b82881aa8c6
                                                                                        • Instruction Fuzzy Hash: 78116036618B4582EB609F15F440259BBE0FB89B84FA84230DECC07BA9EF3DD551C710
                                                                                        APIs
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: DriveType_invalid_parameter_noinfo
                                                                                        • String ID: :
                                                                                        • API String ID: 2595371189-336475711
                                                                                        • Opcode ID: 5067e1b2263128f29cfa21414fa1e963a58bf13dbeb460b59c80c356ce3c83bf
                                                                                        • Instruction ID: af9ebb826729e932d4da8a43b8aee91b602116b72a06d02e077597ebab5de932
                                                                                        • Opcode Fuzzy Hash: 5067e1b2263128f29cfa21414fa1e963a58bf13dbeb460b59c80c356ce3c83bf
                                                                                        • Instruction Fuzzy Hash: E3018F6196C20686FB61BF61946627EA3A0FF46704FE00435D94D477D2DF6CF544CA24

                                                                                        Execution Graph

                                                                                        Execution Coverage:1.4%
                                                                                        Dynamic/Decrypted Code Coverage:0%
                                                                                        Signature Coverage:16.4%
                                                                                        Total number of Nodes:543
                                                                                        Total number of Limit Nodes:68

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091953967.00007FFDFAF31000.00000020.00000001.01000000.00000016.sdmp, Offset: 00007FFDFAF30000, based on PE: true
                                                                                        • Associated: 00000002.00000002.3091916599.00007FFDFAF30000.00000002.00000001.01000000.00000016.sdmp
                                                                                        • Associated: 00000002.00000002.3091953967.00007FFDFAFA3000.00000020.00000001.01000000.00000016.sdmp
                                                                                        • Associated: 00000002.00000002.3092087856.00007FFDFAFA6000.00000002.00000001.01000000.00000016.sdmp
                                                                                        • Associated: 00000002.00000002.3092134766.00007FFDFAFC9000.00000004.00000001.01000000.00000016.sdmp
                                                                                        • Associated: 00000002.00000002.3092172130.00007FFDFAFCE000.00000002.00000001.01000000.00000016.sdmp
                                                                                        • Associated: 00000002.00000002.3092172130.00007FFDFAFD4000.00000002.00000001.01000000.00000016.sdmp
                                                                                        • Associated: 00000002.00000002.3092172130.00007FFDFAFDB000.00000002.00000001.01000000.00000016.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ffdfaf30000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: O_free$L_sk_pop_free$L_sk_free$M_freeO_free_allX_free$D_lock_freeO_free_ex_dataO_popT_freeX509_X509_free
                                                                                        • String ID: ..\s\ssl\ssl_lib.c
                                                                                        • API String ID: 1751156600-1080266419
                                                                                        • Opcode ID: 66effeca4af8bc309c9fa7ba4f70d266762fb6157de4aff1ce2c5e9746c60f99
                                                                                        • Instruction ID: 1b9d61dd5e9101c55687898645aabf6564df7db5c418a32e5ae09a8c61063d35
                                                                                        • Opcode Fuzzy Hash: 66effeca4af8bc309c9fa7ba4f70d266762fb6157de4aff1ce2c5e9746c60f99
                                                                                        • Instruction Fuzzy Hash: B781E265B1864780EB48AF21C861BB82321EF84BACF1452B2FE5D4F2DEDE6CE545C750

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091953967.00007FFDFAF31000.00000020.00000001.01000000.00000016.sdmp, Offset: 00007FFDFAF30000, based on PE: true
                                                                                        • Associated: 00000002.00000002.3091916599.00007FFDFAF30000.00000002.00000001.01000000.00000016.sdmp
                                                                                        • Associated: 00000002.00000002.3091953967.00007FFDFAFA3000.00000020.00000001.01000000.00000016.sdmp
                                                                                        • Associated: 00000002.00000002.3092087856.00007FFDFAFA6000.00000002.00000001.01000000.00000016.sdmp
                                                                                        • Associated: 00000002.00000002.3092134766.00007FFDFAFC9000.00000004.00000001.01000000.00000016.sdmp
                                                                                        • Associated: 00000002.00000002.3092172130.00007FFDFAFCE000.00000002.00000001.01000000.00000016.sdmp
                                                                                        • Associated: 00000002.00000002.3092172130.00007FFDFAFD4000.00000002.00000001.01000000.00000016.sdmp
                                                                                        • Associated: 00000002.00000002.3092172130.00007FFDFAFDB000.00000002.00000001.01000000.00000016.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ffdfaf30000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: O_free$L_sk_free$L_sk_pop_free$E_free$D_lock_freeE_finishH_freeO_free_ex_dataO_secure_freeX509_
                                                                                        • String ID: ..\s\ssl\ssl_lib.c
                                                                                        • API String ID: 4271332762-1080266419
                                                                                        • Opcode ID: 4229b67528dd6073842fc3be38c5445f3dd18c07764e2f1eaaf0ba2b8f8282d9
                                                                                        • Instruction ID: 2caa3339038355aa8e4b9e891cec632bc1444d28682e275215a6a48a8564e7b7
                                                                                        • Opcode Fuzzy Hash: 4229b67528dd6073842fc3be38c5445f3dd18c07764e2f1eaaf0ba2b8f8282d9
                                                                                        • Instruction Fuzzy Hash: 1D41C161B1864280FB58AB35D861BF81321EF89BACF1442B1FD2D4F2DEDE68E545C350

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091953967.00007FFDFAF31000.00000020.00000001.01000000.00000016.sdmp, Offset: 00007FFDFAF30000, based on PE: true
                                                                                        • Associated: 00000002.00000002.3091916599.00007FFDFAF30000.00000002.00000001.01000000.00000016.sdmp
                                                                                        • Associated: 00000002.00000002.3091953967.00007FFDFAFA3000.00000020.00000001.01000000.00000016.sdmp
                                                                                        • Associated: 00000002.00000002.3092087856.00007FFDFAFA6000.00000002.00000001.01000000.00000016.sdmp
                                                                                        • Associated: 00000002.00000002.3092134766.00007FFDFAFC9000.00000004.00000001.01000000.00000016.sdmp
                                                                                        • Associated: 00000002.00000002.3092172130.00007FFDFAFCE000.00000002.00000001.01000000.00000016.sdmp
                                                                                        • Associated: 00000002.00000002.3092172130.00007FFDFAFD4000.00000002.00000001.01000000.00000016.sdmp
                                                                                        • Associated: 00000002.00000002.3092172130.00007FFDFAFDB000.00000002.00000001.01000000.00000016.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ffdfaf30000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: L_sk_new_nullL_sk_pop_freeX509X509_freed2i_
                                                                                        • String ID: ..\s\ssl\statem\statem_clnt.c
                                                                                        • API String ID: 1068509327-1507966698
                                                                                        • Opcode ID: 868516490e95769e0788fa70a196ffa069195a7dcaf6ecd55dd26213b306ddab
                                                                                        • Instruction ID: 7b78fa20f7e6fb6b9190d6c7d275815782bd6bdf6c584c0dcc540a9b652d55a9
                                                                                        • Opcode Fuzzy Hash: 868516490e95769e0788fa70a196ffa069195a7dcaf6ecd55dd26213b306ddab
                                                                                        • Instruction Fuzzy Hash: 08E1A332B0868186E7249B15E860BA97791EF44BA8F144276FEAD4FBC9DF3CD591C700

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091953967.00007FFDFAF31000.00000020.00000001.01000000.00000016.sdmp, Offset: 00007FFDFAF30000, based on PE: true
                                                                                        • Associated: 00000002.00000002.3091916599.00007FFDFAF30000.00000002.00000001.01000000.00000016.sdmp
                                                                                        • Associated: 00000002.00000002.3091953967.00007FFDFAFA3000.00000020.00000001.01000000.00000016.sdmp
                                                                                        • Associated: 00000002.00000002.3092087856.00007FFDFAFA6000.00000002.00000001.01000000.00000016.sdmp
                                                                                        • Associated: 00000002.00000002.3092134766.00007FFDFAFC9000.00000004.00000001.01000000.00000016.sdmp
                                                                                        • Associated: 00000002.00000002.3092172130.00007FFDFAFCE000.00000002.00000001.01000000.00000016.sdmp
                                                                                        • Associated: 00000002.00000002.3092172130.00007FFDFAFD4000.00000002.00000001.01000000.00000016.sdmp
                                                                                        • Associated: 00000002.00000002.3092172130.00007FFDFAFDB000.00000002.00000001.01000000.00000016.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ffdfaf30000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: O_free$O_clear_free$Y_free$L_sk_pop_freeX_free
                                                                                        • String ID: ..\s\ssl\s3_lib.c
                                                                                        • API String ID: 3200038428-4238427508
                                                                                        • Opcode ID: 294818e364efe624e0db6ca17f54369707037d20baed8c3b97bd75ce40d36a7b
                                                                                        • Instruction ID: b00cb1e5d04f59d8444ac151649be07666bccc937e25cef2ada65c981d47f089
                                                                                        • Opcode Fuzzy Hash: 294818e364efe624e0db6ca17f54369707037d20baed8c3b97bd75ce40d36a7b
                                                                                        • Instruction Fuzzy Hash: BE416E31B0568794EB44EF16D8A4BE82321EF85F9CF144272EE5D4F3A9CE39D54A8310
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091953967.00007FFDFAF31000.00000020.00000001.01000000.00000016.sdmp, Offset: 00007FFDFAF30000, based on PE: true
                                                                                        • Associated: 00000002.00000002.3091916599.00007FFDFAF30000.00000002.00000001.01000000.00000016.sdmp
                                                                                        • Associated: 00000002.00000002.3091953967.00007FFDFAFA3000.00000020.00000001.01000000.00000016.sdmp
                                                                                        • Associated: 00000002.00000002.3092087856.00007FFDFAFA6000.00000002.00000001.01000000.00000016.sdmp
                                                                                        • Associated: 00000002.00000002.3092134766.00007FFDFAFC9000.00000004.00000001.01000000.00000016.sdmp
                                                                                        • Associated: 00000002.00000002.3092172130.00007FFDFAFCE000.00000002.00000001.01000000.00000016.sdmp
                                                                                        • Associated: 00000002.00000002.3092172130.00007FFDFAFD4000.00000002.00000001.01000000.00000016.sdmp
                                                                                        • Associated: 00000002.00000002.3092172130.00007FFDFAFDB000.00000002.00000001.01000000.00000016.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ffdfaf30000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: X_md$D_sizeR_flagsX_cipherX_iv_lengthmemset
                                                                                        • String ID: ..\s\ssl\record\rec_layer_s3.c$U
                                                                                        • API String ID: 1973736355-793286794
                                                                                        • Opcode ID: 13e838a1fedfadcda5e305d49063177028b3a8f834937c0215118e3ddde47129
                                                                                        • Instruction ID: 6a47ad99ebb559cc80615a2efddde23bd9b0a126b68b954d64ef3830f0808fd5
                                                                                        • Opcode Fuzzy Hash: 13e838a1fedfadcda5e305d49063177028b3a8f834937c0215118e3ddde47129
                                                                                        • Instruction Fuzzy Hash: 4D727E22B0874685EB689A25D470BBD67A0FF44BA8F5442B5EE9D4B7CCDF38E581C700

                                                                                        Control-flow Graph

                                                                                        • Executed
                                                                                        • Not Executed
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091611462.00007FFDFADC1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFDFADC0000, based on PE: true
                                                                                        • Associated: 00000002.00000002.3091572709.00007FFDFADC0000.00000002.00000001.01000000.0000001A.sdmp
                                                                                        • Associated: 00000002.00000002.3091796977.00007FFDFAEE8000.00000002.00000001.01000000.0000001A.sdmp
                                                                                        • Associated: 00000002.00000002.3091842538.00007FFDFAF15000.00000004.00000001.01000000.0000001A.sdmp
                                                                                        • Associated: 00000002.00000002.3091876793.00007FFDFAF1A000.00000002.00000001.01000000.0000001A.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ffdfadc0000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: memcpy$memset
                                                                                        • String ID: database schema is locked: %s$out of memory$statement too long
                                                                                        • API String ID: 438689982-1046679716
                                                                                        • Opcode ID: dc2c9f4b53b71ecb6b2b67f22703fcd1e9056f372b51521d86d73d78d5e95529
                                                                                        • Instruction ID: 5afa2c26f898bb26aa421b61428cbb2170bbb37c5a7f2cb2f2e2faae1e1754c1
                                                                                        • Opcode Fuzzy Hash: dc2c9f4b53b71ecb6b2b67f22703fcd1e9056f372b51521d86d73d78d5e95529
                                                                                        • Instruction Fuzzy Hash: D4F19422B0878285FB28AB25D460BBA6BA0FF45B44F054175DEAE0B6D9DF7DE4808700
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091953967.00007FFDFAF31000.00000020.00000001.01000000.00000016.sdmp, Offset: 00007FFDFAF30000, based on PE: true
                                                                                        • Associated: 00000002.00000002.3091916599.00007FFDFAF30000.00000002.00000001.01000000.00000016.sdmp
                                                                                        • Associated: 00000002.00000002.3091953967.00007FFDFAFA3000.00000020.00000001.01000000.00000016.sdmp
                                                                                        • Associated: 00000002.00000002.3092087856.00007FFDFAFA6000.00000002.00000001.01000000.00000016.sdmp
                                                                                        • Associated: 00000002.00000002.3092134766.00007FFDFAFC9000.00000004.00000001.01000000.00000016.sdmp
                                                                                        • Associated: 00000002.00000002.3092172130.00007FFDFAFCE000.00000002.00000001.01000000.00000016.sdmp
                                                                                        • Associated: 00000002.00000002.3092172130.00007FFDFAFD4000.00000002.00000001.01000000.00000016.sdmp
                                                                                        • Associated: 00000002.00000002.3092172130.00007FFDFAFDB000.00000002.00000001.01000000.00000016.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ffdfaf30000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: D_run_once$R_put_error
                                                                                        • String ID: ..\s\ssl\ssl_init.c
                                                                                        • API String ID: 511881677-1166085723
                                                                                        • Opcode ID: 1bca9e55bd04cdeeae422c06fdc6cc5753a75a716b466175590d89777040c048
                                                                                        • Instruction ID: 15a5eedb91f12c47c83b216768e09302811b320aa0f5eddc7bae8eb2a4cb747b
                                                                                        • Opcode Fuzzy Hash: 1bca9e55bd04cdeeae422c06fdc6cc5753a75a716b466175590d89777040c048
                                                                                        • Instruction Fuzzy Hash: 9B213221B1C2034BFB1D8719E970AB96391AF843A8F4947B5F92D4F1DDDE3CEA418610
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091953967.00007FFDFAF31000.00000020.00000001.01000000.00000016.sdmp, Offset: 00007FFDFAF30000, based on PE: true
                                                                                        • Associated: 00000002.00000002.3091916599.00007FFDFAF30000.00000002.00000001.01000000.00000016.sdmp
                                                                                        • Associated: 00000002.00000002.3091953967.00007FFDFAFA3000.00000020.00000001.01000000.00000016.sdmp
                                                                                        • Associated: 00000002.00000002.3092087856.00007FFDFAFA6000.00000002.00000001.01000000.00000016.sdmp
                                                                                        • Associated: 00000002.00000002.3092134766.00007FFDFAFC9000.00000004.00000001.01000000.00000016.sdmp
                                                                                        • Associated: 00000002.00000002.3092172130.00007FFDFAFCE000.00000002.00000001.01000000.00000016.sdmp
                                                                                        • Associated: 00000002.00000002.3092172130.00007FFDFAFD4000.00000002.00000001.01000000.00000016.sdmp
                                                                                        • Associated: 00000002.00000002.3092172130.00007FFDFAFDB000.00000002.00000001.01000000.00000016.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ffdfaf30000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: O_malloc$O_free
                                                                                        • String ID: ..\s\ssl\record\ssl3_buffer.c
                                                                                        • API String ID: 2640950527-837614940
                                                                                        • Opcode ID: f1b77ace9d9dd82af41e0db575673082139ea61af12e4d7c2110246f9413e625
                                                                                        • Instruction ID: b9159654ffe47e7672040ccf2917e299da7df17ac8d91c3d824c12e8ac3d9fe7
                                                                                        • Opcode Fuzzy Hash: f1b77ace9d9dd82af41e0db575673082139ea61af12e4d7c2110246f9413e625
                                                                                        • Instruction Fuzzy Hash: 2D419C72B09B8186FB249B21D9507A962E0FF44BA8F0442B4EE9D4BBC9CF3CD5918744
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091611462.00007FFDFADC1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFDFADC0000, based on PE: true
                                                                                        • Associated: 00000002.00000002.3091572709.00007FFDFADC0000.00000002.00000001.01000000.0000001A.sdmp
                                                                                        • Associated: 00000002.00000002.3091796977.00007FFDFAEE8000.00000002.00000001.01000000.0000001A.sdmp
                                                                                        • Associated: 00000002.00000002.3091842538.00007FFDFAF15000.00000004.00000001.01000000.0000001A.sdmp
                                                                                        • Associated: 00000002.00000002.3091876793.00007FFDFAF1A000.00000002.00000001.01000000.0000001A.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ffdfadc0000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: memcpystrcmp
                                                                                        • String ID: :memory:
                                                                                        • API String ID: 4075415522-2920599690
                                                                                        • Opcode ID: 5cfa9b87bf22c0b71d83b990a23c3283cccc8473c49670050d3fe6a80dec848e
                                                                                        • Instruction ID: 66c22da427f9794ea153ebe28da6f4e79deabb8bdd6f77be0b8a17615c06cf4d
                                                                                        • Opcode Fuzzy Hash: 5cfa9b87bf22c0b71d83b990a23c3283cccc8473c49670050d3fe6a80dec848e
                                                                                        • Instruction Fuzzy Hash: 0642A322B4D78286EB688F2598A0B7927B0FF95B54F044275DA6E477D8EF3CE844C740
                                                                                        APIs
                                                                                        • GetSystemInfo.KERNEL32(?,?,?,?,00007FFDFAE7890C,?,?,?,?,00007FFDFADC85DD,?,?,?,?,00007FFDFADF4567), ref: 00007FFDFADCF848
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091611462.00007FFDFADC1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFDFADC0000, based on PE: true
                                                                                        • Associated: 00000002.00000002.3091572709.00007FFDFADC0000.00000002.00000001.01000000.0000001A.sdmp
                                                                                        • Associated: 00000002.00000002.3091796977.00007FFDFAEE8000.00000002.00000001.01000000.0000001A.sdmp
                                                                                        • Associated: 00000002.00000002.3091842538.00007FFDFAF15000.00000004.00000001.01000000.0000001A.sdmp
                                                                                        • Associated: 00000002.00000002.3091876793.00007FFDFAF1A000.00000002.00000001.01000000.0000001A.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ffdfadc0000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: InfoSystem
                                                                                        • String ID:
                                                                                        • API String ID: 31276548-0
                                                                                        • Opcode ID: 75f1db212b269ba8466c8530d3d4b3f45e34fba6d528fb4c6e7acba09ac25192
                                                                                        • Instruction ID: d93b0899db879570607874e891ec8950b2603979922ea381a790b1fd92bdb1d2
                                                                                        • Opcode Fuzzy Hash: 75f1db212b269ba8466c8530d3d4b3f45e34fba6d528fb4c6e7acba09ac25192
                                                                                        • Instruction Fuzzy Hash: 5DA15621B09B43A1FF5C8B41AC70AB822B4FF48B54F9506B5D92E4B3E8EF2CE5458350

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091953967.00007FFDFAF31000.00000020.00000001.01000000.00000016.sdmp, Offset: 00007FFDFAF30000, based on PE: true
                                                                                        • Associated: 00000002.00000002.3091916599.00007FFDFAF30000.00000002.00000001.01000000.00000016.sdmp
                                                                                        • Associated: 00000002.00000002.3091953967.00007FFDFAFA3000.00000020.00000001.01000000.00000016.sdmp
                                                                                        • Associated: 00000002.00000002.3092087856.00007FFDFAFA6000.00000002.00000001.01000000.00000016.sdmp
                                                                                        • Associated: 00000002.00000002.3092134766.00007FFDFAFC9000.00000004.00000001.01000000.00000016.sdmp
                                                                                        • Associated: 00000002.00000002.3092172130.00007FFDFAFCE000.00000002.00000001.01000000.00000016.sdmp
                                                                                        • Associated: 00000002.00000002.3092172130.00007FFDFAFD4000.00000002.00000001.01000000.00000016.sdmp
                                                                                        • Associated: 00000002.00000002.3092172130.00007FFDFAFDB000.00000002.00000001.01000000.00000016.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ffdfaf30000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: X_ctrl$R_flagsX_cipher$O_test_flags
                                                                                        • String ID: ..\s\ssl\record\rec_layer_s3.c
                                                                                        • API String ID: 307562122-2209325370
                                                                                        • Opcode ID: 90755eefb288737f54214bc6ac1bf5c7d7980956b94152ac84f1c32af5ddc3b4
                                                                                        • Instruction ID: 7e47a404fdff76d38ca57d2fb4f897700381ad534e7173486e3628b72d90b9c7
                                                                                        • Opcode Fuzzy Hash: 90755eefb288737f54214bc6ac1bf5c7d7980956b94152ac84f1c32af5ddc3b4
                                                                                        • Instruction Fuzzy Hash: B002A022B0978285EB588F65D420BB927A4FF40BA8F1846B5EE5D4B7DDDF78E485C300

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091953967.00007FFDFAF31000.00000020.00000001.01000000.00000016.sdmp, Offset: 00007FFDFAF30000, based on PE: true
                                                                                        • Associated: 00000002.00000002.3091916599.00007FFDFAF30000.00000002.00000001.01000000.00000016.sdmp
                                                                                        • Associated: 00000002.00000002.3091953967.00007FFDFAFA3000.00000020.00000001.01000000.00000016.sdmp
                                                                                        • Associated: 00000002.00000002.3092087856.00007FFDFAFA6000.00000002.00000001.01000000.00000016.sdmp
                                                                                        • Associated: 00000002.00000002.3092134766.00007FFDFAFC9000.00000004.00000001.01000000.00000016.sdmp
                                                                                        • Associated: 00000002.00000002.3092172130.00007FFDFAFCE000.00000002.00000001.01000000.00000016.sdmp
                                                                                        • Associated: 00000002.00000002.3092172130.00007FFDFAFD4000.00000002.00000001.01000000.00000016.sdmp
                                                                                        • Associated: 00000002.00000002.3092172130.00007FFDFAFDB000.00000002.00000001.01000000.00000016.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ffdfaf30000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: R_put_error$ErrorLastM_freeM_growR_clear_error
                                                                                        • String ID: ..\s\ssl\statem\statem.c
                                                                                        • API String ID: 2562538362-2512360314
                                                                                        • Opcode ID: 74aed97eb6ed51bbc3e8b4852e612b17663dd049e2952ec33d8a97f7a39d9bc2
                                                                                        • Instruction ID: f139ef1b40e37a40416f17ebedbd4bd15f967cd0f5b2ac40022811c5e72759aa
                                                                                        • Opcode Fuzzy Hash: 74aed97eb6ed51bbc3e8b4852e612b17663dd049e2952ec33d8a97f7a39d9bc2
                                                                                        • Instruction Fuzzy Hash: 32B16672B0824286FFA89F15E460B7936A1EF40B68F1442B5EA5C4E6DDDF3DE885C701

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091611462.00007FFDFADC1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFDFADC0000, based on PE: true
                                                                                        • Associated: 00000002.00000002.3091572709.00007FFDFADC0000.00000002.00000001.01000000.0000001A.sdmp
                                                                                        • Associated: 00000002.00000002.3091796977.00007FFDFAEE8000.00000002.00000001.01000000.0000001A.sdmp
                                                                                        • Associated: 00000002.00000002.3091842538.00007FFDFAF15000.00000004.00000001.01000000.0000001A.sdmp
                                                                                        • Associated: 00000002.00000002.3091876793.00007FFDFAF1A000.00000002.00000001.01000000.0000001A.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ffdfadc0000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: memcpy$memset
                                                                                        • String ID: -journal$immutable$nolock
                                                                                        • API String ID: 438689982-4201244970
                                                                                        • Opcode ID: 0ab6c9b58668e852555d603f0925113aaf625630ebd3e1bbbf2ca3e2b323c2c4
                                                                                        • Instruction ID: b94b4a490f99c17b23148a057e160b8b4a0d882013bf120898a42ec106ea1659
                                                                                        • Opcode Fuzzy Hash: 0ab6c9b58668e852555d603f0925113aaf625630ebd3e1bbbf2ca3e2b323c2c4
                                                                                        • Instruction Fuzzy Hash: EC32B262B0978286EB698F25D860B7937A5FF44BA4F4442B4DA6E077D8EF3CE455C300

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091611462.00007FFDFADC1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFDFADC0000, based on PE: true
                                                                                        • Associated: 00000002.00000002.3091572709.00007FFDFADC0000.00000002.00000001.01000000.0000001A.sdmp
                                                                                        • Associated: 00000002.00000002.3091796977.00007FFDFAEE8000.00000002.00000001.01000000.0000001A.sdmp
                                                                                        • Associated: 00000002.00000002.3091842538.00007FFDFAF15000.00000004.00000001.01000000.0000001A.sdmp
                                                                                        • Associated: 00000002.00000002.3091876793.00007FFDFAF1A000.00000002.00000001.01000000.0000001A.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ffdfadc0000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: memcpy
                                                                                        • String ID: CREATE TABLE x(type text,name text,tbl_name text,rootpage int,sql text)$SELECT*FROM"%w".%s ORDER BY rowid$ase$sqlite_master$sqlite_temp_master$table
                                                                                        • API String ID: 3510742995-879093740
                                                                                        • Opcode ID: 516ce45246d5942d30bdf2ee32ea86cf6b6ecf4c4c028c056249a3fb30f35a52
                                                                                        • Instruction ID: 153b1fbcc56e9c97493405c91afbdb669f1ccc6dbfacb9c20a929b9595f4f862
                                                                                        • Opcode Fuzzy Hash: 516ce45246d5942d30bdf2ee32ea86cf6b6ecf4c4c028c056249a3fb30f35a52
                                                                                        • Instruction Fuzzy Hash: D5E1CE22F0879286EB18EB258460ABC3BE5FB44758F0542B5CEAE177D9DF39E491C340

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091611462.00007FFDFADC1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFDFADC0000, based on PE: true
                                                                                        • Associated: 00000002.00000002.3091572709.00007FFDFADC0000.00000002.00000001.01000000.0000001A.sdmp
                                                                                        • Associated: 00000002.00000002.3091796977.00007FFDFAEE8000.00000002.00000001.01000000.0000001A.sdmp
                                                                                        • Associated: 00000002.00000002.3091842538.00007FFDFAF15000.00000004.00000001.01000000.0000001A.sdmp
                                                                                        • Associated: 00000002.00000002.3091876793.00007FFDFAF1A000.00000002.00000001.01000000.0000001A.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ffdfadc0000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: memcpy$FileReadmemset
                                                                                        • String ID: delayed %dms for lock/sharing conflict at line %d$winRead
                                                                                        • API String ID: 2051157613-1843600136
                                                                                        • Opcode ID: c42462ee678e96c825723e9381acb87a1b22cd2c90639cf46ca189585d33ef91
                                                                                        • Instruction ID: 908db153ed6547c0db18003edbfb47d065d45047548a3cd7db55d5ff545429f5
                                                                                        • Opcode Fuzzy Hash: c42462ee678e96c825723e9381acb87a1b22cd2c90639cf46ca189585d33ef91
                                                                                        • Instruction Fuzzy Hash: 36411532B08A0251E3189F15E850DA9B7A5FF44BC0F860172EB6E477D8EF3CE8468740

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091611462.00007FFDFADC1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFDFADC0000, based on PE: true
                                                                                        • Associated: 00000002.00000002.3091572709.00007FFDFADC0000.00000002.00000001.01000000.0000001A.sdmp
                                                                                        • Associated: 00000002.00000002.3091796977.00007FFDFAEE8000.00000002.00000001.01000000.0000001A.sdmp
                                                                                        • Associated: 00000002.00000002.3091842538.00007FFDFAF15000.00000004.00000001.01000000.0000001A.sdmp
                                                                                        • Associated: 00000002.00000002.3091876793.00007FFDFAF1A000.00000002.00000001.01000000.0000001A.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ffdfadc0000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: memset$CreateFile
                                                                                        • String ID: delayed %dms for lock/sharing conflict at line %d$exclusive$psow$winOpen
                                                                                        • API String ID: 333288564-3829269058
                                                                                        • Opcode ID: 1cbe12d56cef0f119561059075aa3d753634518a2eae817565c62add8e6b7c00
                                                                                        • Instruction ID: 724b4c98336a8230ee1529cd0c4d75e98172a76a1f213f21e761dd401b00e163
                                                                                        • Opcode Fuzzy Hash: 1cbe12d56cef0f119561059075aa3d753634518a2eae817565c62add8e6b7c00
                                                                                        • Instruction Fuzzy Hash: ED02E261B0D78286FB5C8B11E8A0A7973A4FF84B64F4502B5ED6E576E8EF3CE4408700

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091953967.00007FFDFAF31000.00000020.00000001.01000000.00000016.sdmp, Offset: 00007FFDFAF30000, based on PE: true
                                                                                        • Associated: 00000002.00000002.3091916599.00007FFDFAF30000.00000002.00000001.01000000.00000016.sdmp
                                                                                        • Associated: 00000002.00000002.3091953967.00007FFDFAFA3000.00000020.00000001.01000000.00000016.sdmp
                                                                                        • Associated: 00000002.00000002.3092087856.00007FFDFAFA6000.00000002.00000001.01000000.00000016.sdmp
                                                                                        • Associated: 00000002.00000002.3092134766.00007FFDFAFC9000.00000004.00000001.01000000.00000016.sdmp
                                                                                        • Associated: 00000002.00000002.3092172130.00007FFDFAFCE000.00000002.00000001.01000000.00000016.sdmp
                                                                                        • Associated: 00000002.00000002.3092172130.00007FFDFAFD4000.00000002.00000001.01000000.00000016.sdmp
                                                                                        • Associated: 00000002.00000002.3092172130.00007FFDFAFDB000.00000002.00000001.01000000.00000016.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ffdfaf30000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: memcpy$ErrorLastO_read
                                                                                        • String ID: ..\s\ssl\record\rec_layer_s3.c
                                                                                        • API String ID: 1958097105-2209325370
                                                                                        • Opcode ID: a0ad00169d8610e4f6a8572f508db620e7534931c9619d3e0bdf9395d606371b
                                                                                        • Instruction ID: d4ced726941abdc2eaf4c72ee9a9370a03560f551b4a4e4f5ee25beccf007bb0
                                                                                        • Opcode Fuzzy Hash: a0ad00169d8610e4f6a8572f508db620e7534931c9619d3e0bdf9395d606371b
                                                                                        • Instruction Fuzzy Hash: 98818171B0978186FB549E61D4647A962A0FF40FA8F1886B5EE6C0B7CCDF38D486C340

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091953967.00007FFDFAF31000.00000020.00000001.01000000.00000016.sdmp, Offset: 00007FFDFAF30000, based on PE: true
                                                                                        • Associated: 00000002.00000002.3091916599.00007FFDFAF30000.00000002.00000001.01000000.00000016.sdmp
                                                                                        • Associated: 00000002.00000002.3091953967.00007FFDFAFA3000.00000020.00000001.01000000.00000016.sdmp
                                                                                        • Associated: 00000002.00000002.3092087856.00007FFDFAFA6000.00000002.00000001.01000000.00000016.sdmp
                                                                                        • Associated: 00000002.00000002.3092134766.00007FFDFAFC9000.00000004.00000001.01000000.00000016.sdmp
                                                                                        • Associated: 00000002.00000002.3092172130.00007FFDFAFCE000.00000002.00000001.01000000.00000016.sdmp
                                                                                        • Associated: 00000002.00000002.3092172130.00007FFDFAFD4000.00000002.00000001.01000000.00000016.sdmp
                                                                                        • Associated: 00000002.00000002.3092172130.00007FFDFAFDB000.00000002.00000001.01000000.00000016.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ffdfaf30000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: R_put_error
                                                                                        • String ID: ..\s\ssl\ssl_lib.c
                                                                                        • API String ID: 1767461275-1080266419
                                                                                        • Opcode ID: 4631420c3dc9954702de5197bb381589f1dd3fe6c05f3d2ff672c28d7b1c86c1
                                                                                        • Instruction ID: cac86674f446e6178922cfa184b9c610695314eb5f4de2929d8e9bff466f66a6
                                                                                        • Opcode Fuzzy Hash: 4631420c3dc9954702de5197bb381589f1dd3fe6c05f3d2ff672c28d7b1c86c1
                                                                                        • Instruction Fuzzy Hash: 12317F31B0C6428AE7189B15E414BA97360EF84BA8F2443B6FA6D4B7D9CF3DE445C710
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091953967.00007FFDFAF31000.00000020.00000001.01000000.00000016.sdmp, Offset: 00007FFDFAF30000, based on PE: true
                                                                                        • Associated: 00000002.00000002.3091916599.00007FFDFAF30000.00000002.00000001.01000000.00000016.sdmp
                                                                                        • Associated: 00000002.00000002.3091953967.00007FFDFAFA3000.00000020.00000001.01000000.00000016.sdmp
                                                                                        • Associated: 00000002.00000002.3092087856.00007FFDFAFA6000.00000002.00000001.01000000.00000016.sdmp
                                                                                        • Associated: 00000002.00000002.3092134766.00007FFDFAFC9000.00000004.00000001.01000000.00000016.sdmp
                                                                                        • Associated: 00000002.00000002.3092172130.00007FFDFAFCE000.00000002.00000001.01000000.00000016.sdmp
                                                                                        • Associated: 00000002.00000002.3092172130.00007FFDFAFD4000.00000002.00000001.01000000.00000016.sdmp
                                                                                        • Associated: 00000002.00000002.3092172130.00007FFDFAFDB000.00000002.00000001.01000000.00000016.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ffdfaf30000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: ..\s\ssl\statem\statem.c
                                                                                        • API String ID: 0-2512360314
                                                                                        • Opcode ID: fb66d44e37301280235bd46d38aac8bf1c4ed33a725bc277046205dab9185611
                                                                                        • Instruction ID: 900905c5eebdf7f37d0e4389faa1932ccd3e6fb5e4c4af857d1a43c398f2d946
                                                                                        • Opcode Fuzzy Hash: fb66d44e37301280235bd46d38aac8bf1c4ed33a725bc277046205dab9185611
                                                                                        • Instruction Fuzzy Hash: 60A1BF32B0868281EFA88F25E464B7927A0EF44B68F4442B5EA6D4B7DDCF3DD485C700
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091953967.00007FFDFAF31000.00000020.00000001.01000000.00000016.sdmp, Offset: 00007FFDFAF30000, based on PE: true
                                                                                        • Associated: 00000002.00000002.3091916599.00007FFDFAF30000.00000002.00000001.01000000.00000016.sdmp
                                                                                        • Associated: 00000002.00000002.3091953967.00007FFDFAFA3000.00000020.00000001.01000000.00000016.sdmp
                                                                                        • Associated: 00000002.00000002.3092087856.00007FFDFAFA6000.00000002.00000001.01000000.00000016.sdmp
                                                                                        • Associated: 00000002.00000002.3092134766.00007FFDFAFC9000.00000004.00000001.01000000.00000016.sdmp
                                                                                        • Associated: 00000002.00000002.3092172130.00007FFDFAFCE000.00000002.00000001.01000000.00000016.sdmp
                                                                                        • Associated: 00000002.00000002.3092172130.00007FFDFAFD4000.00000002.00000001.01000000.00000016.sdmp
                                                                                        • Associated: 00000002.00000002.3092172130.00007FFDFAFDB000.00000002.00000001.01000000.00000016.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ffdfaf30000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: R_put_error
                                                                                        • String ID: ..\s\ssl\ssl_lib.c
                                                                                        • API String ID: 1767461275-1080266419
                                                                                        • Opcode ID: 476e6c8ea6d19319fa02b3d30600d231bb7aa5fe37639d274de62f31573b31cb
                                                                                        • Instruction ID: 52dd539ea6e355cebc867576ba73f0838494868430745a81063a9936a98c01f4
                                                                                        • Opcode Fuzzy Hash: 476e6c8ea6d19319fa02b3d30600d231bb7aa5fe37639d274de62f31573b31cb
                                                                                        • Instruction Fuzzy Hash: 4D317C31B0C64189E7288B15E554AA97760FF85BA4F1406B6FAAE8B7E9CF3CE451C700
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091611462.00007FFDFADC1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFDFADC0000, based on PE: true
                                                                                        • Associated: 00000002.00000002.3091572709.00007FFDFADC0000.00000002.00000001.01000000.0000001A.sdmp
                                                                                        • Associated: 00000002.00000002.3091796977.00007FFDFAEE8000.00000002.00000001.01000000.0000001A.sdmp
                                                                                        • Associated: 00000002.00000002.3091842538.00007FFDFAF15000.00000004.00000001.01000000.0000001A.sdmp
                                                                                        • Associated: 00000002.00000002.3091876793.00007FFDFAF1A000.00000002.00000001.01000000.0000001A.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ffdfadc0000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: %s at line %d of [%.10s]$a29f9949895322123f7c38fbe94c649a9d6e6c9cd0c3b41c96d694552f26b309$database corruption
                                                                                        • API String ID: 0-481979681
                                                                                        • Opcode ID: 1eedd298c97080c16f1be0e5adbc717ca0ae1a2951dbec36216f3e95c1df864e
                                                                                        • Instruction ID: f5b51c370cd75ed5d7d53a396d8233be2361bcf8cabeaec477449fec1e40ca2e
                                                                                        • Opcode Fuzzy Hash: 1eedd298c97080c16f1be0e5adbc717ca0ae1a2951dbec36216f3e95c1df864e
                                                                                        • Instruction Fuzzy Hash: AF713F66B0864291FB6A9B15E860BBD67A1FF84B84F1440B5CA6E177EDEF3CF4418340
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091953967.00007FFDFAF31000.00000020.00000001.01000000.00000016.sdmp, Offset: 00007FFDFAF30000, based on PE: true
                                                                                        • Associated: 00000002.00000002.3091916599.00007FFDFAF30000.00000002.00000001.01000000.00000016.sdmp
                                                                                        • Associated: 00000002.00000002.3091953967.00007FFDFAFA3000.00000020.00000001.01000000.00000016.sdmp
                                                                                        • Associated: 00000002.00000002.3092087856.00007FFDFAFA6000.00000002.00000001.01000000.00000016.sdmp
                                                                                        • Associated: 00000002.00000002.3092134766.00007FFDFAFC9000.00000004.00000001.01000000.00000016.sdmp
                                                                                        • Associated: 00000002.00000002.3092172130.00007FFDFAFCE000.00000002.00000001.01000000.00000016.sdmp
                                                                                        • Associated: 00000002.00000002.3092172130.00007FFDFAFD4000.00000002.00000001.01000000.00000016.sdmp
                                                                                        • Associated: 00000002.00000002.3092172130.00007FFDFAFDB000.00000002.00000001.01000000.00000016.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ffdfaf30000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: ErrorLastO_write
                                                                                        • String ID: ..\s\ssl\record\rec_layer_s3.c
                                                                                        • API String ID: 186964608-2209325370
                                                                                        • Opcode ID: dc2361f74e1a2633e42d3706bc4e27c906c389b107ad8c140e4d821b3cd0318b
                                                                                        • Instruction ID: 46b7aa93a509c663b8475a465f3661332a6dff7d8d95693152e029263cb9837a
                                                                                        • Opcode Fuzzy Hash: dc2361f74e1a2633e42d3706bc4e27c906c389b107ad8c140e4d821b3cd0318b
                                                                                        • Instruction Fuzzy Hash: 7441B232B09B4182EB288F15D4546A973A4FF44BA8F1446B5EBAC0BBD8DF7DE491C740
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091953967.00007FFDFAF31000.00000020.00000001.01000000.00000016.sdmp, Offset: 00007FFDFAF30000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID: C_get_current_jobR_put_error
                                                                                        • String ID: ..\s\ssl\ssl_lib.c
                                                                                        • API String ID: 4281227279-1080266419
                                                                                        • Opcode ID: e227a2b945972b0983b15e26908c29fd1e5b18981b506ffed2e6ad63fb2dc330
                                                                                        • Instruction ID: 2ef87d7772c394fdc9299d63fcf910887174e9b52464f8f03038e9dd06fe0528
                                                                                        • Opcode Fuzzy Hash: e227a2b945972b0983b15e26908c29fd1e5b18981b506ffed2e6ad63fb2dc330
                                                                                        • Instruction Fuzzy Hash: 2221B522F1874246EB54DB25E4506A96360EFC87A4F580371FE694B3C9EF3CD0918A40
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091953967.00007FFDFAF31000.00000020.00000001.01000000.00000016.sdmp, Offset: 00007FFDFAF30000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID: ErrorLastM_freeR_clear_error
                                                                                        • String ID:
                                                                                        • API String ID: 1231514297-0
                                                                                        • Opcode ID: c6d810e0a92dfab2f57800588eaa3bba5a0c0cbf05fe10e2817728c59d1b6220
                                                                                        • Instruction ID: 7a58d40e9c071acc3c7cf2da3dce7da5696617228dd5dafdca31ae476a33fe77
                                                                                        • Opcode Fuzzy Hash: c6d810e0a92dfab2f57800588eaa3bba5a0c0cbf05fe10e2817728c59d1b6220
                                                                                        • Instruction Fuzzy Hash: 43316E32B0820286FFA89E15A56093963A1EF40B64F5446B1FD5D5F7CDDF3CE8918700
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091953967.00007FFDFAF31000.00000020.00000001.01000000.00000016.sdmp, Offset: 00007FFDFAF30000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID: R_put_error
                                                                                        • String ID: ..\s\ssl\statem\statem.c
                                                                                        • API String ID: 1767461275-2512360314
                                                                                        • Opcode ID: 26070a851bc5fec5e0ac0af166cc9bccace918524719dc3056e362111579dbb8
                                                                                        • Instruction ID: f2a3a7774aa5497a833cc943177d1558ffa75b8fa9885b476f1c1354cc442dc3
                                                                                        • Opcode Fuzzy Hash: 26070a851bc5fec5e0ac0af166cc9bccace918524719dc3056e362111579dbb8
                                                                                        • Instruction Fuzzy Hash: 42918032B1864286EFA89F25E464BB97360EF44B68F4402B6FA5D4B6D8DF3DD845C700
                                                                                        APIs
                                                                                        • memset.VCRUNTIME140(?,?,?,?,00007FFDFADC85DD,?,?,?,?,00007FFDFADF4567,?,?,?,?,?,00007FFDFADC207B), ref: 00007FFDFAE787B8
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091611462.00007FFDFADC1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFDFADC0000, based on PE: true
                                                                                        • Associated: 00000002.00000002.3091572709.00007FFDFADC0000.00000002.00000001.01000000.0000001A.sdmp
                                                                                        • Associated: 00000002.00000002.3091796977.00007FFDFAEE8000.00000002.00000001.01000000.0000001A.sdmp
                                                                                        • Associated: 00000002.00000002.3091842538.00007FFDFAF15000.00000004.00000001.01000000.0000001A.sdmp
                                                                                        • Associated: 00000002.00000002.3091876793.00007FFDFAF1A000.00000002.00000001.01000000.0000001A.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ffdfadc0000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: memset
                                                                                        • String ID: gfff
                                                                                        • API String ID: 2221118986-1553575800
                                                                                        • Opcode ID: fc0083de08274c5edd80eb5e96a5d3d50a5f3cba4e7f9cce6d4ea1fa2268eea6
                                                                                        • Instruction ID: e9c3f8ee096f9bb2a2515f70296ab19d83139a68853cdda17c437cec8d193180
                                                                                        • Opcode Fuzzy Hash: fc0083de08274c5edd80eb5e96a5d3d50a5f3cba4e7f9cce6d4ea1fa2268eea6
                                                                                        • Instruction Fuzzy Hash: 91F14B64F0D643A5FB5DAB51B870E3426B8AF64764F4402B9E83E4B6E8DF7DB4808740
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091953967.00007FFDFAF31000.00000020.00000001.01000000.00000016.sdmp, Offset: 00007FFDFAF30000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID: O_ctrl
                                                                                        • String ID:
                                                                                        • API String ID: 3605655398-0
                                                                                        • Opcode ID: 7b0348fa33806901f87612a88dc387fa96327ae15897c9e8c58ea98c324f5f81
                                                                                        • Instruction ID: dd2de85cefb1bdc6d160d988418ad77f25cc84318d127041f75c94e59862a6d9
                                                                                        • Opcode Fuzzy Hash: 7b0348fa33806901f87612a88dc387fa96327ae15897c9e8c58ea98c324f5f81
                                                                                        • Instruction Fuzzy Hash: A531B132708B8686D7548F65E450FED77A0FB88B98F084176EE9C4B789CF79C1858B10
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091953967.00007FFDFAF31000.00000020.00000001.01000000.00000016.sdmp, Offset: 00007FFDFAF30000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID: R_put_error
                                                                                        • String ID:
                                                                                        • API String ID: 1767461275-0
                                                                                        • Opcode ID: 2d199d9f4f108162e85cd4e5c396f18b2cf9314a5d4872b565a6e1705a2e1dcc
                                                                                        • Instruction ID: f1d7abeefec17fc0743d62bc7f1ded85cab11ecf85ccd9902e528319acfe98d8
                                                                                        • Opcode Fuzzy Hash: 2d199d9f4f108162e85cd4e5c396f18b2cf9314a5d4872b565a6e1705a2e1dcc
                                                                                        • Instruction Fuzzy Hash: A101A93271824186DBA85F29E414B7D66A0FF8579CF144275FA6D4B7EEDA3DD880CB00
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091953967.00007FFDFAF31000.00000020.00000001.01000000.00000016.sdmp, Offset: 00007FFDFAF30000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID: O_ctrl
                                                                                        • String ID:
                                                                                        • API String ID: 3605655398-0
                                                                                        • Opcode ID: f4131392175719c438ed488a19d1fc1fcc4e07cb41d610f49d78df00bfd42c06
                                                                                        • Instruction ID: 8239da6d322662cdf052b8aa6e970fb093d3c36ff75d614f36cf6694c3ebfb67
                                                                                        • Opcode Fuzzy Hash: f4131392175719c438ed488a19d1fc1fcc4e07cb41d610f49d78df00bfd42c06
                                                                                        • Instruction Fuzzy Hash: B9E0D8B2F0410242FB644BA89856F681290EF4C728F640170FE1CCA7C6E66DD8D28604
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091953967.00007FFDFAF31000.00000020.00000001.01000000.00000016.sdmp, Offset: 00007FFDFAF30000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID: R_load_strings_const
                                                                                        • String ID:
                                                                                        • API String ID: 78401305-0
                                                                                        • Opcode ID: 33a6480efc82d753cbb41765d5dcd2d98fe309442d507135d5e18d1d828c105b
                                                                                        • Instruction ID: f9c13b263cb972fdf5669260e6e99fbf621bdf24d7db13c08b54a42a8f32efa4
                                                                                        • Opcode Fuzzy Hash: 33a6480efc82d753cbb41765d5dcd2d98fe309442d507135d5e18d1d828c105b
                                                                                        • Instruction Fuzzy Hash: FCE0EC10F1D10256FB5C7358DCB2AB811505F58368F8447F1F52E892DAEE0CA9544200
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091953967.00007FFDFAF31000.00000020.00000001.01000000.00000016.sdmp, Offset: 00007FFDFAF30000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID: ErrorLast
                                                                                        • String ID:
                                                                                        • API String ID: 1452528299-0
                                                                                        • Opcode ID: 8e011317cca6565eb200d0702bfa620ad3ccf4c4be6080c5c317d346bd03422b
                                                                                        • Instruction ID: 9915cbdafdcf6c786e82f02bab9bbddb44d248ccf4ca009a52d7ef05bfb21782
                                                                                        • Opcode Fuzzy Hash: 8e011317cca6565eb200d0702bfa620ad3ccf4c4be6080c5c317d346bd03422b
                                                                                        • Instruction Fuzzy Hash: 10216B32B0878086D758DB26E5906A9B7A0FB88BA0F144275FF9C47B98CF78D595CB04
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091953967.00007FFDFAF31000.00000020.00000001.01000000.00000016.sdmp, Offset: 00007FFDFAF30000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID: O_free$R_put_error$D_lock_freeD_read_lockD_unlockL_cleanse$D_lock_newL_sk_pop_freeO_clear_freeO_free_ex_dataO_new_ex_dataO_zallocX509_free_time64memcpymemset
                                                                                        • String ID: $..\s\ssl\ssl_sess.c$T
                                                                                        • API String ID: 1939687532-2024727245
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091953967.00007FFDFAF31000.00000020.00000001.01000000.00000016.sdmp, Offset: 00007FFDFAF30000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ffdfaf30000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: X509_$R_put_error$L_sk_numX_free$D_run_onceL_sk_pop_freeL_sk_valueM_move_peernameM_set1X509_verify_certX_get0_chainX_get1_chainX_get_errorX_initX_newX_set0_daneX_set_defaultX_set_ex_dataX_set_flagsX_set_verify_cb
                                                                                        • String ID: ..\s\ssl\ssl_cert.c$ssl_client$ssl_server
                                                                                        • API String ID: 4052934069-2466788060
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091953967.00007FFDFAF31000.00000020.00000001.01000000.00000016.sdmp, Offset: 00007FFDFAF30000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ffdfaf30000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: L_sk_new_nullL_sk_pop_freeX509X509_freed2i_
                                                                                        • String ID: ..\s\ssl\statem\statem_srvr.c
                                                                                        • API String ID: 1068509327-348624464
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091953967.00007FFDFAF31000.00000020.00000001.01000000.00000016.sdmp, Offset: 00007FFDFAF30000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ffdfaf30000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: N_copyN_free$N_dup$O_freeO_strdup
                                                                                        • String ID: ..\s\ssl\tls_srp.c
                                                                                        • API String ID: 3070725730-1778748169
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091953967.00007FFDFAF31000.00000020.00000001.01000000.00000016.sdmp, Offset: 00007FFDFAF30000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ffdfaf30000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: O_free$memcpy$N1_item_free$O_strndupR_put_errorX509_free_time64
                                                                                        • String ID: ..\s\ssl\ssl_asn1.c
                                                                                        • API String ID: 3876440904-3659835543
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091611462.00007FFDFADC1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFDFADC0000, based on PE: true
                                                                                        • Associated: 00000002.00000002.3091572709.00007FFDFADC0000.00000002.00000001.01000000.0000001A.sdmp
                                                                                        • Associated: 00000002.00000002.3091796977.00007FFDFAEE8000.00000002.00000001.01000000.0000001A.sdmp
                                                                                        • Associated: 00000002.00000002.3091842538.00007FFDFAF15000.00000004.00000001.01000000.0000001A.sdmp
                                                                                        • Associated: 00000002.00000002.3091876793.00007FFDFAF1A000.00000002.00000001.01000000.0000001A.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ffdfadc0000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: memcmpmemcpy
                                                                                        • String ID: %s mode not allowed: %s$access$cach$cache$file$invalid uri authority: %.*s$localhos$mode$mode$no such %s mode: %s$no such vfs: %s
                                                                                        • API String ID: 1784268899-684317951
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091953967.00007FFDFAF31000.00000020.00000001.01000000.00000016.sdmp, Offset: 00007FFDFAF30000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ffdfaf30000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: O_free$memcmp$X_free
                                                                                        • String ID: ..\s\ssl\statem\statem_clnt.c
                                                                                        • API String ID: 2968887233-1507966698
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091953967.00007FFDFAF31000.00000020.00000001.01000000.00000016.sdmp, Offset: 00007FFDFAF30000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ffdfaf30000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: N_free$O_free
                                                                                        • String ID: ..\s\ssl\tls_srp.c
                                                                                        • API String ID: 3506937590-1778748169
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091953967.00007FFDFAF31000.00000020.00000001.01000000.00000016.sdmp, Offset: 00007FFDFAF30000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ffdfaf30000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: O_free$O_memdup
                                                                                        • String ID: ..\s\ssl\statem\statem_clnt.c$D:\_w\1\s\ssl\packet_local.h
                                                                                        • API String ID: 3545228654-3043411186
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091953967.00007FFDFAF31000.00000020.00000001.01000000.00000016.sdmp, Offset: 00007FFDFAF30000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ffdfaf30000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: O_mallocR_put_error$O_free
                                                                                        • String ID: ..\s\ssl\statem\statem_dtls.c$R
                                                                                        • API String ID: 1091011155-469809446
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091953967.00007FFDFAF31000.00000020.00000001.01000000.00000016.sdmp, Offset: 00007FFDFAF30000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ffdfaf30000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: R_put_error$O_zalloc
                                                                                        • String ID: ..\s\ssl\ssl_sess.c$T
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091953967.00007FFDFAF31000.00000020.00000001.01000000.00000016.sdmp, Offset: 00007FFDFAF30000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ffdfaf30000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: O_freememcpy$O_zalloc
                                                                                        • String ID: ..\s\ssl\statem\statem_srvr.c
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091953967.00007FFDFAF31000.00000020.00000001.01000000.00000016.sdmp, Offset: 00007FFDFAF30000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ffdfaf30000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: X_md$CipherD_sizeX_block_sizeX_ciphermemcpymemset
                                                                                        • String ID: ..\s\ssl\record\ssl3_record.c
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091953967.00007FFDFAF31000.00000020.00000001.01000000.00000016.sdmp, Offset: 00007FFDFAF30000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ffdfaf30000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: O_free
                                                                                        • String ID: ..\s\ssl\record\rec_layer_d1.c
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091953967.00007FFDFAF31000.00000020.00000001.01000000.00000016.sdmp, Offset: 00007FFDFAF30000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ffdfaf30000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: O_zalloc$J_nid2snP_get_digestbyname
                                                                                        • String ID: ..\s\ssl\ssl_lib.c
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091057826.00007FFDFACA1000.00000020.00000001.01000000.0000001F.sdmp, Offset: 00007FFDFACA0000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ffdfaca0000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: Mem_$SubtypeType_$DataFreeFromKindMallocReallocUnicode_
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091057826.00007FFDFACA1000.00000020.00000001.01000000.0000001F.sdmp, Offset: 00007FFDFACA0000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ffdfaca0000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: ExceptionFilterPresentUnhandledmemset$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091953967.00007FFDFAF31000.00000020.00000001.01000000.00000016.sdmp, Offset: 00007FFDFAF30000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ffdfaf30000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: O_freeO_zalloc
                                                                                        • String ID: ..\s\ssl\statem\extensions.c$gfffffff$gfffffff$gfffffff$gfffffff
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091953967.00007FFDFAF31000.00000020.00000001.01000000.00000016.sdmp, Offset: 00007FFDFAF30000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ffdfaf30000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: D_bytesD_sizeO_freeO_memdup_time64
                                                                                        • String ID: ..\s\ssl\statem\statem_srvr.c$resumption
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091611462.00007FFDFADC1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFDFADC0000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ffdfadc0000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: memset
                                                                                        • String ID: Bad ptr map entry key=%d expected=(%d,%d) got=(%d,%d)$Failed to read ptrmap key=%d$Main freelist: $Page %d is never used$Pointer map page %d is referenced$incremental_vacuum enabled with a max rootpage of zero$max rootpage (%d) disagrees with header (%d)
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091611462.00007FFDFADC1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFDFADC0000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID: memset
                                                                                        • String ID: abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789$etilqs_$winGetTempname1$winGetTempname2$winGetTempname4$winGetTempname5
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091611462.00007FFDFADC1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFDFADC0000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID: memcpy
                                                                                        • String ID: %s at line %d of [%.10s]$API call with %s database connection pointer$NULL$a29f9949895322123f7c38fbe94c649a9d6e6c9cd0c3b41c96d694552f26b309$invalid$misuse$unopened
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091953967.00007FFDFAF31000.00000020.00000001.01000000.00000016.sdmp, Offset: 00007FFDFAF30000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID: O_free$X_free$memcpy
                                                                                        • String ID: ..\s\ssl\statem\statem_dtls.c
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091953967.00007FFDFAF31000.00000020.00000001.01000000.00000016.sdmp, Offset: 00007FFDFAF30000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID: N_clear_free$Calc_uN_bn2binN_num_bitsO_malloc
                                                                                        • String ID: ..\s\ssl\tls_srp.c
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091953967.00007FFDFAF31000.00000020.00000001.01000000.00000016.sdmp, Offset: 00007FFDFAF30000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID: O_free$O_malloc
                                                                                        • String ID: ..\s\ssl\statem\extensions_cust.c
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091611462.00007FFDFADC1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFDFADC0000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID: memset
                                                                                        • String ID: 0123456789ABCDEF0123456789abcdef$Inf$NaN$VUUU$gfff
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091953967.00007FFDFAF31000.00000020.00000001.01000000.00000016.sdmp, Offset: 00007FFDFAF30000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID: L_cleanse$O_freeO_memcmpO_memdup
                                                                                        • String ID: ..\s\ssl\statem\extensions_clnt.c
                                                                                        APIs
                                                                                        • EVP_PKEY_get0_RSA.LIBCRYPTO-1_1(?,?,?,?,00007FFDFAF920CA), ref: 00007FFDFAF908BA
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091953967.00007FFDFAF31000.00000020.00000001.01000000.00000016.sdmp, Offset: 00007FFDFAF30000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID: Y_get0_
                                                                                        • String ID: ..\s\ssl\statem\statem_srvr.c
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091953967.00007FFDFAF31000.00000020.00000001.01000000.00000016.sdmp, Offset: 00007FFDFAF30000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID: O_free$X_free$O_mallocR_put_error
                                                                                        • String ID: ..\s\ssl\statem\statem_dtls.c
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091611462.00007FFDFADC1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFDFADC0000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: -x0$0123456789ABCDEF0123456789abcdef$VUUU$VUUU
                                                                                        • API String ID: 0-2031831958
                                                                                        • Opcode ID: a38f351a2b6d6bed6a639c96bfdb12752d9970357082d94ce6a45bdb89a333de
                                                                                        • Instruction ID: 310e1118fb67d23c7f191ba8f962808bd667e9fdc3a591b09bfcef4fd2ba0140
                                                                                        • Opcode Fuzzy Hash: a38f351a2b6d6bed6a639c96bfdb12752d9970357082d94ce6a45bdb89a333de
                                                                                        • Instruction Fuzzy Hash: B2021922B0C6C685EB6ACB28D860BBA6BA0FF45744F8650B5DA5E437D9FE3CD541C700
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091953967.00007FFDFAF31000.00000020.00000001.01000000.00000016.sdmp, Offset: 00007FFDFAF30000, based on PE: true
                                                                                        • Associated: 00000002.00000002.3091916599.00007FFDFAF30000.00000002.00000001.01000000.00000016.sdmp
                                                                                        • Associated: 00000002.00000002.3091953967.00007FFDFAFA3000.00000020.00000001.01000000.00000016.sdmp
                                                                                        • Associated: 00000002.00000002.3092087856.00007FFDFAFA6000.00000002.00000001.01000000.00000016.sdmp
                                                                                        • Associated: 00000002.00000002.3092134766.00007FFDFAFC9000.00000004.00000001.01000000.00000016.sdmp
                                                                                        • Associated: 00000002.00000002.3092172130.00007FFDFAFCE000.00000002.00000001.01000000.00000016.sdmp
                                                                                        • Associated: 00000002.00000002.3092172130.00007FFDFAFD4000.00000002.00000001.01000000.00000016.sdmp
                                                                                        • Associated: 00000002.00000002.3092172130.00007FFDFAFDB000.00000002.00000001.01000000.00000016.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ffdfaf30000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: O_ctrl
                                                                                        • String ID:
                                                                                        • API String ID: 3605655398-0
                                                                                        • Opcode ID: fc6fbe75d0882687662831d325959780c666740d163f787f9d80beca635bed9f
                                                                                        • Instruction ID: b4a154ee4bf880583297434a47b17ca7a2dff43d241565410698cc7946c0a38c
                                                                                        • Opcode Fuzzy Hash: fc6fbe75d0882687662831d325959780c666740d163f787f9d80beca635bed9f
                                                                                        • Instruction Fuzzy Hash: 88318433B1838142EB9CDB65D6A1FFD62A1EF88B94F0045B5EE1D8B79ADF2894508701
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091953967.00007FFDFAF31000.00000020.00000001.01000000.00000016.sdmp, Offset: 00007FFDFAF30000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ffdfaf30000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: O_memdup$O_freememcmp
                                                                                        • String ID: ..\s\ssl\statem\statem_srvr.c
                                                                                        • API String ID: 590648765-348624464
                                                                                        • Opcode ID: 64f14318d472eb99c7bba326cd3969d038977057c1353dac09a735121e593554
                                                                                        • Instruction ID: dc11b89a21284e65d6e0ebe883048dc8abb4e266ca115d7040fc3ae195830ea3
                                                                                        • Opcode Fuzzy Hash: 64f14318d472eb99c7bba326cd3969d038977057c1353dac09a735121e593554
                                                                                        • Instruction Fuzzy Hash: BC51807270968185D7548F15E464AAD67A0FB84BA8F188275EE9C4F7A8CF78D1828B10
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091953967.00007FFDFAF31000.00000020.00000001.01000000.00000016.sdmp, Offset: 00007FFDFAF30000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ffdfaf30000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: O_reallocR_put_error
                                                                                        • String ID: ..\s\ssl\ssl_lib.c
                                                                                        • API String ID: 1389097454-1080266419
                                                                                        • Opcode ID: 54eae9a6d9b1913c3c778e33b6d8967878bf1ab2fdae6f6a487d96c0260a3cfd
                                                                                        • Instruction ID: 37a010c5c0aa3dcca1bc41d0e5ce6f23eb415e63ec151c070aa209a4790c1946
                                                                                        • Opcode Fuzzy Hash: 54eae9a6d9b1913c3c778e33b6d8967878bf1ab2fdae6f6a487d96c0260a3cfd
                                                                                        • Instruction Fuzzy Hash: 1F31F57371878286E7158B25E810AA977A0FF45BA8F544272EEAD0B7D8CF3CE442C700
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091953967.00007FFDFAF31000.00000020.00000001.01000000.00000016.sdmp, Offset: 00007FFDFAF30000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ffdfaf30000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: N_bn2binN_num_bitsO_freeO_strdup
                                                                                        • String ID: ..\s\ssl\statem\statem_clnt.c
                                                                                        • API String ID: 487688590-1507966698
                                                                                        • Opcode ID: 86b19ac8ae4db3e7092d39b4a814544a216b682784a7b72d414eda747bdd984c
                                                                                        • Instruction ID: 48b9b3d3684bdf2e4529a358a7f9e6dfec7889e50283577f246c34c560fbca28
                                                                                        • Opcode Fuzzy Hash: 86b19ac8ae4db3e7092d39b4a814544a216b682784a7b72d414eda747bdd984c
                                                                                        • Instruction Fuzzy Hash: 57217171B1864280EB549B11E864BAE6361EF84BE8F580271EE5D4FBDDDF3DD5818700
                                                                                        APIs
                                                                                        • memcmp.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00007FFDFADF3B77
                                                                                        • memcmp.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00007FFDFADF3C90
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091611462.00007FFDFADC1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFDFADC0000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ffdfadc0000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: memcmp
                                                                                        • String ID: %s at line %d of [%.10s]$a29f9949895322123f7c38fbe94c649a9d6e6c9cd0c3b41c96d694552f26b309$database corruption
                                                                                        • API String ID: 1475443563-481979681
                                                                                        • Opcode ID: c63c49f4a4e9b5aebce9ad49fc8b6e6552f5aa6e9c993c3f766fbbe0d5851eb9
                                                                                        • Instruction ID: b45442f0c4c289f056ddb21a44390f43970eb8ca7aaaa80e003402c88b837170
                                                                                        • Opcode Fuzzy Hash: c63c49f4a4e9b5aebce9ad49fc8b6e6552f5aa6e9c993c3f766fbbe0d5851eb9
                                                                                        • Instruction Fuzzy Hash: 79124962B0C6D246E7298B149C60BBB7761EF80744F168171DABE0B7CDFE2DE8459700
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091953967.00007FFDFAF31000.00000020.00000001.01000000.00000016.sdmp, Offset: 00007FFDFAF30000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ffdfaf30000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: O_freeO_mallocR_put_error
                                                                                        • String ID: ..\s\ssl\t1_lib.c
                                                                                        • API String ID: 2160744234-1643863364
                                                                                        • Opcode ID: 4fcdc32539b9cea6f2874f279da2e2ed3fd2cb9d56b9bf251d5a1acf8abe3a31
                                                                                        • Instruction ID: e50db2c022954ea28f5321a982b35f6ebacaa6c67a0c562f19b69c9675bcdb63
                                                                                        • Opcode Fuzzy Hash: 4fcdc32539b9cea6f2874f279da2e2ed3fd2cb9d56b9bf251d5a1acf8abe3a31
                                                                                        • Instruction Fuzzy Hash: 5071A323B1968285E7A98B11D910BB923A5FF48BA8F594176FE9D0B7D8DF3CF4418340
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091953967.00007FFDFAF31000.00000020.00000001.01000000.00000016.sdmp, Offset: 00007FFDFAF30000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ffdfaf30000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: O_freeO_zallocR_put_error
                                                                                        • String ID: ..\s\ssl\ssl_ciph.c
                                                                                        • API String ID: 3070865948-1847046956
                                                                                        • Opcode ID: 0e27565f01674ff10db25e79b0fe99744ce7cf0086ace58627a6fe6224f2bf10
                                                                                        • Instruction ID: 08e2458f9fa10879af18d0ab8d420790e2f49369595c959d02cf333dba1ada7b
                                                                                        • Opcode Fuzzy Hash: 0e27565f01674ff10db25e79b0fe99744ce7cf0086ace58627a6fe6224f2bf10
                                                                                        • Instruction Fuzzy Hash: A7415872B08B4286EB58CB41D560AA877A1FF44FA4F558676EE6C4B788DF38DA40C350
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091953967.00007FFDFAF31000.00000020.00000001.01000000.00000016.sdmp, Offset: 00007FFDFAF30000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ffdfaf30000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: O_freeO_memdup
                                                                                        • String ID: ..\s\ssl\statem\extensions_clnt.c$D:\_w\1\s\ssl\packet_local.h
                                                                                        • API String ID: 3962629258-2231994545
                                                                                        • Opcode ID: 9c5688be7ee385ffb07beda8aa90414dc438efbea012b178c790ee9b8c8da0ca
                                                                                        • Instruction ID: e2ae203e9e9cf548a737c0557def97da01b869026a8caadf5aec212e69c8072b
                                                                                        • Opcode Fuzzy Hash: 9c5688be7ee385ffb07beda8aa90414dc438efbea012b178c790ee9b8c8da0ca
                                                                                        • Instruction Fuzzy Hash: 7B21E532F1CB8141E7488B25E450AA967A0FF493A4F044271FA9C0BB89DF7CE1A18B04
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091953967.00007FFDFAF31000.00000020.00000001.01000000.00000016.sdmp, Offset: 00007FFDFAF30000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ffdfaf30000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: O_free$O_newO_s_fileO_strdupR_clear_errorR_put_errorX509_free
                                                                                        • String ID: ..\s\ssl\ssl_conf.c$gfffffff
                                                                                        • API String ID: 3738848979-4123734156
                                                                                        • Opcode ID: 4d892043f5cba597c8f0cb338e3eea75dbc169e3cb19ed203174dd4cf60f1339
                                                                                        • Instruction ID: faad01c4331772309a7aca2e9153001ef23713d229d08e1e48ead106e9c5ed3f
                                                                                        • Opcode Fuzzy Hash: 4d892043f5cba597c8f0cb338e3eea75dbc169e3cb19ed203174dd4cf60f1339
                                                                                        • Instruction Fuzzy Hash: AE21BD62B09B4585EF58DF26E4506A823A0EF88FD4F184275EE5ECB39DDF2CE4408300
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091953967.00007FFDFAF31000.00000020.00000001.01000000.00000016.sdmp, Offset: 00007FFDFAF30000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ffdfaf30000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: O_free$Y_free
                                                                                        • String ID: ..\s\ssl\ssl_lib.c
                                                                                        • API String ID: 3642664693-1080266419
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091611462.00007FFDFADC1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFDFADC0000, based on PE: true
                                                                                        • Associated: 00000002.00000002.3091572709.00007FFDFADC0000.00000002.00000001.01000000.0000001A.sdmp
                                                                                        • Associated: 00000002.00000002.3091796977.00007FFDFAEE8000.00000002.00000001.01000000.0000001A.sdmp
                                                                                        • Associated: 00000002.00000002.3091842538.00007FFDFAF15000.00000004.00000001.01000000.0000001A.sdmp
                                                                                        • Associated: 00000002.00000002.3091876793.00007FFDFAF1A000.00000002.00000001.01000000.0000001A.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ffdfadc0000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: memcpy$memset
                                                                                        • String ID:
                                                                                        • API String ID: 438689982-0
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091953967.00007FFDFAF31000.00000020.00000001.01000000.00000016.sdmp, Offset: 00007FFDFAF30000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ffdfaf30000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: O_freeO_memdup
                                                                                        • String ID: D:\_w\1\s\ssl\packet_local.h
                                                                                        • API String ID: 3962629258-1466776524
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091953967.00007FFDFAF31000.00000020.00000001.01000000.00000016.sdmp, Offset: 00007FFDFAF30000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ffdfaf30000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: O_free
                                                                                        • String ID: ..\s\ssl\statem\extensions.c
                                                                                        • API String ID: 2581946324-1165805907
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091953967.00007FFDFAF31000.00000020.00000001.01000000.00000016.sdmp, Offset: 00007FFDFAF30000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ffdfaf30000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: O_freeO_strndup
                                                                                        • String ID: D:\_w\1\s\ssl\packet_local.h
                                                                                        • API String ID: 2641571835-1466776524
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091953967.00007FFDFAF31000.00000020.00000001.01000000.00000016.sdmp, Offset: 00007FFDFAF30000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ffdfaf30000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: O_free
                                                                                        • String ID: ..\s\ssl\ssl_lib.c
                                                                                        • API String ID: 2581946324-1080266419
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091953967.00007FFDFAF31000.00000020.00000001.01000000.00000016.sdmp, Offset: 00007FFDFAF30000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ffdfaf30000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: O_free
                                                                                        • String ID: ..\s\ssl\statem\extensions_srvr.c
                                                                                        • API String ID: 2581946324-1853348325
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091953967.00007FFDFAF31000.00000020.00000001.01000000.00000016.sdmp, Offset: 00007FFDFAF30000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ffdfaf30000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: O_malloc
                                                                                        • String ID: ..\s\ssl\statem\statem_clnt.c
                                                                                        • API String ID: 1457121658-1507966698
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091953967.00007FFDFAF31000.00000020.00000001.01000000.00000016.sdmp, Offset: 00007FFDFAF30000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ffdfaf30000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: O_free
                                                                                        • String ID: ..\s\ssl\packet.c
                                                                                        • API String ID: 2581946324-1434567093
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091953967.00007FFDFAF31000.00000020.00000001.01000000.00000016.sdmp, Offset: 00007FFDFAF30000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ffdfaf30000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: O_free
                                                                                        • String ID: ..\s\ssl\statem\extensions.c
                                                                                        • API String ID: 2581946324-1165805907
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091953967.00007FFDFAF31000.00000020.00000001.01000000.00000016.sdmp, Offset: 00007FFDFAF30000, based on PE: true
                                                                                        • Associated: 00000002.00000002.3091916599.00007FFDFAF30000.00000002.00000001.01000000.00000016.sdmp
                                                                                        • Associated: 00000002.00000002.3091953967.00007FFDFAFA3000.00000020.00000001.01000000.00000016.sdmp
                                                                                        • Associated: 00000002.00000002.3092087856.00007FFDFAFA6000.00000002.00000001.01000000.00000016.sdmp
                                                                                        • Associated: 00000002.00000002.3092134766.00007FFDFAFC9000.00000004.00000001.01000000.00000016.sdmp
                                                                                        • Associated: 00000002.00000002.3092172130.00007FFDFAFCE000.00000002.00000001.01000000.00000016.sdmp
                                                                                        • Associated: 00000002.00000002.3092172130.00007FFDFAFD4000.00000002.00000001.01000000.00000016.sdmp
                                                                                        • Associated: 00000002.00000002.3092172130.00007FFDFAFDB000.00000002.00000001.01000000.00000016.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ffdfaf30000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: O_free
                                                                                        • String ID: ..\s\ssl\packet.c
                                                                                        Similarity
                                                                                        • API ID: O_free
                                                                                        • String ID: ..\s\ssl\statem\extensions.c
                                                                                        Similarity
                                                                                        • API ID: O_free
                                                                                        • String ID: ..\s\ssl\statem\extensions.c
                                                                                        Similarity
                                                                                        • API ID: D_unlockD_write_lock
                                                                                        • String ID:
                                                                                        Similarity
                                                                                        • API ID: D_unlockD_write_lock
                                                                                        • String ID:
                                                                                        Similarity
                                                                                        • API ID: memcpy$D_sizeX_newX_reset$L_cleanseO_ctrl
                                                                                        • String ID: ..\s\ssl\tls13_enc.c$CLIENT_EARLY_TRAFFIC_SECRET$CLIENT_HANDSHAKE_TRAFFIC_SECRET$CLIENT_TRAFFIC_SECRET_0$EARLY_EXPORTER_SECRET$EXPORTER_SECRET$SERVER_HANDSHAKE_TRAFFIC_SECRET$SERVER_TRAFFIC_SECRET_0$c ap traffic$c e traffic$c hs traffic$e exp master$exp master$finished$res master$s ap traffic$s hs traffic
                                                                                        APIs
                                                                                        • EVP_MD_CTX_new.LIBCRYPTO-1_1(?,00000000,?,?,?,00000000,00000000,00007FFDFAF453A1), ref: 00007FFDFAF44A42
                                                                                        • EVP_MD_CTX_new.LIBCRYPTO-1_1(?,00000000,?,?,?,00000000,00000000,00007FFDFAF453A1), ref: 00007FFDFAF44A4A
                                                                                        • memset.VCRUNTIME140(?,00000000,?,?,?,00000000,00000000,00007FFDFAF453A1), ref: 00007FFDFAF44A9E
                                                                                        • EVP_sha1.LIBCRYPTO-1_1(?,00000000,?,?,?,00000000,00000000,00007FFDFAF453A1), ref: 00007FFDFAF44AA7
                                                                                        • EVP_DigestInit_ex.LIBCRYPTO-1_1(?,00000000,?,?,?,00000000,00000000,00007FFDFAF453A1), ref: 00007FFDFAF44AB5
                                                                                        • EVP_DigestUpdate.LIBCRYPTO-1_1(?,00000000,?,?,?,00000000,00000000,00007FFDFAF453A1), ref: 00007FFDFAF44ACD
                                                                                        • EVP_DigestUpdate.LIBCRYPTO-1_1(?,00000000,?,?,?,00000000,00000000,00007FFDFAF453A1), ref: 00007FFDFAF44AEC
                                                                                        • EVP_DigestUpdate.LIBCRYPTO-1_1(?,00000000,?,?,?,00000000,00000000,00007FFDFAF453A1), ref: 00007FFDFAF44B10
                                                                                        • EVP_DigestUpdate.LIBCRYPTO-1_1(?,00000000,?,?,?,00000000,00000000,00007FFDFAF453A1), ref: 00007FFDFAF44B34
                                                                                        • EVP_DigestFinal_ex.LIBCRYPTO-1_1(?,00000000,?,?,?,00000000,00000000,00007FFDFAF453A1), ref: 00007FFDFAF44B4C
                                                                                        • EVP_md5.LIBCRYPTO-1_1(?,00000000,?,?,?,00000000,00000000,00007FFDFAF453A1), ref: 00007FFDFAF44B59
                                                                                        • EVP_DigestInit_ex.LIBCRYPTO-1_1(?,00000000,?,?,?,00000000,00000000,00007FFDFAF453A1), ref: 00007FFDFAF44B67
                                                                                        • EVP_DigestUpdate.LIBCRYPTO-1_1(?,00000000,?,?,?,00000000,00000000,00007FFDFAF453A1), ref: 00007FFDFAF44B86
                                                                                        • EVP_DigestUpdate.LIBCRYPTO-1_1(?,00000000,?,?,?,00000000,00000000,00007FFDFAF453A1), ref: 00007FFDFAF44BA1
                                                                                        • EVP_DigestFinal_ex.LIBCRYPTO-1_1(?,00000000,?,?,?,00000000,00000000,00007FFDFAF453A1), ref: 00007FFDFAF44BC0
                                                                                        • OPENSSL_cleanse.LIBCRYPTO-1_1(?,00000000,?,?,?,00000000,00000000,00007FFDFAF453A1), ref: 00007FFDFAF44BE3
                                                                                        • EVP_DigestFinal_ex.LIBCRYPTO-1_1(?,00000000,?,?,?,00000000,00000000,00007FFDFAF453A1), ref: 00007FFDFAF44C0A
                                                                                        • memcpy.VCRUNTIME140(?,00000000,?,?,?,00000000,00000000,00007FFDFAF453A1), ref: 00007FFDFAF44C21
                                                                                        • EVP_MD_CTX_free.LIBCRYPTO-1_1(?,00000000,?,?,?,00000000,00000000,00007FFDFAF453A1), ref: 00007FFDFAF44C88
                                                                                        • EVP_MD_CTX_free.LIBCRYPTO-1_1(?,00000000,?,?,?,00000000,00000000,00007FFDFAF453A1), ref: 00007FFDFAF44C90
                                                                                        Similarity
                                                                                        • API ID: Digest$Update$Final_ex$Init_exX_freeX_new$L_cleanseP_md5P_sha1memcpymemset
                                                                                        • String ID: "$..\s\ssl\s3_enc.c$A
                                                                                        Similarity
                                                                                        • API ID: X_ctrlX_free$Digest$D_sizeFinal_exInit_exL_cleanseX_newX_new_idY_deriveY_derive_init
                                                                                        • String ID: ..\s\ssl\tls13_enc.c$derived
                                                                                        Similarity
                                                                                        • API ID: Digest$Update$Final_exInit_ex$L_cleanseX_freeX_new
                                                                                        • String ID: ..\s\ssl\s3_enc.c
                                                                                        • API String ID: 3290436633-1839494539
                                                                                        APIs
                                                                                          • Part of subcall function 00007FFDFAE099B0: memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,00000000,00007FFDFAE71F9A,?,?,?,?,?,00007FFDFAE09752), ref: 00007FFDFAE09B58
                                                                                          • Part of subcall function 00007FFDFAE094A0: memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,00007FFDFAE03E1D), ref: 00007FFDFAE0960A
                                                                                          • Part of subcall function 00007FFDFAE094A0: memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,00007FFDFAE03E1D), ref: 00007FFDFAE09696
                                                                                        • memcpy.VCRUNTIME140 ref: 00007FFDFAE6C642
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091611462.00007FFDFADC1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFDFADC0000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ffdfadc0000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: memcpy
                                                                                        • String ID: FILTER clause may only be used with aggregate window functions$L$RANGE with offset PRECEDING/FOLLOWING requires one ORDER BY expression$U$U$Y$Z$Z$cume_dist$dense_rank$lag$lead$ntile$percent_rank$rank$row_number
                                                                                        • API String ID: 3510742995-2880407920
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091953967.00007FFDFAF31000.00000020.00000001.01000000.00000016.sdmp, Offset: 00007FFDFAF30000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ffdfaf30000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: gfffffff
                                                                                        • API String ID: 0-1523873471
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091057826.00007FFDFACA1000.00000020.00000001.01000000.0000001F.sdmp, Offset: 00007FFDFACA0000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ffdfaca0000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: Module_$Dealloc$ObjectObject_$Capsule_ConstantFromMallocMem_SpecStringTrackTypeType_
                                                                                        • String ID: 13.0.0$_ucnhash_CAPI$ucd_3_2_0$unidata_version
                                                                                        • API String ID: 288921926-2302946913
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091057826.00007FFDFACA1000.00000020.00000001.01000000.0000001F.sdmp, Offset: 00007FFDFACA0000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ffdfaca0000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: Arg_Unicode_$ArgumentCheckDigitErr_FromLongLong_PositionalReadyString
                                                                                        • String ID: a unicode character$argument 1$digit$not a digit
                                                                                        • API String ID: 2437920334-4278345224
                                                                                        APIs
                                                                                        • ERR_put_error.LIBCRYPTO-1_1(?,?,00000000,00007FFDFAF615B5), ref: 00007FFDFAF62A06
                                                                                        • X509_get0_pubkey.LIBCRYPTO-1_1(00000000,00007FFDFAF615B5), ref: 00007FFDFAF62A2F
                                                                                        • ERR_put_error.LIBCRYPTO-1_1(?,?,00000000,00007FFDFAF615B5), ref: 00007FFDFAF62A54
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091953967.00007FFDFAF31000.00000020.00000001.01000000.00000016.sdmp, Offset: 00007FFDFAF30000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ffdfaf30000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: R_put_error$X509_get0_pubkey
                                                                                        • String ID: ..\s\ssl\ssl_rsa.c
                                                                                        • API String ID: 2083351937-2723262194
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091953967.00007FFDFAF31000.00000020.00000001.01000000.00000016.sdmp, Offset: 00007FFDFAF30000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ffdfaf30000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: R_put_error$Y_freeY_newY_set1_
                                                                                        • String ID: ..\s\ssl\s3_lib.c
                                                                                        • API String ID: 520254984-4238427508
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091953967.00007FFDFAF31000.00000020.00000001.01000000.00000016.sdmp, Offset: 00007FFDFAF30000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ffdfaf30000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: R_put_error$Y_freeY_new
                                                                                        • String ID: ..\s\ssl\s3_lib.c$b
                                                                                        • API String ID: 1220942454-2522393336
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091611462.00007FFDFADC1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFDFADC0000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ffdfadc0000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: %s.%s$_init$error during initialization: %s$lib$no entry point [%s] in shared library [%s]$not authorized$sqlite3_$sqlite3_extension_init$unable to open shared library [%.*s]
                                                                                        • API String ID: 0-3733955532
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091057826.00007FFDFACA1000.00000020.00000001.01000000.0000001F.sdmp, Offset: 00007FFDFACA0000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ffdfaca0000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_initialize_crt__scrt_release_startup_lock
                                                                                        • String ID:
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091057826.00007FFDFACA1000.00000020.00000001.01000000.0000001F.sdmp, Offset: 00007FFDFACA0000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ffdfaca0000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: Unicode_$Equal$CompareDeallocErr_ReadyString
                                                                                        • String ID: invalid normalization form
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091953967.00007FFDFAF31000.00000020.00000001.01000000.00000016.sdmp, Offset: 00007FFDFAF30000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ffdfaf30000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: E_dupL_sk_new_reserveL_sk_numL_sk_pushL_sk_valueR_put_errorX509_
                                                                                        • String ID: ..\s\ssl\ssl_cert.c
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091057826.00007FFDFACA1000.00000020.00000001.01000000.0000001F.sdmp, Offset: 00007FFDFACA0000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ffdfaca0000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: Unicode_$Arg_$ArgumentEqualReady$CheckPositionalSubtypeType_
                                                                                        • String ID: argument 1$argument 2$normalize$str
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091057826.00007FFDFACA1000.00000020.00000001.01000000.0000001F.sdmp, Offset: 00007FFDFACA0000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ffdfaca0000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: Arg_$ArgumentReadyUnicode_$CheckPositional
                                                                                        • String ID: argument 1$argument 2$is_normalized$str
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091611462.00007FFDFADC1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFDFADC0000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ffdfadc0000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: memcpy
                                                                                        • String ID: %!.15g$%02x$%lld$'%.*q'$-- $?$NULL$zeroblob(%d)
                                                                                        APIs
                                                                                        Strings
                                                                                        • Cannot add a REFERENCES column with non-NULL default value, xrefs: 00007FFDFAE13153
                                                                                        • SELECT raise(ABORT,%Q) FROM "%w"."%w", xrefs: 00007FFDFAE1315D, 00007FFDFAE131D9, 00007FFDFAE132E3
                                                                                        • cannot add a STORED column, xrefs: 00007FFDFAE132D4
                                                                                        • Cannot add a PRIMARY KEY column, xrefs: 00007FFDFAE130E8
                                                                                        • Cannot add a NOT NULL column with default value NULL, xrefs: 00007FFDFAE13175
                                                                                        • SELECT CASE WHEN quick_check GLOB 'CHECK*' THEN raise(ABORT,'CHECK constraint failed') ELSE raise(ABORT,'NOT NULL constraint failed') END FROM pragma_quick_check(%Q,%Q) WHERE quick_check GLOB 'CHECK*' OR quick_check GLOB 'NULL*', xrefs: 00007FFDFAE134B1
                                                                                        • UPDATE "%w".sqlite_master SET sql = printf('%%.%ds, ',sql) || %Q || substr(sql,1+length(printf('%%.%ds',sql))) WHERE type = 'table' AND name = %Q, xrefs: 00007FFDFAE1337C
                                                                                        • Cannot add a column with non-constant default, xrefs: 00007FFDFAE131CF
                                                                                        • Cannot add a UNIQUE column, xrefs: 00007FFDFAE13103
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091611462.00007FFDFADC1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFDFADC0000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ffdfadc0000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: memcpy
                                                                                        • String ID: Cannot add a NOT NULL column with default value NULL$Cannot add a PRIMARY KEY column$Cannot add a REFERENCES column with non-NULL default value$Cannot add a UNIQUE column$Cannot add a column with non-constant default$SELECT CASE WHEN quick_check GLOB 'CHECK*' THEN raise(ABORT,'CHECK constraint failed') ELSE raise(ABORT,'NOT NULL constraint failed') END FROM pragma_quick_check(%Q,%Q) WHERE quick_check GLOB 'CHECK*' OR quick_check GLOB 'NULL*'$SELECT raise(ABORT,%Q) FROM "%w"."%w"$UPDATE "%w".sqlite_master SET sql = printf('%%.%ds, ',sql) || %Q || substr(sql,1+length(printf('%%.%ds',sql))) WHERE type = 'table' AND name = %Q$cannot add a STORED column
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091953967.00007FFDFAF31000.00000020.00000001.01000000.00000016.sdmp, Offset: 00007FFDFAF30000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ffdfaf30000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: ..\s\ssl\record\rec_layer_d1.c
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091611462.00007FFDFADC1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFDFADC0000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ffdfadc0000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: new[]
                                                                                        • String ID: %s%c%s$:$:$?$\$winFullPathname1$winFullPathname2
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091953967.00007FFDFAF31000.00000020.00000001.01000000.00000016.sdmp, Offset: 00007FFDFAF30000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ffdfaf30000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: Digest$Final_exInit_ex$UpdateX_freeX_new
                                                                                        • String ID: exporter
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091953967.00007FFDFAF31000.00000020.00000001.01000000.00000016.sdmp, Offset: 00007FFDFAF30000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ffdfaf30000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: Digest$Final_exInit_ex$UpdateX_freeX_new
                                                                                        • String ID: exporter
                                                                                        • API String ID: 3991325671-111224270
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091953967.00007FFDFAF31000.00000020.00000001.01000000.00000016.sdmp, Offset: 00007FFDFAF30000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ffdfaf30000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: O_ctrlO_int_ctrlO_method_typeO_newO_s_socketO_up_refR_put_error
                                                                                        • String ID: ..\s\ssl\ssl_lib.c
                                                                                        • API String ID: 123414506-1080266419
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091611462.00007FFDFADC1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFDFADC0000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ffdfadc0000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: memset
                                                                                        • String ID: cannot open %s column for writing$cannot open table without rowid: %s$cannot open view: %s$cannot open virtual table: %s$foreign key$indexed$no such column: "%s"$out of memory
                                                                                        • API String ID: 2221118986-554953066
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091611462.00007FFDFADC1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFDFADC0000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ffdfadc0000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: memcpy
                                                                                        • String ID: %s %T already exists$sqlite_master$sqlite_temp_master$table$temporary table name must be unqualified$there is already an index named %s$view
                                                                                        • API String ID: 3510742995-2846519077
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091057826.00007FFDFACA1000.00000020.00000001.01000000.0000001F.sdmp, Offset: 00007FFDFACA0000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ffdfaca0000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: EqualUnicode_$Mem_$FreeMallocSubtypeType_
                                                                                        • String ID: invalid normalization form
                                                                                        • API String ID: 1153303739-2281882113
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091953967.00007FFDFAF31000.00000020.00000001.01000000.00000016.sdmp, Offset: 00007FFDFAF30000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ffdfaf30000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: i2d_$L_sk_numX509_$L_sk_value
                                                                                        • String ID: ..\s\ssl\statem\extensions_clnt.c
                                                                                        • API String ID: 917959868-592572767
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091953967.00007FFDFAF31000.00000020.00000001.01000000.00000016.sdmp, Offset: 00007FFDFAF30000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ffdfaf30000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: O_new
                                                                                        • String ID: ..\s\ssl\statem\statem_lib.c$No ciphers enabled for max supported SSL/TLS version$n
                                                                                        • API String ID: 458078758-706774904
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091057826.00007FFDFACA1000.00000020.00000001.01000000.0000001F.sdmp, Offset: 00007FFDFACA0000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ffdfaca0000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: Unicode_$Arg_ArgumentFromReadyStringSubtypeType_
                                                                                        • String ID: a unicode character$argument$category
                                                                                        • API String ID: 2803103377-2068800536
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091057826.00007FFDFACA1000.00000020.00000001.01000000.0000001F.sdmp, Offset: 00007FFDFACA0000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ffdfaca0000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: Unicode_$Arg_ArgumentFromReadyStringSubtypeType_
                                                                                        • String ID: a unicode character$argument$bidirectional
                                                                                        • API String ID: 2803103377-2110215792
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091953967.00007FFDFAF31000.00000020.00000001.01000000.00000016.sdmp, Offset: 00007FFDFAF30000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ffdfaf30000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: X_freeX_new_id
                                                                                        • String ID: ..\s\ssl\s3_lib.c
                                                                                        • API String ID: 4103210000-4238427508
                                                                                        • Opcode ID: 0c2e07e554d6954c1b6f59ee8f7ab8f14fe7e97789a3ae369e77daee4a4b3a5b
                                                                                        • Instruction ID: b559e06d6c72fcbcc344505de390b6ee77fb45eecd9fec6d9b990de54cafdc3b
                                                                                        • Opcode Fuzzy Hash: 0c2e07e554d6954c1b6f59ee8f7ab8f14fe7e97789a3ae369e77daee4a4b3a5b
                                                                                        • Instruction Fuzzy Hash: 92418032B19B4285E728AB11E420BA963A1FF847A4F540275FE9D0B7C9DF7CE6408B44
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091057826.00007FFDFACA1000.00000020.00000001.01000000.0000001F.sdmp, Offset: 00007FFDFACA0000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ffdfaca0000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: FromStringUnicode_$S_snprintfSizeSubtypeType_memcpy
                                                                                        • String ID: $%04X
                                                                                        • API String ID: 762632776-4013080060
                                                                                        • Opcode ID: 42b747458abae48cfebdf4003f7663c384f3c05cfbb4cf1dc6f11b5ac7b4f9b4
                                                                                        • Instruction ID: dff00cd9d35b25b3ce2321045c3399d0bd1b85601398f4c1b5887429051fd30a
                                                                                        • Opcode Fuzzy Hash: 42b747458abae48cfebdf4003f7663c384f3c05cfbb4cf1dc6f11b5ac7b4f9b4
                                                                                        • Instruction Fuzzy Hash: 4E31B6BAB0898141EB298B14D9347BD67A1FF45B64F480375CABE0B6C9DF2CD545C300
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091953967.00007FFDFAF31000.00000020.00000001.01000000.00000016.sdmp, Offset: 00007FFDFAF30000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ffdfaf30000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: Y_free$H_get0_keyN_bn2binN_num_bitsY_get0_
                                                                                        • String ID: ..\s\ssl\statem\statem_clnt.c
                                                                                        • API String ID: 2719771601-1507966698
                                                                                        • Opcode ID: 5d966a27a383665b3663cf37d7a36490ea7f873c78de2ea56077e26efeab6eac
                                                                                        • Instruction ID: 79544b999a1b37a07095c8bed67040356e8f405987a7228a6863d899d1e94827
                                                                                        • Opcode Fuzzy Hash: 5d966a27a383665b3663cf37d7a36490ea7f873c78de2ea56077e26efeab6eac
                                                                                        • Instruction Fuzzy Hash: 7F319361B1874185FB68AB16F860AAA5751AF88BE4F440274FD5D4FBD9DF3CE1418700
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091057826.00007FFDFACA1000.00000020.00000001.01000000.0000001F.sdmp, Offset: 00007FFDFACA0000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ffdfaca0000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: Arg_ArgumentErr_FromLongLong_OccurredReadyUnicode_
                                                                                        • String ID: a unicode character$argument$mirrored
                                                                                        • API String ID: 3097524968-4001128513
                                                                                        • Opcode ID: 4b61645cabab3145ea7c7f2adafcb2898850deed7d069dc5f68e202572abad93
                                                                                        • Instruction ID: 8e69f0a92f9d950528db258a98f72aa501b98c23b09e6fd0f10b4222646c18ad
                                                                                        • Opcode Fuzzy Hash: 4b61645cabab3145ea7c7f2adafcb2898850deed7d069dc5f68e202572abad93
                                                                                        • Instruction Fuzzy Hash: E931BD68F0860682FB5C4B25DA71B7D22A1EF84B98F1445B5CA6E8F3DCDF2DE8458340
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091057826.00007FFDFACA1000.00000020.00000001.01000000.0000001F.sdmp, Offset: 00007FFDFACA0000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ffdfaca0000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: Arg_ArgumentErr_FromLongLong_OccurredReadyUnicode_
                                                                                        • String ID: a unicode character$argument$combining
                                                                                        • API String ID: 3097524968-4202047184
                                                                                        • Opcode ID: 05fb961aa6ae3b512608cb557c438458611b13703c91cf8178abb9317e869a23
                                                                                        • Instruction ID: 12d4b33164ad775efd5fa7e74e5f3d4b0d3e6e83ca297165f323e50610463bab
                                                                                        • Opcode Fuzzy Hash: 05fb961aa6ae3b512608cb557c438458611b13703c91cf8178abb9317e869a23
                                                                                        • Instruction Fuzzy Hash: E531D169B0860682FB5C4B15DA71B7D22A1AF94B94F4446B5CF6E4F3C9DE2CE8458340
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091611462.00007FFDFADC1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFDFADC0000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ffdfadc0000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: memcpy$memset
                                                                                        • String ID: "%w" $%Q%s
                                                                                        • API String ID: 438689982-1987291987
                                                                                        • Opcode ID: 9195622123ce080eeec3b02c426e8c6b40673dadf963d2ca43ce0c6e6c6193a4
                                                                                        • Instruction ID: d117f2e3856a6710ff376eed07dfaaa927602dc28f4c6044fa916abd1bda9a08
                                                                                        • Opcode Fuzzy Hash: 9195622123ce080eeec3b02c426e8c6b40673dadf963d2ca43ce0c6e6c6193a4
                                                                                        • Instruction Fuzzy Hash: 3FC1F1B2B08A9296EB18EF15A460A7967A0FB45BA4F444275EE7F077D8DF3DE444C300
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091611462.00007FFDFADC1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFDFADC0000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ffdfadc0000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: memcpy
                                                                                        • String ID: %s at line %d of [%.10s]$a29f9949895322123f7c38fbe94c649a9d6e6c9cd0c3b41c96d694552f26b309$database corruption
                                                                                        • API String ID: 3510742995-481979681
                                                                                        • Opcode ID: 02ed9f4e8b719f9c78407b7d71a2c67bf1cc6552fc7a0d53879185d20272b0eb
                                                                                        • Instruction ID: 1f253eb81cd99645014f55dd36d4cb1303475f946790dd6c82f2fd9b1e848ef7
                                                                                        • Opcode Fuzzy Hash: 02ed9f4e8b719f9c78407b7d71a2c67bf1cc6552fc7a0d53879185d20272b0eb
                                                                                        • Instruction Fuzzy Hash: D8B13B22B0C2D186D7288B15D8A0A7E7BA2FB84B84F044175DFAB477C9EE3CE955D710
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091953967.00007FFDFAF31000.00000020.00000001.01000000.00000016.sdmp, Offset: 00007FFDFAF30000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ffdfaf30000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: O_clear_flagsO_get_dataO_set_flagsO_set_retry_reason
                                                                                        • String ID:
                                                                                        • API String ID: 3836630899-0
                                                                                        • Opcode ID: f551cfe698408866c7d08499e959c70aacf7d6597cb32a4dff51983438c7b323
                                                                                        • Instruction ID: 6ea87457abd53510885af85502c25075fe496f6a486e136761cff5124f3af4e0
                                                                                        • Opcode Fuzzy Hash: f551cfe698408866c7d08499e959c70aacf7d6597cb32a4dff51983438c7b323
                                                                                        • Instruction Fuzzy Hash: 53418322F0831246E75DEA269521A7E6291AF44BE4F1042B1FD6D4BBCECE3CE8919744
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091611462.00007FFDFADC1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFDFADC0000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ffdfadc0000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: %s at line %d of [%.10s]$API called with NULL prepared statement$API called with finalized prepared statement$ATTACH x AS %Q$a29f9949895322123f7c38fbe94c649a9d6e6c9cd0c3b41c96d694552f26b309$misuse
                                                                                        • API String ID: 0-164582590
                                                                                        • Opcode ID: d16af4be9dfa81704786ab46f5c846eb6ee0d3acdac0d8550cb7a92be7f0868a
                                                                                        • Instruction ID: e53dcdf2a7a2b7d421d07f1f1ef93f5cf47d04302eb9d8822c6b16ad0e8c334d
                                                                                        • Opcode Fuzzy Hash: d16af4be9dfa81704786ab46f5c846eb6ee0d3acdac0d8550cb7a92be7f0868a
                                                                                        • Instruction Fuzzy Hash: 75328326B09BC281EB59CF2999646BC2364FF95B84F145275EF6D0729AEF3CE184C300
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091057826.00007FFDFACA1000.00000020.00000001.01000000.0000001F.sdmp, Offset: 00007FFDFACA0000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ffdfaca0000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: Mem_$MallocSubtypeType_$DeallocErr_FreeMemory
                                                                                        • String ID:
                                                                                        • API String ID: 4139299733-0
                                                                                        • Opcode ID: b7834dc9c439b256be78b1bb0312e83a47aa2a91677a7129c06b2164236d8830
                                                                                        • Instruction ID: 2b12b482251ba1ef6b8e3d7b2bbe2a3f2f5a2879661a2bef18a609951d8ac4a6
                                                                                        • Opcode Fuzzy Hash: b7834dc9c439b256be78b1bb0312e83a47aa2a91677a7129c06b2164236d8830
                                                                                        • Instruction Fuzzy Hash: 4ED1BE7EB0C55281EB688B19E434D7D27A5EF55B54F1402B1DAAE8B7C8EF3DE8418700
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091611462.00007FFDFADC1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFDFADC0000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ffdfadc0000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: memcpy
                                                                                        • String ID: %s at line %d of [%.10s]$a29f9949895322123f7c38fbe94c649a9d6e6c9cd0c3b41c96d694552f26b309$database corruption
                                                                                        • API String ID: 3510742995-481979681
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091057826.00007FFDFACA1000.00000020.00000001.01000000.0000001F.sdmp, Offset: 00007FFDFACA0000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ffdfaca0000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: Arg_$ArgumentCheckPositionalReadyUnicode_
                                                                                        • String ID: a unicode character$argument 1$name
                                                                                        • API String ID: 3545102714-4190364640
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091057826.00007FFDFACA1000.00000020.00000001.01000000.0000001F.sdmp, Offset: 00007FFDFACA0000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ffdfaca0000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: Arg_$ArgumentCheckPositionalReadyUnicode_
                                                                                        • String ID: a unicode character$argument 1$decimal
                                                                                        • API String ID: 3545102714-2474051849
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091057826.00007FFDFACA1000.00000020.00000001.01000000.0000001F.sdmp, Offset: 00007FFDFACA0000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ffdfaca0000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: Arg_$ArgumentCheckPositionalReadyUnicode_
                                                                                        • String ID: a unicode character$argument 1$numeric
                                                                                        • API String ID: 3545102714-2385192657
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091953967.00007FFDFAF31000.00000020.00000001.01000000.00000016.sdmp, Offset: 00007FFDFAF30000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ffdfaf30000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: O_ctrlO_freeO_newO_s_fileR_put_error
                                                                                        • String ID: ..\s\ssl\ssl_txt.c
                                                                                        • API String ID: 2618924202-3774725576
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091611462.00007FFDFADC1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFDFADC0000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ffdfadc0000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: memcpy
                                                                                        • String ID: a29f9949895322123f7c38fbe94c649a9d6e6c9cd0c3b41c96d694552f26b309$cannot open savepoint - SQL statements in progress$cannot release savepoint - SQL statements in progress$no such savepoint: %s$statement aborts at %d: [%s] %s
                                                                                        • API String ID: 3510742995-2908325248
                                                                                        APIs
                                                                                        Strings
                                                                                        • foreign key on %s should reference only one column of table %T, xrefs: 00007FFDFAE218D5
                                                                                        • unknown column "%s" in foreign key definition, xrefs: 00007FFDFAE21BEC
                                                                                        • number of columns in foreign key does not match the number of columns in the referenced table, xrefs: 00007FFDFAE218FE
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091611462.00007FFDFADC1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFDFADC0000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ffdfadc0000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: memcpy$memset
                                                                                        • String ID: foreign key on %s should reference only one column of table %T$number of columns in foreign key does not match the number of columns in the referenced table$unknown column "%s" in foreign key definition
                                                                                        • API String ID: 438689982-272990098
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091611462.00007FFDFADC1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFDFADC0000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ffdfadc0000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: memcpy
                                                                                        • String ID: %s at line %d of [%.10s]$API called with NULL prepared statement$API called with finalized prepared statement$a29f9949895322123f7c38fbe94c649a9d6e6c9cd0c3b41c96d694552f26b309$misuse
                                                                                        • API String ID: 3510742995-2291931656
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091611462.00007FFDFADC1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFDFADC0000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ffdfadc0000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: memcpy$memset
                                                                                        • String ID: %s at line %d of [%.10s]$a29f9949895322123f7c38fbe94c649a9d6e6c9cd0c3b41c96d694552f26b309$database corruption
                                                                                        • API String ID: 438689982-481979681
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091611462.00007FFDFADC1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFDFADC0000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ffdfadc0000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: memcpy
                                                                                        • String ID: %s at line %d of [%.10s]$a29f9949895322123f7c38fbe94c649a9d6e6c9cd0c3b41c96d694552f26b309$database corruption
                                                                                        • API String ID: 3510742995-481979681
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091611462.00007FFDFADC1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFDFADC0000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ffdfadc0000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: memcpy$memset
                                                                                        • String ID: Cannot add a column to a view$sqlite_altertab_%s$virtual tables may not be altered
                                                                                        • API String ID: 438689982-2063813899
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091953967.00007FFDFAF31000.00000020.00000001.01000000.00000016.sdmp, Offset: 00007FFDFAF30000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID: Y_free$X_ctrlX_freeX_new_idY_new
                                                                                        • String ID:
                                                                                        • API String ID: 1769623012-0
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091953967.00007FFDFAF31000.00000020.00000001.01000000.00000016.sdmp, Offset: 00007FFDFAF30000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: ..\s\ssl\statem\statem_clnt.c
                                                                                        • API String ID: 0-1507966698
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091953967.00007FFDFAF31000.00000020.00000001.01000000.00000016.sdmp, Offset: 00007FFDFAF30000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID: R_put_error
                                                                                        • String ID: ..\s\ssl\ssl_lib.c
                                                                                        • API String ID: 1767461275-1080266419
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091057826.00007FFDFACA1000.00000020.00000001.01000000.0000001F.sdmp, Offset: 00007FFDFACA0000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID: Arg_ArgumentReadyUnicode_
                                                                                        • String ID: a unicode character$argument$decomposition
                                                                                        • API String ID: 1875788646-2471543666
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091057826.00007FFDFACA1000.00000020.00000001.01000000.0000001F.sdmp, Offset: 00007FFDFACA0000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID: Arg_ArgumentReadyUnicode_
                                                                                        • String ID: a unicode character$argument$east_asian_width
                                                                                        • API String ID: 1875788646-3913127203
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091953967.00007FFDFAF31000.00000020.00000001.01000000.00000016.sdmp, Offset: 00007FFDFAF30000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID: N_ucmp$N_is_zeroN_num_bits
                                                                                        • String ID: ..\s\ssl\tls_srp.c
                                                                                        • API String ID: 1527310491-1778748169
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091057826.00007FFDFACA1000.00000020.00000001.01000000.0000001F.sdmp, Offset: 00007FFDFACA0000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID: DoubleErr_Float_FromNumericStringSubtypeType_Unicode_
                                                                                        • String ID: not a numeric character
                                                                                        • API String ID: 1034370217-2058156748
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091057826.00007FFDFACA1000.00000020.00000001.01000000.0000001F.sdmp, Offset: 00007FFDFACA0000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID: DecimalDigitErr_FromLongLong_StringSubtypeType_Unicode_
                                                                                        • String ID: not a decimal
                                                                                        • API String ID: 3750391552-3590249192
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091057826.00007FFDFACA1000.00000020.00000001.01000000.0000001F.sdmp, Offset: 00007FFDFACA0000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID: Mem_$Capsule_Err_FreeMallocMemory
                                                                                        • String ID: unicodedata._ucnhash_CAPI
                                                                                        • API String ID: 3673501854-3989975041
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091611462.00007FFDFADC1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFDFADC0000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID: memcpy
                                                                                        • String ID: %s at line %d of [%.10s]$a29f9949895322123f7c38fbe94c649a9d6e6c9cd0c3b41c96d694552f26b309$database corruption
                                                                                        • API String ID: 3510742995-481979681
                                                                                        • Opcode ID: 6efb128fbd929f512fa364f7522ab4e9b96948ecf46bbb5d7fa406fcaadb22f2
                                                                                        • Instruction ID: 68b54efe4622283568fbd304a33a5866b458ff720c376601d244c429facf023a
                                                                                        • Opcode Fuzzy Hash: 6efb128fbd929f512fa364f7522ab4e9b96948ecf46bbb5d7fa406fcaadb22f2
                                                                                        • Instruction Fuzzy Hash: 41F19166B0968286EB28CB65D8A4ABDB7A1FB40B8CF544075DE6D477C9EF3CD841C300
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091611462.00007FFDFADC1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFDFADC0000, based on PE: true
                                                                                        • Associated: 00000002.00000002.3091572709.00007FFDFADC0000.00000002.00000001.01000000.0000001A.sdmp
                                                                                        • Associated: 00000002.00000002.3091796977.00007FFDFAEE8000.00000002.00000001.01000000.0000001A.sdmp
                                                                                        • Associated: 00000002.00000002.3091842538.00007FFDFAF15000.00000004.00000001.01000000.0000001A.sdmp
                                                                                        • Associated: 00000002.00000002.3091876793.00007FFDFAF1A000.00000002.00000001.01000000.0000001A.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ffdfadc0000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: memcpy
                                                                                        • String ID: hidden$vtable constructor called recursively: %s$vtable constructor did not declare schema: %s$vtable constructor failed: %s
                                                                                        • API String ID: 3510742995-1299490920
                                                                                        • Opcode ID: 8d664771fc2223c8d07dbd70dc2cd84f07751fe495aa4d456bef85b063aeaada
                                                                                        • Instruction ID: 9c2efa4d5db65db511a54d96c5c8f563f9c580523ae48700ebc51fef6bc18beb
                                                                                        • Opcode Fuzzy Hash: 8d664771fc2223c8d07dbd70dc2cd84f07751fe495aa4d456bef85b063aeaada
                                                                                        • Instruction Fuzzy Hash: 30F12022B08B8289EB189F11A460B7977B5FB44B90F854671DEAE877D8DF3DE461C300
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091611462.00007FFDFADC1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFDFADC0000, based on PE: true
                                                                                        • Associated: 00000002.00000002.3091572709.00007FFDFADC0000.00000002.00000001.01000000.0000001A.sdmp
                                                                                        • Associated: 00000002.00000002.3091796977.00007FFDFAEE8000.00000002.00000001.01000000.0000001A.sdmp
                                                                                        • Associated: 00000002.00000002.3091842538.00007FFDFAF15000.00000004.00000001.01000000.0000001A.sdmp
                                                                                        • Associated: 00000002.00000002.3091876793.00007FFDFAF1A000.00000002.00000001.01000000.0000001A.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ffdfadc0000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: memcpy
                                                                                        • String ID: %s at line %d of [%.10s]$a29f9949895322123f7c38fbe94c649a9d6e6c9cd0c3b41c96d694552f26b309$database corruption
                                                                                        • API String ID: 3510742995-481979681
                                                                                        • Opcode ID: b61347d3bec7b81b1435859d5e4622347e95e657c65f9ee1e91495a14e2e38d1
                                                                                        • Instruction ID: c7bee5efe1b228d70abf2762ae2f2fae78010a657c371bb808409a010b7f9095
                                                                                        • Opcode Fuzzy Hash: b61347d3bec7b81b1435859d5e4622347e95e657c65f9ee1e91495a14e2e38d1
                                                                                        • Instruction Fuzzy Hash: 59E1BE7670978186D798DB15D894BAEB7A1FB84B88F108036EE9E43799EF3DD844C700
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091611462.00007FFDFADC1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFDFADC0000, based on PE: true
                                                                                        • Associated: 00000002.00000002.3091572709.00007FFDFADC0000.00000002.00000001.01000000.0000001A.sdmp
                                                                                        • Associated: 00000002.00000002.3091796977.00007FFDFAEE8000.00000002.00000001.01000000.0000001A.sdmp
                                                                                        • Associated: 00000002.00000002.3091842538.00007FFDFAF15000.00000004.00000001.01000000.0000001A.sdmp
                                                                                        • Associated: 00000002.00000002.3091876793.00007FFDFAF1A000.00000002.00000001.01000000.0000001A.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ffdfadc0000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: memset
                                                                                        • String ID: %s at line %d of [%.10s]$a29f9949895322123f7c38fbe94c649a9d6e6c9cd0c3b41c96d694552f26b309$database corruption
                                                                                        • API String ID: 2221118986-481979681
                                                                                        • Opcode ID: 4bdf955666c5ac82cf6390cf2d8a83894b04edfe6ef3f5747211bb3527a07638
                                                                                        • Instruction ID: 59b63ac0616b0aed0f44d0cbee1480d9a1e73418b609e53f36b74c10d7ca677b
                                                                                        • Opcode Fuzzy Hash: 4bdf955666c5ac82cf6390cf2d8a83894b04edfe6ef3f5747211bb3527a07638
                                                                                        • Instruction Fuzzy Hash: B5D19D73708B8686D768CF25D8A4AA977A9FB88BC8F054076CE5D47798EF39D841C700
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091611462.00007FFDFADC1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFDFADC0000, based on PE: true
                                                                                        • Associated: 00000002.00000002.3091572709.00007FFDFADC0000.00000002.00000001.01000000.0000001A.sdmp
                                                                                        • Associated: 00000002.00000002.3091796977.00007FFDFAEE8000.00000002.00000001.01000000.0000001A.sdmp
                                                                                        • Associated: 00000002.00000002.3091842538.00007FFDFAF15000.00000004.00000001.01000000.0000001A.sdmp
                                                                                        • Associated: 00000002.00000002.3091876793.00007FFDFAF1A000.00000002.00000001.01000000.0000001A.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ffdfadc0000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: memcpymemset
                                                                                        • String ID: %.*z:%u$column%d$rowid
                                                                                        • API String ID: 1297977491-2903559916
                                                                                        • Opcode ID: 9c6e20cff2d78f2c50a489c076a9c0522bc11ee2bf36f3fd05d6c896dc5bf1d1
                                                                                        • Instruction ID: a1b1ff7666ebf9d7c198a2f1d9f3f75dce498363159fdeed4e5607e282f78e7c
                                                                                        • Opcode Fuzzy Hash: 9c6e20cff2d78f2c50a489c076a9c0522bc11ee2bf36f3fd05d6c896dc5bf1d1
                                                                                        • Instruction Fuzzy Hash: ABB1F46AB0968341FB2DAB159420A79A799FF51B84F4941B5DE7E073C9DF3EE601C300
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091611462.00007FFDFADC1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFDFADC0000, based on PE: true
                                                                                        • Associated: 00000002.00000002.3091572709.00007FFDFADC0000.00000002.00000001.01000000.0000001A.sdmp
                                                                                        • Associated: 00000002.00000002.3091796977.00007FFDFAEE8000.00000002.00000001.01000000.0000001A.sdmp
                                                                                        • Associated: 00000002.00000002.3091842538.00007FFDFAF15000.00000004.00000001.01000000.0000001A.sdmp
                                                                                        • Associated: 00000002.00000002.3091876793.00007FFDFAF1A000.00000002.00000001.01000000.0000001A.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ffdfadc0000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: memcpy
                                                                                        • String ID: %s at line %d of [%.10s]$a29f9949895322123f7c38fbe94c649a9d6e6c9cd0c3b41c96d694552f26b309$database corruption
                                                                                        • API String ID: 3510742995-481979681
                                                                                        • Opcode ID: dcb7662c0c4b5f2e4f7d4ee066f3615f147f979f34acd98f0af8d6db03c74891
                                                                                        • Instruction ID: 8e35105be27a07a830c0e697e4a61732c54e1490d4f4c3a4db8d89a86ed6e910
                                                                                        • Opcode Fuzzy Hash: dcb7662c0c4b5f2e4f7d4ee066f3615f147f979f34acd98f0af8d6db03c74891
                                                                                        • Instruction Fuzzy Hash: F781CD72B086C286E7589B25D8A4BAD77A1FB48B84F008076DE6D437D9EF3DE845C700
                                                                                        APIs
                                                                                        • strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,00000000,?,00007FFDFAE56078), ref: 00007FFDFAE55F4C
                                                                                        • strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,00000000,?,00007FFDFAE56078), ref: 00007FFDFAE55F66
                                                                                        • memcpy.VCRUNTIME140(?,?,?,?,?,?,00000000,?,00007FFDFAE56078), ref: 00007FFDFAE55FEB
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091611462.00007FFDFADC1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFDFADC0000, based on PE: true
                                                                                        • Associated: 00000002.00000002.3091572709.00007FFDFADC0000.00000002.00000001.01000000.0000001A.sdmp
                                                                                        • Associated: 00000002.00000002.3091796977.00007FFDFAEE8000.00000002.00000001.01000000.0000001A.sdmp
                                                                                        • Associated: 00000002.00000002.3091842538.00007FFDFAF15000.00000004.00000001.01000000.0000001A.sdmp
                                                                                        • Associated: 00000002.00000002.3091876793.00007FFDFAF1A000.00000002.00000001.01000000.0000001A.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ffdfadc0000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: strncmp$memcpy
                                                                                        • String ID: CRE$INS
                                                                                        • API String ID: 2549481713-4116259516
                                                                                        • Opcode ID: ee7f03eb65566b63a200e793eb71c69cb26967c06edd4fe92d413bded03c366d
                                                                                        • Instruction ID: b0d180d71742c602bb03863f84ba2db68d289689aacc90c0a17233210210961c
                                                                                        • Opcode Fuzzy Hash: ee7f03eb65566b63a200e793eb71c69cb26967c06edd4fe92d413bded03c366d
                                                                                        • Instruction Fuzzy Hash: E451C325B0964288FB18AB52A474A792399BF41FD4F9841B4DD6F8B7DDDF3EE4018320
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091611462.00007FFDFADC1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFDFADC0000, based on PE: true
                                                                                        • Associated: 00000002.00000002.3091572709.00007FFDFADC0000.00000002.00000001.01000000.0000001A.sdmp
                                                                                        • Associated: 00000002.00000002.3091796977.00007FFDFAEE8000.00000002.00000001.01000000.0000001A.sdmp
                                                                                        • Associated: 00000002.00000002.3091842538.00007FFDFAF15000.00000004.00000001.01000000.0000001A.sdmp
                                                                                        • Associated: 00000002.00000002.3091876793.00007FFDFAF1A000.00000002.00000001.01000000.0000001A.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ffdfadc0000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: memcpy
                                                                                        • String ID: %s at line %d of [%.10s]$a29f9949895322123f7c38fbe94c649a9d6e6c9cd0c3b41c96d694552f26b309$database corruption
                                                                                        • API String ID: 3510742995-481979681
                                                                                        • Opcode ID: 07815a208f4ab4e6751cbe36754302aa9aa1073b1d1b1ba255107efd65822c49
                                                                                        • Instruction ID: 40afc273c97c5ee9df82ead454265792c9907415ad98647c07a8edd1a6972dbb
                                                                                        • Opcode Fuzzy Hash: 07815a208f4ab4e6751cbe36754302aa9aa1073b1d1b1ba255107efd65822c49
                                                                                        • Instruction Fuzzy Hash: CF510172708BC0C5CB14CB49E8949AEBBA1F758B84F15417AEE9E43798EB3CD495CB10
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091953967.00007FFDFAF31000.00000020.00000001.01000000.00000016.sdmp, Offset: 00007FFDFAF30000, based on PE: true
                                                                                        • Associated: 00000002.00000002.3091916599.00007FFDFAF30000.00000002.00000001.01000000.00000016.sdmp
                                                                                        • Associated: 00000002.00000002.3091953967.00007FFDFAFA3000.00000020.00000001.01000000.00000016.sdmp
                                                                                        • Associated: 00000002.00000002.3092087856.00007FFDFAFA6000.00000002.00000001.01000000.00000016.sdmp
                                                                                        • Associated: 00000002.00000002.3092134766.00007FFDFAFC9000.00000004.00000001.01000000.00000016.sdmp
                                                                                        • Associated: 00000002.00000002.3092172130.00007FFDFAFCE000.00000002.00000001.01000000.00000016.sdmp
                                                                                        • Associated: 00000002.00000002.3092172130.00007FFDFAFD4000.00000002.00000001.01000000.00000016.sdmp
                                                                                        • Associated: 00000002.00000002.3092172130.00007FFDFAFDB000.00000002.00000001.01000000.00000016.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ffdfaf30000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: R_put_error$E_finish
                                                                                        • String ID: ..\s\ssl\ssl_sess.c
                                                                                        • API String ID: 1409615136-2868363209
                                                                                        • Opcode ID: b4e289396c64a6a09d4fa4806c3d645d01272b03ba011e08657e3b3bdc8c41ce
                                                                                        • Instruction ID: 87bbbc4106e1f6600e13027a37cbd3d461ce1cfa66aa8ff0b416f16c87190566
                                                                                        • Opcode Fuzzy Hash: b4e289396c64a6a09d4fa4806c3d645d01272b03ba011e08657e3b3bdc8c41ce
                                                                                        • Instruction Fuzzy Hash: C211866171824396EB58DB25F9106ED6360EF88798F440271FA6D4B7DADF3CE5508604
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091953967.00007FFDFAF31000.00000020.00000001.01000000.00000016.sdmp, Offset: 00007FFDFAF30000, based on PE: true
                                                                                        • Associated: 00000002.00000002.3091916599.00007FFDFAF30000.00000002.00000001.01000000.00000016.sdmp
                                                                                        • Associated: 00000002.00000002.3091953967.00007FFDFAFA3000.00000020.00000001.01000000.00000016.sdmp
                                                                                        • Associated: 00000002.00000002.3092087856.00007FFDFAFA6000.00000002.00000001.01000000.00000016.sdmp
                                                                                        • Associated: 00000002.00000002.3092134766.00007FFDFAFC9000.00000004.00000001.01000000.00000016.sdmp
                                                                                        • Associated: 00000002.00000002.3092172130.00007FFDFAFCE000.00000002.00000001.01000000.00000016.sdmp
                                                                                        • Associated: 00000002.00000002.3092172130.00007FFDFAFD4000.00000002.00000001.01000000.00000016.sdmp
                                                                                        • Associated: 00000002.00000002.3092172130.00007FFDFAFDB000.00000002.00000001.01000000.00000016.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ffdfaf30000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: R_put_error
                                                                                        • String ID: $$..\s\ssl\ssl_rsa.c
                                                                                        • API String ID: 1767461275-1365392022
                                                                                        • Opcode ID: 696c212158a76c12d12b802452140813d8450d4783cffb2c64828533ea22726d
                                                                                        • Instruction ID: 914f5c2f23b635397e60baaec15a4c4f6501c096f5d36f37a43c1819cdca2708
                                                                                        • Opcode Fuzzy Hash: 696c212158a76c12d12b802452140813d8450d4783cffb2c64828533ea22726d
                                                                                        • Instruction Fuzzy Hash: CA010871B0854246E758CB25E410BAA52A1FF883D8F544271FB5C8BBDEDF3DD5408704
                                                                                        APIs
                                                                                        • PyErr_SetString.PYTHON310(?,?,?,?,?,00007FFDFACA1ECC), ref: 00007FFDFACA3B7D
                                                                                          • Part of subcall function 00007FFDFACA1FC0: strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDFACA1FF8
                                                                                          • Part of subcall function 00007FFDFACA1FC0: strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDFACA2016
                                                                                        • PyErr_Format.PYTHON310 ref: 00007FFDFACA1F43
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091057826.00007FFDFACA1000.00000020.00000001.01000000.0000001F.sdmp, Offset: 00007FFDFACA0000, based on PE: true
                                                                                        • Associated: 00000002.00000002.3091032123.00007FFDFACA0000.00000002.00000001.01000000.0000001F.sdmp
                                                                                        • Associated: 00000002.00000002.3091090461.00007FFDFACA6000.00000002.00000001.01000000.0000001F.sdmp
                                                                                        • Associated: 00000002.00000002.3091090461.00007FFDFAD04000.00000002.00000001.01000000.0000001F.sdmp
                                                                                        • Associated: 00000002.00000002.3091090461.00007FFDFAD53000.00000002.00000001.01000000.0000001F.sdmp
                                                                                        • Associated: 00000002.00000002.3091090461.00007FFDFADAC000.00000002.00000001.01000000.0000001F.sdmp
                                                                                        • Associated: 00000002.00000002.3091501454.00007FFDFADAF000.00000004.00000001.01000000.0000001F.sdmp
                                                                                        • Associated: 00000002.00000002.3091536463.00007FFDFADB1000.00000002.00000001.01000000.0000001F.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ffdfaca0000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: Err_strncmp$FormatString
                                                                                        • String ID: name too long$undefined character name '%s'
                                                                                        • API String ID: 3882229318-4056717002
                                                                                        • Opcode ID: 31cd359149d7cc36d1b7242dd865158f364961906bf39cf5effa3536ad119dcc
                                                                                        • Instruction ID: 84f4ba75ad2285a3bb80a9c3c2fb17df4a54e1d49028868fcb82728235723f2f
                                                                                        • Opcode Fuzzy Hash: 31cd359149d7cc36d1b7242dd865158f364961906bf39cf5effa3536ad119dcc
                                                                                        • Instruction Fuzzy Hash: 5411127AB1894681EB048B14E8B4ABC6361FB48B58F400571CA6E4B2E9DF6DD146C700
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091611462.00007FFDFADC1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFDFADC0000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID: memcpy$memset
                                                                                        • String ID:
                                                                                        • API String ID: 438689982-0
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091611462.00007FFDFADC1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFDFADC0000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID: memset
                                                                                        • String ID: %s-shm$readonly_shm$winOpenShm
                                                                                        • API String ID: 2221118986-2815843928
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091611462.00007FFDFADC1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFDFADC0000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: %s at line %d of [%.10s]$a29f9949895322123f7c38fbe94c649a9d6e6c9cd0c3b41c96d694552f26b309$database corruption
                                                                                        • API String ID: 0-481979681
                                                                                        APIs
                                                                                        • memcpy.VCRUNTIME140(?,?,?,?,?,?,00000080,?,00000000,00007FFDFAE51174), ref: 00007FFDFAE50E4B
                                                                                        • memcpy.VCRUNTIME140(?,?,?,?,?,?,00000080,?,00000000,00007FFDFAE51174), ref: 00007FFDFAE50ECE
                                                                                        • memcpy.VCRUNTIME140(?,?,?,?,?,?,00000080,?,00000000,00007FFDFAE51174), ref: 00007FFDFAE50FBB
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091611462.00007FFDFADC1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFDFADC0000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID: memcpy
                                                                                        • String ID: RETURNING may not use "TABLE.*" wildcards
                                                                                        • API String ID: 3510742995-2313493979
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091611462.00007FFDFADC1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFDFADC0000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID: memcpy
                                                                                        • String ID: %sSCALAR SUBQUERY %d$CORRELATED $Expression tree is too large (maximum depth %d)
                                                                                        • API String ID: 3510742995-1564306579
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091611462.00007FFDFADC1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFDFADC0000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: %s.%s$column%d$rowid
                                                                                        • API String ID: 0-1505470444
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091611462.00007FFDFADC1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFDFADC0000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID: memset
                                                                                        • String ID: %s at line %d of [%.10s]$a29f9949895322123f7c38fbe94c649a9d6e6c9cd0c3b41c96d694552f26b309$database corruption
                                                                                        • API String ID: 2221118986-481979681
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091611462.00007FFDFADC1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFDFADC0000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID: memcpy
                                                                                        • String ID: $, $CREATE TABLE
                                                                                        • API String ID: 3510742995-3459038510
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091057826.00007FFDFACA1000.00000020.00000001.01000000.0000001F.sdmp, Offset: 00007FFDFACA0000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID: strncmp
                                                                                        • String ID: CJK UNIFIED IDEOGRAPH-$HANGUL SYLLABLE
                                                                                        • API String ID: 1114863663-87138338
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091611462.00007FFDFADC1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFDFADC0000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: , $index '%q'
                                                                                        • API String ID: 0-2319803734
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091611462.00007FFDFADC1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFDFADC0000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID: memcpy
                                                                                        • String ID: (join-%u)$(subquery-%u)
                                                                                        • API String ID: 3510742995-2916047017
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091611462.00007FFDFADC1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFDFADC0000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID: memset
                                                                                        • String ID: %s at line %d of [%.10s]$a29f9949895322123f7c38fbe94c649a9d6e6c9cd0c3b41c96d694552f26b309$database corruption
                                                                                        • API String ID: 2221118986-481979681
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091953967.00007FFDFAF31000.00000020.00000001.01000000.00000016.sdmp, Offset: 00007FFDFAF30000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID: C_curve_nist2nidJ_ln2nidJ_sn2nidmemcpy
                                                                                        • String ID:
                                                                                        • API String ID: 722349470-0
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091611462.00007FFDFADC1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFDFADC0000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID: memcpy
                                                                                        • String ID: %s at line %d of [%.10s]$a29f9949895322123f7c38fbe94c649a9d6e6c9cd0c3b41c96d694552f26b309$database corruption
                                                                                        • API String ID: 3510742995-481979681
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091611462.00007FFDFADC1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFDFADC0000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID: memcpy
                                                                                        • String ID: $%!.15g$-
                                                                                        • API String ID: 3510742995-875264902
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091611462.00007FFDFADC1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFDFADC0000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID: memset
                                                                                        • String ID: %s at line %d of [%.10s]$a29f9949895322123f7c38fbe94c649a9d6e6c9cd0c3b41c96d694552f26b309$database corruption
                                                                                        • API String ID: 2221118986-481979681
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091611462.00007FFDFADC1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFDFADC0000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: %s at line %d of [%.10s]$a29f9949895322123f7c38fbe94c649a9d6e6c9cd0c3b41c96d694552f26b309$database corruption
                                                                                        • API String ID: 0-481979681
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091953967.00007FFDFAF31000.00000020.00000001.01000000.00000016.sdmp, Offset: 00007FFDFAF30000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID: Calc_D_priv_bytesL_cleanseN_bin2bn
                                                                                        • String ID:
                                                                                        • API String ID: 4178199679-0
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091953967.00007FFDFAF31000.00000020.00000001.01000000.00000016.sdmp, Offset: 00007FFDFAF30000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID: O_find_typeO_get_data
                                                                                        • String ID:
                                                                                        • API String ID: 280995463-0
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091953967.00007FFDFAF31000.00000020.00000001.01000000.00000016.sdmp, Offset: 00007FFDFAF30000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID: X_new$R_flagsR_key_lengthX_freeX_reset
                                                                                        • String ID: ..\s\ssl\t1_enc.c
                                                                                        • API String ID: 3297287953-4043206075
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091953967.00007FFDFAF31000.00000020.00000001.01000000.00000016.sdmp, Offset: 00007FFDFAF30000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID: L_sk_numL_sk_value
                                                                                        • String ID: ..\s\ssl\statem\extensions_srvr.c
                                                                                        • API String ID: 557030205-1853348325
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091953967.00007FFDFAF31000.00000020.00000001.01000000.00000016.sdmp, Offset: 00007FFDFAF30000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID: O_clear_flagsO_set_flags
                                                                                        • String ID: ..\s\ssl\statem\statem_srvr.c
                                                                                        • API String ID: 3946675294-348624464
                                                                                        APIs
                                                                                        • ERR_put_error.LIBCRYPTO-1_1(?,?,?,?,?,?,00007FFDFAF59E49), ref: 00007FFDFAF5E9FD
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091953967.00007FFDFAF31000.00000020.00000001.01000000.00000016.sdmp, Offset: 00007FFDFAF30000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ffdfaf30000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: R_put_error
                                                                                        • String ID: ..\s\ssl\ssl_lib.c
                                                                                        • API String ID: 1767461275-1080266419
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091953967.00007FFDFAF31000.00000020.00000001.01000000.00000016.sdmp, Offset: 00007FFDFAF30000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ffdfaf30000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: R_put_errormemcpy
                                                                                        • String ID: ..\s\ssl\ssl_lib.c
                                                                                        • API String ID: 1385177007-1080266419
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091953967.00007FFDFAF31000.00000020.00000001.01000000.00000016.sdmp, Offset: 00007FFDFAF30000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ffdfaf30000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: R_put_error
                                                                                        • String ID: ..\s\ssl\d1_msg.c
                                                                                        • API String ID: 1767461275-424620239
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091953967.00007FFDFAF31000.00000020.00000001.01000000.00000016.sdmp, Offset: 00007FFDFAF30000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ffdfaf30000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: DigestO_writeUpdate
                                                                                        • String ID: ..\s\ssl\s3_enc.c
                                                                                        • API String ID: 1267058251-1839494539
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091953967.00007FFDFAF31000.00000020.00000001.01000000.00000016.sdmp, Offset: 00007FFDFAF30000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ffdfaf30000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: R_put_error
                                                                                        • String ID: ..\s\ssl\ssl_rsa.c
                                                                                        • API String ID: 1767461275-2723262194
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091953967.00007FFDFAF31000.00000020.00000001.01000000.00000016.sdmp, Offset: 00007FFDFAF30000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ffdfaf30000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: Time$System$File
                                                                                        • String ID: gfff
                                                                                        • API String ID: 2838179519-1553575800
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091057826.00007FFDFACA1000.00000020.00000001.01000000.0000001F.sdmp, Offset: 00007FFDFACA0000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ffdfaca0000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: String$Err_FromUnicode_
                                                                                        • String ID: no such name
                                                                                        • API String ID: 3678473424-4211486178
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091611462.00007FFDFADC1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFDFADC0000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ffdfadc0000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: _msizerealloc
                                                                                        • String ID: failed memory resize %u to %u bytes
                                                                                        • API String ID: 2713192863-2134078882
                                                                                        APIs
                                                                                        • _PyObject_GC_New.PYTHON310(?,?,00000000,00007FFDFACA2523), ref: 00007FFDFACA25A6
                                                                                        • PyObject_GC_Track.PYTHON310(?,?,00000000,00007FFDFACA2523), ref: 00007FFDFACA25D8
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091057826.00007FFDFACA1000.00000020.00000001.01000000.0000001F.sdmp, Offset: 00007FFDFACA0000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ffdfaca0000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: Object_$Track
                                                                                        • String ID: 3.2.0
                                                                                        • API String ID: 16854473-1786766648
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091611462.00007FFDFADC1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFDFADC0000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ffdfadc0000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: memcpy$memset
                                                                                        • String ID:
                                                                                        • API String ID: 438689982-0
                                                                                        • Opcode ID: f58fcccc4a0196c16263d067ac9766a36f3dbb43d2a57ff342ea1ccbbaa385b9
                                                                                        • Instruction ID: da434d38e72a1ceae263c81e0e983e430ed74a5a83682bc4e36281177dbcdc85
                                                                                        • Opcode Fuzzy Hash: f58fcccc4a0196c16263d067ac9766a36f3dbb43d2a57ff342ea1ccbbaa385b9
                                                                                        • Instruction Fuzzy Hash: 89910676B0866182E728EF16A060A6A77A0FB44BD4F08C175EE6E47BCDDF3DD4508700
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.3091611462.00007FFDFADC1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFDFADC0000, based on PE: true
                                                                                        • Associated: 00000002.00000002.3091572709.00007FFDFADC0000.00000002.00000001.01000000.0000001A.sdmp
                                                                                        • Associated: 00000002.00000002.3091796977.00007FFDFAEE8000.00000002.00000001.01000000.0000001A.sdmp
                                                                                        • Associated: 00000002.00000002.3091842538.00007FFDFAF15000.00000004.00000001.01000000.0000001A.sdmp
                                                                                        • Associated: 00000002.00000002.3091876793.00007FFDFAF1A000.00000002.00000001.01000000.0000001A.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ffdfadc0000_231210-10-Creal-33652f.jbxd
                                                                                        Similarity
                                                                                        • API ID: memcpy
                                                                                        • String ID:
                                                                                        • API String ID: 3510742995-0
                                                                                        • Opcode ID: 8afcf6db348b6122eb14ae468c1da76088f8a624b48f58ecf82eefa89c483c11
                                                                                        • Instruction ID: 0a3083c8bad07440b9fa3b2764c38b1a8d079605d7d712b40827dc3c5c3d70e1
                                                                                        • Opcode Fuzzy Hash: 8afcf6db348b6122eb14ae468c1da76088f8a624b48f58ecf82eefa89c483c11
                                                                                        • Instruction Fuzzy Hash: B191D135B0876686EB28AF1694A4A2A67D4FB44BD0F4C9274DE6E07BC9DF3DE411C700